If you've ever seen an address like 192.168.1.0/24 and wondered what the /24 means, you've bumped into subnetting. A subnet divides an IP network into smaller, manageable pieces — and understanding it is the key to home networking, cloud setups, and especially a self-hosted VPN. This guide explains what a subnet is, how subnet masks and CIDR work, the private ranges, and why it all matters.
What a subnet is
A subnet (sub-network) is a logical subdivision of a larger IP network. Rather than one flat network, you split the address space into smaller groups. A subnet mask decides which part of an IP address identifies the network and which part identifies the host (the device).
In a home network of 192.168.1.0/24, the first three numbers identify the subnet and the last identifies each device. Subnetting organises networks, improves routing, and lets you separate and secure groups of devices.
Subnet masks and CIDR
A subnet mask splits an IP into a network portion and a host portion. Written 255.255.255.0 — or in CIDR shorthand /24 — it marks how many leading bits are the network:
- /24 =
255.255.255.0→ 256 addresses (~254 usable hosts). - /25 → fewer hosts per subnet, more subnets.
- /16 =
255.255.0.0→ huge subnets.
CIDR notation (an IP, a slash, and a prefix length like /24) replaced the old rigid class A/B/C system with flexible prefixes — which is why you see it everywhere in routers, cloud and VPN configs.
Private subnet ranges
Certain ranges are reserved for private networks and never routed on the public internet:
10.0.0.0/8172.16.0.0/12192.168.0.0/16
Home routers almost always use 192.168.x.x; larger and cloud networks favour 10.x. Because these aren't globally unique, devices behind them reach the internet through NAT.
Why subnets matter for a VPN
A VPN like WireGuard assigns its own subnet to the tunnel, separate from your physical networks, and routes traffic between them. The config's AllowedIPs are expressed as subnets (CIDR ranges) that decide what goes through the tunnel.
Getting subnets right is essential: the VPN subnet must not overlap with the LAN on either end, or routing breaks. Pick a private subnet for the tunnel that doesn't clash — see self-hosting a VPN on Contabo with WireGuard and our WireGuard config templates. A Contabo VPS at €4.99/month gives you a clean place to host a WireGuard server and design its subnets.
The bottom line
A subnet divides an IP network into smaller logical networks, defined by a subnet mask written in CIDR (like /24). It organises addressing, improves routing, and separates devices — and for a self-hosted VPN it's essential, because you must choose non-overlapping private subnets for your LAN, your tunnel and any remote sites. Learn to read 192.168.1.0/24, and most networking and VPN configuration suddenly makes sense.
Editorial guide based on how subnetting, subnet masks, CIDR and private address ranges work, and their role in VPN configuration. Commercial links carry the rel="sponsored nofollow" attribute; an affiliate commission may apply at no extra cost to you.
★ Nuremberg GDPR datacenter · ✓ Dedicated IPv4 included · 200+ Mbps guaranteed
Self-host your VPN on your own VPS → ContaboFull root access · public IPv4 · pick your region→
