Split VPN and WireGuard
VPN (Virtual Private Network) is a technology that enables the creation of an encrypted and secure connection from a remote location through the Internet to an internal network (e.g. home or office).
By default, all traffic is routed through the VPN tunnel, but it is also possible to configure the client device so that only specified address spaces are routed through the VPN, while other traffic bypasses the VPN. This concept is called Split VPN. Its implementation varies depending on the VPN technology and software used.
This article discusses how Split VPN can be implemented using WireGuard.
WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances.
WireGuard consists of two components: a server and a client. WireGuard uses public-key cryptography. The server and all connected clients have public keys associated with the tunnel. When the server sends IP packets to a device, it uses the device’s public key to encrypt the packets, and the receiving device can decrypt them using its own private key. This is how the VPN session is created between the client device and the server.
Here is an example of the client configuration:

The configuration file contains an AllowedIPs setting in its [Peer] section. By modifying this, it is possible to restrict which IP addresses or address ranges are permitted for use through the VPN tunnel.
If you set your own network’s public IP address in this field, WireGuard will allow routing traffic only to that address. All other traffic will bypass the WireGuard tunnel. This can, for example, prevent your ISP’s bandwidth from being exhausted if multiple devices are using services like Netflix outside your home. Without this setting, all traffic would be routed through the VPN and would use your network’s bandwidth.
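The following Python script is an added example, not part of the original article: it reads the AllowedIPs entries from a client configuration and reports which destinations go through the tunnel and which bypass it. The configuration text, key placeholders, hostname and addresses are constructed, and the script assumes the client routes exactly the AllowedIPs ranges into the tunnel, as wg-quick does by default.

```python
import ipaddress

# Constructed client configuration; keys, hostname and addresses are placeholders.
CLIENT_CONF = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/32

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.net:51820
AllowedIPs = 203.0.113.10/32, 192.168.1.0/24
"""

def allowed_networks(conf_text):
    """Collect every AllowedIPs entry found in the [Peer] sections."""
    networks, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        if section == "peer" and key.strip().lower() == "allowedips":
            for cidr in value.split(","):
                networks.append(ipaddress.ip_network(cidr.strip(), strict=False))
    return networks

def uses_tunnel(destination, networks):
    """True if traffic to destination falls inside an AllowedIPs range."""
    addr = ipaddress.ip_address(destination)
    return any(addr in net for net in networks)

def is_full_tunnel(networks):
    """A /0 entry (0.0.0.0/0 or ::/0) sends all traffic of that family into the VPN."""
    return any(net.prefixlen == 0 for net in networks)

if __name__ == "__main__":
    nets = allowed_networks(CLIENT_CONF)
    print("full tunnel:", is_full_tunnel(nets))
    for dst in ("203.0.113.10", "192.168.1.20", "198.51.100.7"):
        print(dst, "-> tunnel" if uses_tunnel(dst, nets) else "-> bypass")
```

Replacing the AllowedIPs value with 0.0.0.0/0, ::/0 turns the same configuration back into a full tunnel, which is a quick way to audit client files for unintended routing.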