Docs - add split tunnel and user instructions (#463)

* add split tunnel and client guide

* reformat deploy steps

reformat deploy steps to refer to client guide

* broken link

* fix trailing whitespace

docs/docs/deploy/clients.md

@@ -1,23 +1,23 @@
 ---
 layout: default
-title: Install Clients
+title: Client Setup
 nav_order: 5
 parent: Deploy
 description: >
   Firezone is compatible with the official WireGuard clients available for all major platforms.
 ---
 ---
+Once successfully deployed, users and devices can be added to
+connect to the VPN server:
 
-Firezone is compatible with the official WireGuard clients available for all
-major platforms. Installation instructions for each platform can be found on the
-main WireGuard website here: [
-https://www.wireguard.com/install/](https://www.wireguard.com/install/).
+* [Add Users]({%link docs/user-guides/add-users.md%}):
+Add users to grant them access to your network.
+* [Client Instructions]({%link docs/user-guides/client-instructions.md%}):
+Send these instructions to the user attempting to establish a connection.
 
-Once the WireGuard client is installed, users can add the tunnel by
-importing the `.conf` file sent by the administrator or logging into the
-Firezone web UI and downloading a `.conf` file there.
-
-![Client Instructions]({{site.asset_urls.client_instructions}}){:width="600"}
+See [User Guides]({%link docs/user-guides/index.md%})
+for additional information on common tasks.
 
 \
 [Previous: Install Server]({%link docs/deploy/server.md%}){:.btn.mr-2}
+[Related: Troubleshooting]({%link docs/administer/troubleshoot.md%}){:.btn.btn-purple}

docs/docs/deploy/server.md

@@ -56,4 +56,4 @@ Find solutions to common issues during deployment in [Troubleshoot]({%link docs/
 
 \
 [Previous: Prerequisites]({%link docs/deploy/prerequisites.md%}){:.btn.mr-2}
-[Next: Install WireGuard Clients]({%link docs/deploy/clients.md%}){:.btn.btn-purple}
+[Next: Client Setup]({%link docs/deploy/clients.md%}){:.btn.btn-purple}

docs/docs/user-guides/add-devices.md

@@ -19,10 +19,13 @@ Once the device profile is created, you can send the WireGuard configuration
 file to the user by:
 
 * **Shareable Link**: Generates a time limited link to the device config file
-  that can be sent to the user.
+that can be sent to the user.
 * **Download Config**: Downloads the device config file to your local machine
-  to be sent securely to the user.
+to be sent securely to the user.
 
 Devices are associated with users. See [Add Users
 ]({% link docs/user-guides/add-users.md %}) for more information on how to add
 a user.
+
+\
+[Related: Client Instructions]({%link docs/user-guides/client-instructions.md%}){:.btn.btn-purple}

docs/docs/user-guides/add-users.md

@@ -19,4 +19,5 @@ to authenticate the user so they are able to establish the connection.
 
 ![add user](https://user-images.githubusercontent.com/52545545/153469244-c007c305-bfb0-4da7-a40c-6f41fa458c76.png){:width="600"}
 
-Next, [add devices]({%link docs/user-guides/add-devices.md%}) to the user.
+\
+[Next: Add Devices]({%link docs/user-guides/add-devices.md%}){:.btn.btn-purple}

docs/docs/user-guides/client-instructions.md

@@ -0,0 +1,39 @@
+---
+layout: default
+title: Client Instructions
+nav_order: 5
+parent: User Guides
+description: >
+  Install the WireGuard client and import the configuration
+  file sent by the administrator to establish a connection.
+---
+---
+
+_This is written for the end user who will be connecting
+to the Firezone VPN server._
+
+Follow this guide to establish a connection to the
+VPN server through the WireGuard native client.
+
+## Step 1 - Install the native WireGuard client
+
+Firezone is compatible with the official WireGuard clients found here:
+
+* [MacOS](https://itunes.apple.com/us/app/wireguard/id1451685025)
+* [Windows](https://download.wireguard.com/windows-client/wireguard-installer.exe)
+* [iOS](https://itunes.apple.com/us/app/wireguard/id1441195209)
+* [Android](https://play.google.com/store/apps/details?id=com.wireguard.android)
+
+For operating systems not listed above see the Official WireGuard site: [
+https://www.wireguard.com/install/](https://www.wireguard.com/install/).
+
+## Step 2 - Download the connection config file
+
+This will end in `.conf` and be sent to you by the Firezone administrator.
+
+## Step 3 - Add the config to the client
+
+Open the WireGuard client and import the `.conf` file.
+Turn on the VPN connection by toggling the `Activate` switch.
+
+![Client Instructions]({{site.asset_urls.client_instructions}}){:width="600"}

docs/docs/user-guides/split-tunnel.md

@@ -0,0 +1,43 @@
+---
+layout: default
+title: Split Tunnel
+nav_order: 5
+parent: User Guides
+description: >
+  Set up split tunneling with WireGuard using Firezone.
+---
+---
+This guide will describe the steps required to enable split tunneling with
+WireGuard using Firezone so only traffic to defined IP ranges will be routed
+through the VPN server.
+
+## Step 1 - Configure Allowed IPs
+
+The `Allowed IPs` field found on the `/settings/default` page determines the IP
+ranges for which the client will route network traffic. Modifications to this
+field will apply only to new WireGuard tunnel configurations generated by Firezone.
+
+![set split tunneling defaults](https://user-images.githubusercontent.com/52545545/154814549-bb686ffe-ea82-4af8-a2a4-5e0b4013dec7.png){:width="600"}
+
+The default value is `0.0.0.0/0, ::/0`, which routes all network traffic
+from the client to the VPN server.
+
+Some examples of values in this field are:
+
+- `0.0.0.0/0, ::/0` - all network traffic will be routed to the VPN server.
+- `192.0.2.3/32` - only traffic to a single IP address
+will be routed to the VPN server.
+- `3.5.140.0/22` - only traffic to IPs in the `3.5.140.1 - 3.5.143.254` range
+will be routed to the VPN server.
+In this example, the CIDR range for the `ap-northeast-2` AWS region was used.
+
+Note: When deciding where to route a packet, Firezone chooses the egress
+interface corresponding to the most specific route first.
+
+## Step 2 - Regenerate WireGuard tunnel configurations
+
+To update existing WireGuard tunnels with the new split tunnel configuration,
+users will need to regenerate the configuration files
+and add them to their native WireGuard client.
+
+See, [add device]({%link docs/deploy/clients.md%}) for instructions.