A split tunnel routes only chosen destinations through WireGuard; everything else uses the
client’s normal connection. It’s all controlled by the client’s AllowedIPs.
Client — /etc/wireguard/wg0.conf
List only the subnets you want to reach over the VPN:
[Interface]
Address = 10.0.0.2/24
PrivateKey = CLIENT_PRIVATE_KEY
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_PUBLIC_IP:51820
# Only the VPN subnet + a remote office LAN go through the tunnel:
AllowedIPs = 10.0.0.0/24, 192.168.50.0/24
PersistentKeepalive = 25
Compare: AllowedIPs = 0.0.0.0/0 (plus ::/0 for IPv6) = full tunnel, every packet goes to the server; a specific list = split tunnel, only those prefixes do. In a split tunnel DNS lookups keep using the client's normal resolver unless you add a DNS = line to [Interface], so names on the remote LAN won't resolve by themselves.
Server — /etc/wireguard/wg0.conf
The server side is the normal road-warrior server. If the client needs to reach a LAN behind
the server (like 192.168.50.0/24), the server also needs IP forwarding and a NAT rule — see the
home-LAN and NAT recipes. The server's AllowedIPs = 10.0.0.2/32 stays as it is: on the server it
only says which source addresses are accepted from this client, and the client still sends its
LAN-bound packets from 10.0.0.2.
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32
Verify which traffic uses the tunnel
ip route get 192.168.50.10 # output should say "dev wg0"
ip route get 1.1.1.1 # should name your normal interface (eth0, wlan0, ...), not wg0
curl ifconfig.me # should print YOUR real public IP, not the server's
Add a prefix later without reconnecting. wg set rewrites the live peer's allowed-ips list (it replaces the list, it does not append, so repeat the prefixes you already had):
sudo wg set wg0 peer SERVER_PUBLIC_KEY allowed-ips 10.0.0.0/24,192.168.50.0/24
This only updates WireGuard's own cryptokey routing; it does not add a kernel route, so for a brand-new prefix also run sudo ip route add 192.168.50.0/24 dev wg0 (wg-quick does that for you only at wg-quick up). Then wg-quick save wg0 writes the running config, new AllowedIPs included, back to /etc/wireguard/wg0.conf. Remember that on the client AllowedIPs doubles as the routing table: WireGuard only sends (and accepts) packets whose addresses match it, and wg-quick installs a route for each prefix, so editing it changes exactly what is tunneled.
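To make the AllowedIPs-as-routing-table point concrete, here is an added example (not code from this page, and not part of wireguard-tools): a small Python simulator of the client-side cryptokey routing decision. It parses the client wg0.conf above (embedded as a constructed sample), does the longest-prefix match the kernel does to decide whether a destination is tunneled and to which peer, classifies the config as full or split tunnel, lists the ip route add commands wg-quick would install (assumed to mirror wg-quick's rule of skipping prefixes the interface Address already covers, and to set aside /0 prefixes, which wg-quick handles with policy routing instead), and flags prefixes that overlap your own LAN. The function names and the lan_conflicts check are the example's own.

```python
"""Cryptokey-routing simulator for a WireGuard client config.

Added example, not code from the original page: it answers offline the
question the `ip route get` checks answer on a live box, namely which
destinations go through the tunnel and to which peer.
"""
import ipaddress

# Constructed sample input: the client config from this page (placeholder keys).
CLIENT_CONF = """\
[Interface]
Address = 10.0.0.2/24
PrivateKey = CLIENT_PRIVATE_KEY

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_PUBLIC_IP:51820
# Only the VPN subnet + a remote office LAN go through the tunnel:
AllowedIPs = 10.0.0.0/24, 192.168.50.0/24
PersistentKeepalive = 25
"""


def parse_config(conf_text):
    """Return {"addresses": [interface networks], "peers": [{"pubkey", "allowed"}]}.

    Handles '#' comments, repeated keys and comma-separated lists, the forms
    wg(8) and wg-quick(8) accept. Keys this example does not need are ignored.
    """
    cfg = {"addresses": [], "peers": []}
    section, peer = None, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            if section == "peer":
                peer = {"pubkey": None, "allowed": []}
                cfg["peers"].append(peer)
            continue
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        key = key.lower()
        values = [v.strip() for v in value.split(",") if v.strip()]
        if section == "interface" and key == "address":
            cfg["addresses"] += [ipaddress.ip_interface(v) for v in values]
        elif section == "peer" and key == "publickey":
            peer["pubkey"] = value
        elif section == "peer" and key == "allowedips":
            # strict=False: wg tolerates host bits being set (e.g. 10.0.0.2/24).
            peer["allowed"] += [ipaddress.ip_network(v, strict=False) for v in values]
    return cfg


def tunnel_peer(cfg, dst):
    """Longest-prefix match across every peer's AllowedIPs, as the kernel's
    cryptokey routing table does. Returns (pubkey, matching network), or None
    when the destination is not tunneled and takes the normal default route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for peer in cfg["peers"]:
        for net in peer["allowed"]:
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[1].prefixlen:
                    best = (peer["pubkey"], net)
    return best


def tunnel_mode(cfg):
    """'full' when some peer holds a default route (0.0.0.0/0 or ::/0), else 'split'."""
    return "full" if any(n.prefixlen == 0 for p in cfg["peers"] for n in p["allowed"]) else "split"


def lan_conflicts(cfg, local_lan):
    """AllowedIPs prefixes that overlap the client's own LAN (hypothetical check).
    wg-quick would install a route for each, so local hosts in that range become
    unreachable or, worse, their traffic is silently sent to the VPN server."""
    lan = ipaddress.ip_network(local_lan, strict=False)
    return [n for p in cfg["peers"] for n in p["allowed"]
            if n.version == lan.version and n.overlaps(lan)]


def wg_quick_routes(cfg, ifname="wg0"):
    """(route commands, default-route prefixes) wg-quick would act on at `up`.
    Assumption mirroring wg-quick: one `ip route add <prefix> dev wg0` per
    non-default prefix, skipped when the interface Address already covers it
    (the kernel's connected route handles that); /0 prefixes are returned
    separately because wg-quick sets those up with fwmark policy routing."""
    connected = [a.network for a in cfg["addresses"]]
    cmds, defaults = [], []
    for peer in cfg["peers"]:
        for net in peer["allowed"]:
            if net.prefixlen == 0:
                defaults.append(str(net))
            elif not any(net.version == c.version and net.subnet_of(c) for c in connected):
                cmds.append(f"ip -{net.version} route add {net} dev {ifname}")
    return cmds, defaults


if __name__ == "__main__":
    cfg = parse_config(CLIENT_CONF)
    print("mode:", tunnel_mode(cfg))
    for dst in ("192.168.50.10", "10.0.0.1", "1.1.1.1"):
        hit = tunnel_peer(cfg, dst)
        print(dst, "->", f"via wg0 (peer {hit[0]}, {hit[1]})" if hit else "normal interface")
    print("wg-quick routes:", wg_quick_routes(cfg))
    print("overlap with a 192.168.50.0/24 home LAN:", lan_conflicts(cfg, "192.168.50.0/24"))
```

Run it to see each destination's verdict offline; on a live box wg show wg0 allowed-ips prints the table this simulator stands in for, and ip route get confirms the kernel agrees with it. The lan_conflicts check is worth running before you add a remote LAN prefix: a remote office on 192.168.50.0/24 collides with a home network on the same range, and the page's config would then route your printer's traffic to the server.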