I setup a family VPN that just works - split tunnel with private DNS
Most home VPN guides are written for nerds who want to tinker. This one is for people who want it to work quietly in the background for everyone in the house - including the kids - without anyone noticing it's there.
Here's what I did and why it's become one of the best things on my home network.
The problem
I wanted three things:
- Access to my home network from anywhere
- Ad blocking and content filtering on all family devices, everywhere - not just at home
- No impact on normal internet speeds or mobile data usage
The standard solutions all had tradeoffs. A full tunnel VPN routes all your traffic through home, which is slow and hammers your home upload. A Pi-hole only works when you're on the home network. Commercial DNS filtering services cost money and you're trusting a third party with everything.
The solution
I'm running WireGuard on a Unifi Cloud Gateway Ultra managed through a CloudKey, with DNS provided by Atmosphere - a filtering service from my ISP Neptune that handles ad blocking, malware filtering and content categories including adult content.
The clever bit is the WireGuard configuration. Most guides tell you to use AllowedIPs = 0.0.0.0/0 which routes everything through the tunnel. Instead I use split tunnelling - only specific traffic goes through the VPN:
```ini
[Interface]
PrivateKey = <your private key>
Address = 192.168.2.x/32
DNS = <atmosphere dns servers>

[Peer]
PublicKey = <your server public key>
AllowedIPs = 192.168.10.0/24, <dns server 1>/32, <dns server 2>/32, <dns server 3>/32, <dns server 4>/32
Endpoint = <your home ip>:51820
```
The AllowedIPs list does two things:
- 192.168.10.0/24 routes all traffic destined for my home LAN through the tunnel, giving me full remote access to everything on my network
- The /32 DNS entries force DNS queries to the Atmosphere servers through the tunnel, so the filtering works wherever you are
Everything else - Netflix, browsing, downloads - goes straight out your device's own internet connection. Watch a 5GB movie on your phone and your home connection doesn't see a single byte of it.
The key insight most guides miss
Just putting your DNS servers in the DNS = field isn't enough if they're not also in AllowedIPs. Without the explicit /32 routes for each DNS server, the queries bypass the tunnel entirely and your filtering doesn't work away from home. Adding them as individual host routes is the fix.
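To make that check mechanical, here is an added Python example (not code from the original post) that parses a client config, lists any DNS= resolvers that no AllowedIPs entry covers, and builds the split-tunnel AllowedIPs value from a LAN range plus resolver addresses. The resolver addresses 203.0.113.53/54 and the client address 192.168.2.10 are constructed sample values.

```python
import ipaddress

def parse_wg_config(text):
    """Parse an INI-style WireGuard config into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments; blank lines match neither branch
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def _csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def dns_not_routed(config_text):
    """Resolvers from DNS= that no AllowedIPs entry covers: WireGuard only tunnels
    destinations matching AllowedIPs, so these would be queried over the plain uplink."""
    cfg = parse_wg_config(config_text)
    routes = [ipaddress.ip_network(n, strict=False)
              for n in _csv(cfg.get("Peer", {}).get("AllowedIPs", ""))]
    missing = []
    for token in _csv(cfg.get("Interface", {}).get("DNS", "")):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue  # wg-quick allows search domains here; skip them
        if not any(addr in net for net in routes):
            missing.append(str(addr))
    return missing

def split_tunnel_allowed_ips(lan_cidr, dns_servers):
    """AllowedIPs for a split tunnel: the home LAN plus one host route per resolver."""
    routes = [str(ipaddress.ip_network(lan_cidr, strict=False))]
    for server in dns_servers:
        addr = ipaddress.ip_address(server)
        routes.append(f"{addr}/{addr.max_prefixlen}")  # /32 for IPv4, /128 for IPv6
    return ", ".join(routes)

# Constructed sample: DNS= is set but the resolvers are missing from AllowedIPs.
BROKEN = """[Interface]
Address = 192.168.2.10/32
DNS = 203.0.113.53, 203.0.113.54
[Peer]
AllowedIPs = 192.168.10.0/24
"""
```

A resolver that lives inside the home LAN (a Pi-hole at 192.168.10.x, say) is already covered by the /24 and needs no extra host route; the check accounts for that.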
The family setup
I installed the WireGuard app on every device in the house - phones, tablets, laptops - and configured it to activate automatically whenever the device leaves the home WiFi network. On the kids' iPhones I removed the WireGuard app from the home screen so it's out of sight and out of mind.
The result: every device in the family has ad blocking and content filtering everywhere they go. If someone manually turns the VPN off, it automatically reconnects. It just works quietly in the background.
What you need
- A Unifi gateway that supports WireGuard (UDM, UXG, or similar)
- A static IP or dynamic DNS for your home connection
- A filtering DNS service - I use Atmosphere from Neptune but AdGuard DNS or NextDNS work the same way
- WireGuard app installed on client devices
The whole thing took a weekend to figure out. I couldn't find this exact setup documented anywhere which is why I'm writing it up now.