Wireguard Split-Vpn Fails with Unifi OS v4.0.6 #213

Open
@calyx-labs

Description

Hello,

I'd like some help diagnosing an issue with Split-Vpn running on a UDM-Pro SE running Unifi OS v4.0.6. When I first set this up on v3.x, prior to upgrading to Unifi OS v4+, it worked the first time following the setup directions for the Wireguard (kernel module) instructions.

After upgrading and rebooting, my split-vpn setup no longer works. I tried disabling the service and running wg-quick up ./wg0.conf from my vpn subdirectory and then running wg and I confirmed that the tunnel establishes and it receives a valid handshake. With the killswitch enabled, connected clients lose all connectivity, suggesting that the issue is with routing client traffic over the wireguard interface.

For context, here are my config files (redacted):

wg0.conf

[Interface]
PrivateKey = <...>
Address = 10.0.56.250/32
PostUp = sh /etc/split-vpn/vpn/updown.sh %i up
PreDown = sh /etc/split-vpn/vpn/updown.sh %i down
Table = 101

[Peer]
PublicKey = <...>
AllowedIPs = 0.0.0.0/1,128.0.0.0/1,::/1,8000::/1
Endpoint = <...>:51820

vpn.conf

# Force these sources through the VPN.
# Format: [brX] for interface. [IP/nn] for IP. [xx:xx:xx:xx:xx:xx] for mac.
FORCED_SOURCE_INTERFACE=""
FORCED_SOURCE_IPV4="192.168.1.1/24 192.168.2.1/24"
FORCED_SOURCE_IPV6=""
FORCED_SOURCE_MAC=""

DNS_IPV4_IP="10.0.0.1"
DNS_IPV4_PORT=53
DNS_IPV6_IP=""
DNS_IPV6_PORT=53

# Enabling kill switch drops VPN-destined traffic that doesn't go through the VPN.
KILLSWITCH=1

# Enable this only if you are testing or you don't care about your real IP leaking
# when the vpn client restarts or exits.
REMOVE_KILLSWITCH_ON_EXIT=0

REMOVE_STARTUP_BLACKHOLES=1

# Set the VPN provider.
# "openvpn" for OpenVPN (default), "openconnect" for OpenConnect, "external" for wireguard,
# or "nexthop" for an external VPN client.
VPN_PROVIDER="external"

# If using "external" for VPN_PROVIDER, set this to the VPN endpoint IP so that the
# gateway route can be automatically added for the VPN endpoint.
# OpenVPN passes the VPN endpoint IP to the script and will override these values.
# These must be defined if using VPN_PROVIDER="nexthop".
VPN_ENDPOINT_IPV4="<...>"
VPN_ENDPOINT_IPV6=""

GATEWAY_TABLE="auto"

# Options for custom table and chains.
# These options need to be unique for each instance of openvpn if running multiple.
ROUTE_TABLE=101
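A small diagnostic for the routing side of this setup, added here as an example and not part of split-vpn or the reporter's files: it checks that the route table named by ROUTE_TABLE (101 above) sends default traffic out of wg0, and that at least one policy rule selects that table. The sample outputs are constructed, and the exact rule format split-vpn installs on a real UDM may differ from them.

```shell
#!/bin/sh
# Assumed values, matching the configs in this issue.
WG_IF="wg0"
ROUTE_TABLE="101"

# table_routes_via_wg "<output of: ip route show table $ROUTE_TABLE>"
# Returns 0 when every default (or half-default 0.0.0.0/1, 128.0.0.0/1)
# route in the table leaves via $WG_IF, 1 if none exist or one uses
# another device (client traffic would then leak out of the LAN uplink).
table_routes_via_wg() {
    printf '%s\n' "$1" | awk -v dev="$WG_IF" '
        $1 == "default" || $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" {
            seen = 1; ok = 0
            for (i = 2; i < NF; i++) if ($i == "dev" && $(i+1) == dev) ok = 1
            if (!ok) bad = 1
        }
        END { exit ((seen && !bad) ? 0 : 1) }'
}

# rules_select_table "<output of: ip rule show>"
# Returns 0 when some policy rule does "lookup $ROUTE_TABLE"; without such a
# rule the table is never consulted, whatever routes it holds.
rules_select_table() {
    printf '%s\n' "$1" | awk -v t="$ROUTE_TABLE" '
        { for (i = 1; i < NF; i++) if ($i == "lookup" && $(i+1) == t) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample outputs (not captured from a real UDM).
GOOD_TABLE='0.0.0.0/1 dev wg0 scope link
128.0.0.0/1 dev wg0 scope link'
BROKEN_TABLE='0.0.0.0/1 via 192.168.0.1 dev br0'
RULES='0: from all lookup local
32765: from 192.168.1.0/24 lookup 101
32766: from all lookup main'

# Run "sh check.sh --live" on the gateway itself to test the real state.
live_check() {
    if table_routes_via_wg "$(ip route show table "$ROUTE_TABLE")"; then
        echo "ok: table $ROUTE_TABLE routes via $WG_IF"
    else
        echo "FAIL: table $ROUTE_TABLE does not route via $WG_IF"
    fi
    if rules_select_table "$(ip rule show)"; then
        echo "ok: a policy rule selects table $ROUTE_TABLE"
    else
        echo "FAIL: no policy rule selects table $ROUTE_TABLE"
    fi
}
if [ "${1:-}" = "--live" ]; then live_check; fi
```

If the route check passes but the rule check fails, the tunnel is up yet nothing steers LAN sources into it, which matches the symptom of a working handshake with no client connectivity.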
