Creating a Split-tunnel user in PiVPN
- Part 1: Enable SSH
- Part 2: Install Pi-Hole (optional, but highly encouraged)
- Part 3: Install PiVPN
- Part 4: Create a Full-tunnel user in PiVPN
- Part 5: Create a Split-tunnel user in PiVPN
- Part 6: Setup PiVPN Endpoint Device
- Part 7: Remove PiVPN user/client
Okay. So we’ve gone over creating users, and in doing so we created a user with a “full” VPN by keeping the default configuration PiVPN produces when you add a user. But how do we set up a user with a “split-tunnel” VPN, in which only traffic destined for your home network goes through your RPi?
What exactly is this “split-tunnel”? In a split-tunnel VPN, the endpoint device decides where to route its traffic based on the routing rules in its configuration. It routes traffic to your home network over the VPN, while routing all other traffic directly out to the Internet.
This split-tunneling is actually my ideal setup. It is also ideal if you just want to use your Pi-Hole for DNS queries when you are not at home.
Because PiVPN makes things so easy, I currently just create two profiles for my devices: one full and one split-tunnel. However, I seem to be primarily using only the split-tunnel. So who knows… I’ll probably change this practice of mine in the future and just create the one profile, but for now I’m keeping both.
Okay. I’ve talked long enough about split-tunnels. How do we make this magic happen? Let’s dive in…
We will add a user just as we did previously, then edit its configuration file to allow for the split tunnel. To add your split-tunnel user, type the following command.
pivpn add
Then add the name of your split-tunnel user.
In my example, my user is named “P-W-W-F-split”
The next step is to open and edit the configuration file with the following command.
sudo nano /etc/wireguard/configs/P-W-W-F-split.conf
A full tunnel will have the line:
AllowedIPs = 0.0.0.0/0, ::0/0
That is the line we want to change. In the split-tunnel config, replace it with the subnet of your home network. This is the magic line that makes this a split-tunnel.
AllowedIPs = 192.168.1.0/24
*Note: It’s been mentioned in the comments that for this split tunnel to work correctly, folks have also had to add the VPN network’s range to the allowed networks for things to work as expected. That updated line is:
AllowedIPs = 10.6.0.0/24, 192.168.1.0/24
I’m not going to re-edit the images as I am no longer using this as my VPN solution. I only wanted to leave this note here for those that are following through my tutorial so that they don’t become stuck.
The updated configs can be copied to the home config directory if you choose. This makes it easier if you are going to manually transfer a config file to a device, but I usually don’t, and just use the QR code mentioned in the next article.
To copy or backup your configuration files use the following command:
cp /etc/wireguard/configs/P-W-W-F.conf /home/pi/configs/P-W-W-F.conf
cp /etc/wireguard/configs/P-W-W-F-split.conf /home/pi/configs/P-W-W-F-split.conf
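The whole procedure above (take the client config `pivpn add` wrote, swap the full-tunnel `AllowedIPs` line for the home subnet plus the VPN range, and keep a backup copy) as a small POSIX shell script. This is an added example, not code from the post or from PiVPN. It works on a constructed sample config that mimics PiVPN’s output; the key strings are placeholders, `vpn.example.com` is a made-up endpoint, and the 10.6.0.0/24 tunnel range and 192.168.1.0/24 LAN are the values from the post. It also goes slightly beyond the post by taking the allowed list as a parameter and by including a check that tells a full tunnel from a split one, which is a quick way to confirm which profile a device is about to load.

```shell
#!/bin/sh
# Added example, not code from the original post or from PiVPN itself.
# Turns a PiVPN-generated full-tunnel WireGuard client config into a split-tunnel
# one by rewriting only the AllowedIPs line, and backs the original up first.
# 10.6.0.0/24 (tunnel) and 192.168.1.0/24 (LAN) are the values used in the post;
# key strings and the endpoint hostname below are placeholders.

# Print the value of the AllowedIPs line of a client config.
allowed_ips_of() {
  sed -n 's/^AllowedIPs = //p' "$1"
}

# Succeed (exit 0) when the config is a split tunnel, i.e. it no longer routes
# the whole IPv4 Internet (0.0.0.0/0) through the Pi.
is_split_tunnel() {
  ! allowed_ips_of "$1" | grep -q '0\.0\.0\.0/0'
}

# Rewrite AllowedIPs in $1 to the comma-separated list in $2, keeping every
# other line (keys, Endpoint, DNS) untouched. The full-tunnel original is kept
# as "$1.bak" so the change can be reverted.
make_split_tunnel() {
  cfg="$1"
  allowed="$2"
  grep -q '^AllowedIPs = ' "$cfg" || { echo "no AllowedIPs line in $cfg" >&2; return 1; }
  cp "$cfg" "$cfg.bak"
  sed "s#^AllowedIPs = .*#AllowedIPs = ${allowed}#" "$cfg.bak" > "$cfg"
}

# Write a constructed sample of what 'pivpn add' produces, to $1.
# The DNS line points at the server's tunnel address, which is why 10.6.0.0/24
# has to stay inside AllowedIPs: otherwise DNS queries never reach the Pi-Hole.
write_sample_config() {
  cat > "$1" <<'EOF'
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.6.0.2/24
DNS = 10.6.0.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
PresharedKey = PRESHARED_KEY_PLACEHOLDER
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::0/0
EOF
}

# Demo on a temporary file. On a real client the call would look like:
#   make_split_tunnel /etc/wireguard/configs/P-W-W-F-split.conf "10.6.0.0/24, 192.168.1.0/24"
demo() {
  tmp=$(mktemp)
  write_sample_config "$tmp"
  echo "before: AllowedIPs = $(allowed_ips_of "$tmp")"
  make_split_tunnel "$tmp" "10.6.0.0/24, 192.168.1.0/24"
  echo "after:  AllowedIPs = $(allowed_ips_of "$tmp")"
  rm -f "$tmp" "$tmp.bak"
}
demo
```

Only the `AllowedIPs` line changes; the `DNS` line is left alone so the phone keeps asking the Pi-Hole for names while its other traffic goes straight to the Internet. Run `is_split_tunnel` on a profile before handing it out if you want to be sure you are not giving someone a full tunnel by mistake.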
Next Article in this series: Part 6: Setup PiVPN Endpoint Device
Hello,
I followed your directions, and the Full VPN works with no issues on either my internal/local network or on the internet. However, when I attempt to use your instructions to create a Split-Tunnel VPN, I can browse the internal/local network, but I cannot browse anything on the internet. I tested this by putting my phone on 4G, and using the Wireguard VPN Client software. My settings seem correct. Any help would be appreciated.
The config file of your split tunnel config will need to be modified to show the subnet of your home network.
In the examples I used, you’d need to replace the line
AllowedIPs = 0.0.0.0/0, ::0/0
with
AllowedIPs = 192.168.1.0/24
I have the same issue. If I set AllowedIPs to my home LAN (192.168.2.0/24) I can ping a server on my home lan (192.168.2.15) but my internet traffic is killed (I can’t ping google.com).
The instructions for creating the Split configuration are not totally correct.
Add this to the allowed IP addresses: 10.6.0.0/24.
Thanks Kirk. I’ve added that note up in the instructions so folks won’t get stuck in the future.
What solution are you using now, if you can share it.
Thank you for the tutorial
You’re welcome for the tutorial.
I’m currently using the VPN solution that is baked into the Ubiquity UDM.
Do you have setup info for using a UDM? I have that too. Is it better than the pivpn route?
What VPN solution are you using nowadays?
Why did you switch?
Thanks
I’m currently using an L2TP (Layer 2 Tunnel Protocol) VPN option provided in my Ubiquiti UniFi hardware after a hardware refresh.
IT.PWWF
Thanks for the clear instructions and thanks to Kirk Foster for catching and sharing this. As a complete newbie who just follows the instructions without actually understanding it completely, I really appreciate the time spent in sharing the knowledge by all not only on this site but on the many others out there.
I set up Adguard home and Pivpn on a RPI 4 with two clients for my phone, one configured for split tunnel.
I would like to be able to set up a third client where the phone cannot access the resources on the local network. I haven’t been able to find any easy to follow instructions. Do hope you can help. TIA
I think you’re missing the purpose of a VPN. It’s for accessing the local network remotely. I know you’re probably just trying to give them access to your Adguard, but I don’t think you’re going to find an easy solution. I can think of enterprise grade solutions to accomplish the asked task, but I think you’ll be outta luck trying to do that on PiVPN – at least very easily.