Exception for chrome

Hi! I’m using WireGuard on macOS and it’s working fine. Is it possible to exclude Chrome, or a specific range of IPs, from the tunnel?

Thank you!

In theory, yes.

You need policy routing. In Linux, this can be done by marking packets and using an additional routing table.

Any network traffic that matches a rule will be marked and a different routing table will be used for the traffic. (Allowing you to route over WireGuard, or other)

In macOS… I don’t know how to fully implement this.

You could split-tunnel, so that only IPs relevant to your VPN connection hit the VPN and everything else goes out over your normal internet.

Within the [Peer] section of the client config

AllowedIPs = 128.0.0.0/1, [behind firewall IP range], [VPN IP range]

such as:

AllowedIPs = 128.0.0.0/1, 192.168.1.0/16, [VPN IP range]

For the VPN IP, look at the IP in the [Interface] section of the config and then use N.N.N.0/16

Thank you! I’ve come across some posts suggesting that, but I was hoping there might be a setting within the tunnel configuration to achieve it. Thanks again!

Well… There ‘kind of’ is, but it’s in the form of scripts that can be placed and used within wg-quick, but I don’t think this can be applied nicely in macOS:
“PreUp, PostUp, PreDown, PostDown”

The other thing to look at ultimately is ‘how’ you enable and disable a tunnel. Simply using the wg command itself or the GUI might be limiting. If you can use wg-quick or some other ‘wrapper’ for WireGuard, then you can likely include some additional scripts or commands to execute when your tunnel is started/stopped.