When using WireGuard to connect to a remote VPN server, such as Cloudflare WARP, for secure VPN tunnel, the default WireGuard tunnel configuration profile changes the private and local IP addresses routing for both IPv4 and IPv6 addresses.

Essentially, all traffic, including those to local network and private network, is routed through WireGuard. However, WireGuard is blocking all untunneled traffic. It’s a kill switch designed to ensure that no traffic and real IP address accidentally leak to outside world. Thus, by default WireGuard attempts to restrict all traffic to the tunnel and all attempts to get outgoing traffic that bypasses the tunnel, i.e. traffic within the local network, fail.

The issue of broken local network routing appears to only happen in WireGuard for Windows, where all traffic is force to go through WireGuard first prior to routing. To resolve the issue that local network routing is prohibited by WireGuard involved adding static route. However, there is easier solution built into WireGuard’s Windows client.

To allow traffic within local network to bypass WireGuard so that the route does not get killed, follow these steps:

  1. Open the WireGaurd Windows client.
  2. In the left pane, select the tunnel that you want local network routing to work, if you have more than one tunnel.
  3. Hit the Edit button.
  4. Uncheck Block untunneled traffic (kill-switch) option.

    Unblock Untunneled Traffic Kill Switch

  5. Hit Save button.
  6. Deactivate and re-activate the tunnel, if the app not yet already done so.

The deselecting of “block untunneled traffic (kill-switch)” option changes the following line:

AllowedIPs = 0.0.0.0/0, ::/0

To:

AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1

The allowed IPs value tells WireGuard tunnel from which incoming traffic for this peer is allowed and to which outgoing traffic for this peer is directed. By using a more specific route which is always preferred over a more general route, it may be triggering some specific actions or controls from within WireGuard on Windows machine that allows local network traffic to be routed properly, instead of blocking them.

You May Also Interested In: