TunnlTo is a lightweight, fast, Windows WireGuard VPN client built for split tunneling.
The gif demonstrates TunnlTo routing Edge Browser through a WireGuard VPN tunnel without affecting Chrome Browser. Edge's IP changes, Chrome's does not.
TunnlTo is a tool for controlling which Windows applications, processes, and IP addresses can use a WireGuard VPN tunnel.
- Route only FireFox through a privacy VPN
- Route Slack and Microsoft Office through a work VPN
- Route a game through a gaming VPN
- Stop a game from routing through a privacy VPN
- Stop a browser from routing through a work VPN
- Route a specific IP address range through a privacy VPN
- Route all traffic through a privacy VPN except a specific IP address range
- Route all applications within a folder through a VPN
- Route all traffic through a VPN except applications within a folder
TunnlTo is built in collaboration with the creator of WireSock. TunnlTo 'wraps' the WireSock CLI application to provide a simple user interface for enhanced accessibility. WireSock is currently closed source and an open source version is being considered.
WireSock VPN Client is a lightweight command line WireGuard VPN client for Windows that has advanced features not available in the official WireGuard for Windows such as selective application tunneling and disallowed IP addresses.
WireSock VPN Client combines the power of Windows Packet Filter and BoringTun (user space WireGuard implementation in Rust) to provide exceptional performance, security and scalability.
| Download | Upload | |
|---|---|---|
| WireGuard Official | 719 Mbps | 892 Mbps |
| TunnlTo | 892 Mbps | 879 Mbps |
| TunSafe | 284 Mbps | 435 Mbps |
- A basic understanding of WireGuard
- Access to a WireGuard server
- Windows 10/11
Please follow the project on Twitter to be notified of new releases and updates.
Visit the releases page to download the installer for the latest version.
These are requests made by the community. Please review them before making a new issue or discussion.
- Dark Mode
- Kill Switch
- Nested Tunnels (or Multi-Hop)
- Simultaneous Tunnels
- UWP App Support
- Trigger System - WiFi on/off, location, 4g/5g status, Bluetooth status, endpoint status
- System tray controls. Icon colour to reflect status. Tooltip for status/IP. Right click for menu.
- Statistics / Status data in UI
- Persistent KeepAlive parameter in config
- Bulk VPN config import
Please use issues for any problems you may encounter and discussions for any suggestions, ideas or feature requests you may have.
The description of your WireGuard tunnel.
Work VPN
The local interface IP address.
10.0.0.1
The local interface port.
- If nothing is set, the port will be automatically assigned.
54236
The private key for the local interface.
The DNS server to use for the tunnel.
- If left blank, the systems default DNS server will be used.
- Use a comma to separate multiple DNS servers.
1.1.1.1, 8.8.8.8
The MTU for the tunnel.
1420
The address of the Wireguard endpoint.
The port of the Wireguard endpoint.
The Public key for the tunnel.
The Preshared key for the tunnel.
The persistent keep-alive setting for the tunnel.
The list of applications that can use the tunnel.
- If left blank, all applications will be allowed.
- Use a comma to separate multiple applications.
- If this parameter is used, the Allowed IP's parameter must also be set.
- Use the full path to the executable
- List the process name without the .exe extension
- List the process name with the .exe extension
C:\Program Files (x86)\Google\Chrome\Application\chrome.exechrome, msoffice, firefox
The list of applications that can use the tunnel.
- Use a comma to separate multiple folders.
- If this parameter is used, the Allowed IP's parameter must also be set.
- List a folder path (which should include at least one slash or backslash), and all executables within that folder and its subfolders will be included.
C:\Program Files (x86)\D:\Work Apps\, C:\Program Files\Slack\
The list of IP addresses and IP ranges that can use the tunnel.
- Use a comma to separate multiple IP addresses and IP ranges.
- If the Allowed Apps parameter is set, this will forward all the listed IP addresses and IP ranges used by the Allowed Apps through the tunnel.
0.0.0.0/0192.168.1.0/24
Apps that cannot use the tunnel.
- Allowed Apps takes precedence, and if both are specified, then Allowed Apps is matched first.
- Use a comma to separate multiple applications.
