In my previous post about setting up a wireguard VPN using DigitalOcean we are using a full tunnel VPN for anonymity. This post discusses the main differences between full and split tunnels and how to implement in wireguard. Like in the previous post, you can find the code here.

Full Tunnel

Full tunnel VPNs will send all network traffic through to the VPN. My VPN repository currently uses a full tunnel setup. This allows for internet anonymity.

Split Tunnel

Split tunnel VPNs are great for sending only the necessary network traffic over to the VPN server. This is great if you want to connect to private servers using the VPN but use the internet normally otherwise.

Wireguard Config

The file we need to look at in the repository is ansible/playbooks/roles/wireguard/templates/wg0-client.conf. The following line creates the full tunnel when connected:

AllowedIPs =

This says that every IP is sent through to the VPN.

Configuring Split Tunnel

That line needs to be updated to the private IP range to create a split tunnel. If I had a server that was on the subnet I could specify the following to only route calls to that subnet through the VPN.

AllowedIPs = 

When you reconnect, you will only have that subnet’s traffic routed.

Ubiquiti Rant

One thing I struggled with recently was that Ubiquiti’s L2TP VPN is a split tunnel. I only want to access private IPs but can’t due to the split tunnel using a public IP address. The only way I have to get around this is to create a route to the IPs you want. Here are my commands that I normally use after connecting to the Ubiquiti VPN on Mac OS.

sudo route add -interface ppp0
sudo route add -interface ppp0

You can add routes for whichever IP addresses you want that are local.