Set up IP-based split tunneling with Firezone
This guide will describe the steps required to enable split tunneling with WireGuard using Firezone so only traffic to defined IP ranges will be routed through the VPN.
Firezone sets the
Allowed IPs field so traffic destined for
specific IPs are encrypted and routed through the gateway.
Step 1: Set AllowedIPs
AllowedIPs can be set globally on the
/settings/default page or individually
for each device during creation. Changes will only apply to new WireGuard
tunnel configurations generated by Firezone.
Some examples of values in this field are:
0.0.0.0/0, ::/0- all network traffic will be routed to the VPN server.
192.0.2.3/32- only traffic to a single IP address will be routed to the VPN server.
22.214.171.124/22- only traffic to IPs in the
126.96.36.199 - 188.8.131.52range will be routed to the VPN server. In this example, the CIDR range for the
ap-northeast-2AWS region was used.
When deciding where to route a packet, Firezone chooses the egress interface corresponding to the most specific route first.
Step 2 (optional): Set the DNS server(s)
You can define the DNS server(s) used by devices when the WireGuard tunnel
is active. By default, it uses Cloudflare's DNS servers (
/settings/default page to override this value.
For split tunneling, this may be desired if you run a DNS server that resolves internal hosts to private IPs reachable via Firezone.
If you wish to resolve DNS queries
over the encrypted VPN tunnel (recommended), ensure the DNS IPs are included in
Step 3: Regenerate the device configurations
Changes made to global settings in the Defaults tab are only applied to future device configurations generated by Firezone.
Users need to regenerate device configurations to update existing devices
for the updated configuration changes to
See add device for instructions.