Bug: Wireguard Client Split Tunnel not routing all allowed_ips

Hello,

I am using an AR-750S with the newest Firmware 3.201.
My goal is to set up a wireguard (split) tunnel to my home network. Basically allow regular traffic to go directly to the internet and route only the traffic to my home network through the tunnel.
The wireguard client connection is working and I can ping the wireguard server IP.
Regular internet traffic also still works, but I cannot reach any hosts in the home network.
The allowed IPs for the wireguard client include the home network 192.168.0.0/24. I have also tried using VPN policies like this:
Policy "Domain/IP "
“Only allow the following use VPN” 192.168.0.0/24
But even with the VPN policies active I cannot connect to my home network.
Looking at the routing table, I don’t see a route for my home network.
I even tried adding a static route in the luci web interface, but the wg0 does not show up as an interface.
How can I achieve my goal?
Anyone have a clue?

I did some more digging around and it seems it is an issue with the wireguard startup script in /etc/init.d/wireguard
The script defines a variable: AllowIPV4 which is taken from the allowed_ips setting in the peer configuration:
AllowIPV4=$(echo $allowed_ips|cut -d ',' -f 1)
Then it compares it to 0.0.0.0/0 and either sets the default route to wg0 or only the allowed ip
if [ -n "$AllowIPV4" -a "$AllowIPV4" != "0.0.0.0/0" ];then
    ip route add "$AllowIPV4" dev wg0
else
    ip route add 0/1 dev wg0
    ip route add 128/1 dev wg0
fi
However the issue is, the allowed_ips is a comma separated list of hosts or networks. But this considers only the first entry in the list. If you want/need to define more than one entry it will not work.
This also seems to be unrelated to the VPN policies setting.

Hi jrennefe,

This is indeed a problem, for now you can do it in this way:

  1. Start the wireguard client
  2. Edit the /var/etc/wireguard.conf and modify the allowedips
  3. Use wg setconf wg0 /var/etc/wireguard.conf to reconfigure the wg interface

We will fix the allowedips problem soon.

Is this fixed yet? I seem to be still having the problem.

Sorry @Riho-shuu is not working in GL.

About your issue, have you checked firmware 3.211 beta2? https://dl.gl-inet.com/firmware/snapshots/3.211_beta2/ar750s/

I tried @Riho-shuu's suggestion; it didn't work. I also tried 3.211 beta 2. Unless I'm doing something wrong I think this is still an issue.

I’m having this issue with a GL-AX1800 running 3.208 (no betas available to download). I need to be able to define multiple allowed IPs. I was hoping to purchase multiple units to deploy, but I’ll need to wait until this is addressed.

AX1800 has not yet fixed this BUG, the fixed code will be incorporated in the next release.

Thank you for the quick reply. Is there an estimate for when the new firmware will be made available? I apologize if this is already published somewhere else, I’m still new to GL.iNet products.

I got bitten by this bug today :frowning:

Any updates @luochongjun / @alzhao? I’m using a GL-E750 / Mudi with firmware version 3.211

I tried MT1300 3.212 beta3 and the split routing works.

Can you also try 3.212 beta3? GL.iNet download center

I just flashed it successfully. When adding “10.0.0.0/24, 192.168.1.0/24, 192.168.2.0/24” to Allowed IPs, I get “Invalid AllowedIPs” and it doesn’t save.

Can you add the wireguard by posting the whole config file?

When editing each field it has the "Invalid AllowedIPs" bug. But when adding it as a config file it is OK.

Yes you are correct. I added the config file by hand and now I can see:

root@GL-E750:~# wg show wg0
interface: wg0
  public key: (redacted)
  private key: (hidden)
  listening port: 33782

peer: (redacted)
  endpoint: (redacted):51820
  allowed ips: 10.0.0.0/24, 192.168.1.0/24, 192.168.2.0/24
  latest handshake: 1 minute, 40 seconds ago
  transfer: 476 B received, 692 B sent
  persistent keepalive: every 25 seconds

But again I cannot access anything in 192.168.1.0/24 or 192.168.2.0/24 :thinking:

Can you confirm it is 3.212 beta3?

I’ve downloaded the firmware from here:

Filename is openwrt-e750-3.212-0407.tar and modem shows:

I have the same problem on Beryl/MT-1300, even when using the latest beta firmware.
Basically I want to have access to both Web and remote network through wireguard.
Using the web interface,

  • if I use AllowedIPs = 0.0.0.0/0 → I can access only web, which is expected since this subnet is said to preclude local network access.
  • if I use AllowedIPs = 192.168.1.0/24 (my remote network where the WG server is) I can only access the remote network and not web (that’s also expected)
  • if I want to use AllowedIPs = 0.0.0.0/0, ::/0, 192.168.1.0/24 → I can’t enter it via web interface, and using the aforementioned command line method it doesn’t work either. It is set (wg command shows me it is set) but network is not working.
  • I also tried AllowedIPs = 0.0.0.0/1, 128.0.0.0/1 to no avail, only web access and no remote network access

Please help :slight_smile:

Same issues for me; AR750; 3.212 (non-beta). I had a good config, but it started ignoring my second address at some point. The first address in the allowedips line was handled fine.
wg setconf hack doesn’t help.
Looking, it seems that the only issue is the route, so as a workaround, I simply added the route in; since I keep the connection up, this is fine for me; but it could easily be added to a cron too (since it won’t add if the wg0 interface isn’t up).
So @deepsheet would need

route add -net 192.168.1.0 netmask 255.255.255.0 metric 0 dev wg0
route add -net 192.168.2.0 netmask 255.255.255.0 metric 0 dev wg0

Wireguard split route in firmware 3.x does have problems.

In firmware 4.x we improved vpn with custom router so pls wait for 4.x firmware.

there is a flaw in the processing of /etc/init.d/wireguard and multiple routes are not configured.

currently, the value obtained from allowed_ips is treated as two values, ipv4 and ipv6.
this can be resolved by treating them as a list of multiple ip addresses.

it is also possible to enable the DNS servers specified in the WireGuard configuration by reloading dnsmasq after connecting.

I have a patch for GL-SF1200 v3.212 (gl-wg_3.0.95-2_mips_siflower.ipk). Would there be a problem writing it here?
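To make the fix described in this thread concrete (the script in /etc/init.d/wireguard routing only the first allowed_ips entry, and the manual `route add` workaround posted above), here is an added example of how the route setup could treat allowed_ips as a list. This is illustrative code written for this thread, not GL.iNet's init script or the patch mentioned above. It assumes the interface is named wg0 (as in the thread; override with IFACE=...), that entries are separated by commas and/or spaces, and that a full-range entry (0.0.0.0/0 or ::/0) should be split into two /1 halves exactly as the original script does for 0.0.0.0/0, so the tunnel takes precedence over the existing default route without deleting it. The generator function only prints the `ip route` commands, so it can be run without root to check what would be applied; `wg_apply_routes` executes them.

```shell
#!/bin/sh
# Added example for this thread, not the GL.iNet init script.
# Assumption: the WireGuard interface is wg0 unless IFACE is set.
IFACE="${IFACE:-wg0}"

# Print one "ip route add" command per allowed_ips entry instead of
# handling only the first comma-separated field.
wg_route_cmds() {
    allowed_ips="$1"
    # commas and whitespace both delimit entries
    for entry in $(printf '%s' "$allowed_ips" | tr ',' ' '); do
        case "$entry" in
            0.0.0.0/0)
                # split the IPv4 default into two /1 routes (more specific
                # than the WAN default route, so they win without replacing it)
                printf 'ip route add 0.0.0.0/1 dev %s\n' "$IFACE"
                printf 'ip route add 128.0.0.0/1 dev %s\n' "$IFACE"
                ;;
            ::/0)
                # same trick for the IPv6 default
                printf 'ip -6 route add ::/1 dev %s\n' "$IFACE"
                printf 'ip -6 route add 8000::/1 dev %s\n' "$IFACE"
                ;;
            *:*)
                # any other entry containing a colon is an IPv6 prefix/host
                printf 'ip -6 route add %s dev %s\n' "$entry" "$IFACE"
                ;;
            */*)
                # IPv4 prefix such as 192.168.1.0/24
                printf 'ip route add %s dev %s\n' "$entry" "$IFACE"
                ;;
            *)
                # bare IPv4 address without a prefix length: host route
                printf 'ip route add %s/32 dev %s\n' "$entry" "$IFACE"
                ;;
        esac
    done
}

# Number of route commands a given allowed_ips list produces.
wg_route_count() {
    wg_route_cmds "$1" | wc -l | tr -d ' '
}

# Execute the generated commands. Needs root and an existing $IFACE;
# a failure for one route (e.g. already present) does not abort the rest.
wg_apply_routes() {
    wg_route_cmds "$1" | while IFS= read -r cmd; do
        $cmd || echo "warning: failed: $cmd" >&2
    done
}

# Dry run with the allowed_ips list posted earlier in the thread
# (constructed input; nothing is applied here).
wg_route_cmds "10.0.0.0/24, 192.168.1.0/24, 192.168.2.0/24"
```

Running the script as-is prints three `ip route add ... dev wg0` lines, one per network, which is what was missing from the routing table in the original report; calling `wg_apply_routes "$allowed_ips"` from the init script (or from a cron job as suggested above) installs them. Note that the split-default case still leaves LAN-bound traffic to the remote networks covered only if those networks are also listed, because the /1 routes alone say nothing about what the peer will accept; `wg setconf` handles the WireGuard-side allowed-ips filter, while these commands handle the kernel routing side.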