Wireguard with split tunnel

Hello,

Has anyone got a split tunnel working with WireGuard?

I am trying to use WireGuard only to access my home network, without having all traffic routed through the tunnel.

In WireGuard management I set allowed IPs to 192.168.10.0/24 (my home network) and 10.8.0.1 (my Pi-hole DNS).

In the VPN policies I set the option "use only for" 192.168.10.0/24 and 10.8.0.1.

Connection to my home network works fine, but loading pages on the internet randomly works or stops loading without any result or error notice. When I go to http://speed.io (and it manages to load), the speed test starts at a high speed but then stalls and gives the message "connection lost".

Routing everything through the tunnel resolves this issue, but leaves me with much lower bandwidth and worse response times.

Any clues?

BTW, having the same settings on my phone works like a charm, and I have my local network and my Pi-hole on the go while still having full LTE bandwidth to the internet.

No one tried this yet?

As it seems no users have information on this, is there a developer who can help out?

I have split tunnel working very fine: a B1300 on the remote node running the WireGuard server, and WireGuard clients on iOS and on a Windows laptop.
As I understand it, your configuration is a site-to-site (s2s) between two GL routers, and IMO the exclusion for 192.168.10.0/24 in the VPN policies (client router) is unnecessary, because the allowed IPs configuration is enough.
Where is your DNS server 10.8.0.1 located?
If it is in your LAN, then it is fine in the VPN policies and not in the allowed IPs; otherwise you have to do the opposite.

Thank you for the answer. So, to be more precise, the complete setup:
Home network: 192.168.10.0/24
WireGuard network: 10.8.0.0/24
WireGuard server and Pi-hole DNS: 192.168.10.254 and 10.8.0.1 respectively
AR750s external IP: 10.1.10.10
AR750s internal IP: 10.10.11.1 and WireGuard client 10.8.0.3 respectively

WireGuard client setup: DNS 10.8.0.1
WireGuard allowed IPs and VPN policies: 192.168.10.0/24, 10.8.0.1

What am I missing?

Can you give the topology of your complete scenario?
Is the tunnel between two routers, or is the WG server on a router and the WG client on a laptop, like a road warrior config?

So the goal is to have (e.g.) the notebook connected to the home network (e.g. the NAS) while the traffic to the internet uses the direct way instead of the WireGuard connection (e.g. external IP 84.x.x.x, NOT 85.x.x.x).

Then no VPN policies, because the allowed IPs are enough. Do it and do a traceroute to your Pi-hole; it should always be successful.
A DNS server over WG and Internet via your router is not the best in terms of latency, because you have to resolve names through the VPN and go back to your LAN gateway to go out to the Internet (not exactly in line with the benefits of a split tunnel). Perhaps when you try over your LTE connection it is OK because you run a direct connection through the WireGuard app on the phone instead of a VPN gateway.

A connection to the Pi-hole (or any other device in the home network) always worked and has never been the issue. Without VPN policies I don't have internet access, though (nslookup works but ping fails).

With VPN policies active, nslookup, ping and tracert deliver the expected results. Nevertheless, https://speed.io doesn't deliver results and downloads stall after about 200 kB.

After additional testing, I have to give up.

Even setting 0.0.0.0/0 as allowed IP in WireGuard and trying to only use the VPN policies results in stalling downloads, and speed tests like speed.io (others also tested) don't run through and give "connection lost" results.

This is very unfortunate, as this makes the VPN policies useless to me. I can only route all traffic or none, without any limitations.

What version of firmware do you use? I use the 3.100 firmware to simulate your scenario and it works well.

I tried using 3.025 and 3.100 as well. Unfortunately I have no clue where to look for the reason this is not working with downloads and speed tests.

@luochongjun Could you send me a screenshot of the redacted WireGuard config and the VPN policies, please?

Even a factory reset doesn't solve my issue:
after starting at the expected speed, it stalls and after a while gives an error.

Still hoping for somebody from support to take up this issue. I tried with tethering, cable to the router, or as a WiFi client. The result is the same for all, as shown above.

I solved my issue, but could not do that via the GL GUI.

I'll give my solution here, as others might look for the same.

  • Go to “MORE SETTINGS” --> “Advanced” and log in
  • Hover over “System” and go to “Software”
  • Search for “luci-proto-wireguard” and click “install”
  • Hover over “Network” and go to “Interfaces”
  • “Add new interface…”
  • Choose a name for the interface
  • Select “WireGuard VPN” as protocol
  • Make the WireGuard settings like in the GL GUI
  • As allowed IPs, choose the range of the remote network and add a second line for the WireGuard IP of the WireGuard server
  • Set the checkmark at “Route allowed IPs”
  • Go to “Firewall Settings” and add the interface to the WAN zone
  • Click “Save & Apply”

Now surfing the web is done via the direct connection (in my case LTE over WWAN), but access to devices in the remote network is established at the same time.

If you want to use a DNS server within the remote network (e.g. a Pi-hole):

  • Go back to “Interfaces”
  • Edit the interface that is your internet connection (in my case WWAN)
  • Go to “Advanced Settings”
  • Uncheck “Use DNS servers advertised by peer” and enter the IP of your desired DNS
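As an added example (not code from the forum post or from GL.iNet), the LuCI procedure above expressed as OpenWrt `uci` commands, so the same split tunnel can be built from the router's shell or a script. It also turns the earlier replies' point about allowed IPs into two checks: the AllowedIPs list must not contain a default route (or it is not a split tunnel at all), and a DNS server you want to reach through the tunnel (the Pi-hole at 10.8.0.1) must itself be covered by AllowedIPs, because WireGuard only sends packets into the tunnel for destinations listed there. The addresses are the ones from the thread; the interface name `wg0`, the key and endpoint placeholders, the server port 51820, the keepalive value and the uplink interface name `wwan` are assumptions to adapt.

```shell
#!/bin/sh
# Added example, not from the forum post or from GL.iNet: the LuCI steps as
# OpenWrt uci commands, plus sanity checks on the AllowedIPs list.
# Addresses come from the thread; wg0, the key/endpoint placeholders, the
# port, the keepalive and the uplink interface name "wwan" are assumptions.

WG_IF="wg0"                                  # assumed name of the new interface
WG_ADDR="10.8.0.3/24"                        # this router's tunnel address
WG_PRIVKEY="<client-private-key>"            # placeholder: copy from the GL GUI
PEER_PUBKEY="<server-public-key>"            # placeholder
PEER_ENDPOINT="<server-hostname-or-ip>"      # placeholder
PEER_PORT="51820"                            # assumed listen port of the server
ALLOWED_IPS="192.168.10.0/24 10.8.0.1/32"    # home LAN + Pi-hole's tunnel address
DNS_SERVER="10.8.0.1"                        # Pi-hole
UPLINK_IF="wwan"                             # assumed Internet-facing interface

# dotted quad -> integer
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR: succeed if IP lies inside CIDR (a bare IP counts as /32)
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# A split tunnel hands no default route to the tunnel.
is_split_tunnel() {
    for net in $1; do
        case "$net" in 0.0.0.0/0|::/0) return 1 ;; esac
    done
    return 0
}

# Only destinations inside AllowedIPs enter the tunnel, so a DNS server that
# should be reached via WireGuard must be covered by one of the entries.
covered_by_allowed_ips() {
    for net in $2; do
        in_cidr "$1" "$net" && return 0
    done
    return 1
}

# Print the uci commands equivalent to the LuCI steps (run them on the router).
wg_split_tunnel_uci() {
    is_split_tunnel "$ALLOWED_IPS" || { echo "refusing: AllowedIPs contains a default route" >&2; return 1; }
    covered_by_allowed_ips "$DNS_SERVER" "$ALLOWED_IPS" || { echo "refusing: $DNS_SERVER is not covered by AllowedIPs" >&2; return 1; }
    cat <<EOF
uci set network.${WG_IF}=interface
uci set network.${WG_IF}.proto='wireguard'
uci set network.${WG_IF}.private_key='${WG_PRIVKEY}'
uci -q delete network.${WG_IF}.addresses
uci add_list network.${WG_IF}.addresses='${WG_ADDR}'
uci -q delete network.${WG_IF}_peer
uci set network.${WG_IF}_peer='wireguard_${WG_IF}'
uci set network.${WG_IF}_peer.public_key='${PEER_PUBKEY}'
uci set network.${WG_IF}_peer.endpoint_host='${PEER_ENDPOINT}'
uci set network.${WG_IF}_peer.endpoint_port='${PEER_PORT}'
uci set network.${WG_IF}_peer.persistent_keepalive='25'
uci set network.${WG_IF}_peer.route_allowed_ips='1'
EOF
    for net in $ALLOWED_IPS; do
        echo "uci add_list network.${WG_IF}_peer.allowed_ips='${net}'"
    done
    cat <<EOF
# put the tunnel interface into the WAN zone (looked up by name, not by index)
WAN_ZONE=\$(uci show firewall | grep "\.name='wan'\$" | cut -d. -f2)
uci add_list firewall.\${WAN_ZONE}.network='${WG_IF}'
# use the Pi-hole instead of the DNS servers advertised by the uplink
uci set network.${UPLINK_IF}.peerdns='0'
uci -q delete network.${UPLINK_IF}.dns
uci add_list network.${UPLINK_IF}.dns='${DNS_SERVER}'
uci commit network; uci commit firewall
/etc/init.d/network restart; /etc/init.d/firewall restart
EOF
}

# With no argument the script only prints the commands for review;
# "sh split.sh --apply" executes them on the router.
if [ "${1:-}" = "--apply" ]; then
    wg_split_tunnel_uci | sh -e
else
    wg_split_tunnel_uci
fi
```

Run it once without arguments and read the output before applying; the placeholders in angle brackets must be replaced with the real keys and endpoint first. The WAN zone is resolved by its `name` rather than by section index, because the zone order in `/etc/config/firewall` differs between stock OpenWrt and vendor firmwares.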

Thanks man, that solved it for me!