Wireguard - full tunnel works, split tunnel not, simple fix?
-
Hello.
I've got a 5100 and recently installed wireguard.
My WAN IP is dynamic, but I do have a ddns url for it that has worked for years.
My local subnet is simple, 192.168.1.0/24.
I created the tunnel (OPT8), and gave it the subnet 10.0.0.1/24.
I created the first peer using 10.0.0.2/32.
I created the second peer using 10.0.0.3/32.
Two firewall rules:
Wan - ip4, proto:UDP, dst:WAN, ports:51820
OPT8(wg) - ip4, proto:any
Note this is not the builtin wireguard ruleset, but the interface assigned to tun_wg0.
Config files for the Android app are simple.
peer 1 (wanting split tunnel)

[Interface]
PrivateKey = <working key>
Address = 10.0.0.2/24
DNS = 1.1.1.1, 8.8.8.8

[Peer]
PublicKey = <the tunnel public key>
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24
Endpoint = my wan ip:51820

peer 2 (wanting full tunnel)

[Interface]
PrivateKey = <working key>
Address = 10.0.0.3/24
DNS = 1.1.1.1, 8.8.8.8

[Peer]
PublicKey = <the tunnel public key>
AllowedIPs = 0.0.0.0/0
Endpoint = my wan ip:51820

I'm not sure what is wrong here. On either peer connection, if I use endpoint of 0.0.0.0/0, the handshake works just fine. So this tells me that both keys work, both peer configs on pfSense work, the tunnel on pfSense works and the firewall rules work.
I've played with both the interface address using 24 or 32 but seen no change.
I've got to be missing something. I've watched a half dozen videos on setting up WG and read three times that many write-ups. In none of those do they make any other "standard" firewall rules to get split tunnel to work. Some tutorials go into NAT but many things say it's not needed.
So at this point, I can connect with either peer key connection as long as endpoint is 0.0.0.0/0, using either 10.0.0.3 or 10.0.0.4. I can input my wan ip manually or use my ddns url and they both work. Once connected I can access outbound WAN from the tunnel, and I can access my normal 192.168.1.1/24 subnet as well. I can hit my synology NAS and I can hit the webgui at 192.168.1.1 from my phone, all through the tunnel.
So, it works, but I was hoping to have a split tunnel for my few apps on my phone that I use to interact with the files on my NAS.
This whole thing was brought about because I wanted to close the forwarded ports to my NAS while still being able to reach it.
Any thoughts?
-
For clarification:
Split tunnel

[Interface]
Address = 10.0.0.2/24
DNS = 10.0.0.1
PrivateKey = <phone interface private key>

[Peer]
AllowedIPs = 10.0.0.1/32, 192.168.1.0/24
Endpoint = <wan ip>:51820
PublicKey = <pfSense tunnel public key>
PresharedKey = <pfSense peer PreShared key>

Changing the DNS from cloudflare/google to the IP of, basically, the "gateway" of the tunnel (that is 10.0.0.1) allowed a handshake.
Also, the "allowedips" value on the peer (which is actually pfSense as this is the clients conf file) needed to be 10.0.0.1/32.
Also, deleted all WireGuard components and started from scratch to verify it all worked, and found that when I make the tunnel, and give it the 10.0.0.1 address, and then not assign OPT8 and only use the pre-existing "Wireguard" firewall rules, the handshake could not happen. It was ONLY when I assigned tun_wg(0) to OPT8, added the rule "IPv4, Proto:Any" to the OPT8 ruleset could it all actually work.
This is working, sort of. In this case, my phone has wifi off, using cellular data. It can access the local lan (192.168.1.0) just fine. However, it does not access anything with the browser (not split?). Wasn't expecting that.
Tried it at work on a W10 machine. Did not work fully, I am guessing because I also use 192.168.1.x on that LAN as well, so WG was confused: should it send data down the tunnel to my NAS or should it head out to the Ubiquiti UDM Pro at work for the 192.168.1.x requests? Hadn't thought of that, where the subnets at different locations might conflict.
I assume those local subnets need to be different. But what of the split tunnel at my home LAN and the phone being on cell data? it has a very different WAN IP with no routing to RFC1918 ports but still doesn't get outside?
Any thoughts?
-
I suspect that Android does not allow the app to partially override the routing table. If I'm correct, then you won't be able to do what you want. The "Allowed IPs" rule will only allow you to choose between multiple Peers. Here, you only have one, and so you might as well leave it at "0.0.0.0/0, ::/0"
-
I just played around with WG Android app and confirmed that I was correct.
When you activate a tunnel, Android routes all traffic to Wireguard. Wireguard then uses the Allowed IPs rule to determine what to send to the Peer. Split tunneling will only work on Android if you have multiple Peers on the same tunnel. You could theoretically set up one Peer to one place and a second Peer to where you're already at, but that seems like a big PITA to me.
Wireguard for Windows will likely behave differently because it can probably write to the routing table in addition to routing between multiple Peers.
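To make the point above concrete, here is an added example (not code from the thread, pfSense, or the WireGuard project) that models WireGuard's cryptokey routing: every packet handed to the tunnel is matched against all peers' AllowedIPs by longest prefix, and a packet that matches no peer is dropped. Peer names and AllowedIPs values are constructed; the single-peer table mirrors the phone config in the thread, the two-peer table the workaround the reply describes.

```python
import ipaddress

# Constructed example configs (not the thread's real keys or addresses).
# Single-peer "split" config like the phone config in the thread: on Android
# every packet enters the tunnel, so anything outside AllowedIPs has no peer
# and is dropped, which is why the browser (and DNS at 1.1.1.1) got nowhere.
SPLIT_SINGLE_PEER = {
    "pfsense": "10.0.0.1/32, 192.168.1.0/24",
}
# Two-peer variant from the reply: the home LAN goes to pfSense, everything
# else to a second peer (hypothetical name) that acts as the default route.
SPLIT_TWO_PEERS = {
    "pfsense": "192.168.1.0/24",
    "second-peer": "0.0.0.0/0",
}


def parse_allowed_ips(value):
    """Turn 'a/24, b/32' into ip_network objects (host bits tolerated)."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in value.split(",") if p.strip()]


def build_cryptokey_table(peers):
    """One (network, peer name) entry per AllowedIPs prefix of every peer."""
    return [(net, name) for name, allowed in peers.items()
            for net in parse_allowed_ips(allowed)]


def select_peer(table, dst):
    """Longest-prefix match over all peers; None means the packet is dropped."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, name in table:
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, name)
    return best[1] if best else None


def route_decision(peers, dst):
    """Which peer (if any) a packet to dst is encrypted to under this config."""
    return select_peer(build_cryptokey_table(peers), dst)


if __name__ == "__main__":
    for peers in (SPLIT_SINGLE_PEER, SPLIT_TWO_PEERS):
        for dst in ("192.168.1.50", "10.0.0.1", "1.1.1.1"):
            print(sorted(peers), dst, "->", route_decision(peers, dst))
```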
-
Ah, that makes sense. Kinda weird all those how-to guides don't mention that. But you are correct, a PITA that I won't need. Thanks for taking the time to look into that.
By chance, do you think that I am correct that when I am at my work, which also uses the same subnet as my house, there are collisions and issues because they are the same?
-
You haven't given me enough information to know the answer to your question.
But, if you're worried about it, change your subnet at home.
Personally, I prefer to use 10.1.1.1/24 for my router. It's super easy to type.