Split-tunneling - Allowing non-VPN traffic for only some traffic?

I know you can set split-tunneling using the IPSec VPN client; if one wanted to get granular and ONLY allow some traffic to flow direct from the end-user to the internet, what's the best/most consisitent way to do that? For example, allowing only O365, Zoom, bandwidth-intensive traffic, to go direct but keep the rest of the internal & regular internet traffic coming through the VPN?



  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi Jeff,
    You'd need to know the IPs for the services you want to go thru the tunnel and add them as allowed resources (you can add external IPs if you wish.)

    Trying to zero-route everything but O365 and zoom would be a very long list, likely too long for any of the VPN clients to apply.

    -James Carson
    WatchGuard Customer Support

  • Hi James,

    I guess that makes sense as with split-tunnel, you are only permitting explicit traffic through the VPN rather than the other way around.

    Is there a way to do something like the Palo Alto setup?


    where specific domains are excluded from routing through the VPN?

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @JeffT

    Since the IPSec VPN requires a list of IPs, there's no way to do this now.

    Since there's no way to update that route list to the client in real time (it happens when you initially connect to the VPN) there's no way to update the IPs for whatever service you're using as it updates. Since most of the services you mentioned will change IPs depending on load balancing and geolocation, it wouldn't work with the current set-up.

    My assumption is that the Palo Alto client is building a full (zero-route) tunnel, and modifying the route table on the local machine on the fly. None of the current clients that you can use with the WG IPSec VPN will do that.

    I created two feature requests for this, one for each of the VPNs this could potentially be done with:
    FBX-20890 - IPSec VPN
    FBX-20891 - SSLVPN

    If you'd like to track either of those requests, please create a support case and mention the FBX number somewhere in your case description. The tech that is assigned your case can set that up for you.

    A quick note:
    Over the last few years there's been a push from the OS manufacturers to favor built-in VPN clients. Apple specifically is moving towards this with the disallowing of TAP type adapters soon in Big Sur. While I can't officially speak for any of the OS makers, I don't think there is going to be a point where any of them would include an advanced feature like this in a built-in VPN. Even with the Palo Alto solution, you'll be locking yourself out of being able to use any OSes that end up requiring their VPN clients be used (should that come to fully pass.)

    -James Carson
    WatchGuard Customer Support

  • Is there any chance that Watchguard is working on something? Teams is crushing our SSLVPN and Outlook won't authenticate if connected to VPN and then starting Outlook. I don't want to turn off all traffic routing through the VPN unless I absolutely have to.

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @RobL
    You can define specific routes and exclude the ones teams goes to -- however, you'll need to know the IP subnets (not FQDNs) for this.

    -James Carson
    WatchGuard Customer Support

Sign In to comment.