VPN - excluding local IPs

Dmitrii Tcvetkov demfloro at demfloro.ru
Thu Mar 21 19:50:09 CET 2019

On Thu, 21 Feb 2019 16:08:50 +0100
Andreas Hatzl <andreas at hatzl.org> wrote:

> Hi,
> I have successfully set up a wireguard VPN between my notebook
> (Manjaro behind NAT) and my virtual server (ubuntu 18.04). The only
> "issue" left is that I can't connect to local devices on the client
> while using wireguard. Is there a way to exclude an IP range from
> using wireguard? 
> my client config:
> [Interface]
> Address = 10.x.y.z/32
> PrivateKey = xyz
> [Peer]
> PublicKey =xyz
> Endpoint = xyz:51820
> AllowedIPs =
> PersistentKeepalive = 21
> I am aware that the solution for this has most likely been posted a
> lot of times but I can't find anything on the Wireguard page or
> Google.
> It would be great if somebody could help me with this.
> Thanks
> Andreas

That's odd. If I understood correctly, your setup looks kinda like this; if
not, please correct me:

|notebook |
|---------| private inside tunnel

Example LAN device |
-------------------| private

-----|   router with NAT  |-------------
 public public inside tunnel
WireGuard server |

So in this example, before connecting to the VPN, the notebook would have:
direct route to
default route via

After connecting to VPN, assuming that VPN setup overrides default
direct route to
direct route to
static route to via (for encrypted WG traffic)
default route via

In that case there would not be any problem for the notebook to communicate
with the "example LAN device" unless a firewall on the notebook or the "LAN
device" interferes.

As far as I know there is no straightforward way to exclude networks
from AllowedIPs, but you can enumerate all public IPv4 prefixes, like the
Android WireGuard client does:,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

But if you just replace with this in the AllowedIPs line without
fixing routing, then WireGuard will just reject packets which don't
belong to these prefixes. The network stack of the notebook should route
packets to the LAN; AllowedIPs is more of a precaution in this case.

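As an added illustration of the "enumerate the prefixes" approach described in the reply above (this is example code written for this page, not code from the thread or from the WireGuard project), the script below uses Python's standard ipaddress module to subtract one or more excluded ranges from 0.0.0.0/0 and render the resulting AllowedIPs line. The excluded ranges and the destination addresses are constructed sample values. It also models the client-side AllowedIPs check for a single peer: a destination not covered by any allowed prefix is not handed to the tunnel, which is the "reject packets which don't belong to these prefixes" behaviour mentioned in the reply.

```python
import ipaddress
from typing import Iterable, List


def allowed_ips_excluding(excluded: Iterable[str], base: str = "0.0.0.0/0") -> List[str]:
    """Return the minimal prefix list covering `base` minus every range in `excluded`.

    Each exclusion splits the covering prefix along the binary tree, so a
    single /24 carved out of 0.0.0.0/0 yields 24 sibling prefixes (/1 .. /24).
    """
    remaining = [ipaddress.ip_network(base, strict=False)]
    for raw in excluded:
        ex_net = ipaddress.ip_network(raw, strict=False)
        next_remaining = []
        for net in remaining:
            if net.version != ex_net.version:
                next_remaining.append(net)          # IPv4 vs IPv6: unrelated
            elif net.subnet_of(ex_net):
                continue                            # wholly excluded, drop it
            elif ex_net.subnet_of(net):
                next_remaining.extend(net.address_exclude(ex_net))  # carve it out
            else:
                next_remaining.append(net)          # disjoint, keep as-is
        remaining = next_remaining
    # collapse_addresses merges adjacent siblings and sorts the result
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


def render_allowed_ips(prefixes: Iterable[str]) -> str:
    """Format the prefixes as the AllowedIPs line of a [Peer] section."""
    return "AllowedIPs = " + ", ".join(prefixes)


def peer_accepts(prefixes: Iterable[str], destination: str) -> bool:
    """Single-peer model of the AllowedIPs check: is `destination` covered at all?

    With one peer, a destination outside every allowed prefix has no peer to
    be sent to, so the tunnel never carries it and the host's normal routing
    table (e.g. the direct LAN route) decides what happens instead.
    """
    addr = ipaddress.ip_address(destination)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def covered_address_count(prefixes: Iterable[str]) -> int:
    """Sanity check helper: total number of addresses the prefix list spans."""
    return sum(ipaddress.ip_network(p).num_addresses for p in prefixes)


if __name__ == "__main__":
    # Constructed sample: keep RFC 1918 LAN ranges off the tunnel (hypothetical values).
    lan_ranges = ["192.168.0.0/16", "10.0.0.0/8"]
    allowed = allowed_ips_excluding(lan_ranges)
    print(render_allowed_ips(allowed))
    for dst in ("192.168.1.20", "10.1.2.3", "203.0.113.7"):
        print(f"{dst:>14}: {'tunnel' if peer_accepts(allowed, dst) else 'local routing'}")
```

Paste the printed line into the [Peer] section in place of the single 0.0.0.0/0 entry. Note that when the interface is brought up with wg-quick, the routes it installs are derived from AllowedIPs, so leaving the LAN range out of the list also leaves the LAN on its existing direct route; with a hand-built configuration, the routing table still has to be checked separately, as the reply points out.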