Wireguard with split tunnel


Has anyone got a split tunnel working with WireGuard?

I am trying to only use wireguard to access my home network without having all traffic routed through the tunnel.

In wireguard management I set allowed IPs to (my home network), (my PIhole DNS).

In the VPN policies I set the option use only for and

Connection to my home network runs fine, but loading pages on the internet randomly works or ends loading without result or issue notice. When I go to http://speed.io (and it manages to load), the speedtest starts at a high speed but then stalls and gives the message "connection lost".

Routing everything through the tunnel resolves this issue but leaves me with a much lower bandwidth and worse response times.

Any clues?

By the way, having the same settings on my phone works like a charm, and I have my local network and my Pi-hole on the go while still having full LTE bandwidth to the internet.

No one tried this yet?

As it seems no users have information on this, is there any developer who can help out?

I have split tunnel working fine: B1300 on the remote node running the WireGuard server, and WireGuard client on iOS and on a Windows laptop.
I seem to understand that your configuration is a s2s between two GL routers, and IMO the exclusion on VPN policies (client router) is unnecessary because the ipalloweds configuration is enough.
Where is your DNS server located?
If it is in your LAN then it’s OK on VPN policies and not on ipalloweds; otherwise you have to do the opposite.

Thank you for the answer. So, to be more precise, the complete setup:
Home Network:
Wireguard Network:
Wireguard Server and PiHole DNS: respective
AR750s external IP:
AR750s internal IP: Respective Wireguard Client

wireguard client setup DNS
wireguard allowed IP and VPN policies,

What am I missing out?

Can you give topology of your complete scenario?
Is tunnel between two routers or WG server on a router and WG client on a laptop like roadwarrior config?

So the goal is to have (e.g.) the notebook connected to the home network (e.g. the NAS) while the traffic to the internet uses the direct way instead of the WireGuard connection (e.g. external IP 84.x.x.x, NOT 85.x.x.x).

Then no VPN policies, because ipalloweds is enough. Do it and do a traceroute to your Pi-hole; it should always be successful.
DNS server over WG and internet via your router is not the best in terms of latency, because you have to resolve names through the VPN and go back to your LAN gateway to go out to the internet (not exactly compliant with the benefits of split tunnel); perhaps when you try via your LTE connection it is OK because you run a direct connection via a WireGuard app on the phone instead of a VPN gateway.

A connection to the pihole (or any other device in home network) always worked and never has been the issue. Without VPN policies I don’t have internet access though (nslookup works but ping fails).

With VPN policies active nslookup, ping and tracert deliver expected results. Nevertheless, https://speed.io doesn’t deliver results and downloads stall after about 200kb.

After additional testing, I have to give up.

Even setting as allowed IP in WireGuard and trying to only use the VPN policies results in stalling downloads, and speedtests like speed.io (others also tested) don’t run through and give "connection lost" results.

This is very unfortunate, as this makes the VPN policies obsolete to me. I can only route all traffic or none without any limitations.

What version is your firmware? I use 3.100 firmware to simulate your scenario and it works well.

I tried using 3.025 and 3.100 as well. Unfortunately I have no clue where to look for the reason this is not working with downloads and speed tests.

@luochongjun Could you send me a screenshot of the redacted WireGuard config and the VPN policies, please?

Even a factory reset doesn’t solve my issue:
After starting at expectable speed, it stalls and after a while gives out an error.

Still hoping for somebody from support taking up this issue. I tried with tethering, cable to router or as Wi-Fi client. The result is the same for all, as shown above.

I solved my issue, but could not do that via the GL gui.

I’ll give my solution here, as others might look for the same.

  • Go to “MORE SETTINGS” → “Advanced” and log in
  • Hover over “System” and go to “Software”
  • Search for “luci-proto-wireguard” and click “install”
  • Hover over “Network” and go to “Interfaces”
  • “Add new interface…”
  • Choose a name for the Interface
  • Select “WireGuard VPN” as protocol
  • Make WireGuard Settings like in the GL gui
  • As allowed IPs choose the Range of the remote network and add a second line for the WireGuard IP of the WireGuard server
  • Set checkmark at “Route allowed IPs”
  • Go to “Firewall Settings” and add the Interface to the WAN Zone
  • Click “Save & Apply”

Now surfing the web is done via the direct connection (in my case LTE over WWAN), but access to devices in remote network is established at the same time.

If you want to use a DNS Server within the remote Network (e.g. a PiHole):

  • Go back to “Interfaces”
  • Edit the interface that is your internet connection (in my case WWAN)
  • Go to “Advanced Settings”
  • Uncheck “Use DNS servers advertised by peer” and enter the IP of your desired DNS
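To make the routing behaviour of the steps above concrete, here is an added example (not from the original post or GL.iNet) that models what “Route allowed IPs” does: each AllowedIPs line becomes a route into the wg interface, everything else keeps the default route on the real uplink. The addresses are constructed placeholders, since the thread redacts the real ones, and the check function flags the two pitfalls the thread runs into: a /0 entry (full tunnel) and a remote-LAN DNS server that is not covered by AllowedIPs.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample addresses (the thread redacts the real ones).
REMOTE_LAN = "192.168.8.0/24"   # home network behind the WireGuard server
WG_SERVER = "10.0.0.1/32"       # WireGuard address of the server (second AllowedIPs line)
PIHOLE_DNS = "192.168.8.53"     # Pi-hole inside the remote LAN

def build_routes(allowed_ips: Iterable[str]) -> list:
    """Model 'Route allowed IPs': every AllowedIPs entry becomes a kernel route
    pointing at the wg interface; longest prefix wins, as in the kernel FIB."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed_ips]
    return sorted(nets, key=lambda n: n.prefixlen, reverse=True)

def next_hop(dest: str, routes: list) -> str:
    """'wg' if dest matches a tunnel route, else 'wan' (default route on the
    real uplink, e.g. WWAN/LTE). A /0 entry would capture everything."""
    ip = ipaddress.ip_address(dest)
    for net in routes:
        if ip in net:
            return "wg"
    return "wan"

def check_split_tunnel(allowed_ips: Iterable[str], dns_server: str,
                       remote_lan: str = REMOTE_LAN) -> List[str]:
    """Problems worth catching before 'Save & Apply' on the router."""
    routes = build_routes(allowed_ips)
    problems = []
    if any(n.prefixlen == 0 for n in routes):
        problems.append("AllowedIPs contains a /0 entry: full tunnel, not split")
    dns = ipaddress.ip_address(dns_server)
    if dns in ipaddress.ip_network(remote_lan) and next_hop(dns_server, routes) != "wg":
        problems.append(f"DNS {dns_server} is in the remote LAN but not routed via wg")
    return problems

if __name__ == "__main__":
    routes = build_routes([REMOTE_LAN, WG_SERVER])
    for dest in (PIHOLE_DNS, "10.0.0.1", "93.184.216.34"):
        print(dest, "->", next_hop(dest, routes))
    print(check_split_tunnel([REMOTE_LAN, WG_SERVER], PIHOLE_DNS))
    print(check_split_tunnel(["0.0.0.0/0"], PIHOLE_DNS))
```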

Thanks man, that solved it for me!

Do the steps you outline here obsolete the configuration steps in the VPN → WireGuard Client menu on the standard admin panel?

I do this a different way.

I travel often, so I connect to many types of VPN routers that I have no control over: WireGuard, OpenVPN, WatchGuard.
Sometimes I have to use VPN software on my local laptop.
Sometimes I am forced to use a LAN connection.

So I need a universal solution, simple and flexible.

On my Windows laptop, I change the local routing table.
There are several ways to do that, but here is one example:

# delete the default route so no traffic will tunnel through the VPN
route delete
# add a route so that the IP range allocated to the LAN behind the VPN server tunnels through the VPN
route add mask

I love the accepted solution.

I wrote an article on the method I use which has worked great.