Bug: Wireguard Client Split Tunnel not routing all allowed_ips

No problem. Can you post?

thank you alzhao.

there is a patch for /etc/init.d/wireguard.
this will enable it even if multiple prefixes are described in AllowedIPs.
wireguard.zip (1.0 KB)

I asked developer to have a check and merge it in firmware 3.215.


I see that firmware 3.215 beta3 is available (for Beryl) which has a bugfix as below

  1. Fixed WireGuard manual edit allowedip parsing error.

…which I assume is this issue?

However, even with 3.215 beta3 I still cannot get a split tunnel working correctly over 2 subnets, as well as still get the “Invalid AllowedIPs” when editing/saving the config.

This still seems an issue, @alzhao can you (or other customers) please confirm?

To remove any confusion, my process is below:

  1. Add new WG VPN profile with the config below
     [Interface]
     PrivateKey = <redacted>
     Address = 10.6.0.9/24
     DNS = 10.6.0.1

     [Peer]
     PublicKey = <redacted>
     PresharedKey = <redacted>
     Endpoint = <redacted>:51821
     AllowedIPs = 192.168.10.0/24, 192.168.55.0/24
  2. Save and connect
  3. I can successfully ping 8.8.8.8, 192.168.10.1, but cannot ping 192.168.55.1.
  4. Disconnect the VPN and edit it.
  5. Check that the “Allowed IPs” is “192.168.10.0/24, 192.168.55.0/24”, click save, and get the “Invalid AllowedIPs” error.

My expected outcome is that all traffic on 192.168.10.0/24 and 192.168.55.0/24 goes through the VPN, everything else bypasses the VPN.

I can provide more details if required.

Edit: Typo

I reopened the bug internally.

Fighting this exact same issue on a GL-SFT1200 running 3.215. Is there a workaround available? Had to flip the link to full tunnel for the time being as a band-aid, but I’d prefer to avoid the overhead wherever possible.

Let’s confirm:

Firmware 3.x only supports the first item in the AllowedIPs setting. If you need to have multiple items in AllowedIPs, you may need to use the VPN policy.

We solved this problem in Firmware 4.x. So if you use a router for which Firmware 4.1 is available, pls try it.
If there is still no 4.x firmware for your router (e.g. SFT1200), pls use the VPN policy.
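Two problems recur in this thread: the 3.x init script honouring only the first AllowedIPs item, and the UI rejecting a comma-separated list as “Invalid AllowedIPs”. The POSIX sh below is an added example written for this thread, not the attached wireguard.zip patch or GL-iNet's own /etc/init.d/wireguard; it splits the value on commas, validates each item as an IPv4 or IPv6 CIDR prefix, and emits one route per prefix (the interface name and the plain `ip route add` form are assumptions).

```shell
#!/bin/sh
# Constructed example: parse a WireGuard AllowedIPs value that may hold
# several comma-separated prefixes and emit one route per prefix, instead
# of stopping after the first item as the 3.x script did.

# Print each item on its own line, commas and surrounding blanks removed.
split_allowed_ips() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' | grep -v '^$'
}

# Return 0 if the argument is an IPv4 or IPv6 CIDR prefix, 1 otherwise.
is_cidr() {
    ip=${1%/*}; len=${1#*/}
    case "$len" in ''|*[!0-9]*) return 1;; esac   # prefix length must be digits
    case "$1" in
        *.*.*.*/*)                                  # IPv4: four octets, /0-/32
            [ "$len" -le 32 ] || return 1
            old_ifs=$IFS; IFS=.
            set -- $ip
            IFS=$old_ifs
            [ $# -eq 4 ] || return 1
            for o in "$@"; do
                case "$o" in ''|*[!0-9]*) return 1;; esac
                [ "$o" -le 255 ] || return 1
            done
            return 0;;
        *:*/*)                                      # IPv6: hex groups, /0-/128
            [ "$len" -le 128 ] || return 1
            case "$ip" in *[!0-9a-fA-F:]*) return 1;; esac
            return 0;;
        *) return 1;;
    esac
}

# Validate the whole AllowedIPs value. Prints the accepted prefixes, one per
# line; fails on the first bad item (e.g. a ';' used instead of ',').
parse_allowed_ips() {
    split_allowed_ips "$1" | while IFS= read -r p; do
        is_cidr "$p" || { echo "Invalid AllowedIPs item: $p" >&2; exit 1; }
        printf '%s\n' "$p"
    done
}

# Emit the route command for every prefix on interface $2 (assumed name).
routes_for() {
    parse_allowed_ips "$1" | while IFS= read -r p; do
        printf 'ip route add %s dev %s\n' "$p" "$2"
    done
}
```

Running `routes_for '192.168.10.0/24, 192.168.55.0/24' wgclient` prints two `ip route add` lines, which is the behaviour the split-tunnel configs in this thread expect.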

I have a Beryl router that is updated to v4.1.0 beta3, and I still can’t get local routing to work. My goal is to have Wireguard provide a site to site tunnel of all traffic to my home router (a pfsense router) such that my remote systems can access the internet from the home router, and also access the subnet of my home network. I can establish the Wireguard tunnel, and the internet access, but I can’t ping systems in the subnets in either direction (home to remote or remote to home). I’ve followed some excellent tutorials on setting this up on the pfSense side, and I believe I have that set up properly, but I could be wrong. Is there a good tutorial on how to set up site to site with the Beryl, or how to debug it if it doesn’t work? With the 4.1.0 firmware, do I simply set 0.0.0.0/0, or do I also need to add the subnet route? (My pfsense network is 192.168.22.0/24, so do I also enter that in the ‘Allowed IPs’?)

@alzhao what’s the update with this? I ask because V4 seems completely broken for VPNs now.

I could get a VPN working (default settings, no split tunnel option) on V3, but I now can’t get that same VPN working at all on V4.

I have an Opal.

Steps:

  • Install Stable 3.215, keeping no settings
  • Tether to iPhone
  • Add VPN profile manually (copy and paste from .conf file)
  • Enable VPN, works as expected!

Then test with V4

  • Install Beta 4.1.1 beta1, keeping no settings
  • Tether to iPhone
  • Add VPN profile manually (copy and paste from .conf file)
  • Enable VPN, VPN does not enable it just hangs and stays disabled with error

Tue Nov 22 15:49:24 2022 daemon.notice netifd: Interface ‘wgclient’ is setting up now

@alzhao in your comment above you say that split tunnels will work for V4, yet VPNs as a whole (for my case) don’t work.

Happy to provide whatever else would be useful to the GL-iNet team (screenshots, videos, further config, etc).

Sanitised .conf file below

[Interface]
PrivateKey = <redacted>
Address = 10.6.0.10/24
DNS = 10.6.0.1

[Peer]
PublicKey = <redacted>
PresharedKey = <redacted>
Endpoint = <redacted>:51821
AllowedIPs = 0.0.0.0/0, ::0/0

From what you described, you met an issue on Opal 4.x firmware. That may not be related to this thread.

So pls just send your request via email with your wireguard config and we will help.


Just wanted to confirm that @s.okamoto’s patch is perfectly working. I’m on 3.216 (AR750S) and can reach all subnets defined in the wireguard config.

Thank you s.okamoto !


Can you post your wireguard setup? And did you apply the patch or are you saying it looks fixed in 3.216?

I can’t remember the last time I tried but it’d be great to see a working example to make sure I’m not doing something stupid (like using ; instead of ,)