Bug: Wireguard Client Split Tunnel not routing all allowed_ips

alzhao · 2022-04-22T08:56:49.062Z

Can you add the wirguard by post the whole config file?

When edit each filed it has the “Invalid AllowedIPs” bug. But when add as a config file it is OK.

deepsheet · 2022-04-22T09:47:54.111Z

Yes you are correct. I added the config file by hand and now I can see:

root@GL-E750:~# wg show wg0
interface: wg0
  public key: (redacted)
  private key: (hidden)
  listening port: 33782

peer: (redacted)
  endpoint: (redacted):51820
  allowed ips: 10.0.0.0/24, 192.168.1.0/24, 192.168.2.0/24
  latest handshake: 1 minute, 40 seconds ago
  transfer: 476 B received, 692 B sent
  persistent keepalive: every 25 seconds

But again I cannot access anything in 192.168.1.0/24 or 192.168.2.0/24

alzhao · 2022-04-22T09:55:59.732Z

Can you confirm it is 3.212 beta3?

deepsheet · 2022-04-22T13:13:53.234Z

alzhao:

Can you confirm it is 3.212 beta3?

I’ve downloaded the firmware from here:

alzhao:

Can you also try 3.212 beta3? GL.iNet download center

Filename is openwrt-e750-3.212-0407.tar and modem shows:

Screenshot 2022-04-22 at 16.13.291220×414 23.7 KB

chatelp · 2022-05-03T17:00:19.414Z

I have the same problem on Beryl/MT-1300, even when using the latest beta firmware.
Basically I want to have access to both Web and remote network through wireguard.
Using the web interface,

if I use AllowedIPs = 0.0.0.0/0 → I can access only web, which is expected since this subnet is said to preclude local network access.
if I use AllowedIPs = 192.168.1.0/24 (my remote network where the WG server is) I can only access the remote network and not web (that’s also expected)
if I want to use AllowedIPs = 0.0.0.0/0, ::/0, 192.168.1.0/24 → I can’t enter it via web interface, and using the aforementioned command line method it doesn’t work either. It is set (wg command shows me it is set) but network is not working.
I also tried AllowedIPs = 0.0.0.0/1, 128.0.0.0/1 to no avail, only web access and no remote network access

Please help

michaelb · 2022-05-22T11:12:46.372Z

Same issues for me; AR750; 3.212 (non-beta). I had a good config, but it started ignoring my second address at some point. The first address in the allowedip’s line was handled fine.
wg setconf hack doesn’t help.
Looking, it seems that the only issue is the route, so as a workaround, I simply added the route in; since I keep the connection up, this is fine for me; but it could easily be added to a cron too (since it won’t add if the wg0 interface isn’t up).
So @deepsheet would need

route add -net 192.168.1.0 netmask 255.255.255.0 metric 0 dev wg0
route add -net 192.168.2.0 netmask 255.255.255.0 metric 0 dev wg0

alzhao · 2022-05-24T10:00:21.693Z

Wireguard split route in firmware 3.x does have problems.

In firmware 4.x we improved vpn with custom router so pls wait for 4.x firmware.

s.okamoto · 2022-06-18T03:35:32.641Z

there is a flaw in the processing of /etc/init.d/wireguard and multiple routes are not configured.

currently, the value obtained from allowed_ips is treated as two values, ipv4 and ipv6.
this can be resolved by treating them as a list of multiple ip addresses.

it is also possible to enable the DNS servers specified in the WireGuard configuration by reloading dnsmasq after connecting.

I have a patch for GL-SF1200 v3.212 (gl-wg_3.0.95-2_mips_siflower.ipk), Would there a problem writing it here?

alzhao · 2022-06-20T06:40:04.040Z

s.okamoto:

Would there a problem writing it here?

No problem. Can you post?

s.okamoto · 2022-06-20T07:38:13.947Z

thank you alzhao.

there is patch for /etc/init.d/wireguard.
this will enable even if multiple prefixes are described in AllowedIPs.
wireguard.zip (1.0 KB)

alzhao · 2022-06-20T08:24:32.332Z

I asked developer to have a check and merge it in firmware 3.215.

reball · 2022-09-16T10:15:30.202Z

I see that firmware 3.215 beta3 is available (for Beryl) with has a bugfix as below

Fixed WireGuard manual edit allowedip parsing error.

…which I assume is this issue?

However, even with 3.215 beta3 I still cannot get a split tunnel working correctly over 2 subnets, as well as still get the “Invalid AllowedIPs” when editing/saving the config.

This still seems an issue, @alzhao can you (or other cusotmers) please confirm?

