WireGuard Split Tunnel Config Guide for Windows and More

Beginner-friendly step-by-step guide





Configuring a WireGuard split tunnel has numerous benefits.

WireGuard is a fast, modern VPN protocol that encrypts your internet traffic. On top of that, it dramatically reduces the speed loss that using a VPN usually entails.

However, you don’t always need to route your communications through WireGuard. Sometimes it’s more beneficial to connect to the internet like normal.

Below, we’ll lead you through the steps of configuring your own WireGuard split tunnel for Windows, Android, macOS, and iOS.

Ready?

Is it possible to split tunnel in WireGuard?

Yes, it’s possible to split tunnel in WireGuard. Basically, this feature lets you decide which apps’ traffic goes through the encrypted tunnel and which apps connect directly, outside it. The best WireGuard VPN services simplify this process.

But if you’re manually configuring it, that takes a bit of technical know-how. Fortunately, we prepared guides on how to set it up by yourself.

How to set up split tunneling on WireGuard?

Here’s how to configure WireGuard split tunneling on Windows, Android, macOS, and iOS:

Windows

If you’re a PC user, follow these steps:

  1. Download the WireGuard Windows Installer from the official website.


  2. Run the WireGuard installer.


  3. Open the WireGuard client.


  4. Go to Add Tunnel > Add empty tunnel to automatically create a public and private key pair.


  5. Provide a tunnel name.

  6. Put these lines in the Interface and Peer sections (the <key>, <public IP> and <port> placeholders stand for your own values; the private key is the one the client generated in step 4):

    [Interface]
    PrivateKey = <key>
    Address = 194.128.2.2/32
    DNS = 192.168.2.1

    [Peer]
    PublicKey = <key>
    AllowedIPs = 0.0.0.0/0
    Endpoint = <public IP>:<port>

  7. Add this line to the Interface section of your WireGuard Windows config so that the client doesn’t create a default route automatically (note the Key = Value syntax; “Table: off” with a colon is rejected with an error):

    Table = off

  8. Make sure that the AllowedIPs line in the Peer section says 0.0.0.0/0.

  9. Open your PC’s registry editor.

  10. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\WireGuard.

  11. If the WireGuard key doesn’t exist yet, create it.

  12. Create a DWORD value named DangerousScriptExecution.

  13. Set the value of DangerousScriptExecution to 1.

  14. Add these lines to your config’s Interface section. Use plain ASCII double quotes around the PowerShell command; the curly quotes that a word processor or web page may substitute are not recognized by PowerShell and the commands will fail:

    PostUp = powershell -command "$wgInterface = Get-NetAdapter -Name %WIREGUARD_TUNNEL_NAME%; route add 0.0.0.0 mask 0.0.0.0 0.0.0.0 IF $wgInterface.ifIndex metric 9999; Set-NetIPInterface -InterfaceIndex $wgInterface.ifIndex -InterfaceMetric 9999;"

    PreDown = powershell -command "$wgInterface = Get-NetAdapter -Name %WIREGUARD_TUNNEL_NAME%; route delete 0.0.0.0 mask 0.0.0.0 0.0.0.0 if $wgInterface.ifIndex metric 9999; Set-NetIPInterface -InterfaceIndex $wgInterface.ifIndex -InterfaceMetric 9999;"

  15. Use a proxy client like Proxifier to specify which network applications should use WireGuard.

  16. Open PowerShell to confirm your routes are working correctly.

  17. Type this:


    netsh interface ip show address

  18. Check that the Gateway Metric and Interface Metric values shown for your VPN interface are both 9999.
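Before importing a hand-written config into the client, it helps to lint it for the slips that creep in when copying from a web page: a “Key: Value” line instead of “Key = Value”, typographic quotes inside PostUp/PreDown, a malformed key, or an AllowedIPs entry that isn’t a CIDR. The Python script below is an added example, not code from this guide or from the WireGuard project. The function names (parse_wg_config, lint_wg_config), the accepted-key sets and the sample configs are my own; the key in the samples is a constructed all-zero placeholder that only has the right length, and 203.0.113.10 is a documentation address standing in for a real endpoint.

```python
import base64
import ipaddress
from typing import Dict, List, Tuple

# Keys wg-quick(8) accepts in each section (matched case-insensitively).
INTERFACE_KEYS = {"privatekey", "listenport", "address", "dns", "mtu", "table",
                  "fwmark", "preup", "postup", "predown", "postdown", "saveconfig"}
PEER_KEYS = {"publickey", "presharedkey", "allowedips", "endpoint", "persistentkeepalive"}
# Word-processor quotes; PowerShell does not treat them as string delimiters.
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"


def parse_wg_config(text: str) -> Tuple[List[Dict[str, str]], List[str]]:
    """Split a .conf into sections (dicts with '_name' plus lower-cased keys).
    Returns (sections, syntax problems found while parsing)."""
    sections: List[Dict[str, str]] = []
    problems: List[str] = []
    current: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"_name": line[1:-1].strip().lower()}
            sections.append(current)
        elif not current:
            problems.append(f"line {lineno}: key appears before any [section]")
        elif "=" not in line:
            # 'Table: off' is the classic slip; the format is always 'Key = Value'
            problems.append(f"line {lineno}: expected 'Key = Value', got {line!r}")
        else:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key.lower()] = value
    return sections, problems


def _is_wg_key(value: str) -> bool:
    """WireGuard keys are 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def lint_wg_config(text: str) -> List[str]:
    """Return a list of problems; an empty list means the config looks loadable."""
    sections, problems = parse_wg_config(text)
    names = [s["_name"] for s in sections]
    if names.count("interface") != 1:
        problems.append("config needs exactly one [Interface] section")
    if "peer" not in names:
        problems.append("config has no [Peer] section")
    for s in sections:
        name = s["_name"]
        allowed = INTERFACE_KEYS if name == "interface" else PEER_KEYS
        for key, value in s.items():
            if key == "_name":
                continue
            if key not in allowed:
                problems.append(f"[{name}] unknown key {key!r}")
            elif not value:
                problems.append(f"[{name}] {key} has no value")
            elif any(ch in value for ch in TYPOGRAPHIC_QUOTES):
                problems.append(f"[{name}] {key} contains typographic quotes; use ASCII \" or '")
        key_name = "privatekey" if name == "interface" else "publickey"
        key_value = s.get(key_name)
        if key_value is None:
            problems.append(f"[{name}] missing {key_name}")
        elif key_value and not _is_wg_key(key_value):
            problems.append(f"[{name}] {key_name} is not a base64-encoded 32-byte key")
        if name == "interface":
            table = s.get("table")
            if table and table not in ("off", "auto", "main") and not table.isdigit():
                problems.append(f"[interface] Table must be off, auto, main or a number, got {table!r}")
        else:
            for cidr in filter(None, (c.strip() for c in s.get("allowedips", "").split(","))):
                try:
                    ipaddress.ip_network(cidr, strict=False)
                except ValueError:
                    problems.append(f"[peer] AllowedIPs entry {cidr!r} is not a valid CIDR")
    return problems


# Constructed test material: an all-zero key is not a usable key, it merely has the right shape.
DUMMY_KEY = base64.b64encode(bytes(32)).decode()

# The Windows config from the guide, the way it tends to arrive after a copy-paste from a web
# page: 'Table: off' instead of 'Table = off', and curly quotes around the PowerShell command.
BROKEN_CONF = f"""
[Interface]
PrivateKey = {DUMMY_KEY}
Address = 194.128.2.2/32
DNS = 192.168.2.1
Table: off
PostUp = powershell -command \u201c$wgInterface = Get-NetAdapter -Name %WIREGUARD_TUNNEL_NAME%\u201d

[Peer]
PublicKey = {DUMMY_KEY}
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
"""
# The same config with both defects corrected.
FIXED_CONF = (BROKEN_CONF.replace("Table: off", "Table = off")
              .replace("\u201c", '"').replace("\u201d", '"'))

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, lint_wg_config(conf) or "OK")
```

Run it as a script to see the two findings on the broken config and a clean result on the fixed one; to lint your own file, pass its contents to lint_wg_config. The parser deliberately splits only on the first “=”, so PowerShell assignments inside PostUp/PreDown values survive intact.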

Additional notes

Alternatively, you can put x.x.x.x in the DNS field in your tunnel config. Windows does not simply send every DNS query through the tunnel: it applies its own per-interface logic to decide which resolver to use, even while you’re connected to a WireGuard VPN.

To avoid DNS leaks, you can use a DNS client for Windows like YogaDNS. It lets you tell apps which DNS servers to use on certain interfaces.

Android

Here’s what you should do on Android:

1. Download the native WireGuard app from the official website or Google Play.


2. Finish the installation.

3. Launch the app.

4. Tap the plus icon.


5. Choose Create from scratch.


6. Come up with a tunnel name.

7. Use these Interface and Peer sections:

    [Interface]
    PrivateKey = <key>
    Address = 194.128.2.2/32

    [Peer]
    PublicKey = <key>
    AllowedIPs = 10.0.0.0/8
    Endpoint = <public IP>:<port>

8. Make sure to leave the DNS field blank.

There you go!

This config should work like a charm. The 10.0.0.0/8 range is just an example: only traffic to addresses listed in AllowedIPs goes through WireGuard, so replace it with whatever subnet you want to send through the tunnel.

macOS

To set up a WireGuard split tunnel on a Mac, do the following:

1. Head to WireGuard’s site or the App Store to download the native client for macOS.


2. Install it.

3. Launch the app.

4. Create a tunnel name.

5. Put these lines in the Interface and Peer sections (AllowedIPs takes a comma-separated list):

    [Interface]
    PrivateKey = <key>
    Address = 194.128.2.2/32

    [Peer]
    PublicKey = <key>
    AllowedIPs = <subnet of your tunnel>, <your macOS device’s IP>
    Endpoint = <public IP>:<port>

As long as you put in the right information in the AllowedIPs field, this config will work.

iOS

Here’s what you should do for iOS:

1. Get the WireGuard client from the App Store or official site.


2. Open the app after installation.

3. Think of a tunnel name.

4. Add these lines to the Interface and Peer sections (AllowedIPs takes a comma-separated list):

    [Interface]
    PrivateKey = <key>
    Address = 194.128.2.2/32

    [Peer]
    PublicKey = <key>
    AllowedIPs = <subnet of your tunnel>, <your iOS device’s IP>
    Endpoint = <public IP>:<port>

Overall, the iOS config is the same as the macOS one. If you’re a huge fan of Apple products, this should make your life easier.
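On Android, macOS and iOS the split tunnel is entirely decided by AllowedIPs: the app installs routes only for the listed networks, so the 10.0.0.0/8 example above and the “subnet of your tunnel” placeholders are the whole mechanism. WireGuard has no “exclude” syntax, so the common wish of “tunnel everything except my LAN” has to be expressed as the complement of the LAN. The Python below is an added example, not code from this guide or from the WireGuard project; it computes that complement, renders it as an AllowedIPs line, and lets you check which destinations would enter the tunnel. The function names and the sample subnets (a 192.168.0.0/24 home LAN and the 169.254.0.0/16 link-local range) are my own choices.

```python
import ipaddress
from typing import Iterable, List, Sequence

# Everything WireGuard can route, per address family.
DEFAULT_UNIVERSE = ("0.0.0.0/0", "::/0")


def allowed_ips_excluding(exclusions: Iterable[str],
                          universe: Sequence[str] = ("0.0.0.0/0",)) -> List[str]:
    """Return the smallest list of CIDRs covering `universe` minus `exclusions`.

    AllowedIPs is a pure allow-list, so to tunnel everything except the LAN you
    enumerate the complement of the LAN. CIDR blocks are either nested or disjoint,
    which is what makes the carve-out below exact.
    """
    remaining = [ipaddress.ip_network(u) for u in universe]
    for exc in (ipaddress.ip_network(e, strict=False) for e in exclusions):
        kept = []
        for net in remaining:
            if net.version != exc.version or not net.overlaps(exc):
                kept.append(net)                        # untouched by this exclusion
            elif net.subnet_of(exc):
                continue                                # swallowed entirely
            else:
                kept.extend(net.address_exclude(exc))   # carve the hole out
        remaining = kept
    result: List[str] = []
    for version in (4, 6):  # collapse_addresses refuses mixed families
        same = [n for n in remaining if n.version == version]
        result.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return result


def is_tunneled(destination: str, allowed_ips: Iterable[str]) -> bool:
    """True if the (single) peer's AllowedIPs would route `destination` into the tunnel."""
    dest = ipaddress.ip_address(destination)
    return any(dest in ipaddress.ip_network(c, strict=False) for c in allowed_ips)


def total_addresses(cidrs: Iterable[str]) -> int:
    """Number of addresses a list covers; handy for checking nothing was lost."""
    return sum(ipaddress.ip_network(c, strict=False).num_addresses for c in cidrs)


def render_allowed_ips(cidrs: Sequence[str]) -> str:
    """Format the list the way it goes into the [Peer] section."""
    return "AllowedIPs = " + ", ".join(cidrs)


if __name__ == "__main__":
    # Constructed example: tunnel all IPv4 except a home LAN and the link-local range.
    split = allowed_ips_excluding(["192.168.0.0/24", "169.254.0.0/16"])
    print(render_allowed_ips(split))
    for host in ("192.168.0.144", "8.8.8.8", "169.254.1.1"):
        print(host, "->", "tunnel" if is_tunneled(host, split) else "direct")
```

Excluding a single /24 from 0.0.0.0/0 yields 24 networks, one per prefix length, which is why these lists look long but are still minimal. Pass DEFAULT_UNIVERSE as the second argument if your tunnel also carries IPv6, and keep in mind that a peer with AllowedIPs = 0.0.0.0/0 on mobile clients captures everything, including the LAN.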




Summary

Manually setting up split tunneling with WireGuard takes effort. Outside of online forums, there aren’t many resources on how to do it.

Luckily, our config guides cover all you need to know. Follow our steps for Windows, Android, macOS, and iOS, and let us know how it turned out!


One thought on “WireGuard Split Tunnel Config Guide for Windows and More”

  1. Hi Rom-jaye Amon.

    I’m using your information for Windows and found some errors/corrections that prevented me from getting this up and running:

    Point 7.
    “Table: off” should be “Table = off”, or it will give an error.

    Point 8.

    “Make sure that the AllowedIPs line in the Peer section says 0.0.0.0/0.”
    This was giving me problems when accessing local resources in some browser tabs, like 192.168.0.144. I changed it to “0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1”; although I don’t understand this fully, I took it from the changes that the WireGuard client applies when you uncheck the box “Block untunneled traffic (kill-switch)”.

    Point 14.

    Add these lines to your config’s Interface section:

    PostUp = powershell -command “$wgInterface = Get-NetAdapter -Name %WIREGUARD_TUNNEL_NAME%; route add 0.0.0.0 mask 0.0.0.0 0.0.0.0 IF $wgInterface.ifIndex metric 9999; Set-NetIPInterface -InterfaceIndex $wgInterface.ifIndex -InterfaceMetric 9999;”

    PreDown = powershell -command “$wgInterface = Get-NetAdapter -Name %WIREGUARD_TUNNEL_NAME%; route delete 0.0.0.0 mask 0.0.0.0 0.0.0.0 if $wgInterface.ifIndex metric 9999; Set-NetIPInterface -InterfaceIndex $wgInterface.ifIndex -InterfaceMetric 9999;”

    The quotes in this example are of the wrong type, not recognized by Windows, so the commands fail (took me a while 😉).
