[Interface]
Address = 10.0.0.2/30, fd00::2/127
PrivateKey = yourPrivateKey
PostUp = ip route add ###.###.###.0/24 via ###.###.###.###; ip route add ###.###.###.0/24 via ###.###.###.###;
PreDown = ip route delete ###.###.###.0/24; ip route delete ###.###.###.0/24;
[Peer]
PublicKey = vpnPublicKey
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.com:51820
Where ###.###.###.0/24 is the network you want to exclude from the tunnel and ###.###.###.### is the default gateway of the local connection the system uses to reach the internet.
Original (until 2024-09):
PostUp = ip route add 10.180.0.0/24 via 10.180.1.254;
PreDown = ip route delete 10.180.0.0/24;
Testing (2024-09): kill switch
Remember to check that iptables is installed.
PostUp = ip route add 10.180.0.0/24 via 10.180.1.254; iptables -I OUTPUT -d 10.180.1.0/24 -j ACCEPT; iptables -A OUTPUT -d 10.180.0.0/24 -j ACCEPT; iptables -A OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT;
PreDown = ip route delete 10.180.0.0/24; iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; iptables -D OUTPUT -d 10.180.1.0/24 -j ACCEPT; iptables -D OUTPUT -d 10.180.0.0/24 -j ACCEPT;
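An added example, not code from the original note: a small checker that reads a wg-quick config and verifies the PostUp/PreDown hooks above are balanced, i.e. every route and iptables rule added on the way up is deleted on the way down (a leftover REJECT rule would keep blocking traffic after the tunnel is torn down), and that a hook which reads `wg show %i fwmark` is paired with a 0.0.0.0/0 or ::/0 AllowedIPs entry. The sample config embedded in it is constructed from the kill-switch variant of this note, trimmed to the relevant keys.

```python
# Added example (not code from the original note): checks that the PostUp/PreDown hooks of a
# wg-quick config are balanced: every route/iptables rule added on the way up is removed on
# the way down, and a hook that reads `wg show %i fwmark` has a /0 entry in AllowedIPs
# (wg-quick only sets an fwmark when it installs a default route; otherwise it prints "off").
SAMPLE_CONF = """\
[Interface]
PostUp = ip route add 10.180.0.0/24 via 10.180.1.254; iptables -I OUTPUT -d 10.180.1.0/24 -j ACCEPT; iptables -A OUTPUT -d 10.180.0.0/24 -j ACCEPT; iptables -A OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT;
PreDown = ip route delete 10.180.0.0/24; iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; iptables -D OUTPUT -d 10.180.1.0/24 -j ACCEPT; iptables -D OUTPUT -d 10.180.0.0/24 -j ACCEPT;
[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
"""  # constructed sample: the kill-switch variant from the note, trimmed to the hook keys

def parse_wg_conf(text):
    """Minimal INI reader: section -> key -> list of values (PostUp may repeat)."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            current = sections.setdefault(line.strip("[]"), {})
        else:
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), []).append(value.strip())
    return sections

def rule_key(cmd):
    """Identity of a route/iptables command, so an add and its delete compare equal."""
    t = cmd.split()
    if t[:2] == ["ip", "route"] and len(t) > 3:                  # ip route add|delete PREFIX ...
        return ("route", t[3])
    if t[:1] == ["iptables"] and len(t) > 2 and t[1] in ("-I", "-A", "-D"):
        spec = t[4:] if len(t) > 3 and t[3].isdigit() else t[3:]  # skip optional -I CHAIN RULENUM
        return ("iptables", t[2], " ".join(spec))
    return None                                                   # not something we track

def hook_commands(iface, *keys):
    return [c.strip() for k in keys for v in iface.get(k, []) for c in v.split(";") if c.strip()]

def check_hooks(text):
    """Return a list of problems; an empty list means the hooks are balanced."""
    conf = parse_wg_conf(text)
    iface = conf.get("Interface", {})
    ups = hook_commands(iface, "PreUp", "PostUp")
    downs = hook_commands(iface, "PreDown", "PostDown")
    added = {rule_key(c) for c in ups} - {None}
    removed = {rule_key(c) for c in downs} - {None}
    problems = [f"added but never removed: {k}" for k in sorted(added - removed)]
    problems += [f"removed but never added: {k}" for k in sorted(removed - added)]
    allowed = [a.strip() for v in conf.get("Peer", {}).get("AllowedIPs", []) for a in v.split(",")]
    if any("fwmark" in c for c in ups + downs) and not any(a.endswith("/0") for a in allowed):
        problems.append("hooks read the wg fwmark but AllowedIPs has no default route (/0)")
    return problems
```

Run `check_hooks(open("/etc/wireguard/wg0.conf").read())` before enabling the interface; an empty list means the up and down hooks mirror each other.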
One way to test the down-tunnel case is to delete the IP address from the WireGuard network interface, for example from a terminal:
sudo ip a del x.y.z.j/32 dev wg0