Kali Linux Split Tunneling — 7 Easy Steps with WireGuard & nftables ⚡🚀
When I first tried to get Kali Linux split tunneling working, I assumed it would be a quick job: install ProtonVPN, click a checkbox, and done. Reality check — Proton’s Linux client doesn’t even support Kali. No GUI, no official workaround, nothing.
I wanted fine-grained control: my pentest scans routed securely through Proton, while my local printer and Spotify stream stayed outside the tunnel. That’s the essence of selective VPN routing — deciding what goes in and what stays out.
So I built it myself. What follows is the step-by-step setup I actually use. It’s tested in cafés, airports, and my own lab. By the end, you’ll have a working baseline with WireGuard, nftables, and policy routing, forming the backbone of a secure pentesting workflow.
Key Takeaways 🧭
- Selective routing isn’t native on Kali — you configure it manually.
- WireGuard lets you send only chosen apps/subnets through the tunnel.
- nftables provides firewall-level enforcement of routing rules.
- ProtonVPN configs still work safely with manual setup.
- Policy routing enables flexible traffic flows.
- Works for both pentesting and freelancer scenarios.
- Namespaces allow per-application VPN isolation.
- Becomes part of a resilient ethical hacking VPN workflow.
Step 1 — Install essentials 🔧
sudo apt update
sudo apt install -y wireguard nftables iproute2
This installs WireGuard, nftables, and iproute2 — the trio behind Kali Linux split tunneling.

Step 2 — Base WireGuard config 📝
Your Proton dashboard gives you WireGuard configs. Place them in /etc/wireguard/ with permissions 600. This is the same baseline as in my automation guide — only now we’ll extend it for Kali Linux split tunneling.
Quick sanity check before you build anything fancy: bring the tunnel up, confirm you get a VPN IP, then bring it down again. If the baseline doesn’t work, split tunneling will only hide the problem.
sudo wg-quick up wg0
curl ifconfig.io
sudo wg-quick down wg0
Step 3 — Add a routing table 📡
Create a new routing table in /etc/iproute2/rt_tables:
200 vpn
Then add rules:
sudo ip rule add from 192.168.1.0/24 table vpn
sudo ip route add default dev wg0 table vpn
This enforces Kali Linux selective VPN routing, sending only chosen subnets via the tunnel.
Small reality check: routing rules are not “security” by themselves. They’re just directions. Enforcement happens when your firewall rules make the wrong path impossible.
Step 4 — nftables rules 🔒
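A minimal nftables config for split tunneling on Kali:
table inet vpn {
    chain prerouting {
        # Packets arriving from the chosen host get mark 1 before the route lookup
        # (forwarded traffic; locally generated packets never pass prerouting)
        type filter hook prerouting priority 0;
        ip saddr 192.168.1.100 meta mark set 1
    }
    chain postrouting {
        # nftables cannot choose the exit interface (the Step 3 routing rules do that),
        # so enforce the result instead: marked packets may only leave through wg0
        type filter hook postrouting priority 0;
        meta mark 1 oifname != "wg0" drop
    }
}
This marks the chosen traffic and, with the routing rules from Step 3 steering it, keeps it on wg0 while leaving other traffic outside. That’s the beginning of fail-closed VPN automation: the traffic that must be tunneled gets a mark, and anything with that mark is dropped if it tries to exit anywhere else.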
Step 5 — Testing 🧪
Run curl ifconfig.io with VPN-marked traffic → it should show a Proton IP.
Run the same command unmarked → it should show your ISP/public network IP.
This duality is the heart of Kali Linux split tunneling. If both tests show the same IP, your marking/routing logic is not doing what you think it’s doing.
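A check that complements the two curl tests without needing a working uplink, as an added example (not part of the original guide): it reads the output of ip rule show and ip route show table vpn and flags the case where a dropped wg0 lets selected traffic fall back to the normal route. The function name and the sample output are constructed; table vpn (200) and wg0 come from the steps above, and 51820 is wg-quick's default table number.

```shell
#!/bin/sh
# Added example. Table "vpn" (id 200) and wg0 come from the steps above;
# the function name and the sample output below are constructed.

# audit_split_tunnel RULES ROUTES
#   RULES  = output of `ip rule show`
#   ROUTES = output of `ip route show table vpn`
# Prints findings; returns 0 only when selected traffic cannot fall back to main.
audit_split_tunnel() {
    rules=$1; routes=$2; rc=0
    if ! printf '%s\n' "$rules" | grep -Eq 'lookup (vpn|200)( |$)'; then
        echo "FAIL: no policy rule sends traffic to table vpn"; rc=1
    fi
    if ! printf '%s\n' "$routes" | grep -Eq '^default .*dev wg0( |$)'; then
        echo "FAIL: table vpn has no default route via wg0"; rc=1
    fi
    # When wg0 goes down the kernel deletes its routes. An empty table vpn
    # makes the lookup continue into main, i.e. out the normal uplink.
    # A higher-metric blackhole/unreachable default keeps the table non-empty.
    if ! printf '%s\n' "$routes" | grep -Eq '^(blackhole|unreachable|prohibit) default'; then
        echo "LEAK: table vpn has no fallback route; traffic falls through to main if wg0 drops"; rc=1
    fi
    # wg-quick's own catch-all rule (default table number 51820) means the
    # whole host is tunneled, so nothing is actually split.
    if printf '%s\n' "$rules" | grep -Eq 'lookup 51820( |$)'; then
        echo "WARN: wg-quick full-tunnel rule present; set Table = off in wg0.conf"
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: selected traffic is pinned to wg0"; fi
    return "$rc"
}

# Constructed sample output (not captured from a real host).
SAMPLE_RULES='0: from all lookup local
32765: from 192.168.1.0/24 lookup vpn
32766: from all lookup main
32767: from all lookup default'
ROUTES_LEAKY='default dev wg0 scope link'
ROUTES_CLOSED='default dev wg0 scope link
blackhole default metric 1000'

audit_split_tunnel "$SAMPLE_RULES" "$ROUTES_LEAKY"  || true
audit_split_tunnel "$SAMPLE_RULES" "$ROUTES_CLOSED" || true
# Live: audit_split_tunnel "$(ip rule show)" "$(ip route show table vpn)"
```

The fallback it looks for is a route such as sudo ip route add blackhole default metric 1000 table vpn, which only takes effect once the wg0 route has disappeared.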
Step 6 — Namespaces 🗂️
For per-app routing, I use Linux namespace split tunneling. It’s the cleanest way to keep one tool or browser inside a controlled network bubble without forcing your entire OS into one mode.
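sudo ip netns add vpnspace
sudo ip link set wg0 netns vpnspace   # the move brings wg0 down and drops its address
sudo ip -n vpnspace addr add <Address-from-wg0.conf> dev wg0   # placeholder: the Address line of your config
sudo ip -n vpnspace link set wg0 up
sudo ip -n vpnspace route add default dev wg0
sudo ip netns exec vpnspace curl ifconfig.io
This isolates apps, great for ethical hacking VPN workflow tests. If you ever ran a scan from the wrong terminal tab, namespaces feel like adult supervision for your own fingers.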
Step 7 — Daily workflow 🧑‍💻
At a café, I run my pentest scans inside the namespace (tunneled), while my Spotify stream goes direct (local). That’s the power of VPN automation Kali Linux extension: you stop thinking about routes every five minutes and start thinking about your actual work.

Real use cases 🌍
- Café Wi-Fi: scans safe in VPN, Zoom call direct.
- Airport travel: bypass geo-blocks while email stays secure.
- Lab setups: run Metasploit through Proton, leave printer outside.
- Freelancer workflow: client data in VPN, entertainment out.
All possible with Kali Linux split tunneling. The trick is staying honest about what must be tunneled and what can stay local without creating risk.
Quotes from the web 📖
“Split tunneling gives you the flexibility to route only what matters through the VPN, while keeping other traffic local.”
“Linux namespaces let you design per-application VPNs, ensuring strong isolation.”
“Policy routing with ip rule is the foundation of custom split tunneling.”
Those three sources explain the same truth from different angles: you’re not enabling a feature, you’re building a routing policy and enforcing it.
My learning curve (personal story) 🧑‍💻
When I first tried to build a tunneling setup, I underestimated how tricky routing tables could be. One evening in a crowded café, I attempted to test new rules while juggling poor Wi-Fi and constant distractions. I mistyped a single line, and for half an hour my traffic flowed wide open. That failure embarrassed me, but it taught me something crucial: never trust assumptions, always verify. Over time, every mistake became part of a personal checklist that now feels second nature.
Community insights 💬
One of the best parts of working on security tooling is the community that surrounds it. Forums, threads, and blogs are full of fellow hackers, sysadmins, and curious tinkerers experimenting with different approaches. Some combine namespaces with containers, others explore creative nftables chains, and a few even build dashboards on top of their scripts. Reading their stories is a reminder that there’s no single “right way” — just patterns we refine together.
Stories from the field ✈️
While traveling, I once depended on a VPN tunnel for critical work. A sudden disconnect cut off not only my secure traffic but also my access to online tools I needed. With split tunneling ready, I could keep general browsing alive while protecting work logins. On another day, I learned that some public networks force re-authentication through captive portals. Running a browser outside the tunnel solved that instantly without breaking secure tasks.
User Experience & Workflow Reflection 🎧
Using advanced networking setups every day taught me that comfort and security can coexist. There are mornings when I want to stream music while running a scan in the background. Without split tunneling, I would have to stop one task to start the other. Now the separation happens automatically: heavy traffic flows in one direction, casual traffic in another. It is not always smooth. One typo or one forgotten sudo can break the flow. But those bumps are also reminders that control comes with responsibility.

Ethical Hacking & Privacy Culture 🔐
Working on setups like this changed how I think about privacy culture. Many people see VPNs as one-click solutions. Showing them that you can choose what goes in or stays out surprises them. It proves privacy is not a binary choice but a series of decisions. Ethical hacking encourages that mindset: don’t accept defaults, test behaviors, and build systems that survive mistakes.
Kali Linux split tunneling gave me the control Proton’s app never did. With wireguard split tunneling linux, nftables split tunneling kali, and linux vpn routing, I decide exactly what flows where. For me as an ethical hacker, that control is more than convenience — it’s operational calm.
Automation, precision, and resilience — that’s what this guide delivers. Whether you’re in a café, a hotel, or your lab, you now have the building blocks for a reliable ethical hacking vpn workflow.
Troubleshooting in practice 🧯
When Kali Linux split tunneling first failed for me, it was because I forgot a rule in my nftables split tunneling kali table. The fix was simple: mark the traffic again and verify the route.
I also once ran a scan outside my namespace and panicked — proof of why linux namespace split tunneling matters. Now I always double-check with ip netns exec when a tool must be tunneled.
Another day, I had DNS leaks until I enforced linux vpn routing more strictly. Lesson learned: always test both IP and DNS behavior after changes.
Closing thoughts 🧠
I tested this setup in cafés, hotels, and airports. I broke it, fixed it, refined it. Now it’s muscle memory. The secure workflow turned my Kali VM from an experiment into something I actually trust.
By now, you’ve seen the full journey: setup, kill switch, automation, and split tunneling. Together they form a complete, battle-tested VPN workflow on Kali Linux. It’s not theory and it’s not copied blindly from a forum. It’s lived experience, refined until it’s usable in real life.
👉 With split tunneling, you gain precise control over your traffic flow.
Stay safe, stay invisible 👻 — and keep experimenting with Kali Linux split tunneling.

Frequently Asked Questions ❓
❓ What is Kali Linux split tunneling?
It’s routing only selected traffic through a VPN while keeping the rest local.
❓ Does WireGuard split tunneling Linux need special software?
No. You mainly need WireGuard, iproute2, and nftables.
❓ Is there an official ProtonVPN Kali split tunneling workaround?
No. Proton supports split tunneling in some desktop Linux apps, but on Kali you build the routing and enforcement yourself.
❓ How safe is nftables split tunneling Kali?
It’s as safe as your rule design. nftables gives firewall-level control, which is exactly what you want when routing mistakes can leak traffic.
❓ Can I use Linux namespace split tunneling daily?
Yes. Namespaces are perfect when you want one tool or browser inside the tunnel without forcing your whole system into VPN mode.
❓ How does this fit in an ethical hacking VPN workflow?
It lets you tunnel pentest tools while keeping lab access and local devices outside the tunnel, which reduces friction without sacrificing control.
❓ Is VPN automation Kali Linux extension complex?
Not really. The logic is simple, but you should test it carefully. Most complexity comes from debugging your own assumptions.
❓ What’s the risk of Linux VPN routing mistakes?
Leaked traffic. One wrong rule can push packets outside the tunnel. Always test with curl and DNS tools after changes.
❓ Does fail-closed VPN automation apply here?
Yes. You can design rules so marked traffic is blocked if the tunnel isn’t available, which prevents silent fallback to the public route.
❓ Why should freelancers care about Kali Linux split tunneling?
Because it separates client traffic (tunneled) from personal browsing (local), which is practical on public networks and reduces accidental exposure.


I just tried this on my Kali box and it worked perfectly. Honestly, I always thought split tunneling was only a Windows thing. Your nftables example saved me hours of frustration — thanks a lot!
Glad to hear it worked for you! 🙌 A lot of people assume split tunneling on Linux is black magic, but with a little policy routing and nftables it becomes pretty straightforward. Keep experimenting — every setup has its quirks. And if you want to go a step further, check out my VPN killswitch guide. That way you’ll have a true fail-closed setup with zero leaks. 😉