- Use the full path to the executable
- List the process name without the .exe extension
- List the process name with the .exe extension
C:\Program Files (x86)\Google\Chrome\Application\chrome.exechrome, msoffice,firefox.exe
The folders containing apps that cannot use the tunnel.
- Allowed Folders takes precedence, and if both are specified, then Allowed Apps is matched first.
- Use a comma to separate multiple folders.
- List a folder path (which should include at least one slash or backslash), and all executables within that folder and its subfolders will be excluded.
C:\Program Files (x86)\D:\Work Apps\, C:\Program Files\Slack\
The IP addresses and IP ranges that cannot use the tunnel.
- Use a comma to separate multiple IP addresses and IP ranges.
- If the Allowed Apps parameter is set, this will block all the listed IP addresses and IP ranges used by the Allowed Apps from using the tunnel.
1.1.1.1, 192.168.1.0/24
These examples show the use of optional parameters. The required parameters such as private key, public key etc. are not shown. If you would like an example added, please open a discussion.
You utilise a privacy VPN to protect your privacy when browsing the internet. You want to use the privacy VPN when browsing the internet with FireFox and when torrenting, but you do not want to use the privacy VPN for any other applications.
In this example, FireFox and qBittorrent are routed through the tunnel while all other applications are routed through the default network adapter. DNS requests from FireFox and qBittorrent will route through the tunnel and use the DNS servers specified.
- DNS:
1.1.1.1, 8.8.8.8 - Allowed Apps:
firefox, qBittorrent - Allowed IP's:
0.0.0.0/0
You utilise a company VPN to access your employers servers. You want the Chrome browser traffic to route through your default network adapter so it will:
- Not be tracked by your employer
- Not overload the company VPN bandwidth when watching videos, downloading files etc.
In this example, all traffic is routed through the tunnel except Chrome.
- DNS:
1.1.1.1, 8.8.8.8 - Disallowed Apps:
chrome - Allowed IP's:
0.0.0.0/0
You utilise a company VPN to access your employers servers. You want all of your work applications that are installed in a specific folder to route through your company VPN so that they:
- Work correctly with your companies servers
- Follows your company policies
In this example, all apps in the C:\Work Apps\ folder are routed through the tunnel. The company DNS server is used for DNS requests.
- DNS:
10.64.0.1 - Allowed Apps:
D:\Work Apps\ - Allowed IP's:
0.0.0.0/0
You want to access a company intranet when using the Edge browser, otherwise it should use your normal network adapter.
In this example, an IP address range is routed through the tunnel when the the IP range is accessed by the Edge browser. Otherwise, all Edge browser traffic is routed through the default network adapter. Note that in this example the DNS parameter is not set, so the default DNS server will be used by Edge. If the DNS parameter was set to the company DNS server, all Edge DNS requests would route through the tunnel to the company DNS server.
- Allowed Apps:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe - Allowed IP's:
10.0.0.0/64
You want to access company servers through a company VPN server, however all other traffic should use your default network adapter.
In this example, an IP address and IP range are routed through the tunnel for all applications. All other traffic is routed through the default network adapter.
- Allowed IP's:
200.200.200.200, 10.10.10.0/24
You want to use a privacy VPN service for all network traffic except some specific IP addresses and IP address ranges.
In this example, an IP address and IP range are routed through the default network adapter and NOT the tunnel. All other traffic is routed through the tunnel.
- Allowed IP's:
0.0.0.0/0 - Disallowed IP's:
200.200.200.200, 10.10.10.0/24
You utilise an overseas VPN server for faster ping times to an overseas region in Counter Strike. You also still play on local servers and do not want to have to enable/disable the VPN depending on what servers you're playing on.
Counter Strike traffic is routed through the tunnel except for when a specific IP address range is accessed by the game. In this case the IP range are local servers.
- Allowed Apps:
csgo - Allowed IP's:
0.0.0.0/0 - Disallowed IP's:
12.34.45.0/24
- WireSock
- WireGuard
- Tauri
- Rust, TypeScript, React, TailwindCSS
Copyright (c) 2023 TunnlTo. TunnlTo is not currently licensed.
- WireSock and its creator Vadim Smirnov
- WireGuard
- Tauri