I’m a bit confused. I’m fairly certain I’m using split tunnelling with macOS on Wireguard, and I’m fairly certain you are doing so as well.
But why are you adding configurations for every website you want to visit to your VPN config? Surely it’s much saner to list the (hopefully static or subnetted) resources in your company, and then let everything else go through your home network?
iaaan•3h ago
It's AI slop. Split tunneling is one of the most basic things you can configure in Wireguard.
scottydelta•2h ago
It's not AI slop, it's 100 percent written by me. I don't think AI can come up with screenshots/gifs and build process etc of my effort. I am very interested in seeing split tunneling on MacOS on wireguard.
Infact you search Google for 'split tunneling on macos in wireguard ', even Google will tell you that it's only supported via terminal and that's what I did:
> While WireGuard itself doesn't inherently offer split tunneling on macOS, it's possible to achieve this functionality through manual configuration or using a third-party VPN client that supports it. Some VPN providers like Mullvad VPN and ExpressVPN include split tunneling features in their macOS apps. Alternatively, you can configure split tunneling manually using macOS Network settings and Terminal commands, though this method is more complex and may not be suitable for all users.
scottydelta•2h ago
I am not adding IP of every website I want to visit.
I am adding IP of the website that I don't want to traffic through my VPN. It's my private vpn with pihole on it which is always running. Right now you cannot blacklist traffic for ips on wireguard as in not send traffic of an IP via wireguard.
May be my use of split tunneling terminology is wrong?
slau•1h ago
Yes, it is wrong. You just misunderstand how routing works.
Say you’re at work, and the office router (192.168.1.1) gives you access to 10.3.0.0/16. This is where your company’s cloud is or whatever. You want all your traffic to go through your home network for whatever convoluted reason, except for the 10.3 stuff.
You just add
PreUp = ip route add 10.3.0.0/16 via 192.168.1.1 dev eth0
And
AllowedIPs = 0.0.0.0/0
(Edit: remember to add a post up)
And bam, you’re done. No crazy allowedip rules. When your computer generates packets to the company cloud, your OS won’t even try to talk to the VPN. Because the route table makes it go somewhere else entirely.
I don’t know if this was the exact use-case you described in your blog, but I’m sure you can figure it out from here.
> The official macOS app doesn’t support that as it integrates with the VPNKit API to support macOS features like on demand VPN. But you could install wg-quick vie homebrew I believe that could support every option Linux does. But not sure as I am not using the brew version but only the App as the on demand feature is more important to me.
slau•3h ago
But why are you adding configurations for every website you want to visit to your VPN config? Surely it’s much saner to list the (hopefully static or subnetted) resources in your company, and then let everything else go through your home network?
iaaan•3h ago
scottydelta•2h ago
Infact you search Google for 'split tunneling on macos in wireguard ', even Google will tell you that it's only supported via terminal and that's what I did:
> While WireGuard itself doesn't inherently offer split tunneling on macOS, it's possible to achieve this functionality through manual configuration or using a third-party VPN client that supports it. Some VPN providers like Mullvad VPN and ExpressVPN include split tunneling features in their macOS apps. Alternatively, you can configure split tunneling manually using macOS Network settings and Terminal commands, though this method is more complex and may not be suitable for all users.
scottydelta•2h ago
Here is a reddit thread from Wireguard subreddit discussing this problem and please read the comments how split tunneling is not supported: https://www.reddit.com/r/WireGuard/s/0Tdf0P9mNj
slau•2h ago
I think maybe you just misunderstand how the wireguard config works.
scottydelta•2h ago
Even this article shows a python script approach so I made mine as a client. https://www.lautenbacher.io/en/lamp-en/wireguard-exclude-a-s...
May be my use of split tunneling terminology is wrong?
slau•1h ago
Say you’re at work, and the office router (192.168.1.1) gives you access to 10.3.0.0/16. This is where your company’s cloud is or whatever. You want all your traffic to go through your home network for whatever convoluted reason, except for the 10.3 stuff.
You just add
PreUp = ip route add 10.3.0.0/16 via 192.168.1.1 dev eth0
And
AllowedIPs = 0.0.0.0/0
(Edit: remember to add a post up)
And bam, you’re done. No crazy allowedip rules. When your computer generates packets to the company cloud, your OS won’t even try to talk to the VPN. Because the route table makes it go somewhere else entirely.
I don’t know if this was the exact use-case you described in your blog, but I’m sure you can figure it out from here.
Oh and this is also fully documented online in many places, including the AllowedIPs Calculator: https://www.procustodibus.com/blog/2021/03/wireguard-allowed...
scottydelta•1h ago
From the above thread:
> The official macOS app doesn’t support that as it integrates with the VPNKit API to support macOS features like on demand VPN. But you could install wg-quick vie homebrew I believe that could support every option Linux does. But not sure as I am not using the brew version but only the App as the on demand feature is more important to me.