Wireguard with split tunnel

No one tried this yet?

As it seems no users have information on this, is there any developer who can help out?

I have split tunnel working very fine. B1300 on remote node running wireguard server and wireguard client on iOS and on a Windows laptop.
I seem to understand that your configuration is a site-to-site (s2s) between two GL routers, and IMO the exclusion for 192.168.10.0/24 in the VPN policies (client router) is unnecessary because the AllowedIPs configuration is enough.
Where is your DNS server 10.8.0.1 located?
If it is in your LAN then it's ok in the VPN policies and not in AllowedIPs; otherwise you have to do the opposite.

Thank you for the answer. So to be more precise the complete setup.
Home Network: 192.168.10.0/24
Wireguard Network: 10.8.0.0/24
Wireguard Server and PiHole DNS: 192.168.10.254 respective 10.8.0.1
AR750s external IP: 10.1.10.10
AR750s internal IP: 10.10.11.1 Respective Wireguard Client 10.8.0.3

wireguard client setup DNS 10.8.0.1
wireguard allowed IP and VPN policies 192.168.10.0/24, 10.8.0.1

What am I missing out?

Can you give topology of your complete scenario?
Is tunnel between two routers or WG server on a router and WG client on a laptop like roadwarrior config?

So the goal is to have (e.g.) the Notebook connected to Home Network (e.g. the NAS) while the traffic to the internet use the direct way instead of the wireguard connection (e.g. external IP 84.x.x.x NOT 85.x.x.x)

Then no VPN policies, because AllowedIPs is enough. Do it and do a traceroute to your PiHole; it should always be successful.
A DNS server over WG and Internet via your router is not the best in terms of latency, because you have to resolve names through the VPN and then go back to your LAN gateway to go out to the Internet (not exactly in line with the benefits of a split tunnel). Perhaps when you try over your LTE connection it is ok, because you run a direct connection via the WireGuard app on the phone instead of a VPN gateway.

A connection to the pihole (or any other device in home network) always worked and never has been the issue. Without VPN policies I don’t have internet access though (nslookup works but ping fails).

With VPN policies active nslookup, ping and tracert deliver expected results. Nevertheless, https://speed.io doesn’t deliver results and downloads stall after about 200kb.

After additional testing, I have to give up.

Even setting 0.0.0.0/0 as allowed IP in WireGuard and trying to only use the VPN policies results in stalling downloads, and speed tests like speed.io (others also tested) don't run through and give "connection lost" results.

This is very unfortunate, as this makes the VPN policies obsolete to me. I can only route all traffic or none without any limitations.

What version of firmware do you use? I use 3.100 firmware to simulate your scenario and it works well.

I tried using 3.025 and 3.100 as well. Unfortunately I have no clue where to look for the reason this is not working with downloads and speed tests.

@luochongjun Could you send me a screen shot of the redacted wireguard config and the VPN policies, please?

Even a factory reset doesn’t solve my issue:
After starting at expectable speed, it stalls and after a while gives out an error.

Still hoping for somebody from support to take up this issue. I tried with tethering, cable to router or as Wi-Fi client. The result is the same for all, as shown above.

I solved my issue, but could not do that via the GL gui.

I’ll give my solution here, as others might look for the same.

  • Go to “MORE SETTINGS” → “Advanced” and log in
  • Hover over “System” and go to “Software”
  • Search for “luci-proto-wireguard” and click “install”
  • Hover over “Network” and go to “Interfaces”
  • “Add new interface…”
  • Choose a name for the Interface
  • Select “WireGuard VPN” as protocol
  • Make WireGuard Settings like in the GL gui
  • As allowed IPs choose the Range of the remote network and add a second line for the WireGuard IP of the WireGuard server
  • Set checkmark at “Route allowed IPs”
  • Go to “Firewall Settings” and add the Interface to the WAN Zone
  • Click “Save & Apply”

Now surfing the web is done via the direct connection (in my case LTE over WWAN), but access to devices in remote network is established at the same time.

If you want to use a DNS Server within the remote Network (e.g. a PiHole):

  • Go back to “Interfaces”
  • Edit the Interface, that is your inter connection (in my case WWAN)
  • Go to “Advanced Settings”
  • Uncheck “Use DNS servers advertised by peer” and enter the IP of your desired DNS

Thanks man, that solved it for me!

Do the steps you outline here obsolete the configuration steps in the VPN → WireGuard Client menu on the standard admin panel?

I do this a different way.

I travel often, so I connect to many types of VPN routers that I have no control over: WireGuard, OpenVPN, WatchGuard.
Sometimes I have to use VPN software on my local laptop.
Sometimes I am forced to use a LAN connection.

So I need a universal solution, simple and flexible.

On my Windows laptop, I change the local routing table.
There are several ways to do that, but here is one example:

# delete the default route via the VPN gateway so that general traffic will not tunnel thru the VPN
route delete 0.0.0.0 172.27.232.1
# add a route so that only the IP range allocated to the LAN behind the VPN server tunnels thru the VPN
route add 10.6.96.0 mask 255.255.255.0 172.27.232.1
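Both the accepted LuCI solution (AllowedIPs plus "Route allowed IPs") and the Windows `route` commands above rely on the same mechanism: the routing table picks the most specific matching prefix, so only the remote LAN prefixes go into the tunnel and everything else keeps the direct default route. The following added example (not code from this thread or from GL.iNet) models that decision so the two configurations discussed here can be checked side by side. It uses the addresses posted in the thread; the interface names `wg0` and `wwan`, the metrics, and the LAN gateway `192.168.1.1` in the Windows table are assumptions for illustration.

```python
"""Model how AllowedIPs (with "Route allowed IPs") and Windows `route` commands
decide which destinations enter a WireGuard tunnel. Added example, not code
from the forum thread; interface names, metrics and 192.168.1.1 are assumed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    net: ipaddress.IPv4Network
    via: str        # label for the outgoing interface or next-hop gateway
    metric: int = 0  # lower wins when two routes have the same prefix length


def lookup(dst: str, table: list[Route]) -> str:
    """Longest-prefix match, ties broken by lowest metric (kernel/Windows behaviour)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.net]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: (r.net.prefixlen, -r.metric)).via


def routes_from_allowed_ips(allowed_ips: list[str], wg_iface: str = "wg0",
                            wan_iface: str = "wwan") -> list[Route]:
    """Routing table that 'Route allowed IPs' produces on the OpenWrt client:
    the normal default route via the WAN/WWAN (assumed metric 10) plus one route
    per AllowedIPs entry on the WireGuard interface (assumed metric 0)."""
    table = [Route(ipaddress.ip_network("0.0.0.0/0"), wan_iface, metric=10)]
    for entry in allowed_ips:
        # WireGuard treats a bare host such as "10.8.0.1" as a /32.
        table.append(Route(ipaddress.ip_network(entry, strict=False), wg_iface))
    return table


def apply_route_commands(table: list[Route], script: str) -> list[Route]:
    """Apply Windows-style `route add` / `route delete` lines to a copy of the table.
    Supports: `route delete DEST [GATEWAY]` and `route add DEST mask MASK GATEWAY [metric N]`."""
    table = list(table)
    for line in script.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tok = line.split()
        if tok[:2] == ["route", "delete"]:
            dest, gw = tok[2], (tok[3] if len(tok) > 3 else None)
            table = [r for r in table
                     if not (str(r.net.network_address) == dest and (gw is None or r.via == gw))]
        elif tok[:2] == ["route", "add"] and len(tok) >= 6 and tok[3] == "mask":
            dest, mask, gw = tok[2], tok[4], tok[5]
            metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
            table.append(Route(ipaddress.ip_network(f"{dest}/{mask}"), gw, metric))
        else:
            raise ValueError(f"unsupported command: {line}")
    return table


# Constructed Windows table before the commands from the thread: the VPN client
# installed a default route via 172.27.232.1 that beats the LAN default route.
WINDOWS_TABLE_BEFORE = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "192.168.1.1", metric=25),   # LAN gateway (assumed)
    Route(ipaddress.ip_network("0.0.0.0/0"), "172.27.232.1", metric=5),   # VPN gateway (thread)
]

# The two commands posted in the thread.
WINDOWS_SCRIPT = """
# delete the default route via the VPN gateway
route delete 0.0.0.0 172.27.232.1
# only the LAN behind the VPN server goes thru the VPN
route add 10.6.96.0 mask 255.255.255.0 172.27.232.1
"""


def demo() -> dict[str, str]:
    """Where each destination from the thread ends up under the three setups."""
    split = routes_from_allowed_ips(["192.168.10.0/24", "10.8.0.1"])
    full = routes_from_allowed_ips(["0.0.0.0/0"])
    win = apply_route_commands(WINDOWS_TABLE_BEFORE, WINDOWS_SCRIPT)
    return {
        "split: NAS 192.168.10.20": lookup("192.168.10.20", split),
        "split: PiHole 10.8.0.1": lookup("10.8.0.1", split),
        "split: other WG peer 10.8.0.2": lookup("10.8.0.2", split),
        "split: internet 84.0.0.1": lookup("84.0.0.1", split),
        "full:  internet 84.0.0.1": lookup("84.0.0.1", full),
        "win:   remote LAN 10.6.96.7": lookup("10.6.96.7", win),
        "win:   internet 84.0.0.1": lookup("84.0.0.1", win),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:32s} -> {v}")
```

Note that with `0.0.0.0/0` in AllowedIPs the tunnel route has the same prefix length as the WAN default route, so only the metric decides; that is why the thread could only get "all traffic or none" until the AllowedIPs list was narrowed to the remote prefixes.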

I love the accepted solution.

I wrote an article on the method I use which has worked great.

These instructions still work for me as of 2/14/2024.

Setup is completely through the OpenWRT advanced settings; didn’t touch the GL Wireguard menu options.