
WireGuard Split Tunneling with AllowedIPs

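WireGuard's AllowedIPs parameter serves as both an ACL filter and a routing table: packets arriving from the peer are accepted only if their source address falls inside it, and outgoing packets are sent to the peer whose AllowedIPs contains the destination. NetRoute Pro generates a ready-to-paste AllowedIPs string from any website's domains. No extra ip route commands are needed; just edit the peer config and reload.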

Prerequisites

Step 1. Generate AllowedIPs in NetRoute Pro

  1. Open the target website in Chrome
  2. Click the NetRoute Pro icon in your extensions
  3. Select the WireGuard platform
  4. Click Analyze Website
  5. Copy the generated AllowedIPs line — it looks like:
AllowedIPs = 104.21.32.0/24, 172.67.182.0/24, 162.159.135.0/24, ...
Tip: enable RIPE BGP optimization in the extension — it replaces individual IPs with real announced BGP prefixes, giving stable subnets that don't break when Cloudflare/Fastly rotate IPs.

Step 2. Paste into your peer config

Linux (wg-quick)

Edit your tunnel config file (typically in /etc/wireguard/, for example /etc/wireguard/wg0.conf). Under the [Peer] section, replace the existing AllowedIPs = ... line with the string you copied:

[Peer]
PublicKey = <your-peer-public-key>
Endpoint = <your-endpoint>:51820
AllowedIPs = 104.21.32.0/24, 172.67.182.0/24, 162.159.135.0/24
PersistentKeepalive = 25

Windows / macOS (GUI)

  1. Open the WireGuard app
  2. Select your tunnel and click Edit
  3. In the config editor, modify the AllowedIPs field under [Peer]
  4. Click Save

Android / iOS

  1. Open the WireGuard mobile app
  2. Tap your tunnel → Edit
  3. Replace the Allowed IPs field value
  4. Tap Save (top right)
Heads up: on Android, tap Back/Save carefully — the app sometimes resets the field on exit if you leave focus without saving explicitly.

Step 3. Restart the tunnel

Reload the peer so the new routing table takes effect.

Verify

Run sudo wg show — the peer should be listed with the new allowed ips values:

sudo wg show

You can also confirm routing with ip route (Linux/macOS) or route print (Windows) — the listed subnets should point through your WireGuard interface.

Common issues

Losing all network access

If you removed 0.0.0.0/0, only the subnets listed in your new AllowedIPs go through the tunnel, and everything else follows your regular default route. That is the whole point of split tunneling. Make sure the list contains exactly the subnets you want and that nothing you need is unintentionally missing.

Android tunnel stuck on "connecting"

Re-save the config explicitly: enter edit mode, tap out of the AllowedIPs field, and tap Save again. Some Android versions need this to commit the change.

Error: AllowedIPs has invalid format

Check for trailing commas, stray whitespace, or newline characters inside the value. AllowedIPs must be a single comma-separated list on one logical line.
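Because AllowedIPs acts as both filter and routing table, it is worth checking a generated line before pasting it. The sketch below is an added example, not code from NetRoute Pro or WireGuard; check_allowed_ips and render are hypothetical names, and the second sample line is constructed to trigger the format and coverage problems described above.

```python
import ipaddress

def check_allowed_ips(line):
    """Parse one 'AllowedIPs = ...' line; return (networks, problems)."""
    networks, problems = [], []
    text = line.strip()
    if "\n" in text or "\r" in text:
        problems.append("line break inside the value")
    key, sep, value = text.partition("=")
    if not sep or key.strip() != "AllowedIPs":
        return [], ["not an 'AllowedIPs = ...' line"]
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            problems.append("empty entry (trailing or doubled comma)")
            continue
        try:
            iface = ipaddress.ip_interface(item)
        except ValueError:
            problems.append(f"{item}: not a valid IP or CIDR prefix")
            continue
        net = iface.network
        if iface.ip != net.network_address:
            problems.append(f"{item}: host bits set, prefix covers {net}")
        if net.prefixlen == 0:
            problems.append(f"{net}: default route, tunnels all traffic")
        elif net.is_private or net.is_loopback or net.is_link_local:
            problems.append(f"{net}: non-public range, would pull local traffic into the tunnel")
        if net in networks:
            problems.append(f"{net}: duplicate entry")
        else:
            networks.append(net)
    return networks, problems

def render(networks):
    """Emit the single-line, comma-separated form the config expects."""
    return "AllowedIPs = " + ", ".join(str(n) for n in networks)

# The page's example value, and a constructed malformed one.
GOOD = "AllowedIPs = 104.21.32.0/24, 172.67.182.0/24, 162.159.135.0/24"
BAD = "AllowedIPs = 104.21.32.0/24, 192.168.1.0/24, 172.67.182.7/24, 0.0.0.0/0, 300.1.1.0/24,"

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        nets, probs = check_allowed_ips(sample)
        print(render(nets))
        for p in probs:
            print("  problem:", p)
```

Flagged networks are still returned, so the caller decides whether to drop them or stop before writing the config.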
