Split Tunnel via VPN Policy or via Wireguard allowedIPs config?

Hi,

I use a Beryl AX as client and a Brume 2 as wireguard server.
Since the Beryl AX is my travel router, I’d like to do split tunnelling for all clients connected to the Beryl AX, with only the traffic destined for my local LANs behind the Brume passing through the tunnel.

Usually I do this on e.g. my android client by limiting the allowedIPs in my client config like this:

AllowedIPs = 10.0.0.0/24, 192.168.3.0/24, 192.168.134.0/24, 192.168.230.0/24 

This works fine when establishing a tunnel from my android to brume.

On my Beryl I can do this either via the wireguard client config as well or I use “VPN Policy Base on the Target Domain or IP” on the global VPN settings page.

So I was wondering what is the preferred way of doing it. Is there a difference and what happens if I do both?

Just to add to this, I already did some testing with interesting behaviour.

  1. Using VPN Policy and Wireguard client config with AllowedIPs = 0.0.0.0/0, ::/0
    • I can connect to my local networks but the internet traffic goes via the brume as well, which is a desired behaviour
  2. Global Proxy and Wireguard client config with AllowedIPs = 10.0.0.0/24, 192.168.3.0/24, 192.168.134.0/24, 192.168.230.0/24
    • I can connect to my local networks but don’t have internet access at all
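To make the two test results above concrete, here is an added Python model (example code, not anything from the thread, from WireGuard or from GL.iNet's firmware) of WireGuard's cryptokey routing: an outgoing packet is encrypted to the peer whose AllowedIPs contain its destination by longest-prefix match, and a packet no peer claims is dropped rather than sent anywhere. The `route_allowed_ips` mode assumes the router only installs routes for the AllowedIPs, so everything else leaves via the WAN; the `global_proxy` mode assumes the GUI's Global Proxy steers every client packet into the WireGuard interface first (my reading of that setting, not something documented here). The block also computes the complement list you need for a "full tunnel minus these prefixes" config, since AllowedIPs has no negation syntax. The LAN prefixes are the ones from the first post.

```python
"""Model of WireGuard cryptokey routing for the split/full tunnel cases above.
Added example; not code from the thread, WireGuard or GL.iNet."""
import ipaddress
from typing import List, Optional

# The LAN prefixes behind the Brume, copied from the AllowedIPs line in the first post.
HOME_LANS = ["10.0.0.0/24", "192.168.3.0/24", "192.168.134.0/24", "192.168.230.0/24"]
FULL_TUNNEL = ["0.0.0.0/0", "::/0"]


def parse_nets(cidrs: List[str]):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def select_peer_route(dest: str, allowed_ips: List[str]) -> Optional[str]:
    """Cryptokey routing: the destination is matched against every peer's AllowedIPs
    and the longest matching prefix wins. None means no peer claims the destination,
    in which case WireGuard drops the packet instead of sending it anywhere."""
    addr = ipaddress.ip_address(dest)
    matches = [n for n in parse_nets(allowed_ips) if n.version == addr.version and addr in n]
    if not matches:
        return None
    return str(max(matches, key=lambda n: n.prefixlen))


def egress(dest: str, allowed_ips: List[str], mode: str) -> str:
    """Where a LAN client's packet ends up under the two router behaviours discussed.
    'route_allowed_ips': only the AllowedIPs are routed into wg; the rest leaves via WAN.
    'global_proxy' (assumed semantics): every client packet is policy-routed into wg
    first, so anything outside AllowedIPs is dropped instead of going out direct."""
    if select_peer_route(dest, allowed_ips):
        return "tunnel"
    if mode == "route_allowed_ips":
        return "direct"
    if mode == "global_proxy":
        return "dropped"
    raise ValueError(f"unknown mode {mode!r}")


def exclude_from_default(excluded: List[str], default: str = "0.0.0.0/0") -> List[str]:
    """'Everything except these prefixes' for AllowedIPs. There is no negation, so carve
    each excluded prefix out of the default route and return the remaining CIDR blocks
    (the usual 'AllowedIPs calculator' trick). Prefixes of the other address family
    are ignored; CIDR blocks either nest or are disjoint, so no partial overlaps occur."""
    remaining = [ipaddress.ip_network(default)]
    for ex in parse_nets(excluded):
        carved = []
        for net in remaining:
            if ex.version == net.version and ex.subnet_of(net):
                carved.extend(net.address_exclude(ex))  # yields nothing if ex == net
            elif ex.version == net.version and net.subnet_of(ex):
                continue  # block lies entirely inside an excluded prefix: drop it
            else:
                carved.append(net)
        remaining = carved
    return [str(n) for n in sorted(ipaddress.collapse_addresses(remaining))]


if __name__ == "__main__":
    for mode in ("route_allowed_ips", "global_proxy"):
        print(mode, "8.8.8.8 ->", egress("8.8.8.8", HOME_LANS, mode),
              "| 192.168.3.7 ->", egress("192.168.3.7", HOME_LANS, mode))
    print("full tunnel except a hotel LAN:", exclude_from_default(["192.168.0.0/16"]))
```

Under this model, test 1 (0.0.0.0/0 plus a policy) sends 8.8.8.8 through the tunnel, and test 2 (narrow AllowedIPs plus Global Proxy) drops it, which matches the two observations above; the same `egress` call with a resolver address tells you whether a client's DNS query would cross the tunnel or not.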

Are you looking for those devices connected to your Beryl AX (‘client devices’) to only use the VPN Client tunnel? If so it might be easier to just set their MACs to do so.

(GL GUI → VPN → VPN Dashboard → VPN Client → Global Proxy → Based on the Client Device)

Otherwise the VPN Policy Base on the Target Domain or IP is really intended for remote domains (eg: Netflix’s numerous domains) but hey, if it works & you’re happy w/ its results, it works.

There’s also GL GUI → VPN → VPN Dashboard → VPN Client → Global Proxy → Route Mode → Customize Routing Rules if you need something more, well, custom.

So I was wondering what is the preferred way of doing it. Is there a difference and what happens if I do both?

I’d try to keep as much of it in the GL GUI itself before resorting to conf editing like AllowedIPs. There may be a time when you use the GL GUI &/or a firmware update that inadvertently conflicts w/ the WG conf. That’s merely speculation & my opinion though; you can see your WG Client conf/details @ /etc/config/wireguard

I’d strip the AllowedIPs & see if it clears it up. 0.0.0.0/0, ::/0 should be the defaults in that case.

I am actually looking for an easy way to switch between a full tunnel and a split tunnel for all clients connected to Beryl.

  1. Use case is being connected to my home lan while on the road and the same time have direct access to the internet e.g. for Netflix and others.
  2. Use case is to route everything on Beryl clients through this tunnel for maximum privacy.

That’s really good information. I wasn’t aware of this. I furthermore figured out that the Route Mode “Auto Detect” seems to be a feasible way to do this. This way I define different wireguard client profiles with different AllowedIPs and can easily switch between full and split tunnel.

I totally agree. That’s also my focus. Fortunately on the latest firmware you can configure the wireguard configs in the UI as well.

One more thing I realized while testing different configs is that apparently the Beryl completely ignores the DNS entries in my wireguard config files. For maximum privacy, I usually use the DNS server on my VPN server. However devices connected to Beryl always use Beryl’s own DNS server. Any idea on that?

I’d think Base on the Target Domain or IP might be the best case then if there’s the expectation of more general traffic going through the clearnet than the VPN tunnel. You can always put ipleak.net in that same policy list to test & confirm. I usually put https://ipecho.net/plain in there too for the few times I’m trying out experimental/random configs.

Well, Hell, I’d just throw the Global Proxy policy on @ GL GUI → VPN → VPN Dashboard → VPN Client → Global Proxy if that’s the case for that spell of time. IDK but I presume that function is also available in GL’s phone app but I’ve never used the app. I’d imagine it’d be easier than toggling a different connection in ea. device’s WG app but it still may not be exactly what you’re looking for.

I do something quite similar though I offload upstream DNS to a third party host once the request is processed through my local blocklists (handled by dnscrypt-proxy2) on my GL device.

Yeah, your WG Client connected devices (LAN clients) are hitting the dnsmasq process which handles DHCP & DNS forwarding behind the scenes before routing through the WG Client & its conf/specifics. If you head over to DNS via GL GUI → Network → DNS you’ll find a host of options for various configurations. IDK if mere Manual w/ IPv4 would be what you’re looking for but it’s the simplest option. That runs on port 53, as do all traditional, unencrypted, insecure DNS lookups, but if you’re shunting it thru a WG tunnel it’s of no matter.

Another option would be setting up DOH or DOT. That way all outbound DNS requests, VPN or no would be encrypted too. I prefer DOH as it uses :443 & no Wi-Fi hotspot/foreign LAN is going to block the very port needed for SSL/TLS.

When you use Encrypted DNS (GL GUI → Network → DNS → DNS Server Settings) dnsmasq forwards all locally originating lookups over to dnscrypt-proxy2 listening on 127.0.0.1#5453. The lists under ‘+ Servers’ are from local conf files for dnscrypt-proxy2 on the GL device, but a custom conf can be uploaded, then symlinked, if you wanted your own strict/custom server to be used. It’ll then be reflected in the GL GUI. Eg:

root@GL-AXT1800:~# ll /etc/dnscrypt-proxy2/dnscrypt-proxy.toml
lrwxrwxrwx    1 root     root          40 Jun 28 02:13 /etc/dnscrypt-proxy2/dnscrypt-proxy.toml -> dnscrypt-proxy.my-personal-third-party-doh-provider.locked.toml

I bring this up because I’m of the position all DNS lookups should be encrypted regardless if running a tunnel or over clearnet.
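The Encrypted DNS chain described above (dnsmasq → dnscrypt-proxy2 → DoH upstream over :443) relies on the RFC 8484 framing. The following Python is an added example, not code from dnscrypt-proxy2, AdGuard Home or GL.iNet's firmware: it builds a wire-format DNS query, produces the base64url `?dns=` GET form a DoH resolver accepts, and parses and sanity-checks a reply. The reply bytes are constructed inline with a TEST-NET-2 address, nothing is fetched; the Quad9 endpoint URL is an assumption to be replaced with your provider's.

```python
"""RFC 8484 DNS-over-HTTPS framing, the wire format behind a dnscrypt-proxy2 -> DoH
upstream. Added example; not code from dnscrypt-proxy2, AdGuard Home or GL.iNet."""
import base64
import ipaddress
import struct
from typing import Dict, Tuple

# Assumption: the DoH endpoint to use. Substitute your own provider's URL.
DOH_ENDPOINT = "https://dns.quad9.net/dns-query"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """DNS wire-format query. RFC 8484 suggests txid 0 over DoH so that the same
    question always yields the same GET URL and HTTP caches can serve it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(endpoint: str, query: bytes) -> str:
    """GET form of RFC 8484: the raw message, base64url without padding, in the
    'dns' parameter; sent with Accept: application/dns-message over HTTPS on :443,
    which is why it survives hotspots that block :53."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def read_name(msg: bytes, off: int, depth: int = 0) -> Tuple[str, int]:
    """Read a (possibly compressed) domain name; returns (name, offset after it)."""
    if depth > 10:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels) + ".", off + 1
        if length & 0xC0 == 0xC0:  # pointer back into the message (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            suffix, _ = read_name(msg, ptr, depth + 1)
            return (".".join(labels + [suffix]) if labels else suffix), off + 2
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_message(msg: bytes) -> Dict:
    """Parse header, question and answer sections of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype))
    for _ in range(an):
        rname, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == 28 and rdlen == 16:
            value = str(ipaddress.IPv6Address(rdata))
        else:
            value = rdata.hex()
        answers.append((rname, rtype, ttl, value))
    return {"txid": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "questions": questions, "answers": answers}


def constructed_reply(query: bytes, ipv4: str = "198.51.100.7", ttl: int = 300) -> bytes:
    """CONSTRUCTED sample reply (not captured from any resolver): echoes the question
    and appends one A record with a TEST-NET-2 address, so nothing real is implied."""
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = read_name(query, 12)
    question = query[12:qend + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, NOERROR
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + ipaddress.IPv4Address(ipv4).packed
    return header + question + rr


def check_reply(query: bytes, reply: bytes) -> Tuple[bool, str]:
    """Checks a stub resolver should make before trusting a DoH answer: QR bit set,
    same transaction id, question echoed unchanged, NOERROR."""
    q, r = parse_message(query), parse_message(reply)
    if not r["qr"]:
        return False, "not a response"
    if r["txid"] != q["txid"]:
        return False, "transaction id mismatch"
    if r["questions"] != q["questions"]:
        return False, "question section differs"
    if r["rcode"] != 0:
        return False, f"rcode {r['rcode']}"
    return True, "ok"


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(DOH_ENDPOINT, q))
    print(parse_message(constructed_reply(q))["answers"])
```

The transport security (TLS on :443) is what hides the query from the hotspot; the checks in `check_reply` are the part a stub resolver still owes itself, since an HTTPS connection to the right host says nothing about whether the message inside answers the question that was asked.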

Fortunately on the latest firmware you can configure the wireguard configs in the UI as well.

Yup; & those files are located @ /etc/config/wireguard & /etc/config/wireguard_server, respectively. You should probably make a backup once you’ve got everything as you want it… I hate the idea of anyone losing a perfectly good network configuration.

I split tunnel with the Target IP range defined to be my local LAN. My Beryl AX has been connected for a month like this. My home upload speed is only 10 Mbps so that is key.

The autodetect should be a better way but it was unreliable for me and GL-inet was working on it. I’m going to pick this up again in August but at the moment the family is on the beach and resistant to my fooling around.

As would I be. Look into GoodCloud when you’re able to, just in case.

Maybe I got you wrong but didn’t you say in your first post that Target Domain or IP is really intended for remote domains (eg: Netflix’s numerous domains)?
That sounds contradictory to me.

Yeah, switching between “Target Domain or IP” and “Global Proxy” could indeed be a good way to switch between split and full tunnel.
From a usability point of view it’s quite similar to switch wg profiles.

I was trying to use different dns server in my wireguard config for split and full tunnel. But I now understand that this is not possible.
The idea is that the full tunnel uses the DNS server on the remote VPN server and the split tunnel uses the local DNS server in Beryl. The reason is that imho with split tunnel it doesn’t make sense to send the DNS request to a far far away VPN server while accessing the internet directly where the Beryl is.
If I set up any DNS server via GL GUI → Network → DNS → DNS Server Settings it always applies, no matter whether I use split or full tunnel. So I would need to change this setting each time I switch the tunnel mode.

BTW I use AdGuardHome on both devices, Beryl as local client and Brume as remote VPN server. I’ll check out the config for DoH as Upstream Server for AdGuardHome. That would mean that the DNS requests are always processed by ADH and DoH locally on the Beryl, but this sounds like a good compromise.

I did & it is… as a best practice… but sometimes when you have to drive a nail even a wrench will do.

That was exactly my thought process & a helluva lot easier than going thru ea. client device/mobile/whatever to do so.

Yeah so it’d seem if you really wanted it. IDK about the AdGuard Home impact. I don’t use it so I can’t comment on it really. IDK if there’d be any addn’l hoops to jump thru. It might make a good topic for a new thread to elicit a response from one who may know, however.

yeah,

I’m still looking for the best balance of convenience and privacy for my Beryl travel router.

to sum it up, I guess it could be this way:

  • Switching between split and full tunnel (either via wg profiles or via proxy mode settings)
  • have Beryl always handle DNS requests locally via AdGuardHome and DoH.

still gotta do some testing. The last thing that should happen is that I’m on the road with Beryl and it doesn’t work due to the high complexity of my set up.

Well the good news is that it looks like the upstream can be set for DOH. They even use Quad9 in the screenshot of the docs:

One thing I’ll mention that’s not obvious as it requires custom conf: dnscrypt-proxy2 can be set to act as a DOH resolver… & then forward requests on accordingly. If you really wanted to maintain control over DNS I don’t see why you couldn’t run dnscrypt-proxy2 on your DNS server, pointing all clients to it. I’ve not tried such a conf however; it is noted in the confs.

So I can conceive of a custom setup in your case of $client → Beryl AX → dnsmasq → Adguard Home → DOH → your DNS via dnscrypt-proxy2 → $upstream DOH (eg: Quad9).

The trade off would be one extra ‘hop’ to your DNS instead of just directly hitting Quad9 but on the other side you’d have the benefit of knowing your DNS is still under your control even when using AdGuard Home.