Route only specific clients over VPN

Comes here often

Route only specific clients over VPN

I know rather basic request so excuse beginner networking knowledge...


I want to set up a site-to-site...

Location A has firewall, switch, and WAP 

Location B will have firewall and WAP.


At the remote location I only have two devices that I want to route all traffic (full tunnel?) over the VPN. The other clients don't need to use the Location A IP.


This is likely a larger topic so I'm ok being pointed in the right direction (group policy or etc?).


Would this be what I'm needing to do? -


Kind of a big deal

I'm assuming we are talking about AutoVPN here.


Either all traffic has to use full tunnel or none of it.  You can't make it be different by client.


If this is web browsing traffic then you could setup a proxy server at the remote site and configure the limited number of machines to use that in their browser settings.

@PhilipDAth thanks and yes AutoVPN. I figured as much however not a dealbreaker!

Kind of a big deal

If this is only 2 clients then possibly use a Client VPN, then you can give them a full tunnel to location A and also you could leave the connection to always on.

Meraki Employee

@PhilipDAth Is correct in that with MX autoVPN, currently you have to full-tunnel all client traffic or split-tunnel for all!


@SoCalRacer's suggestion to use Client VPN for those clients is also very clever and is viable (if it's only 2 clients, but might not scale if this number increases)!


If you throw Meraki access points in the mix, you can look into SSID Tunneling! This allows any clients connecting to the configured SSID to full-tunnel (or split-tunnel) their traffic to a MX concentrator.

If this was helpful, click the Kudos button below.
Please mark it as a solution if solved your issue so others can benefit from it 🙂
Getting noticed

Create a new VLAN at the remote site and don't include the VLAN in the VPN topology. This VLAN would use the local internet connection for everything. You would have to then move some clients to the new VLAN somehow so either a new SSID or switchport changes.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.