How to set up inclusive split tunneling on WireGuard (Mullvad VPN)
Edit: You can now read an updated version of this guide with better formatting here - codeberg.org/rokosun/inclusive…
Some context
Mullvad VPN has decided to move to WireGuard only and removed support for OpenVPN on January 15th 2026. Like everyone who had been using OpenVPN to connect to their servers, I also had to move to WireGuard. However, I had been using their VPN with inclusive split tunneling, meaning only a few apps/services route their traffic through the VPN while the rest of my traffic is unaffected. I was able to do that thanks to a guide they wrote explaining how to do split tunneling with OpenVPN, but I couldn't find a similar guide for WireGuard, so I was left to figure it out myself. In this post I explain how I did it.
The new socks5 proxy
The way this split tunneling worked with OpenVPN is that you manually set up a socks5 proxy in the apps/services you want to route through the VPN, as explained in that guide. For OpenVPN this proxy used to be 10.8.0.1 on port 1080; for WireGuard you need to use 10.64.0.1 on the same port. WireGuard also gives you an additional multi-hop feature: instead of 10.64.0.1 you use a proxy address in the 10.124.x.x range (an IP address, not a port), where the exact address depends on which VPN server you want to route through; the port is still 1080. You can get a list of these socks5 proxies for the different servers from a project called Mullvad socks proxy list, which keeps the list updated by running a script every day using GitHub Actions. Alternatively you can use the socks5 proxy hostnames listed on Mullvad's servers page, which look like al-tia-wg-socks5-003.relays.mullvad.net.
Beware of DNS leaks
If you use these socks5 proxies there is a chance of DNS leaks: the proxy only carries the traffic an application sends to it, so any DNS lookups the application does by itself still go out over your normal connection. On browsers like Firefox there is an option called Proxy DNS when using SOCKS v5 which you can enable to avoid this, but other apps/services you use the proxy with may not offer such an option. So I recommend setting up a custom DNS for your entire system to reduce the problem a bit; pick a good one that you can trust, here is a list of recommended ones - privacyguides.org/en/dns/#reco…
You can check for DNS leaks by visiting this website - ipleak.net
Binding VPN to torrent client
You can of course set up your torrent client to use the socks5 proxy to route all of its traffic through the VPN, but in my experience connectivity is better if you bind the torrent client directly to the VPN interface instead of going through a proxy, as explained in this guide from the qBittorrent Wiki and also shown in this YouTube tutorial.
The solution
Method 1 (doesn't support binding VPN to torrent client)
In your WireGuard configuration you can see this line under the [Peer] section:
AllowedIPs = 0.0.0.0/0,::0/0
As you can see, by default this is set to 0.0.0.0/0, ::0/0, which covers all IPv4 and IPv6 addresses, meaning all of your traffic will be routed through the VPN. If we only want the socks5 proxy addresses to go through the VPN we can change it to this:
AllowedIPs = 10.64.0.1/32, 10.124.0.0/22
The /32 indicates a single IPv4 address (10.64.0.1) and the /22 indicates a subnet (10.124.0.0 through 10.124.3.255, which covers the multi-hop proxy addresses). With this, only traffic destined for these addresses is routed through the VPN.
Notice a change in the logs
So now when you bring WireGuard up with the wg-quick up command you will notice a change in its logs. This was the log from before I made the change:
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip6tables-restore -n
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
And this is the log after I changed the AllowedIPs option:
[#] ip link add dev wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add [REDACTED]/32 dev wg0
[#] ip -6 address add [REDACTED]/128 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] ip -4 route add 10.64.0.1/32 dev wg0
[#] ip -4 route add 10.124.0.0/22 dev wg0
Looking at these logs I realized that the ip route command is the one that configures which traffic gets routed through the VPN, and that wg-quick sets it up automatically according to the AllowedIPs option.
Limitations
Like the heading says, this method is not suitable if you want to bind your torrent client to the VPN interface: since we explicitly allowed only a specific subset of IP addresses through the tunnel, WireGuard drops any other traffic sent over it. I still wanted to explain this method because it is good enough for anyone who only cares about the socks5 proxy, and it is also the simplest solution.
Method 2 (works for both use cases)
Some context
So in order to achieve this we need to do three things:
1. Allow all traffic to be accepted through the VPN, which means keeping this line as is:
AllowedIPs = 0.0.0.0/0,::0/0
2. Stop WireGuard from automatically routing all traffic through the VPN despite the AllowedIPs option.
3. Route only the traffic to Mullvad's socks5 proxy addresses (10.64.0.1/32 and 10.124.0.0/22) through the VPN.
My breakthrough came when I read this blog post explaining how to disable routing for WireGuard. Another useful thing I learned is that you can use the PostUp and PreDown options to run a command when wg-quick brings the interface up and takes it down, respectively. Mullvad actually uses this for setting up their kill switch and has instructions for when you want to add an exception for your local network. You can also see these options documented here.
The solution
So based on these findings this is the solution I came up with; just add these lines under the [Interface] section of your WireGuard configs:
Table = off
PostUp = ip -4 route add 10.64.0.1/32 dev wg0; ip -4 route add 10.124.0.0/22 dev wg0
PreDown = ip -4 route delete 10.64.0.1/32 dev wg0; ip -4 route delete 10.124.0.0/22 dev wg0
You can put them right under the DNS option. Note that these commands name the interface wg0, so they assume your config file is called wg0.conf (wg-quick names the interface after the file); if your file has a different name, change wg0 accordingly, or write %i instead, which wg-quick expands to the interface name. On Linux you can run this command to add these lines to all the .conf files you have in a folder:
sed -i '/^DNS = / a Table = off\nPostUp = ip -4 route add 10.64.0.1/32 dev wg0; ip -4 route add 10.124.0.0/22 dev wg0\nPreDown = ip -4 route delete 10.64.0.1/32 dev wg0; ip -4 route delete 10.124.0.0/22 dev wg0' *.conf
Explanation
The Table = off option disables wg-quick's automatic routing. We then use the ip route commands to manually add routes for our socks5 proxy addresses when the interface comes up, and delete them again when it goes down. You might notice that the ip route commands I use are exactly the ones we saw in the logs above, and yes, that made it easy for me to figure this out. If you're curious, this is how the log looks after I switched to this new method:
[#] ip link add dev wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add [REDACTED]/32 dev wg0
[#] ip -6 address add [REDACTED]/128 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] ip -4 route add 10.64.0.1/32 dev wg0; ip -4 route add 10.124.0.0/22 dev wg0
Not much different from the logs of method 1, just the last two lines are combined into one.
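As an added example, not part of the original post and not Mullvad's code: a small POSIX shell script that applies either method to a Mullvad config read on stdin, so the AllowedIPs change from method 1 and the Table = off plus PostUp/PreDown change from method 2 can be compared side by side. The function name split_tunnel_conf and the PROXY_ROUTES variable are my own; the sample config at the bottom is constructed, with placeholder keys and an RFC 5737 endpoint. It writes %i instead of a hard-coded wg0 so the result works whatever the .conf file is called, and running it a second time on an already converted file changes nothing.

```shell
#!/bin/sh
# Added example (not the post's own script): rewrite a Mullvad WireGuard .conf
# for inclusive split tunneling. Reads the config on stdin, writes it on stdout.
#   split_tunnel_conf allowedips   Method 1: restrict AllowedIPs in [Peer] to the
#                                  SOCKS5 proxy ranges (no torrent binding)
#   split_tunnel_conf table        Method 2: keep AllowedIPs, set Table = off and
#                                  add/delete the proxy routes in PostUp/PreDown
# %i is expanded by wg-quick to the interface name, so this is not tied to wg0.
# Converting an already converted config is a no-op.

# Mullvad's SOCKS5 proxy addresses from the post: single proxy and multi-hop range.
PROXY_ROUTES="10.64.0.1/32 10.124.0.0/22"

split_tunnel_conf() {
    mode=$1
    awk -v mode="$mode" -v routes="$PROXY_ROUTES" '
    function emit_table() {
        print "Table = off"
        print "PostUp = " add
        print "PreDown = " del
        emitted = 1
    }
    BEGIN {
        n = split(routes, r, " ")
        for (i = 1; i <= n; i++) {
            sep = (i > 1) ? "; " : ""
            add = add sep "ip -4 route add " r[i] " dev %i"
            del = del sep "ip -4 route delete " r[i] " dev %i"
            allowed = allowed ((i > 1) ? ", " : "") r[i]
        }
    }
    # Method 2: place our lines at the end of [Interface], i.e. just before the
    # blank line or the next section header that follows it.
    section == "Interface" && mode == "table" && !emitted && (/^\[/ || /^[ \t]*$/) { emit_table() }
    # Track which section we are in ("[Interface]" -> "Interface").
    /^\[/ { section = substr($0, 2, length($0) - 2) }
    # Method 2: drop an earlier Table line and our own PostUp/PreDown lines so
    # they are emitted exactly once (idempotent). Other PostUp lines are kept.
    section == "Interface" && mode == "table" && /^Table[ \t]*=/ { next }
    section == "Interface" && mode == "table" && ($0 == ("PostUp = " add) || $0 == ("PreDown = " del)) { next }
    # Method 1: replace the catch-all AllowedIPs with the proxy ranges only.
    section == "Peer" && mode == "allowedips" && /^AllowedIPs[ \t]*=/ { print "AllowedIPs = " allowed; next }
    { print }
    # Config with no [Peer] section at all: still finish the [Interface] block.
    END { if (section == "Interface" && mode == "table" && !emitted) emit_table() }
    '
}

# Constructed sample config (placeholder keys, RFC 5737 endpoint), not a real
# Mullvad config; used for trying the two modes offline.
SAMPLE_CONF=$(printf '%s\n' \
    '[Interface]' \
    'PrivateKey = REDACTED' \
    'Address = 10.67.1.2/32,fc00:bbbb:bbbb:bb01::4:102/128' \
    'DNS = 10.64.0.1' \
    '' \
    '[Peer]' \
    'PublicKey = REDACTED' \
    'AllowedIPs = 0.0.0.0/0,::0/0' \
    'Endpoint = 203.0.113.10:51820')

# Usage on a real config:
#   split_tunnel_conf table < mullvad-se.conf > mullvad-se-split.conf
#   printf '%s\n' "$SAMPLE_CONF" | split_tunnel_conf allowedips
```

After bringing the converted config up with wg-quick, you can confirm the routing with ip -4 route get 10.64.0.1 (it should show dev wg0, or whatever your interface is called) and ip -4 route get 9.9.9.9 (it should show your normal uplink, not the tunnel).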