I'd like some help diagnosing an issue with Split-Vpn running on a UDM-Pro SE running Unifi OS v4.0.6. When I set this up the first time on v3.x, prior to upgrading to Unifi OS v4+, it worked following the setup directions for the Wireguard (kernel module) instructions.
After upgrading and rebooting, my split-vpn setup no longer works. I tried disabling the service and running wg-quick up ./wg0.conf from my vpn subdirectory and then running wg and I confirmed that the tunnel establishes and it receives a valid handshake. With the killswitch enabled, connected clients lose all connectivity, suggesting that the issue is with routing client traffic over the wireguard interface.
For context, here are my config files (redacted):
wg0.conf
[Interface]
PrivateKey = <...>
Address = 10.0.56.250/32
PostUp = sh /etc/split-vpn/vpn/updown.sh %i up
PreDown = sh /etc/split-vpn/vpn/updown.sh %i down
Table = 101
[Peer]
PublicKey = <...>
AllowedIPs = 0.0.0.0/1,128.0.0.0/1,::/1,8000::/1
Endpoint = <...>:51820
vpn.conf
# Force these sources through the VPN.
# Format: [brX] for interface. [IP/nn] for IP. [xx:xx:xx:xx:xx:xx] for mac.
FORCED_SOURCE_INTERFACE=""
FORCED_SOURCE_IPV4="192.168.1.1/24 192.168.2.1/24"
FORCED_SOURCE_IPV6=""
FORCED_SOURCE_MAC=""
DNS_IPV4_IP="10.0.0.1"
DNS_IPV4_PORT=53
DNS_IPV6_IP=""
DNS_IPV6_PORT=53
# Enabling kill switch drops VPN-destined traffic that doesn't go through the VPN.
KILLSWITCH=1
# Enable this only if you are testing or you don't care about your real IP leaking
# when the vpn client restarts or exits.
REMOVE_KILLSWITCH_ON_EXIT=0
REMOVE_STARTUP_BLACKHOLES=1
# Set the VPN provider.
# "openvpn" for OpenVPN (default), "openconnect" for OpenConnect, "external" for wireguard,
# or "nexthop" for an external VPN client.
VPN_PROVIDER="external"
# If using "external" for VPN_PROVIDER, set this to the VPN endpoint IP so that the
# gateway route can be automatically added for the VPN endpoint.
# OpenVPN passes the VPN endpoint IP to the script and will override these values.
# These must be defined if using VPN_PROVIDER="nexthop".
VPN_ENDPOINT_IPV4="<...>"
VPN_ENDPOINT_IPV6=""
GATEWAY_TABLE="auto"
# Options for custom table and chains.
# These options need to be unique for each instance of openvpn if running multiple.
ROUTE_TABLE=101
Following up, this may be an issue with Unifi OS v4.0.6 and not split-vpn.
I just tried setting up a Wireguard Client through the GUI and following the instructions to create a policy-based route to redirect traffic through the wireguard tunnel, and I get the exact same issue. Tunnel and interface created, handshake successful; once the policy route for redirecting all clients is in place, all traffic is simply dropped. Removing the policy route returns traffic to normal and clients have an internet connection again, with the tunnel still indicating handshakes and successful creation. But for some reason redirecting clients through a wireguard tunnel appears simply broken in Unifi OS v4.0.6.
I also tried different VPN providers, same error for all providers I tried.
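Neither post shows the routing state that decides whether forced clients actually reach wg0. The following check is an added example, not part of this issue or of the split-vpn project: it parses the output of `ip rule show` and `ip route show table 101` and reports the two conditions that would produce the symptom described above, namely no policy rule selecting table 101, and no default route via wg0 in that table (or one outranked by a kill-switch blackhole). The fwmark value, the blackhole metric and the sample command outputs are constructed assumptions; the way split-vpn installs its kill switch as blackhole routes in the custom table is also an assumption.

```python
import re

# Constructed sample output (assumption) of `ip rule show` and
# `ip route show table 101` on a gateway where routing is healthy.
HEALTHY_RULES = "0:\tfrom all lookup local\n32764:\tfrom all fwmark 0x65 lookup 101\n" \
                "32766:\tfrom all lookup main\n32767:\tfrom all lookup default\n"
HEALTHY_TABLE = "default dev wg0 scope link\nblackhole default metric 4000\n"
# Constructed sample of the failure mode: the table holds only the
# kill-switch blackhole, so every packet steered into it is dropped.
BROKEN_TABLE = "blackhole default metric 4000\n"

# One `ip route` line: optional "blackhole", destination, optional dev, optional metric.
ROUTE_RE = re.compile(r"^(?P<blackhole>blackhole\s+)?(?P<dst>\S+)"
                      r"(?:.*?\bdev\s+(?P<dev>\S+))?(?:.*?\bmetric\s+(?P<metric>\d+))?")

def parse_table(text):
    """Turn `ip route show table N` output into a list of route dicts."""
    routes = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = ROUTE_RE.match(line)
        routes.append({"dst": m.group("dst"), "dev": m.group("dev"),
                       "blackhole": bool(m.group("blackhole")),
                       "metric": int(m.group("metric")) if m.group("metric") else 0})
    return routes

def diagnose(rules_text, table_text, table=101, vpn_dev="wg0"):
    """Return a list of findings; an empty list means routing looks consistent."""
    findings = []
    # 1. Some rule (fwmark- or source-based) must send traffic to the custom table.
    rule_re = re.compile(rf"^\d+:\s+from\s+\S+.*\blookup\s+{table}\b")
    if not any(rule_re.match(l.strip()) for l in rules_text.splitlines()):
        findings.append(f"no policy rule looks up table {table}")
    # 2. The table needs a usable default route via the tunnel interface.
    defaults = [r for r in parse_table(table_text) if r["dst"] == "default"]
    vpn_default = [r for r in defaults if not r["blackhole"] and r["dev"] == vpn_dev]
    blackholes = [r for r in defaults if r["blackhole"]]
    if not vpn_default:
        findings.append(f"table {table} has no default route via {vpn_dev}")
        if blackholes:
            findings.append("kill switch is active: forced clients are dropped")
    elif blackholes and min(r["metric"] for r in blackholes) <= min(r["metric"] for r in vpn_default):
        findings.append(f"blackhole default outranks the {vpn_dev} route in table {table}")
    return findings

if __name__ == "__main__":
    import subprocess  # on the gateway, feed the real command output to diagnose()
    rules = subprocess.run(["ip", "rule", "show"], capture_output=True, text=True).stdout
    routes = subprocess.run(["ip", "route", "show", "table", "101"], capture_output=True, text=True).stdout
    print("\n".join(diagnose(rules, routes)) or "routing for table 101 looks consistent")
```

Run it on the UDM after `wg-quick up`; if the table shows only a blackhole while the handshake is fine, the drop comes from the kill switch in the route table, not from the tunnel itself.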