The entire day I have been troubleshooting a weird issue on my Slate 7 with 4.8.1 firmware.
My setup is simple. I have two VPN configs to connect to my Unifi UDM. They are pretty much the same, besides the fact that one is a full tunnel and the other one is a split tunnel.
full tunnel:
[Interface]
Address = 10.0.66.2/32
PrivateKey = <>
DNS = 10.0.66.1
MTU = 1420
However, when I activate the split tunnel config, I can connect to my devices and servers behind the VPN, but no traffic goes to the internet directly.
First I thought this might be a DNS resolving issue, but then I tried the policy mode with the split tunnel WireGuard config and added the AllowedIPs to the list of targets, too. This time I was able to access the internet for traffic not destined for the VPN tunnel as well as my internal resources.
So this is kind of weird and feels like something’s not right with the implementation of “Global Mode” in the VPN settings.
Can you confirm this behavior, or did I misunderstand something?
P.S.: since Policy Mode does work, one could say I should just use it that way. However, the reason I prefer Global Mode is that I can easily switch the WireGuard profile via the display on the Slate. This is not possible with Policy Mode, since the IP list in targets stays the same.
Right, and therefore all other traffic besides the AllowedIPs should bypass the VPN tunnel. That’s the default behavior of a WireGuard config, and that’s what I am looking for.
The 4.8.x firmware already supports VPN policies based on target domains, doesn't it?
Simply use this one, so you can create different profiles and route your devices just as you need.
Yeah. As I said, with Policy Mode one can achieve this, but the usability of easily switching between a full tunnel and a split tunnel is not good.
In this scenario one needs to change the destination addresses manually each time you want to switch between full and split.
Think about it: you are traveling with this router, trying to switch. You use your mobile to connect to the router, need to copy the addresses from somewhere and paste them into the destination section on the VPN dashboard. If you switch back, you have to delete the destination addresses again, and so on.
The Slate 7 has a great display where you can switch VPN profiles but not policies. So for this case it is useless.
Furthermore, before the new Policy Mode was introduced it was definitely possible to use a split tunnel WireGuard config without the need to add the destination addresses somewhere else outside of the config file. Traffic not intended for the tunnel was routed to the WAN uplink directly.
As far as I remember, there were more than two possible VPN modes, and I think it was called “auto detect”.
You are right. The manual says:
Global Mode is the default VPN mode.
In this mode, all traffic will be routed through the VPN tunnel, and only one VPN client instance can be activated.
Then this is either a bug, carried over from an older firmware where this actually worked, or it’s a missing feature.
Can someone from GL.iNet staff please comment on that?
Maybe I am stupid, but the new VPN policies allow you to have multiple VPN endpoints, and you can simply enable or disable them. The rules are applied in order, so if your split VPN is ranked higher and you disable it, you will go full VPN.
But you also need to disable the Full Tunnel if you want to use the Split Tunnel, because otherwise the traffic not intended for the Split Tunnel goes to Prio 2 and is still routed via the Full Tunnel. For a Split Tunnel setting it should use the “all other traffic” rule instead.
I think you meant it the other way round.
Prio 1: Full Tunnel
Prio 2: Split Tunnel
This way, if you leave both tunnels active, you have a Full Tunnel setup. If you disable the Full Tunnel, the dedicated networks are routed via the Split Tunnel while all other traffic uses the “all other traffic” rule.
That works, even though it is kind of counter-intuitive, at least for me.
I tested all scenarios and found some strange behavior regarding the DNS server being used.
My setup:
In the wg config file I use the DNS server 10.0.66.1, which is behind the tunnel, and the “All other Traffic” rule is always on.
Full Tunnel on / Split Tunnel off:
vpn network access: yes
internet access: via tunnel
dns server: dns from wg config
with Allow Custom DNS to Override VPN DNS activated: DNS from Slate 7 DNS Settings
Full Tunnel off / Split Tunnel on:
vpn network access: yes
internet access: via local wan
dns server: from Slate 7 DNS Settings
with Allow Custom DNS to Override VPN DNS activated: DNS from Slate 7 DNS Settings
Full Tunnel on / Split Tunnel on:
vpn network access: yes
internet access: via tunnel
dns server: dns from wg config
with Allow Custom DNS to Override VPN DNS activated: not feasible due to routing issues
Option 1 works as expected and uses the DNS server from the wg config file. If “Allow Custom DNS to Override VPN DNS” is activated, it uses the GL.iNet router’s DNS settings.
Option 2 doesn’t use the DNS server from the wg config, even though the DNS server from the wg config file is accessible and part of the defined destinations. Instead it uses the DNS settings from the GL.iNet router. In that case, of course, it doesn’t make a difference whether or not “Allow Custom DNS to Override VPN DNS” is activated.
Option 3 works as well, but activating “Allow Custom DNS to Override VPN DNS” leads to some weird routing issues, meaning some packets get through and some are dropped for whatever reason.
Last but not least: if I use this workaround, the VPN widget on the display is useless, since it can only switch between different WireGuard client configs and not between different profiles on the VPN dashboard.
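A small checker, added here for this thread and not part of GL.iNet's firmware or the poster's files, that parses a wg-quick config and reports whether it is a full or split tunnel and whether the DNS server it names is covered by AllowedIPs. For a split config like the poster's the DNS server is covered, so a router falling back to its own DNS settings in that case is router behaviour rather than a defect in the config; the sample config is constructed (keys redacted, endpoint a placeholder).

```python
import ipaddress

# Constructed sample (keys redacted, endpoint a placeholder): a split-tunnel config
# whose DNS server 10.0.66.1 lies inside the AllowedIPs, as in the poster's setup.
SPLIT_CONF = """[Interface]
Address = 10.0.66.2/32
PrivateKey = <redacted>
DNS = 10.0.66.1
MTU = 1420

[Peer]
PublicKey = <redacted>
AllowedIPs = 10.0.66.0/24, 10.0.0.0/16
Endpoint = vpn.example.invalid:51820
"""
# Same peer with a default route instead, i.e. the full-tunnel variant.
FULL_CONF = SPLIT_CONF.replace("10.0.66.0/24, 10.0.0.0/16", "0.0.0.0/0, ::/0")

def parse_wg(text):
    """Minimal wg-quick parser: {section: {key: [values]}}, comma lists split."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        values = [v.strip() for v in value.split(",") if v.strip()]
        sections[current].setdefault(key.strip(), []).extend(values)
    return sections

def allowed_networks(conf):
    return [ipaddress.ip_network(a, strict=False) for a in conf["Peer"].get("AllowedIPs", [])]

def tunnel_mode(conf):
    """'full' if an AllowedIPs entry is a default route (0.0.0.0/0 or ::/0), else 'split'."""
    return "full" if any(n.prefixlen == 0 for n in allowed_networks(conf)) else "split"

def dns_inside_tunnel(conf):
    """True when every DNS server in [Interface] is covered by AllowedIPs, i.e. a client
    honouring the config sends its DNS queries through the tunnel rather than the WAN
    uplink. DNS= entries are assumed to be addresses (search domains are not handled)."""
    nets = allowed_networks(conf)
    servers = [ipaddress.ip_address(e) for e in conf["Interface"].get("DNS", [])]
    return bool(servers) and all(any(s in n for n in nets) for s in servers)
```

If dns_inside_tunnel returns False for a split config, queries to the config's DNS server would leave via the WAN uplink, which is the DNS-leak case worth checking before deploying such a profile.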
I’m facing the exact same issue as you. I have my own DNS server and PiHole set up on my network, but I can’t use them because I can’t select my DNS server in the Slate 7 UI.
No, I still believe this is a bug, or maybe even a feature. It only happens with split tunnel setups. I use encrypted DNS providers as a workaround in Network → DNS. This is being used for the split tunnel in my case.