Wireguard VPN Policies for Site-2-Site Mode to bypass VPN for all traffic except specific IPs

I have one Flint 2 router set up in one city, and another Flint 2 router set up in a second city. One is my home network and one is my remote network. I have the home Flint 2 router set up to connect via VPN to my remote network. I followed this article to make it work, and it works great:

I can even map a drive from the remote network to my home network.

Now what I'm trying to do is figure out how to create VPN routing rules so that traffic from my home network bypasses the VPN completely for everything except a specific IP range or a list of specific IP addresses.

Another way to describe this is that I want all traffic and DNS lookups from my home network to go straight through my home ISP, bypassing the VPN, unless the destination address is one of several computers (IPs) on my remote VPN server network.

I've searched and searched but can't figure out a way of doing this in my specific situation. One of the catches is that per the link above on creating the site-2-site network, the VPN Client Mode is configured to "Auto Detect" to make the site-2-site network work properly. All the articles I'm finding in a search tend to have a different kind of client mode setup so it wouldn't be applicable to my situation.

Any help would be appreciated. Thanks in advance!

I took one step forward but one step back.

By changing the configuration in the WireGuard client file of the client router, I was able to ensure only traffic for a specific IP range (the IP range of my VPN server network) went through the VPN and all else went through my regular ISP.

All I did was change this:
[Peer]
AllowedIPs = 0.0.0.0/0,::/0

To this:
[Peer]
AllowedIPs = 192.168.8.0/24

It worked great.

But then I was no longer able to map drives from my VPN server network to my VPN client network. So in my client configuration file, I changed this:
AllowedIPs = 192.168.8.0/24

To this:
AllowedIPs = 192.168.8.0/24, 192.168.100.0/24

192.168.8.* is my VPN server network and 192.168.100.* is my home network (VPN client side).

This still didn't work for the drive mapping, though the VPN bypass I wanted still works.

The only thing to add is that on the server under WireGuard Server Route Rules, I have one entry (which I entered following the GL.iNet instructions to set up the Site-2-Site VPN) which is:
Target Address: 192.168.100.0/24
Gateway: 10.0.0.4
Scope: link

192.168.100.0/24 is the internal subnet for my home/client network and 10.0.0.4 is the IP assigned to my home router in the WireGuard client configuration file, like this:
[Interface]
Address = 10.0.0.4/24

It might make sense if someone suggested I need to add another route rule in this table, but I don't know what else I would add, and I don't have to add anything else if I use this client configuration:
[Peer]
AllowedIPs = 0.0.0.0/0,::/0

Drive mapping works like that. It's just that the VPN bypass (for non 192.168.8.* IPs) doesn't work with it like that.

Well a friend of mine helped me out and thankfully got it working. Posting this here in case someone else ends up searching for this.

I was close - the key was in the AllowedIPs. You want both your subnets AND the WireGuard subnet in there. I tried all of that, but not at the same time.

So like this:
AllowedIPs = 192.168.8.0/24, 192.168.100.0/24, 10.0.0.0/24

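Why the tunnel subnet matters: in WireGuard, a peer's AllowedIPs does double duty. On the way out it decides which destinations are sent into the tunnel; on the way in it is a filter, and a decrypted packet whose source address is not inside AllowedIPs is silently dropped. The added example below (not from the thread or from GL.iNet) models that rule with the three AllowedIPs lists tried above; it assumes, as a hypothetical for this setup, that some packets from the server side arrive with the server's tunnel address 10.0.0.1 as source, which is what the final fix lets through.

```python
import ipaddress

# Constructed from the thread: the three AllowedIPs lists the client tried.
CONFIGS = {
    "server_only": ["192.168.8.0/24"],
    "both_lans": ["192.168.8.0/24", "192.168.100.0/24"],
    "final": ["192.168.8.0/24", "192.168.100.0/24", "10.0.0.0/24"],
}


def parse_allowed_ips(entries):
    """Turn AllowedIPs strings into network objects (whitespace tolerant)."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def via_tunnel(allowed_ips, dst):
    """Outbound half of cryptokey routing: the destination enters the tunnel
    only if some AllowedIPs prefix of the peer covers it. With a single peer,
    any covering prefix is enough; anything else goes out the normal ISP route."""
    dst = ipaddress.ip_address(dst)
    return any(dst in net for net in parse_allowed_ips(allowed_ips))


def accepted_from_peer(allowed_ips, src):
    """Inbound half: after decryption WireGuard checks the inner source address
    against the sending peer's AllowedIPs and drops the packet if it is not covered."""
    src = ipaddress.ip_address(src)
    return any(src in net for net in parse_allowed_ips(allowed_ips))


def evaluate(config_name):
    """Summarise what each configuration does for the cases discussed in the thread.
    203.0.113.5 is a documentation address standing in for any internet host, and
    10.0.0.1 is assumed (hypothetically) to be the server's tunnel address."""
    allowed = CONFIGS[config_name]
    return {
        "internet_bypasses_vpn": not via_tunnel(allowed, "203.0.113.5"),
        "remote_lan_via_vpn": via_tunnel(allowed, "192.168.8.10"),
        "accepts_remote_lan_source": accepted_from_peer(allowed, "192.168.8.10"),
        "accepts_tunnel_ip_source": accepted_from_peer(allowed, "10.0.0.1"),
    }


if __name__ == "__main__":
    for name in CONFIGS:
        print(name, evaluate(name))
```

Running it shows that all three lists give the bypass the thread wanted, but only the final list also accepts packets sourced from the tunnel address, which is the difference the last post found.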