9 April 2020

Creating a Split-tunnel user in PiVPN



Okay. So we’ve gone over creating users. In doing so we’ve gone over creating a user that would have a “full” vpn by using the default configuration that happens when you create a user with PiVPN…. But how do we set up a user with a “split-tunnel” vpn, in which only traffic destined for your home network goes thru your RPi?

What exactly is this “split-tunnel”? In a split-tunnel VPN, the endpoint device decides where to route its traffic based on its configuration: it routes traffic for your home network over the VPN, while routing all other traffic directly out to the Internet.

This split-tunnel setup is actually my ideal one. It is also ideal if you just wish to use your Pi-Hole for DNS queries when you are not at home.

Because PiVPN makes things so easy, I currently just create two profiles for my devices. One full and one split-tunnel. However, I seem to be primarily using only the split-tunnel. So who knows… I’ll probably change this practice of mine in the future and just create the one profile, but for now I’m keeping both.

Okay. I’ve talked long enough about split-tunnels. How do we make this magic happen? Lets dive in…

We will add a user just as we did previously, then edit its configuration file to allow for the split tunnel. To add your split-tunnel user, run the following command.

pivpn add

Then add the name of your split-tunnel user.
In my example, my user is named “P-W-W-F-split”

The next step is to open and edit the configuration file with the following command.

sudo nano /etc/wireguard/configs/P-W-W-F-split.conf

A full tunnel will have the line:

AllowedIPs = 0.0.0.0/0, ::0/0

That is the line we want to change. The split tunnel config would be modified to show the subnet of your home network. This is the magic line that makes this a split-tunnel.

AllowedIPs = 192.168.1.0/24


*Note: It’s been mentioned in the comments that for this split tunnel to work correctly, folks have had to also add the VPN network’s range to the allowed networks for things to work as expected. That updated line is:

AllowedIPs = 10.6.0.0/24, 192.168.1.0/24

I’m not going to re-edit the images as I am no longer using this as my VPN solution. I only wanted to leave this note here for those that are following thru my tutorial so that they don’t become stuck.
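As an added example that is not part of the original tutorial or of PiVPN, the following Python script performs the AllowedIPs edit described above programmatically and checks the point raised in the note: with only the home LAN listed, the DNS server the client config points at (10.6.0.1, which sits on PiVPN’s 10.6.0.0/24 WireGuard subnet) is not covered by AllowedIPs, so DNS queries never enter the tunnel, which is consistent with the “LAN works but the Internet doesn’t” reports in the comments. The sample config text, the key placeholders, the `vpn.example.invalid` endpoint and the function names (`to_split_tunnel`, `dns_covered`, `lint_split_tunnel`) are all constructed for this example.

```python
import ipaddress
import re

# Constructed sample of the kind of client config `pivpn add` writes.
# Key values are placeholders, not real WireGuard keys.
FULL_TUNNEL_CONF = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.6.0.2/24
DNS = 10.6.0.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
PresharedKey = PRESHARED_KEY_PLACEHOLDER
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0, ::0/0
"""

HOME_LAN = "192.168.1.0/24"  # home subnet used in the tutorial (assumption)
VPN_NET = "10.6.0.0/24"      # PiVPN's WireGuard subnet, per the note above

ALLOWED_RE = re.compile(r"^AllowedIPs\s*=\s*(.*)$", re.MULTILINE)


def parse_allowed_ips(conf):
    """Return the CIDR entries of the single AllowedIPs line, as strings."""
    matches = ALLOWED_RE.findall(conf)
    if len(matches) != 1:
        raise ValueError(f"expected exactly one AllowedIPs line, found {len(matches)}")
    return [p.strip() for p in matches[0].split(",") if p.strip()]


def is_full_tunnel(conf):
    """A config is full-tunnel if any AllowedIPs entry is a default route (/0)."""
    return any(ipaddress.ip_network(p, strict=False).prefixlen == 0
               for p in parse_allowed_ips(conf))


def to_split_tunnel(conf, networks):
    """Rewrite AllowedIPs so that only `networks` are routed through the tunnel."""
    for net in networks:
        ipaddress.ip_network(net, strict=True)  # rejects typos like 192.168.1.1/24
    parse_allowed_ips(conf)  # ensures exactly one AllowedIPs line exists
    new_line = "AllowedIPs = " + ", ".join(networks)
    return ALLOWED_RE.sub(new_line, conf)


def dns_covered(conf):
    """True if every DNS server in the config lies inside some AllowedIPs
    network, i.e. DNS queries will actually travel over the tunnel."""
    m = re.search(r"^DNS\s*=\s*(.*)$", conf, re.MULTILINE)
    if not m:
        return True  # no tunnel DNS configured, nothing to route
    allowed = [ipaddress.ip_network(p, strict=False) for p in parse_allowed_ips(conf)]
    for server in (s.strip() for s in m.group(1).split(",") if s.strip()):
        addr = ipaddress.ip_address(server)
        if not any(addr in net for net in allowed):
            return False
    return True


def lint_split_tunnel(conf):
    """Return a list of problems with a split-tunnel config (empty if it looks fine)."""
    problems = []
    if is_full_tunnel(conf):
        problems.append("AllowedIPs still contains a default route; this is a full tunnel")
    if not dns_covered(conf):
        problems.append("DNS server is outside AllowedIPs; name resolution fails away from home")
    return problems


if __name__ == "__main__":
    lan_only = to_split_tunnel(FULL_TUNNEL_CONF, [HOME_LAN])
    print("Home LAN only:", lint_split_tunnel(lan_only))
    fixed = to_split_tunnel(FULL_TUNNEL_CONF, [VPN_NET, HOME_LAN])
    print("With VPN subnet added:", lint_split_tunnel(fixed))
    print(fixed)
```

Run it against a real client config by reading the file into `conf` instead of using the constructed sample; the lint step is the check worth keeping, since a config that passes `is_full_tunnel` but fails `dns_covered` reproduces exactly the symptom the commenters describe.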


The updated configs can be copied to the home config directory if you choose. This makes it easier if you are going to manually transfer a config file to a device, but I usually don’t, and just use the QR code mentioned in the next article.

To copy or backup your configuration files use the following command:

cp /etc/wireguard/configs/P-W-W-F.conf /home/pi/configs/P-W-W-F.conf
cp /etc/wireguard/configs/P-W-W-F-split.conf /home/pi/configs/P-W-W-F-split.conf


Next Article in this series: Part 6: Setup PiVPN Endpoint Device


Posted April 9, 2020 by IT.G.c in category "Linux", "RaspberryPi", "Raspbian", "VPN"

12 COMMENTS :

  1. By CDiaz on

    Hello,

    I followed your directions, and the Full VPN works with no issues on either my internal/local network or on the internet. However, when I attempt to use your instructions to create a Split-Tunnel VPN, I can browse the internal/local network, but I cannot cannot browse anything in the internet. I tested this by putting my phone on 4G, and using the Wireguard VPN Client software. My settings seem correct. Any help would be appreciated.

    Reply
    1. By IT.PWWF on

      The config file of your split tunnel config will need to be modified to show the subnet of your home network.
      In the examples I used, you’d need to replace the line
      AllowedIPs = 0.0.0.0/0, ::0/0 with AllowedIPs = 192.168.1.0/24

      Reply
      1. By RW on

        I have the same issue. If I set AllowedIPs to my home LAN (192.168.2.0/24) I can ping a server on my home lan (192.168.2.15) but my internet traffic is killed (I can’t ping google.com).

        Reply
  2. By Kirk Foster on

    The instructions for creating the Split configuration are not totally correct.

    Add this to the allowed IP addresses: 10.6.0.0/24.

    Reply
  3. By Alberto on

    What solution are you using now, if you can share it.

    Thank you for the tutorial

    Reply
    1. By IT.PWWF on

      You’re welcome for the tutorial.
      I’m currently using the VPN solution that is baked into the Ubiquity UDM.

      Reply
  4. By Mike Campbell on

    Do you have setup info for using a UDM? I have that too. Is it better than the pivpn route?

    Reply
  5. By Luca Damo on

    What VPN solution are you using nowadays?
    Why did you switch?

    Thanks

    Reply
    1. By IT.PWWF on

      I’m currently using an L2TP (Layer 2 Tunnel Protocol) VPN option provided in my Ubiquiti UniFi hardware after a hardware refresh.

      Reply
  6. By Parkuozi on

    IT.PWWF

    Thanks for the clear instructions and thanks to Kirk Foster for catching and sharing this. As a complete newbie who just follows the instructions without actually understanding it completely, I really appreciate the time spent in sharing the knowledge by all not only on this site but on the many others out there.

    I set up Adguard home and Pivpn on a RPI 4 with two clients for my phone, one configured for split tunnel.

    I would like to be able to set up a third client where the phone cannot access the resources on the local network. I haven’t been able to find any easy to follow instructions. Do hope you can help TIA

    Reply
    1. By IT on

      I think you’re missing the purpose of a VPN. It’s for accessing the local network remotely. I know you’re probably just trying to give them access to your Adguard, but I don’t think you’re going to find an easy solution. I can think of enterprise grade solutions to accomplish asked task, but I think you’ll be outta luck trying to do that on PiVPN – at least very easily.

      Reply
