
How to configure Split Tunnelling


WireGuard Split Tunnelling

To start, head over to the configs section of your dashboard and download the configs you'd like to use. Next, you'll want to grab your IP address (or the IP address[es]) that you'd like to route through the VPN server. For the sake of clarity, let's pretend:

  • Our external IP address for this guide is 123.123.123.123
  • We have an internal service running on the VPN server with an IP address of 192.168.1.123
  • The config that we've downloaded is this:
[Interface]
Address = 10.0.0.2
PrivateKey = GFK+w7ZNKso27lNF0Q04CuVcIrOONXFMgrrCOB5j5Wo=
 
[Peer]
PublicKey = z0vcAafN0cEFXu+7nFcvtRvWmszxQzxwn8uTjxziWhk=
PresharedKey = KNnIaX4EgJEfRrCRXL0CaSD+5afZhCEfTzTWKMAMBgU=
Endpoint = tx2.shockvpn.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

Including Subnets

If we only want to route traffic towards our internal service (reminder that the internal IP for the service is outlined above), we would want to update our config to look something like this:

[Interface]
Address = 10.0.0.2
PrivateKey = GFK+w7ZNKso27lNF0Q04CuVcIrOONXFMgrrCOB5j5Wo=
 
[Peer]
PublicKey = z0vcAafN0cEFXu+7nFcvtRvWmszxQzxwn8uTjxziWhk=
PresharedKey = KNnIaX4EgJEfRrCRXL0CaSD+5afZhCEfTzTWKMAMBgU=
Endpoint = tx2.shockvpn.com:51820
AllowedIPs = 192.168.1.123/32
PersistentKeepalive = 25

This means WireGuard will only route traffic destined for 192.168.1.123 through the tunnel to the VPN server.

Excluding Subnets

This is a little more complicated. With the same example as above, let's pretend you want to route all traffic through the tunnel except your public IP address. This can be helpful when connecting to the VPN from inside an SSH or RDP session, so that the session's own traffic stays outside the tunnel and you are not disconnected. For that reason, we've created a helpful endpoint to process this for you. The endpoint takes in an IP address (or multiple IP addresses separated by commas) and returns the subnets you would need to put in your AllowedIPs section to exclude the IP address[es] you passed in.

To use the endpoint, you can make a request to /api/ip/exclude-subnets?ip=IP_ADDRESS with the ip query parameter being the IP address (or multiple IP addresses separated by commas) that you want to exclude from the tunnel. For example, using our example IP address of 123.123.123.123, we would make a request to /api/ip/exclude-subnets?ip=123.123.123.123 which would return the following output:

AllowedIPs = 128.0.0.0/1, 0.0.0.0/2, 64.0.0.0/3, 96.0.0.0/4, 112.0.0.0/5, 124.0.0.0/6, 120.0.0.0/7, 122.0.0.0/8, 123.128.0.0/9, 123.0.0.0/10, 123.64.0.0/11, 123.96.0.0/12, 123.112.0.0/13, 123.124.0.0/14, 123.120.0.0/15, 123.122.0.0/16, 123.123.128.0/17, 123.123.0.0/18, 123.123.64.0/19, 123.123.96.0/20, 123.123.112.0/21, 123.123.124.0/22, 123.123.120.0/23, 123.123.122.0/24, 123.123.123.128/25, 123.123.123.0/26, 123.123.123.64/27, 123.123.123.96/28, 123.123.123.112/29, 123.123.123.124/30, 123.123.123.120/31, 123.123.123.122/32

Then take the output above and replace the AllowedIPs line in the [Peer] section of your config, which should end up looking something like this:

[Interface]
Address = 10.0.0.2
PrivateKey = GFK+w7ZNKso27lNF0Q04CuVcIrOONXFMgrrCOB5j5Wo=
 
[Peer]
PublicKey = z0vcAafN0cEFXu+7nFcvtRvWmszxQzxwn8uTjxziWhk=
PresharedKey = KNnIaX4EgJEfRrCRXL0CaSD+5afZhCEfTzTWKMAMBgU=
Endpoint = tx2.shockvpn.com:51820
AllowedIPs = 128.0.0.0/1, 0.0.0.0/2, 64.0.0.0/3, 96.0.0.0/4, 112.0.0.0/5, 124.0.0.0/6, 120.0.0.0/7, 122.0.0.0/8, 123.128.0.0/9, 123.0.0.0/10, 123.64.0.0/11, 123.96.0.0/12, 123.112.0.0/13, 123.124.0.0/14, 123.120.0.0/15, 123.122.0.0/16, 123.123.128.0/17, 123.123.0.0/18, 123.123.64.0/19, 123.123.96.0/20, 123.123.112.0/21, 123.123.124.0/22, 123.123.120.0/23, 123.123.122.0/24, 123.123.123.128/25, 123.123.123.0/26, 123.123.123.64/27, 123.123.123.96/28, 123.123.123.112/29, 123.123.123.124/30, 123.123.123.120/31, 123.123.123.122/32
PersistentKeepalive = 25

At this point, you should be ready to go! All that is left to do is to bring up the interface (on Linux) or press the "Activate" button (on Windows and Mac) from inside the WireGuard client.