WireGuard split tunneling via proxy

EDIT: solution found - WireSock. It doesn't expose a proxy the way I used to have it, but it does let you define a whitelist of apps to pass through the VPN. Works great.

Currently I'm using a commercial VPN with OpenVPN, and I have split tunneling set up in a way which passes traffic through the VPN only from apps which have a proxy set and enabled. All other apps avoid the VPN.

Now I'm trying to set up my own server with WireGuard to use as a VPN. Is something like this achievable with WireGuard, and if so, how? I'm on Windows, not Linux.

If this is not achievable, is there another way I can route traffic only from select applications through the WireGuard VPN?

Select-application-level tunneling I've only seen done through the VPN provider apps. They have to be able to poke the system internals to do it, I think. The WireGuard clients I've seen don't incorporate that, which doesn't mean one doesn't exist; I just haven't seen one.

You can still do split tunneling, but it’s the normal network level split tunnel, not the per app thing provider VPN apps can do. That requires a little more knowledge of networking, and the destinations (i.e. it can be less convenient for most people in practical terms, although it’s also more powerful in other ways, it just depends on what you are doing).

I use wireguard to route a single subnet for my home LAN. Much simpler than messing with per app settings.

If you are using a proxy with a specific IP you could try split tunnelling using the AllowedIPs option, but anything else requires a deeper look at packets, which WireGuard does not support. You can use ProtonVPN to test it. It's free and supports WireGuard.

THANK YOU SO MUCH FOR THIS.

My company mail doesn't work via VPN because of too many hops, but I can't exactly use Windows `route add` each time due to IPs varying between home and hotspot.

This was exactly what I was looking for!

> Select-application-level tunneling I've only seen done through the VPN provider apps. They have to be able to poke the system internals to do it, I think. The WireGuard clients I've seen don't incorporate that, which doesn't mean one doesn't exist; I just haven't seen one.

The VPN I use for now and have been using for a while, Mullvad, has a guide on how to do this with the bare OpenVPN client. So if this can be done with bare OpenVPN, I was quietly hoping it could be done with WireGuard as well. If it cannot be done, then oh well, I guess I'll have to live with the inferior OpenVPN instead. Too bad algo doesn't support it; it would be easier...

> You can still do split tunneling, but it's the normal network-level split tunnel, not the per-app thing provider VPN apps can do. That requires a little more knowledge of networking, and the destinations (i.e. it can be less convenient for most people in practical terms, although it's also more powerful in other ways; it just depends on what you are doing).

I've heard about the AllowedIPs option, which I guess is what you're referring to, but that isn't what I'm looking for. There are cases where I'd like to choose which "outlet" I use when accessing a certain site, not to mention I'd have to keep adding addresses for every website I want to use a VPN for, so I guess this method is a complete miss for me.

How does that work exactly?

Not sure where to start. Home WireGuard server in Docker has access to my home LAN (192.168.whatever); WireGuard clients are configured to only route traffic addressed to 192.168.0.x.

So this method is essentially for choosing whether or not a whole client device with a certain LAN IP passes traffic through the VPN or outside of it? If so, that's unfortunately not what I'm looking for either.

No, each client passes through WireGuard ONLY traffic addressed to my home LAN. All other traffic behaves as normal. For example, on my phone I can use my browser to look at example.com without VPN, or http://192.168.0.1 through VPN, with no extra configuration.

Sorry, I’m not good at explaining.

In your client's WireGuard conf there's an AllowedIPs field.
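A client-side configuration for the LAN-only split tunnel described in the post above, as an added example that is not from the original thread. The tunnel range 10.19.49.0/24, the home subnet 192.168.0.0/24, the endpoint name and the key placeholders are assumptions; substitute your own.

```ini
# Windows WireGuard client, split tunnel: only the home LAN enters the tunnel.
# Assumed addressing: server tunnel IP 10.19.49.1, this client 10.19.49.2,
# home LAN 192.168.0.0/24 behind the server.
[Interface]
PrivateKey = <client private key>
Address = 10.19.49.2/32
# No DNS= line on purpose: name resolution stays on the local network. A DNS=
# entry would only be reachable if the resolver's address were also in AllowedIPs.

[Peer]
PublicKey = <server public key>
Endpoint = vpn.example.com:51820
# This is the whole split-tunnel decision. Packets whose destination falls in
# this prefix are routed into the tunnel; everything else uses the normal route.
AllowedIPs = 192.168.0.0/24
# Keeps the NAT mapping alive when the client sits behind a home router.
PersistentKeepalive = 25
```

Check the result from PowerShell after activating the tunnel: `Find-NetRoute -RemoteIPAddress 192.168.0.1` should name the WireGuard adapter, while the same cmdlet for any public address should name your normal adapter, and `Get-NetRoute -DestinationPrefix 192.168.0.0/24` shows the route the client installed. The server side still needs the matching `[Peer]` with `AllowedIPs = 10.19.49.2/32`, IP forwarding enabled, and a masquerade or a return route so that LAN hosts can answer 10.19.49.2.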

With proper route rules (which is how you do network-level split tunnels), the split is done based on the destination of the traffic, not the source (well, generally speaking; in a more complicated setup, you can do it based on the source at the router level, but as you note, that is not what you want). It might look like the source for a rule that encompasses all traffic, but it actually is capturing all traffic regardless of the destination (as opposed to only specific traffic based on the destination, but again, it's not related to the source).

Typically, in a split tunnel, you have a route rule that in plain English says "for traffic going to this destination, use this gateway". When you have a VPN enabled, you effectively have another gateway that your device can use (a gateway being the place that network traffic is sent when it has to go to something not local to the sender).

So you create a rule that encompasses the desired destination, and sends it over the VPN connection. For other traffic, your default rules would continue to send it over the normal connection.

You can also do the reverse, that is, default all your traffic to the VPN, but use route rules to grant exceptions to the VPN.

Unfortunately, for particular applications that don’t have a fixed and/or known set of destinations, this way of handling traffic can be problematic. For instance, if you wanted say, only Firefox to use the VPN, but not Chrome, you can’t really do that.

A more concrete example: let's say you want to use the VPN when doing DNS lookups using Google's DNS. In that case, you create a route entry for 8.8.8.8 that always directs that traffic over the VPN connection. This also illustrates a key difference with route-rule-based split tunnels. It's based on the destination: that means just putting a route rule in catches all traffic, which includes DNS. Now, the problem is, let's say you need to use a web browser to connect to 8.8.8.8, but you don't want to use the VPN. Unfortunately, you are stuck: because this is happening at the network level, you can't dictate which applications (in this example, DNS lookups vs a browser) use the rule and which don't.

The takeaway here is that, for the things you want to have go over the VPN, as long as you can define the situation as "just these addresses are the ones you are interested in", you can manage it. So random addresses you don't know beforehand, or huge swaths of addresses, aren't going to work or may not be practical. In the huge-swaths case, it might work doing what I said, where you default all traffic over the VPN _except_ certain things.
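The "reverse" split tunnel the post above mentions (everything through the VPN except certain destinations) cannot be written literally in a WireGuard config: AllowedIPs is a pure allow list with no exclusion syntax, so the exceptions have to be expressed as the complement of the excluded prefixes. The helper below is an added example, not code from the thread or from WireGuard; it computes that complement with the standard-library ipaddress module, renders the AllowedIPs line, and lets you probe which addresses would be captured. The exclusion list in the demo is a constructed input.

```python
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network


def allowed_ips_excluding(exclusions: Iterable[str]) -> List[IPv4Net]:
    """Cover all of IPv4 except `exclusions`, as the smallest list of prefixes.

    WireGuard's AllowedIPs is purely an allow list, so "route everything through
    the tunnel except X" has to be spelled out as the complement of X. IPv4 only.
    """
    remaining = [ipaddress.IPv4Network("0.0.0.0/0")]
    for raw in exclusions:
        # strict=True: "192.168.1.5/24" is rejected rather than silently widened
        ex = ipaddress.IPv4Network(raw, strict=True)
        kept = []
        for net in remaining:
            if ex.subnet_of(net):
                # carve the exclusion out of this piece; yields nothing if ex == net
                kept.extend(net.address_exclude(ex))
            elif net.subnet_of(ex):
                continue  # this piece lies entirely inside the exclusion
            else:
                kept.append(net)  # disjoint, untouched
        remaining = kept
    # collapse adjacent siblings back into supernets and give a stable order
    return sorted(ipaddress.collapse_addresses(remaining))


def allowed_ips_line(nets: Iterable[IPv4Net]) -> str:
    """Render the [Peer] line for a WireGuard client config."""
    return "AllowedIPs = " + ", ".join(str(n) for n in nets)


def goes_through_tunnel(nets: Iterable[IPv4Net], ip: str) -> bool:
    """Sanity check: would a packet to `ip` be captured by these AllowedIPs?"""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    # Constructed example: default everything into the tunnel except the home LAN
    # and the other RFC 1918 ranges a laptop meets on hotel or office networks.
    exclusions = ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]
    nets = allowed_ips_excluding(exclusions)
    print(allowed_ips_line(nets))
    for probe in ("192.168.0.1", "172.20.0.5", "8.8.8.8"):
        print(probe, "->", "tunnel" if goes_through_tunnel(nets, probe) else "local")
```

Excluding a single /16 already produces 16 prefixes, so the Windows client installs 16 routes instead of one; that is normal. The Windows WireGuard app has an "Exclude private IPs" checkbox that performs this same rewrite for the RFC 1918 ranges, but anything else (a specific office subnet, a game server range) needs the complement computed by hand like this.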

I highly appreciate the detailed breakdown, thank you. Yeah, as per your takeaway, because I want to use my VPN for browsing a lot of sites, many of which may be new, one-visit websites, that's not going to be viable for me.

Right now, with the application-based split tunneling, I browse the net with one browser as I usually do, and then I have a whole separate other browser just for those websites I would rather use a VPN for. It's a highly convenient and sound setup, which I'm going to find really hard to let go of.

As a last resort, I could theoretically set up a virtual machine and use the WireGuard VPN there, but this way I'm also sacrificing a bunch of disk space as well as the performance of not only the virtualized browser but the whole host system to a degree.

Also, I found an app called Proxifier, which apparently allows you to force certain apps to go through a proxy of choice. WireGuard does set up a proxy apparently, but I couldn't get this to work right: all apps forced to pass through the proxy just lose all connectivity, and to be honest I don't even know where to start in order to troubleshoot this.

Well, the VPN/gateway is a proxy of sorts really, when it comes down to it. WireGuard isn't really setting one up beyond that, at least not that I know of. But I see what they could be getting at. If you can have, say, a SOCKS proxy that _itself_ directs all traffic over a particular gateway, then that could do what you want (you'd configure the proxy to use the VPN, and the browser to use the proxy). I don't use SOCKS proxies, so I don't know if one exists that can do that or not.

But yeah, otherwise in your situation, the only practical tunnel is to route all traffic over the VPN, and provide exceptions if you only have a few sites that don’t need to go over it. The catch here is of course that it affects all apps. That isn’t always considered as big of a deal, as the web browser is 99% of traffic for most people anyway, although, if you were say, gaming as well from that device, then it might be more problematic.

Most WireGuard connections are still back to people's own gear. Are you using it with a commercial provider? If you are, you may just want to see if they also offer a SOCKS proxy as part of their service. A lot of them do, in my experience.

The WireGuard VPN I'm using is not from a commercial provider; it's an algo setup on a Hetzner VPS.

Oh... so... you are trying to bounce your browser traffic through the VPS?

Can you also install a SOCKS proxy on the VPS? If you can, that solves your issue, at least as far as a browser (or anything capable of using a SOCKS proxy) goes. In that case, you will know what the IP of the VPS is. You install the proxy service on the VPS, you have a route rule that says "just for the IP of the VPS, use the WireGuard VPN", and then configure your browser to use the SOCKS proxy on the VPS. The route rule/split tunnel will send the traffic for the VPS over the WireGuard connection, and the proxy software on the VPS will act as the proxy for the browser as you want.

So it'd be browser (local) -> WireGuard -> SOCKS on VPS -> Internet.
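The client half of the browser -> WireGuard -> SOCKS-on-VPS chain suggested above, as an added example that is not from the original thread. The addresses (VPS tunnel IP 10.19.49.1, client 10.19.49.2), the endpoint name, the SOCKS port 1080 and the key placeholders are assumptions. One detail matters here that the suggestion glosses over: the "IP of the VPS" in AllowedIPs must be the VPS's address inside the tunnel, not its public endpoint address, because a route that sends the endpoint itself into the tunnel has nowhere to deliver the encrypted packets.

```ini
# Windows WireGuard client, split tunnel that carries only the SOCKS traffic.
# Assumed: VPS tunnel address 10.19.49.1 (SOCKS5 listening on port 1080 there),
# this client 10.19.49.2, public endpoint vpn.example.com:51820.
[Interface]
PrivateKey = <client private key>
Address = 10.19.49.2/32

[Peer]
PublicKey = <server public key>
Endpoint = vpn.example.com:51820
# Only the VPS's tunnel-internal address is routed into WireGuard, so the only
# thing that crosses the tunnel is the browser's SOCKS connection. Everything
# else (other browsers, games, updates) keeps using the normal interface.
# Do NOT put the resolved address of vpn.example.com here: routing the
# endpoint into its own tunnel loops and the handshake never completes.
AllowedIPs = 10.19.49.1/32
PersistentKeepalive = 25
```

On the VPS, run a SOCKS5 daemon bound to the tunnel address only, for example Dante with `internal: 10.19.49.1 port = 1080`, `external: eth0` (interface name assumed), `socksmethod: none`, and a `socks pass { from: 10.19.49.0/24 to: 0.0.0.0/0 command: connect }` rule; since the listener is only reachable over wg0, no authentication is needed, but confirm with the host firewall that port 1080 is not exposed on the public interface. In the browser, set a SOCKS5 proxy of 10.19.49.1:1080 and enable the option to resolve DNS through the proxy (Firefox calls it "Proxy DNS when using SOCKS v5"); without it, hostnames are still resolved by your local resolver and reveal which sites the "VPN browser" visits. A quick end-to-end check from PowerShell is `curl.exe --socks5-hostname 10.19.49.1:1080 https://example.com -v`, whose connection log should show the VPS, not your ISP address, as the source seen by the far end.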

Technically I probably can; it's whether or not I know how to, lol.

Sounds like a coherent idea. I don't have much of an idea on how to pull this off since I'm still very new to this, but I'll look up some guides and hopefully try to make something from it. Thank you.