Bug: Wireguard Client Split Tunnel not routing all allowed_ips

jrennefe · April 26, 2021, 7:19pm

Hello,

I am using an AR-750S with the newest Firmware 3.201.
My goal is to setup a wireguard (split) tunnel to my home network. Basically allow regular traffic to go directly to the internet and route only the traffic to my home network trough the tunnel.
The wireguard client connection is working an I can ping the wireguard server IP.
Regular internet traffic also still works, but I cannot reach any hosts in the home network.
The allowed IPs for the wireguard client include the home network 192.168.0.0/24. I have also tried using VPN policies like this:
Policy "Domain/IP "
“Only allow the following use VPN” 192.168.0.0/24
But even with the VPN policies active I cannot connect to my home network.
Looking at the routing table, I don’t see a route for my home network.
I even tried adding a static route in the luci web interface, but the wg0 does not show up as an interface.
How can I achieve my goal?
Anyone have a clue?

jrennefe · April 26, 2021, 7:16pm

I did some more digging around and it seems it is an issue with the wireguard startup script in /etc/init.d/wireguard
The script defines a variable: AllowIPV4 which is taken from the allowed_ips setting in the peer configuration:
AllowIPV4=$(echo $allowed_ips|cut -d ',' -f 1)
Then it compares it to 0.0.0.0/0 and either sets the default route to wg0 or only the allowed ip
if [ -n "$AllowIPV4" -a "$AllowIPV4" != "0.0.0.0/0" ];then ip route add "$AllowIPV4" dev wg0 else ip route add 0/1 dev wg0 ip route add 128/1 dev wg0
However the issue is, the allowed_ips is a comma separated list of hosts or networks. But this consideres only the first entry in the list. If you want/need to define more than one entry it will not work.
This also seems to be unrelated to the VPN policies setting.

Riho-shuu · April 27, 2021, 3:48am

Hi jrennefe,

This is indeed a problem, for now you can do it in this way:

Start the wireguard client
Edit the /var/etc/wireguard.conf and modify the allowedips
Use wg setconf wg0 /var/etc/wireguard.conf to reconfigure the wg interface

We will fix the allowedips problem soon.