WireGuard VPN configuration optimization: domestic websites direct, foreign traffic through the VPN (tested and working)

Self-Hosted VPN


I recently built my own WireGuard VPN so that I could reach overseas websites, but ran into a headache: domestic websites became very slow, pages stalled while loading, and occasionally timed out. The cause turned out to be that, by default, all traffic (domestic websites included) was routed through the WireGuard tunnel; a round trip through an overseas VPS naturally slows domestic sites down.
The requirement is clear: domestic websites and LAN devices should connect directly without the VPN, and only overseas destinations should go through the WireGuard tunnel, so that overseas access stays smooth while domestic pages keep their normal loading speed. Based on my own configuration and testing, this post lays out a complete solution for the official WireGuard clients on Windows and mobile that beginners can copy as-is.
Note: see also Wireguard domestic direct connection + foreign tunnel configuration; that post gives a more thorough solution.

1. The root of the problem: the default full tunnel sends domestic traffic on a detour
Here is my original WireGuard configuration (used on both computer and phone); it is the default that most people end up with after building their own VPN:

[Interface]
PrivateKey = MNcoOjHNvao4gH1+xDV5IO6...
Address = 10.66.66.2/32, fd42:42:42::2/128
DNS = 1.1.1.1, 1.0.0.1

[Peer]
PublicKey = XZ2LNJxO7RqjGKHyubFw...
PresharedKey = Fz04FNeapuPYQ+QAH+yNQHIT...
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 139.180.154.26:57586

Two things are wrong with it:

  1. Poor DNS choice: 1.1.1.1 and 1.0.0.1 are overseas resolvers. With the tunnel carrying everything, every lookup for a domestic site travels through the VPS and back, so resolution is slow and sometimes fails; the answer may also point at a CDN node near the VPS rather than near you.
  2. AllowedIPs is a full tunnel: 0.0.0.0/0, ::/0 means all IPv4 and IPv6 traffic enters the VPN, so traffic for domestic websites and LAN devices is forced through the tunnel as well, which is what makes them slow.

2. The optimization idea: split by destination, domestic direct, foreign through the VPN
The core logic is simple and needs no scripts: change two settings so that WireGuard itself decides which traffic enters the tunnel. In the official clients AllowedIPs is both the crypto-routing table and the routing table that gets installed, so whatever is listed there goes into the tunnel and everything else uses the normal network path:

  • Change DNS to a domestic public resolver, so domestic names resolve quickly;
  • Narrow AllowedIPs so that only the address ranges you want tunnelled are listed; domestic and LAN addresses outside the list are reached directly.
    WireGuard has no "exclude" syntax, so the approach is the reverse one: list what goes into the tunnel and let everything else fall through. A full list of domestic prefixes is long, so this post uses the shortcut 0.0.0.0/1, 128.0.0.0/2. Be clear about what that pair actually does: it covers 0.0.0.0 to 191.255.255.255, three quarters of IPv4 space, and leaves out only 192.0.0.0/2 (192.0.0.0 to 255.255.255.255). That keeps a 192.168.x.x home LAN and the 223.5.5.5/223.6.6.6 resolvers out of the tunnel, which is why the configuration below passes the checks in section 5, but it is not a domestic/overseas boundary: 10.x.x.x and 172.16.x.x LANs and many Chinese address blocks still go into the tunnel, and overseas sites whose addresses lie in 192.0.0.0/2 are reached directly (and will fail if they are blocked on the direct path). For an accurate split, AllowedIPs has to be computed as all of IPv4 minus the LAN prefixes and a China route list.
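To make the AllowedIPs logic above concrete, here is an added Python example; it is not code from the original post, which only uses the two-prefix shortcut. It computes AllowedIPs as "all of IPv4 except a list of direct prefixes" with the standard library, then compares what the post's 0.0.0.0/1, 128.0.0.0/2 pair and the computed list do with a few probe addresses. The domestic prefix list is a constructed two-entry stand-in for a real China route list, and the probe addresses in 198.51.100.0/24 and 203.0.113.0/24 are RFC 5737 documentation ranges used here to represent overseas public hosts; nothing else is assumed.

```python
"""Build a WireGuard AllowedIPs list as "everything except these prefixes".

Added example for this post, not the post's own code. WireGuard has no
exclude syntax: AllowedIPs is a positive list and doubles as the routing
table, so "LAN and domestic direct, everything else through the tunnel"
has to be written as 0.0.0.0/0 minus the direct prefixes.
"""
import ipaddress
from itertools import chain
from typing import Iterable, List

Net = ipaddress.IPv4Network

# Ranges that should never enter the tunnel, whatever the geography.
LOCAL_PREFIXES = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 LANs
    "169.254.0.0/16",                                  # link-local
    "127.0.0.0/8",                                     # loopback
]

# Constructed stand-in for a China route list (real lists have thousands of
# entries); 223.4.0.0/14 contains the 223.5.5.5 / 223.6.6.6 resolvers.
SAMPLE_CN_PREFIXES = ["223.4.0.0/14", "1.0.1.0/24"]

# The pair the post uses: 0.0.0.0-191.255.255.255, i.e. all but 192.0.0.0/2.
POST_HEURISTIC = [Net("0.0.0.0/1"), Net("128.0.0.0/2")]


def allowed_ips_excluding(exclude: Iterable[str]) -> List[Net]:
    """Return the smallest prefix set covering all of IPv4 except `exclude`.

    Prefixes are carved out one at a time. CIDR blocks either nest or are
    disjoint, so each exclusion is inside one kept block (split it), contains
    whole kept blocks (drop them), or misses entirely (already carved out).
    """
    keep = [Net("0.0.0.0/0")]
    for ex in (ipaddress.ip_network(p, strict=False) for p in exclude):
        if ex.version != 4:
            raise ValueError(f"IPv4 only: {ex}")
        next_keep: List[Net] = []
        for net in keep:
            if ex.subnet_of(net):
                next_keep.extend(net.address_exclude(ex))  # empty if ex == net
            elif net.subnet_of(ex):
                continue  # swallowed whole
            else:
                next_keep.append(net)
        keep = next_keep
    return list(ipaddress.collapse_addresses(keep))


def covers(allowed: Iterable[Net], ip: str) -> bool:
    """True if this AllowedIPs list would send `ip` into the tunnel."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed)


def address_count(allowed: Iterable[Net]) -> int:
    """Number of addresses routed into the tunnel (sanity check: no overlaps)."""
    return sum(net.num_addresses for net in allowed)


def render(allowed: Iterable[Net]) -> str:
    """Format as the [Peer] line the official clients accept."""
    return "AllowedIPs = " + ", ".join(str(net) for net in allowed)


if __name__ == "__main__":
    split = allowed_ips_excluding(chain(LOCAL_PREFIXES, SAMPLE_CN_PREFIXES))
    print(render(split))
    probes = ["192.168.1.1", "10.0.0.5", "172.16.0.1", "223.5.5.5",
              "203.0.113.1", "198.51.100.7", "8.8.8.8"]
    print(f"{'destination':>14}  {'post pair':>9}  {'exclude list':>12}")
    for ip in probes:
        print(f"{ip:>14}  {str(covers(POST_HEURISTIC, ip)):>9}  "
              f"{str(covers(split, ip)):>12}")
```

Paste the printed line into the [Peer] section in place of AllowedIPs. With a full China list the line runs to thousands of prefixes, which is tedious to type into the mobile form, so generate the whole config file rather than editing it by hand. The probe table shows the point made above: the two-prefix shortcut keeps 192.168.x.x and 223.5.5.5 direct, but still tunnels 10.x.x.x and 172.16.x.x and leaves the whole 192-223 public range on the direct path.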

3. Final optimized configuration (separate computer and phone configs, only 2 fields change)
Note: I keep two independent WireGuard configurations, one for the computer and one for the phone, rather than one shared config. Either way, whether you edit the configuration file (computer) or the form fields (phone), only two fields change and everything else stays as it was. The complete optimized configurations follow; copy them directly or just change the two fields.
(1) Optimized configuration on the computer (file editing; copy and replace)
On the computer you can edit the configuration file directly: select all, replace with the text below, and only the DNS and AllowedIPs fields differ from the original:

[Interface]
PrivateKey = MNcoOjHNvao4gH1+xDV5IO6...
Address = 10.66.66.2/32, fd42:42:42::2/128
# Alibaba public DNS (domestic): fast resolution, queries do not detour through the tunnel
DNS = 223.5.5.5, 223.6.6.6

[Peer]
PublicKey = XZ2LNJxO7RqjGKHyubFw...
PresharedKey = Fz04FNeapuPYQ+QAH+yNQHIT...
# Tunnel only 0.0.0.0-191.255.255.255; 192.0.0.0/2 (including the 192.168.x.x LAN and the 223.x resolvers) stays direct
AllowedIPs = 0.0.0.0/1, 128.0.0.0/2
# ::/0 removed: IPv6 no longer enters the tunnel, so domestic IPv6 traffic is not detoured
Endpoint = 139.180.154.26:57586

(2) Optimized configuration on the phone (form-field editing; only 2 fields change), as shown in Figure 1

The phone has its own configuration; there is no need to paste a whole file. Just change the following two fields in the form and leave the rest unchanged:

  • DNS servers: replace 1.1.1.1, 1.0.0.1 with 223.5.5.5, 223.6.6.6
  • Peer, Allowed IPs (the address ranges to route): replace 0.0.0.0/0, ::/0 with 0.0.0.0/1, 128.0.0.0/2
    Tip: the other fields on the phone (private key, public key, endpoint and so on) keep the values from the original configuration; only these two fields change.
    Note: the optimization logic is identical on computer and phone; both achieve the split purely by changing DNS and AllowedIPs.

4. Points to watch
The first time, I changed only DNS and AllowedIPs and overlooked a detail, so small problems remained. Pay attention to the following:

  • The IPv6 entry ::/0 must be removed: if it stays, all IPv6 traffic from the phone or computer still enters the VPN, and domestic apps (WeChat, Douyin) lag with high latency;
  • No extra scripts are needed: many tutorials combine a China IP list with a routing script. With the official clients, AllowedIPs is the routing table, so the split is done by editing that one field; the two-prefix shortcut needs no list at all, and an exact split is just a longer AllowedIPs line generated from a China list;
  • The server needs no change: every adjustment is client-side, so leave the server configuration as it is and you cannot break the connection from that side;
  • Know what the DNS change trades away: 223.5.5.5 lies outside the tunnelled ranges, so every DNS query, including those for overseas sites, leaves the device unencrypted to a domestic resolver. That is fast, but the resolver and your ISP see every name you look up, and answers for blocked domains can be poisoned; if an overseas site resolves to a wrong or unreachable address, that is the first thing to check.

5. Verifying that it works
After the change, three quick checks confirm that domestic traffic is direct and overseas traffic is tunnelled:

  1. Domestic websites: open Baidu, Bilibili, Taobao, Douyin; they should load as fast as with the VPN switched off;
  2. Overseas websites: open GitHub, Google and similar; they should load normally, which shows the tunnel is in use. The client's peer status should also show a recent "Latest handshake" and rising transfer counters;
  3. LAN: open the home router's admin page (for example 192.168.1.1); if it opens, LAN traffic is not entering the tunnel. Note that this only proves the 192.168.x.x case; a 10.x.x.x or 172.16.x.x LAN still falls inside the two prefixes above.

6. Common problems
If you run into the following after the change, try the corresponding fix:

  • One particular overseas website will not open: most likely its address lies outside 0.0.0.0/1, 128.0.0.0/2, i.e. in 192.0.0.0/2, and is therefore being fetched directly. Resolve the domain to its IP, confirm it is in that range, and add a matching prefix to AllowedIPs (or tell me the domain name and I will adjust the ranges);
  • The phone's battery drains fast or the tunnel keeps dropping: slim the configuration by deleting the IPv6 address (fd42:42:42::2/128) and keeping only IPv4;
  • Domestic websites are still laggy: check that ::/0 was really removed, then restart the WireGuard tunnel or reboot the device.
Summary
After building a WireGuard VPN, the root cause of laggy domestic websites is the full tunnel. Adjusting DNS and AllowedIPs precisely gives "domestic direct, foreign via VPN" with no scripts; it works with the official mobile and desktop clients, can be pasted in directly, and is easy for beginners.
If your WireGuard configuration looks like mine and you hit the same problem, replace it with the configuration above: domestic browsing gets its speed back and overseas access is preserved.
