Objective
Set up a VPN with split tunneling to allow specific traffic to pass through the encrypted VPN tunnel while other traffic bypasses the VPN and routes directly to the internet.
Scenario
An organization wants to optimize network performance by allowing internet-bound traffic to bypass the VPN while ensuring sensitive corporate data remains encrypted. In this exercise, you’ll configure a VPN server using OpenVPN or WireGuard and enable split tunneling to selectively route traffic.
⚠️ Important: This exercise must be performed in a legal and controlled lab environment. Unauthorized VPN configurations on production networks are illegal and unethical.
Lab Instructions
Step 1: Install and Configure the VPN Server
a. Install OpenVPN (Server-Side)
sudo apt update
sudo apt install openvpn easy-rsa -y
b. Set Up the VPN Server Configuration
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz
sudo nano /etc/openvpn/server.conf
- Find this line:
push "redirect-gateway def1 bypass-dhcp"
- Change to:
# push "redirect-gateway def1 bypass-dhcp"
- This disables full tunneling, enabling split tunneling.
c. Enable IP Forwarding
sudo sysctl -w net.ipv4.ip_forward=1
- Persist the change:
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
d. Start the OpenVPN Service
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
Step 2: Configure the VPN Client for Split Tunneling
a. Install OpenVPN on the Client
sudo apt install openvpn -y
b. Edit the Client Configuration
sudo nano /etc/openvpn/client.conf
- Configure routing to split traffic:
route 10.0.0.0 255.255.255.0
- This line routes only traffic destined for the 10.0.0.0/24 network through the VPN.
c. Connect to the VPN
sudo openvpn --config /etc/openvpn/client.conf
Step 3: Test Split Tunneling Configuration
a. Verify VPN Traffic
- Check traffic to the VPN network:
traceroute 10.0.0.1
- Expected Result: Traffic routes through the VPN.
b. Verify Non-VPN Traffic
- Check public traffic routing:
traceroute google.com
- Expected Result: Traffic bypasses the VPN and routes directly to the internet.
Step 4: Configure WireGuard for Split Tunneling (Alternative)
a. Install WireGuard (Server-Side)
sudo apt install wireguard -y
b. Configure WireGuard Server
sudo nano /etc/wireguard/wg0.conf
- Example configuration:
[Interface]
PrivateKey = <ServerPrivateKey>
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
PublicKey = <ClientPublicKey>
AllowedIPs = 10.0.0.2/32
c. Configure WireGuard Client
sudo nano /etc/wireguard/wg0.conf
- Example configuration:
[Interface]
PrivateKey = <ClientPrivateKey>
Address = 10.0.0.2/24
[Peer]
PublicKey = <ServerPublicKey>
Endpoint = <server-ip>:51820
AllowedIPs = 10.0.0.0/24
d. Start WireGuard
sudo systemctl start wg-quick@wg0
sudo systemctl enable wg-quick@wg0
Step 5: Discuss Security Implications of Split Tunneling
- Reduced Security: Non-VPN traffic is unencrypted and vulnerable to interception.
- Bypass of Security Controls: Internet-bound traffic can bypass corporate firewalls and monitoring.
- Potential Malware Exposure: Malware can exploit non-VPN traffic paths.
- Improved Performance: Reduces VPN server load and network congestion.
Solution & Explanation
How Split Tunneling Works
- Split tunneling routes specified traffic through the VPN while allowing other traffic to go directly to the internet.
Advantages
- Optimized Bandwidth: Reduces the VPN load by routing non-sensitive data outside the VPN.
- Faster Internet Access: Improves performance for internet-bound traffic.
Disadvantages
- Security Risks: Unsecured traffic can bypass security measures.
- Compliance Issues: May conflict with security policies that require all traffic to be monitored.
Types of Split Tunneling
- Domain-Based: Specific websites or services bypass the VPN.
- Application-Based: Only certain applications use the VPN.
- Network-Based: Specific IP ranges are routed through the VPN.
Testing & Verification
- Verify VPN Traffic: Confirm that traffic to internal networks routes through the VPN.
- Verify Internet Traffic: Confirm that public internet traffic bypasses the VPN.
- Check Logs: Monitor VPN logs for connection and routing information.
Verify Routing Table
ip route
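The traceroute checks in Step 3 and the ip route check above both rely on the same thing: the kernel picks the most specific matching route. The script below, added here as an example and not part of the lab, performs that longest-prefix match over an ip route listing so you can confirm the split tunnel from the routing table alone. The two tables are constructed samples; 10.8.0.0/24 is an assumed OpenVPN transit subnet and 142.250.1.1 an assumed public address.

```shell
#!/bin/sh
# Added example, not part of the lab: decide which interface a destination
# leaves through by doing the kernel's longest-prefix match over an `ip route`
# listing, so a split tunnel can be checked without sending traffic.
# Tables below are constructed; 10.8.0.0/24 (assumed OpenVPN transit subnet)
# and 142.250.1.1 (assumed public address) are not from the lab.

# Table of a correctly split-tunnelled client: only 10.0.0.0/24 via tun0.
SPLIT_ROUTES='default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.0.0.0/24 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

# Table after `redirect-gateway def1`: the two /1 routes are more specific
# than the default route and pull all traffic into the tunnel (full tunnel).
FULL_ROUTES='default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.0.0.0/24 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

# route_via DEST ROUTE_TABLE -> prints the egress interface, or "unreachable"
route_via() {
    printf '%s\n' "$2" | awk -v dest="$1" '
    function ip2int(s,  p) { split(s, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
    function pfxlen(s,  q, n) { if (s == "default") return 0; n = split(s, q, "/"); return (n == 2) ? q[2] + 0 : 32 }
    function netaddr(s,  q) { if (s == "default") return 0; split(s, q, "/"); return ip2int(q[1]) }
    BEGIN { best = -1; d = ip2int(dest) }
    {
        plen = pfxlen($1); net = netaddr($1)
        # Compare the top plen bits by dividing by 2^(32-plen) instead of
        # shifting, because POSIX awk has no bit operators.
        div = 2 ^ (32 - plen)
        if (int(d / div) == int(net / div) && plen > best) {
            best = plen
            for (i = 1; i <= NF; i++) if ($i == "dev") iface = $(i + 1)
        }
    }
    END { if (best >= 0) print iface; else print "unreachable" }'
}

# verify_split ROUTE_TABLE: succeeds only if the corporate range (10.0.0.0/24)
# leaves through a tunnel interface (tun*/wg*) and a public address does not.
verify_split() {
    vpn_if=$(route_via 10.0.0.1 "$1")
    pub_if=$(route_via 142.250.1.1 "$1")
    vpn_ok=no; pub_ok=no
    case $vpn_if in tun*|wg*) vpn_ok=yes ;; esac
    case $pub_if in tun*|wg*) ;; *) pub_ok=yes ;; esac
    if [ $vpn_ok = yes ] && [ $pub_ok = yes ]; then
        echo "split tunnel OK: 10.0.0.0/24 via $vpn_if, internet via $pub_if"
    else
        echo "split tunnel NOT in effect: 10.0.0.0/24 via $vpn_if, internet via $pub_if"
        return 1
    fi
}

verify_split "$SPLIT_ROUTES"
verify_split "$FULL_ROUTES" || true
# On a connected client, run it against the live table:
#   verify_split "$(ip route)"
```

The full-tunnel table is what the commented-out push "redirect-gateway def1" line in Step 1b would otherwise produce: two /1 routes rather than a replaced default route, which is why a split-tunnel check must do real prefix matching instead of looking for a default route via the tunnel.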
Security Best Practices
- Use DNS Filtering: Prevent DNS leaks by enforcing VPN DNS servers.
- Implement Traffic Monitoring: Monitor both VPN and non-VPN traffic.
- Enforce Endpoint Security: Apply endpoint protection on devices using split tunneling.
- Restrict Split Tunneling: Apply split tunneling only where necessary.
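Three points above have a configuration signature you can audit for: the client's AllowedIPs in the WireGuard setup of Step 4 is the routing policy (0.0.0.0/0 is a full tunnel, a narrow range is split), the redirect-gateway directive in Step 1b decides the same for OpenVPN, and the DNS-leak practice depends on a DNS setting being present at all. The script below is an added example, not part of the lab or of either project, that reports those properties from config text. All configs in it are constructed, and 10.0.0.53 is an assumed internal resolver.

```shell
#!/bin/sh
# Added example, not part of the lab: audit WireGuard and OpenVPN configs for
# tunnel mode (split vs. full) and for whether DNS is pinned to a VPN resolver.
# All configs below are constructed; 10.0.0.53 is an assumed internal resolver.

WG_SPLIT='[Interface]
PrivateKey = <ClientPrivateKey>
Address = 10.0.0.2/24
DNS = 10.0.0.53

[Peer]
PublicKey = <ServerPublicKey>
Endpoint = <server-ip>:51820
AllowedIPs = 10.0.0.0/24'

WG_FULL='[Interface]
PrivateKey = <ClientPrivateKey>
Address = 10.0.0.2/24

[Peer]
PublicKey = <ServerPublicKey>
Endpoint = <server-ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0'

OVPN_CLIENT='client
dev tun
remote <server-ip> 1194
route 10.0.0.0 255.255.255.0'

# Server side after the Step 1b edit: redirect-gateway commented out, the
# corporate route and a resolver pushed instead.
OVPN_SERVER='port 1194
proto udp
dev tun
# push "redirect-gateway def1 bypass-dhcp"
push "route 10.0.0.0 255.255.255.0"
push "dhcp-option DNS 10.0.0.53"'

# wg_audit CONFIG_TEXT -> "mode=split|full dns=pinned|unpinned"
wg_audit() {
    printf '%s\n' "$1" | awk -F'=' '
    /^[ \t]*#/ { next }                                   # comments
    /^[ \t]*AllowedIPs[ \t]*=/ { if ($2 ~ /0\.0\.0\.0\/0|::\/0/) full = 1 }
    /^[ \t]*DNS[ \t]*=/ { dns = 1 }
    END { printf "mode=%s dns=%s\n", (full ? "full" : "split"), (dns ? "pinned" : "unpinned") }'
}

# ovpn_audit CONFIG_TEXT -> "mode=split|full routes=N dns=pinned|unpinned"
# Handles both server.conf (push "...") and client.conf (local directives).
ovpn_audit() {
    printf '%s\n' "$1" | awk '
    /^[ \t]*[#;]/ { next }                                # OpenVPN comments
    $1 == "pull-filter" { next }                          # filter rules, not routes
    /redirect-gateway/ { full = 1 }
    /^[ \t]*route[ \t]/ || /push[ \t]+"route[ \t]/ { routes++ }
    /dhcp-option[ \t]+DNS/ { dns = 1 }
    END { printf "mode=%s routes=%d dns=%s\n", (full ? "full" : "split"), routes + 0, (dns ? "pinned" : "unpinned") }'
}

wg_audit "$WG_SPLIT"       # mode=split dns=pinned
wg_audit "$WG_FULL"        # mode=full dns=unpinned
ovpn_audit "$OVPN_CLIENT"  # mode=split routes=1 dns=unpinned
ovpn_audit "$OVPN_SERVER"  # mode=split routes=1 dns=pinned
# On a real host: wg_audit "$(cat /etc/wireguard/wg0.conf)"
```

Two caveats on reading the result. The check is textual: a WireGuard config that splits the address space into 0.0.0.0/1 and 128.0.0.0/1 is also a full tunnel but is reported as split, so treat "split" as "no catch-all route found", not as proof. And on Linux an OpenVPN dhcp-option DNS directive only changes the resolver when an up script or resolved integration applies it, so "dns=pinned" means the setting is present, which still needs the routing-table check from the previous section to confirm the resolver is reached through the tunnel.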
Additional Script (Optional)
Automate Split Tunneling Configuration (OpenVPN):
#!/bin/bash
# Configure OpenVPN split tunneling on a client
set -e
sudo apt update
sudo apt install openvpn -y
# Append the corporate route only if it is not already present, so re-running the script does not duplicate it
sudo grep -qxF 'route 10.0.0.0 255.255.255.0' /etc/openvpn/client.conf || echo 'route 10.0.0.0 255.255.255.0' | sudo tee -a /etc/openvpn/client.conf
# openvpn@client reads /etc/openvpn/client.conf
sudo systemctl restart openvpn@client
Run the script:
chmod +x split_tunnel_setup.sh
sudo ./split_tunnel_setup.sh
Conclusion
In this exercise, you configured a VPN with split tunneling using OpenVPN or WireGuard. You verified the traffic routing, explored the security implications, and discussed best practices for secure deployment. Split tunneling offers performance benefits but must be carefully managed to mitigate security risks.