Server-side split tunnelling

Hi there!
There is an Ubuntu VPS used as a Firezone server that is intended to bypass state censorship content blocking for a relatively large group of devices (say, 50).
So here is the question: is there a way to configure split tunnelling on the server itself rather than on the clients?
E.g., to force the server to push the correct routes to the clients on connect and/or re-route traffic back to the clients' default gateway except for a certain list of IPs.
The reason is that our VPS tariff is limited to a certain amount of traffic, so the goal we would like to achieve is to avoid exceeding the limits and to route traffic through the VPN for the blocked resources only, however with no need for the clients to disconnect the VPN every time they need to access the resources available without the VPN. I am aware of the fact that it's achievable via the AllowedIPs section on the client, but this way the client is able to edit the config, and so it may lead to traffic overuse. Also, if the list of AllowedIPs changes for some reason, all the client configs have to be recreated and installed on the client side, and that's quite a resource-intensive task.

Thanks for the question! Unfortunately this isn’t possible with vanilla WireGuard and would require custom client apps and a control layer for pushing routes down to the client. We’re planning to implement this but are probably a ways away.

I know it’s not a perfect solution, but perhaps you could accomplish this in the meantime with egress Rules that whitelist only the IPs you want routed through Firezone?

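To make the two halves of this thread concrete, here is an added example (not Firezone's code and not from either poster) that builds the client-side AllowedIPs value the question mentions and, from the same allow-list, the server-side forward rules the reply suggests as the interim enforcement point. The "route only these" form and the "everything except these" form are both computed, since WireGuard has no exclusion syntax and the complement must be spelled out prefix by prefix. The interface names (`wg-firezone`, `eth0`), the endpoint and the documentation prefixes are constructed placeholders, and the nftables fragment is a generic forward-chain illustration rather than Firezone's own egress rule format.

```python
"""Split-tunnel helper for a WireGuard/Firezone-style deployment (added example).

Client view : an AllowedIPs value that sends only the listed destinations
              through the tunnel, or a full tunnel minus excluded ranges.
Server view : nftables forward rules that only let tunnel traffic out to the
              same destinations, so a client that widens its own AllowedIPs
              still cannot push unrelated traffic through the VPS.
Interface names, endpoint and prefixes below are constructed placeholders.
"""
import ipaddress
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def normalize(prefixes: Iterable[str]) -> List[Net]:
    """Parse prefixes (bare hosts become /32 or /128), drop duplicates and
    merge adjacent or overlapping ranges. v4 and v6 are collapsed separately."""
    v4, v6 = [], []
    for p in prefixes:
        if not p.strip():
            continue
        net = ipaddress.ip_network(p.strip(), strict=False)
        (v4 if net.version == 4 else v6).append(net)
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def allowed_ips_include(prefixes: Iterable[str]) -> str:
    """Client-side split tunnel: only the listed destinations use the tunnel."""
    return ", ".join(str(n) for n in normalize(prefixes))


def allowed_ips_exclude(excluded: Iterable[str], version: int = 4) -> str:
    """Client-side full tunnel minus `excluded` (e.g. the local LAN), expressed
    as the complement of the excluded ranges inside 0.0.0.0/0 or ::/0."""
    everything = ipaddress.ip_network("0.0.0.0/0" if version == 4 else "::/0")
    remaining: List[Net] = [everything]
    for ex in normalize(excluded):
        if ex.version != version:
            continue
        nxt: List[Net] = []
        for net in remaining:
            if ex.subnet_of(net):        # carve ex out of net (nothing left if equal)
                nxt.extend(net.address_exclude(ex))
            elif net.subnet_of(ex):      # net lies entirely inside an excluded range
                continue
            else:
                nxt.append(net)
        remaining = nxt
    return ", ".join(str(n) for n in ipaddress.collapse_addresses(remaining))


def covers(allowed_ips: str, ip: str) -> bool:
    """True if `ip` would be routed into the tunnel by this AllowedIPs value."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in normalize(allowed_ips.split(",")))


def render_peer(public_key: str, endpoint: str, allowed_ips: str) -> str:
    """[Peer] section of a client config using the computed AllowedIPs."""
    return "\n".join([
        "[Peer]",
        f"PublicKey = {public_key}",
        f"Endpoint = {endpoint}",
        f"AllowedIPs = {allowed_ips}",
        "PersistentKeepalive = 25",
    ])


def nft_forward_rules(prefixes: Iterable[str], wg_if: str = "wg-firezone",
                      out_if: str = "eth0") -> List[str]:
    """Server-side enforcement of the same allow-list: accept tunnel traffic
    bound for listed destinations, drop everything else leaving via out_if."""
    rules = []
    for n in normalize(prefixes):
        fam = "ip" if n.version == 4 else "ip6"
        rules.append(f"iifname {wg_if} oifname {out_if} {fam} daddr {n} accept")
    rules.append(f"iifname {wg_if} oifname {out_if} drop")
    return rules


if __name__ == "__main__":
    # Constructed sample allow-list of "blocked resources" (documentation prefixes).
    blocked = ["203.0.113.0/25", "203.0.113.128/25", "198.51.100.7", "2001:db8::/32"]
    allowed = allowed_ips_include(blocked)
    print(render_peer("<server-public-key>", "vpn.example.invalid:51820", allowed))
    print("\nnft forward chain fragment:")
    for rule in nft_forward_rules(blocked):
        print("   ", rule)
    print("\nfull tunnel minus LAN:", allowed_ips_exclude(["192.168.0.0/16", "10.0.0.0/8"]))
```

The server-side rules cap the traffic the VPS will carry no matter what a client puts in AllowedIPs, which addresses the overuse concern; they do not solve the second problem in the question, because a client whose config still routes everything through the tunnel simply loses access to non-listed destinations (the server drops them rather than handing them back to the client's default gateway), and changing the list still means regenerating client configs. Keeping both outputs derived from one allow-list at least keeps the client and server views from drifting apart.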