Configure WireGuard VPN Split Tunneling on Arch Linux

Split tunneling allows you to route only specific traffic through your VPN while letting other traffic use your regular internet connection. This guide shows you how to configure WireGuard with split tunneling on Arch Linux for optimal performance and flexibility.

Time Required: 20-30 minutes
Difficulty Level: Intermediate
Prerequisites:

  • Arch Linux system with sudo access
  • Active internet connection
  • WireGuard server details (endpoint, keys, port)

Step 1: Install WireGuard

Update your system:

sudo pacman -Syu

Install wireguard-tools package:

sudo pacman -S wireguard-tools

Verify installation:

wg --version

Step 2: Generate WireGuard Keys

Create private and public keys for your client:

# Create directory for keys
mkdir -p ~/wireguard
cd ~/wireguard

# Generate private key
umask 077
wg genkey > privatekey

# Generate public key from private key
wg pubkey < privatekey > publickey

View your keys:

cat privatekey
cat publickey

Important: Share only your public key with the VPN server administrator.

Step 3: Create Split Tunnel Configuration

Create the WireGuard configuration file:

sudo nano /etc/wireguard/wg0.conf

Add this split tunnel configuration:

[Interface]
# Your client's VPN IP address
Address = 10.0.0.2/32
PrivateKey = YOUR_PRIVATE_KEY_HERE
# DNS servers (optional)
DNS = 1.1.1.1, 1.0.0.1

[Peer]
# Server's public key
PublicKey = SERVER_PUBLIC_KEY_HERE
# Server endpoint (IP:Port)
Endpoint = YOUR_SERVER_IP:51820
# Split tunnel: only route specific networks through VPN
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24
# Keep connection alive (optional)
PersistentKeepalive = 25

Replace these values:

  • YOUR_PRIVATE_KEY_HERE – Your private key from Step 2
  • SERVER_PUBLIC_KEY_HERE – Server’s public key (provided by admin)
  • YOUR_SERVER_IP – Your WireGuard server IP address
  • 10.0.0.2/32 – Your assigned VPN IP (ask your admin)

Key Configuration Details:

The AllowedIPs field defines which traffic routes through VPN:

  • Full tunnel: 0.0.0.0/0 = all traffic through VPN
  • Split tunnel: Specific networks only (e.g., 10.0.0.0/24)

Step 4: Configure Split Tunnel for Specific Networks

Example 1: Access Home Network Only

Route only your home network (192.168.1.0/24) through VPN:

[Peer]
PublicKey = SERVER_PUBLIC_KEY_HERE
Endpoint = YOUR_SERVER_IP:51820
AllowedIPs = 192.168.1.0/24

Example 2: Access Multiple Private Networks

Route multiple private networks:

[Peer]
PublicKey = SERVER_PUBLIC_KEY_HERE
Endpoint = YOUR_SERVER_IP:51820
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24, 172.16.0.0/16

Example 3: Route Specific Websites Through VPN

To route specific websites (e.g., accessing geo-restricted content), first find the IP addresses:

dig +short example.com

Then add those IPs to AllowedIPs:

AllowedIPs = 93.184.216.34/32, 10.0.0.0/24

Keep in mind that a host route only matches the exact address you listed. Many sites sit behind CDNs and resolve to several addresses that change over time, so /32 entries like this need to be re-checked with dig from time to time.

Step 5: Set Correct Permissions

Protect your configuration file:

sudo chmod 600 /etc/wireguard/wg0.conf
sudo chown root:root /etc/wireguard/wg0.conf

Verify permissions:

ls -la /etc/wireguard/wg0.conf

Should show: -rw------- 1 root root

Step 6: Start WireGuard Connection

Start the VPN connection:

sudo wg-quick up wg0

Check connection status:

sudo wg show

You should see output showing:

  • Interface: wg0
  • Public key
  • Peer information
  • Latest handshake timestamp
  • Data transfer statistics

Step 7: Verify Split Tunneling Works

Test 1: Check Your Public IP

Because only the AllowedIPs networks go through the tunnel, your public IP should remain unchanged:

curl ifconfig.me

This should show your regular ISP IP address (not VPN IP).

Test 2: Verify VPN Network Access

Ping a device on your VPN network:

ping 10.0.0.1

If this works, split tunneling is configured correctly.

Test 3: Check Routing Table

View active routes:

ip route show

You should see specific routes for your AllowedIPs through the wg0 interface.
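To make Test 3 repeatable, the following script (an added example, not part of the original guide) parses the output of ip -4 route show and reports whether the default route has been taken over by wg0 and whether every AllowedIPs prefix actually has a route through the tunnel. The embedded route table is a constructed sample matching Example 3 in Step 4; the interface name wg0 and the AllowedIPs values are the page's own.

```python
import re
import subprocess

ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)")

# Constructed sample of `ip -4 route show` on a correctly split-tunneled client
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.50 metric 100
10.0.0.0/24 dev wg0 scope link
93.184.216.34 dev wg0 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""

def parse_routes(text):
    """Parse route lines into (destination, gateway-or-None, device) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue                      # blackhole/unreachable lines carry no dev
        dst = m.group("dst")
        if dst == "default":              # normalise so it compares to 0.0.0.0/0
            dst = "0.0.0.0/0"
        elif "/" not in dst:              # `ip route` prints host routes without /32
            dst += "/32"
        routes.append((dst, m.group("via"), m.group("dev")))
    return routes

def check_split_tunnel(routes, allowed_ips, iface="wg0"):
    """Return a list of problems; an empty list means the split tunnel looks right."""
    problems = []
    default_devs = {dev for dst, _, dev in routes if dst == "0.0.0.0/0"}
    if not default_devs:
        problems.append("no default route at all")
    elif iface in default_devs:
        problems.append(f"default route goes through {iface}: this is a full tunnel")
    tunnel_dsts = {dst for dst, _, dev in routes if dev == iface}
    for net in allowed_ips:
        if net not in tunnel_dsts:
            problems.append(f"no route for {net} via {iface}")
    return problems

if __name__ == "__main__":
    live = subprocess.run(["ip", "-4", "route", "show"], capture_output=True, text=True).stdout
    for p in check_split_tunnel(parse_routes(live), ["10.0.0.0/24", "93.184.216.34/32"]):
        print("PROBLEM:", p)
```

Run it on the live machine after wg-quick up wg0; no output means the routing table matches your AllowedIPs and the default route is still on the regular interface.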

Step 8: Enable WireGuard on Boot

To automatically start WireGuard at system boot:

sudo systemctl enable wg-quick@wg0

Start the service:

sudo systemctl start wg-quick@wg0

Check service status:

sudo systemctl status wg-quick@wg0

Step 9: Manage WireGuard Connection

Stop the VPN:

sudo wg-quick down wg0

Restart the VPN:

sudo wg-quick down wg0
sudo wg-quick up wg0

View connection statistics:

sudo wg show wg0

Disable autostart:

sudo systemctl disable wg-quick@wg0

Step 10: Advanced Split Tunneling Configuration

Policy-Based Routing by Source Address

For finer control than AllowedIPs alone, use policy-based routing. The rules below send every packet sourced from the client's VPN address (10.0.0.2) through a separate routing table (200) whose default route goes to the VPN gateway, while the main table, and with it all other traffic, is left untouched. Add to your configuration:

[Interface]
Address = 10.0.0.2/32
PrivateKey = YOUR_PRIVATE_KEY_HERE
PostUp = ip rule add from 10.0.0.2 table 200
PostUp = ip route add default via 10.0.0.1 table 200
PreDown = ip rule del from 10.0.0.2 table 200
PreDown = ip route del default via 10.0.0.1 table 200

[Peer]
PublicKey = SERVER_PUBLIC_KEY_HERE
Endpoint = YOUR_SERVER_IP:51820
AllowedIPs = 10.0.0.0/24

Exclude Specific IPs from VPN

To exclude certain traffic from the VPN (inverse split tunneling), list the address space you do want tunneled as a set of specific prefixes instead of 0.0.0.0/0. Leave the VPN server's own endpoint address out of the list as well: wg-quick installs its loop-avoiding fwmark rule only for a /0 route, so if the endpoint falls inside one of these prefixes the encrypted packets to it are themselves routed into wg0 and dropped.

Example excluding local network 192.168.1.0/24:

AllowedIPs = 0.0.0.0/1, 128.0.0.0/2, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.168.0.0/24, 192.168.2.0/23, 192.168.4.0/22, 192.168.8.0/21, 192.168.16.0/20, 192.168.32.0/19, 192.168.64.0/18, 192.168.128.0/17, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 224.0.0.0/3
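Typing that list by hand is error-prone. The following script (an added example, not part of the original guide) computes it with Python's ipaddress module for any set of excluded networks, and goes one step beyond the text by also excluding the server endpoint, which has to stay off the tunnel so that the encrypted packets to it are not routed into wg0. The endpoint value 203.0.113.5 is a constructed placeholder for YOUR_SERVER_IP.

```python
import ipaddress

def allowed_ips_excluding(excluded, universe="0.0.0.0/0"):
    """Return the CIDR prefixes covering `universe` minus every network in `excluded`.

    CIDR blocks either nest or are disjoint, so each excluded network is carved
    out of whichever remaining block contains it; address_exclude yields the
    sibling prefix at every depth from that block down to the excluded one.
    """
    remaining = [ipaddress.ip_network(universe)]
    for ex in (ipaddress.ip_network(e) for e in excluded):
        carved = []
        for net in remaining:
            if not net.overlaps(ex):
                carved.append(net)                      # untouched by this exclusion
            elif ex.subnet_of(net):
                carved.extend(net.address_exclude(ex))  # keep everything around ex
            # else: net lies entirely inside ex and is dropped
        remaining = carved
    return [str(n) for n in sorted(remaining)]

def allowed_ips_line(excluded):
    """Render the result as a ready-to-paste wg0.conf line."""
    return "AllowedIPs = " + ", ".join(allowed_ips_excluding(excluded))

def routes_via_vpn(allowed, ip):
    """True if `ip` would be sent into the tunnel under this AllowedIPs list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in allowed)

if __name__ == "__main__":
    # Constructed values: keep the home LAN and the placeholder server endpoint
    # on the normal link, tunnel everything else.
    lan, endpoint = "192.168.1.0/24", "203.0.113.5/32"
    print(allowed_ips_line([lan, endpoint]))
```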

Troubleshooting

Connection Not Establishing

Check configuration syntax:

sudo wg-quick up wg0

Look for error messages about invalid keys or IP addresses.

Cannot Access VPN Network

Verify AllowedIPs includes the target network:

sudo wg show wg0 allowed-ips

Check server-side firewall allows your connection.

DNS Not Working

Add DNS servers to your configuration:

[Interface]
Address = 10.0.0.2/32
PrivateKey = YOUR_PRIVATE_KEY_HERE
DNS = 1.1.1.1, 8.8.8.8

wg-quick applies the DNS= line through resolvconf, so the openresolv or systemd-resolvconf package must be installed. In a split tunnel, a resolver that lives inside the VPN network (for example 10.0.0.1) is only reachable if its address is covered by AllowedIPs; public resolvers like the ones above are reached over the normal link.

Split Tunnel Not Working

Check routing table:

ip route show

Ensure default route still points to your regular gateway, not wg0.

Handshake Fails

Check if server endpoint is reachable:

ping YOUR_SERVER_IP

Verify server port (usually 51820) isn’t blocked:

sudo nmap -sU -p 51820 YOUR_SERVER_IP

Note that WireGuard deliberately stays silent to packets that do not authenticate, so nmap reports the port as open|filtered whether or not the server is listening. A recent "latest handshake" in wg show is the only reliable sign that the endpoint is reachable.

Useful Commands Reference

# Start VPN
sudo wg-quick up wg0

# Stop VPN
sudo wg-quick down wg0

# Show status
sudo wg show

# Show specific interface
sudo wg show wg0

# Reload configuration (runs wg syncconf: key and peer changes are applied,
# but routes for new AllowedIPs need a down/up)
sudo systemctl reload wg-quick@wg0

# View logs
sudo journalctl -u wg-quick@wg0 -f

# Test connectivity
ping -I wg0 10.0.0.1

# Check routing
ip route show table all

Security Best Practices

  1. Protect private keys – Never share your private key
  2. Use strong encryption – WireGuard uses modern cryptography by default
  3. Regular key rotation – Generate new keys periodically
  4. Firewall rules – Configure firewall for VPN interface
  5. Monitor connections – Regularly check wg show for unexpected peers
  6. Secure storage – Keep configuration files readable only by root

Common Split Tunnel Use Cases

1. Remote Office Access

Route only office network through VPN:

AllowedIPs = 172.16.0.0/12

2. Streaming + Security

Route streaming services normally, secure banking through VPN:

AllowedIPs = 10.0.0.0/24, YOUR_BANK_IP/32

3. Development Environment

Access development servers through VPN:

AllowedIPs = 10.10.0.0/16, 192.168.100.0/24

4. Gaming + Work

Keep gaming traffic on regular connection (low latency):

AllowedIPs = 10.0.0.0/24, 172.16.0.0/16

Performance Optimization

Multithreading

There is nothing to enable here: the in-kernel WireGuard implementation already spreads encryption and decryption work across all CPU cores on multi-core systems.

Adjust MTU

If experiencing performance issues, adjust MTU:

[Interface]
Address = 10.0.0.2/32
MTU = 1420
PrivateKey = YOUR_PRIVATE_KEY_HERE

Typical MTU values:

  • Standard Ethernet: 1500
  • WireGuard default: 1420
  • PPPoE connections: 1492

Monitor Bandwidth

Check data transfer:

sudo wg show wg0 transfer

Conclusion

You’ve successfully configured WireGuard with split tunneling on Arch Linux. This setup gives you the flexibility to route only specific traffic through your VPN while maintaining optimal performance for other connections. Similar to how we secured SSH access with fail2ban and automated ZFS snapshots with Sanoid, WireGuard split tunneling provides another layer of network security and efficiency.