To remove any confusion, my process is below:

Add new WG VPN profile with the config below

[Interface]
PrivateKey = <redacted>
Address = 10.6.0.9/24
DNS = 10.6.0.1

[Peer]
PublicKey = <redacted>
PresharedKey = <redacted>
Endpoint = <redacted>:51821
AllowedIPs = 192.168.10.0/24, 192.168.55.0/24

Save and connect
I can succesfully ping 8.8.8.8, 192.168.10.1, but cannot ping 192.168.55.1.
Disconnect the VPN and edit it.
Check that the “Allowed IPs” is “192.168.10.0/24, 192.168.55.0/24”, click save, and get the “Invalid AllowedIPs” error.

My expected outcome is that all traffic on 192.168.10.0/24 and 192.168.55.0/24 goes through the VPN, everything else bypasses the VPN.

I can provide more details if required.

Edit: Type

alzhao · 2022-09-16T10:20:16.115Z

I reopened the bug internally.

amarsaudon · 2022-10-17T22:47:55.479Z

Fighting this exact same issue on a GL-SFT1200 running 3.215. Is there a workaround available? Had to flip the link to full tunnel for the time being as a band-aid, but I’d prefer to avoid the overhead wherever possible.

alzhao · 2022-10-18T09:43:45.720Z

Let’s confirm:

Firmware 3.x only support the first item in AllowedIPs settings. If you need to have multiple items in AllowedIPs, you may need to use vpn policy.

We solved this problem in Firmware 4.x. So if you use a router which there is Firmware 4.1 for it, pls try.
If still not 4.x firmware (e.g. SFT1200) pls use vpn policy.

jtf · 2023-01-12T04:48:46.844Z

I have a Beryl router that is updated to v4.1.0 beta3, and I still can’t get local routing to work. My goal is to have Wireguard provide a site to site tunnel of all traffic to my home router (a pfsense router) such that my remote systems can access the internet from the home router, and also access the sub-net of my home network. I can establish the Wireguard tunnel, and the internet access, but I can’t ping systems in the sub nets in either direction (home to remote or remote to home). I’ve followed some excellent tutorials on setting this up on the pfSense side, and I believe I have that set up properly, but I could be wrong. Is there a good tutorial on how to set up site to site with the Beryl, or how to debug it if it doesn’t work? With the 4.1.0 firmware, do I simply set 0.0.0.0/0, or do I also need to add the subnet route? (My pfsense network is 192.168.22.0/24, so do I also enter that in the ‘Allowed IP’s’?)

reball · 2023-01-13T11:18:41.775Z

@alzhao what’s the update with this? I ask because V4 seems completely broken for VPN’s now.

I could get a VPN working (default dettings, no split tunnel option) on V3, but I now can’t get that same VPN working working at all on V4.

I have an Opal.

Steps:

Install Stable 3.215, keeping no settings
Tether to iPhone
Add VPN profile manually (copy and paste from .conf file)
Enable VPN, works as expected!

Then test with V4

Install Beta 4.1.1 beta1, keeping no settings
Tether to iPhone
Add VPN profile manually (copy and paste from .conf file)
Enable VPN, VPN does not enable it just hangs and stays disabled with error

Tue Nov 22 15:49:24 2022 daemon.notice netifd: Interface ‘wgclient’ is setting up now

image1401×1043 47.5 KB

@alzhao in your comment above you say that split tunnels will work for V4, yet VPN’s as a whole (for my case) don’t work.

Happy to provide whatever else would be useful to the GL-iNet team (screenshots, videos, further config, etc).

Sanitised .conf file below

[Interface]
PrivateKey = <redacted>
Address = 10.6.0.10/24
DNS = 10.6.0.1

[Peer]
PublicKey = <redacted>
PresharedKey = <redacted>
Endpoint = <redacted>:51821
AllowedIPs = 0.0.0.0/0, ::0/0

alzhao · 2023-01-14T01:56:54.024Z

From what you described, you met an issue on Opla 4.x firmware. That may not related to this thread.

So pls just send your requrest via email with your wireguard config and we will help.

ceear · 2023-06-25T08:00:06.030Z

Just wanted to confirm that @s.okamoto patch is perfectly working. I’m on 3.216 (AR750S) and can reach all subnets defined in the wirguard config.

Thank you s.okamoto !

nullswitch · 2023-09-09T18:04:44.274Z

Can you post your wireguard setup? And did you apply the patch or are you saying it looks fixed in 3.216?

I can’t remember the last time I tried but it’d be great to see a working example to make sure I’m not doing something stupid (like using ; instead of ,)