Guest Network goes over VPN

Hi Support Team

I have the GL-AXT1800 setup with Wireguard on main Wifi and also guest WiFi - for the guests (should have only internet over my cellular provider)
With the FW 4.0.1 and 4.0.2 everything was working as expected.
Now with FW 4.0.3 I have realized, that clients on the Guest WiFi are also routed over Wireguard VPN / can access my private network on the other side.

This should not happen - very serious security issue.

Question: what has changed in the 4.0.3 FW?
How can I fix it???

Best regards

Once you setup the vpn, in the GL.iNet dashboard under VPN Policies you can check whether the VPN is used by the guest network. If that is not a option you will need to access LuCi or ssh into the router and change or make a firewall ZONES rule for the guest network.

Thanks for your response.
Unfortunately if I remove wgclient from guest zone - then I the guest network has no internet at all.

Expected is to have the routing over WAN Interfaces. No idea why this does not work.
Tried also with 4.1.0 beta3 FW - same behaviour.

Any other ideas?

What is your vpn policy setup?

By default the guest wifi is routed via vpn and you can use vlan based policy to turn that off.

Where can I find this option on 4.0.3 or 4.1.0 FW?

Can it be that I can’t see this option because I have Manual Wireguard Setup? (I have self hosted WG on Ubiquity UDM Pro)

pls beta at download at

You want to go to LuCi then got to Network tab and click firewall. Add your Rule

I’m already on this beta and can’t find this option.

Pls follow the UI guide below.


thanks! I was missing this menu point! was confused with the naming: global-proxy (VPN routing would be better).

anyhow, there is still one issue.

now I have:
private-wifi → traffic over VPN [OK]
public-wi-fi → traffic over Wan [OK]

but as soon i enable kill switch (Block Non-VPN Traffic) then the public-wifi traffic is being blocked.

in Mudi I was able to set kill switch only for private wifi/vpn. how can I achieve the same on 4.1.0 beta3 FW?

The priority of Kill Switch is higher than vpn polices. So this is the case in firmware 4.x.

But actually you do not need to use Kill Switch in most cases. If you enabled vpn, it has kill switch already.

VPN kill Switch: Internet killed if vpn is failed to connect.
Global Kill Switch: Internet killed if vpn is disabled by purpose.

Also some settings don’t occur immediately and may need a reboot.


So I’ve retested it and as you wrote - kill switch on VPN level is enabled by default. On FW 3.x there was a dedicated toggle - this confused me.
It would make the world simpler if GL.INet would provide this information somewhere on UI mask so ppl do not have to research for this info.

Thanks for help, my guest vpn “issue” is now solved.

Best regards

1 Like