Guest Network goes over VPN

Hi Support Team

I have the GL-AXT1800 set up with WireGuard on the main WiFi and also a guest WiFi for the guests (which should have only internet over my cellular provider).
With FW 4.0.1 and 4.0.2 everything was working as expected.
Now with FW 4.0.3 I have realized that clients on the Guest WiFi are also routed over the WireGuard VPN and can access my private network on the other side.

This should not happen - a very serious security issue.

Question: what has changed in the 4.0.3 FW?
How can I fix it???

Best regards
Lukas

Once you set up the VPN, in the GL.iNet dashboard under VPN Policies you can check whether the VPN is used by the guest network. If that is not an option you will need to access LuCI or SSH into the router and change or make a firewall zones rule for the guest network.
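For the LuCI/SSH route mentioned above, the quickest way to see whether the guest zone is allowed to forward into the VPN zone is to read the firewall zone forwardings out of UCI. The script below is an added example, not code from the thread or from GL.iNet: it parses a `uci show firewall` dump and lists the destination zones the guest zone may forward into, run here against two constructed sample dumps (one showing the reported guest-to-VPN path, one after the fix). The zone names `guest`, `wan` and `wgclient` are assumptions taken from the thread; on a real router the same function is fed `uci show firewall` instead of the sample text.

```shell
#!/bin/sh
# Added example, not from the forum thread or from GL.iNet: a read-only check
# of an OpenWrt `uci show firewall` dump that lists which zones the guest zone
# is allowed to forward into, so a guest-to-VPN path is visible before any
# VPN policy or kill switch setting is changed. Zone names 'guest', 'wan' and
# 'wgclient' are assumptions taken from the thread.

# Constructed sample dump (not captured from a real router): the guest zone
# forwards into both wgclient and wan, which is the situation reported above.
SAMPLE_LEAKY="firewall.@zone[0]=zone
firewall.@zone[0].name='wan'
firewall.@zone[1]=zone
firewall.@zone[1].name='guest'
firewall.@zone[2]=zone
firewall.@zone[2].name='wgclient'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='guest'
firewall.@forwarding[0].dest='wgclient'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='guest'
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='lan'
firewall.@forwarding[2].dest='wgclient'"

# Constructed sample after the fix: guest forwards only into wan, lan keeps the VPN.
SAMPLE_FIXED="firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='guest'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='wgclient'"

# forward_dests ZONE: read a uci dump on stdin and print, one per line, the
# dest zone of every forwarding section whose src is ZONE, in index order.
# The sed strips the quotes uci puts around values; awk pairs src/dest by index.
forward_dests() {
    sed "s/'//g" | awk -v zone="$1" '
        /^firewall\.@forwarding\[[0-9]+\]\.src=/  { split($0, a, /[][=]/); src[a[2]]  = a[4] }
        /^firewall\.@forwarding\[[0-9]+\]\.dest=/ { split($0, a, /[][=]/); dest[a[2]] = a[4] }
        END { for (i = 0; (i in src); i++) if (src[i] == zone) print dest[i] }'
}

# zone_reaches DUMP SRC DEST: succeed (exit 0) if SRC may forward into DEST.
zone_reaches() {
    printf '%s\n' "$1" | forward_dests "$2" | grep -qx "$3"
}

# On a live router the equivalent check is:  uci show firewall | forward_dests guest
if zone_reaches "$SAMPLE_LEAKY" guest wgclient; then
    echo "leaky dump: guest zone can forward into wgclient, guest clients ride the VPN"
fi
zone_reaches "$SAMPLE_FIXED" guest wgclient || echo "fixed dump: guest zone cannot reach wgclient"
```

The check is deliberately read-only: it tells you which forwarding section to remove or change in LuCI (Network > Firewall) without altering anything itself, and it is worth re-running after a firmware upgrade since the thread reports the behaviour changing between releases.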

Thanks for your response.
Unfortunately, if I remove wgclient from the guest zone then the guest network has no internet at all.

Expected is to have the routing over the WAN interfaces. No idea why this does not work.
Tried also with the 4.1.0 beta3 FW - same behaviour.

Any other ideas?

What is your VPN policy setup?

By default the guest WiFi is routed via VPN and you can use a VLAN-based policy to turn that off.

Where can I find this option on 4.0.3 or 4.1.0 FW?

Can it be that I can't see this option because I have a manual WireGuard setup? (I have self-hosted WG on a Ubiquiti UDM Pro)

Please try the beta, available for download at dl.gl-inet.com.

You want to go to LuCI, then go to the Network tab and click Firewall. Add your rule.

I'm already on this beta and can't find this option.

Please follow the UI guide below.

Hi

Thanks! I was missing this menu item! I was confused by the naming: global-proxy (VPN routing would be better).

Anyhow, there is still one issue.

Now I have:
private-wifi → traffic over VPN [OK]
public-wi-fi → traffic over Wan [OK]

But as soon as I enable the kill switch (Block Non-VPN Traffic), the public-wifi traffic is being blocked.

In Mudi I was able to set the kill switch only for private wifi/VPN. How can I achieve the same on the 4.1.0 beta3 FW?

The priority of the Kill Switch is higher than the VPN policies. So this is the case in firmware 4.x.

But actually you do not need to use the Kill Switch in most cases. If you enabled VPN, it has a kill switch already.

VPN Kill Switch: internet killed if the VPN fails to connect.
Global Kill Switch: internet killed if the VPN is disabled on purpose.

Also some settings don't take effect immediately and may need a reboot.

Hello

So I've retested it and, as you wrote, the kill switch on VPN level is enabled by default. On FW 3.x there was a dedicated toggle - this confused me.
It would make the world simpler if GL.iNet would provide this information somewhere on the UI so people do not have to research this info.

Thanks for the help, my guest VPN "issue" is now solved.

Best regards
Magic

You are DEFINITELY CORRECT!
