I’m running WireGuard as a ‘full tunnel’ at the moment; it seems to work OK.
But I would like to create a second profile for split tunnelling.
I’ve tried this before, but wasn’t successful, so I’ll try it again.
I have a series of VLANs here:
- 10.20.30.0/24 (LAN)
- 10.20.31.0/24 (IOT)
- 10.20.32.0/24 (NOT)
- 10.20.33.0/24 (TEST)
- 192.168.10.0/24 (GUEST)
My working ‘full tunnel’ config:
server:
  host: very.secret.url
  addresses:
    - 10.20.100.1
  dns:
    - 10.20.30.2
    - 10.20.30.3
peers:
  - name: KennethsLaptopFullVpn
    addresses:
      - 10.20.100.10
    allowed_ips: []
    client_allowed_ips: []
  - name: KennethsMobileFullVpn
    addresses:
      - 10.20.100.11
    allowed_ips: []
    client_allowed_ips: []
  - name: TravelRouter
    addresses:
      - 10.20.100.12
    allowed_ips: []
    client_allowed_ips: []
log_level: info
This works perfectly, and even the very nice Slate GL-AR750 router connects straight away to the WireGuard VPN.
Now the split tunnelling part.
Looking in the docs, I’m trying to understand the terms:
peers.allowed_ips
As I understand it, it tells the server which ranges are allowed to be sent through the tunnel to the client?
And
peers.client_allowed_ips
Which tells the client what ranges should be sent to the server?
So I added this to the config:
  - name: KennethSplitTunnelVpn
    addresses:
      - 10.20.100.13
    allowed_ips:
      - 172.16.32.0/24
      - 172.16.33.0/24
      - 172.17.0.0/16
      - 10.20.30.0/24
      - 10.20.31.0/24
      - 10.20.32.0/24
      - 10.20.100.0/24
    client_allowed_ips:
      - 172.16.32.0/24
      - 172.16.33.0/24
      - 172.17.0.0/24
      - 10.20.30.0/24
      - 10.20.31.0/24
      - 10.20.32.0/24
      - 10.20.100.0/24
When I look in the log, I can see that the peers.allowed_ips are put into iptables, so that is set at the firewall level and not just in the wg routing. So will it not work with clients on both ‘full VPN’ and split tunnel?
I can see that as soon as I add the ‘split tunnel’ part, none of the tunnels work.
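An added example to reason about the server-side peer table in the post above; it is not code from the post, from the add-on, or from WireGuard. It models WireGuard's cryptokey routing as a plain lookup: each peer owns a set of AllowedIPs, an outbound packet goes to the peer with the longest matching prefix, and an identical prefix can belong to only one peer at a time. The peer table is constructed to mirror the post's config (the peer names and ranges are taken from it); the corrected table at the end assumes, as the post's reading of the docs does, that `peers.allowed_ips` ends up in the server's AllowedIPs for that peer and `peers.client_allowed_ips` in the client's, so the LAN ranges belong on the client side only. The checks show why listing the server's own LANs under a peer's server-side allowed_ips is a problem: the server would hand traffic for those LANs (including its DNS servers) to that peer.

```python
"""Model of WireGuard cryptokey routing on the server side (constructed example)."""
from ipaddress import ip_address, ip_network

# Constructed to mirror the post: the server's own VLANs.
LOCAL_NETS = [ip_network(n) for n in (
    "10.20.30.0/24",    # LAN
    "10.20.31.0/24",    # IOT
    "10.20.32.0/24",    # NOT
    "10.20.33.0/24",    # TEST
    "192.168.10.0/24",  # GUEST
)]

# Server-side AllowedIPs per peer as the post's config would produce them:
# each peer's tunnel address plus the split-tunnel peer's allowed_ips list.
PEERS = {
    "KennethsLaptopFullVpn": ["10.20.100.10/32"],
    "KennethsMobileFullVpn": ["10.20.100.11/32"],
    "TravelRouter": ["10.20.100.12/32"],
    "KennethSplitTunnelVpn": [
        "10.20.100.13/32",
        "172.16.32.0/24", "172.16.33.0/24", "172.17.0.0/16",
        "10.20.30.0/24", "10.20.31.0/24", "10.20.32.0/24",
        "10.20.100.0/24",
    ],
}

# Assumed corrected table: the split-tunnel peer only owns its own tunnel
# address on the server; the LAN ranges go into client_allowed_ips instead
# (that is the client's AllowedIPs, which this server-side model does not hold).
FIXED_PEERS = {
    "KennethsLaptopFullVpn": ["10.20.100.10/32"],
    "KennethsMobileFullVpn": ["10.20.100.11/32"],
    "TravelRouter": ["10.20.100.12/32"],
    "KennethSplitTunnelVpn": ["10.20.100.13/32"],
}


def route_peer(peers, dst):
    """Return the peer that owns dst under longest-prefix match, or None.

    WireGuard picks the most specific AllowedIPs prefix across all peers, so a
    /32 for one client still beats another peer's /24 covering the same range.
    """
    addr = ip_address(dst)
    best = None  # (peer name, prefix length)
    for name, prefixes in peers.items():
        for p in prefixes:
            net = ip_network(p, strict=False)
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None


def lan_overlaps(peers, local_nets):
    """(peer, prefix, local_net) triples where a peer claims part of a local LAN.

    Any hit means the server would send traffic for that LAN into the tunnel
    towards the peer instead of onto the LAN itself.
    """
    hits = []
    for name, prefixes in peers.items():
        for p in prefixes:
            net = ip_network(p, strict=False)
            for lan in local_nets:
                if net.overlaps(lan):
                    hits.append((name, str(net), str(lan)))
    return hits


def duplicate_prefixes(peers):
    """Prefixes listed under more than one peer.

    WireGuard assigns an identical prefix to exactly one peer; configuring it
    on a second peer silently moves it away from the first.
    """
    owners = {}
    for name, prefixes in peers.items():
        for p in prefixes:
            owners.setdefault(str(ip_network(p, strict=False)), []).append(name)
    return {p: names for p, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    for dst in ("10.20.100.10", "10.20.100.200", "10.20.30.2"):
        print(dst, "->", route_peer(PEERS, dst))
    for hit in lan_overlaps(PEERS, LOCAL_NETS):
        print("LAN overlap:", hit)
    print("duplicates:", duplicate_prefixes(PEERS))
    print("fixed table LAN overlaps:", lan_overlaps(FIXED_PEERS, LOCAL_NETS))
```

With the post's table, `route_peer(PEERS, "10.20.30.2")` returns the split-tunnel peer, i.e. the server would route its own DNS server through that client; the three LAN-overlap hits are the 10.20.30/31/32.0/24 entries. The /32 tunnel addresses of the other peers still win over the split-tunnel peer's 10.20.100.0/24 by longest prefix. With the corrected table there are no overlaps and LAN destinations are not routed to any peer.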