Can't get split tunnel to work in WireGuard peer in OpnSense 25.1.11

Started by 2HgRyz13, July 21, 2025, 03:50:18 AM

July 21, 2025, 03:50:18 AM Last Edit: July 21, 2025, 11:05:09 AM by 2HgRyz13 Reason: include troubleshooting step
v25.1.11 in DEC 850.
Wireguard macOS peer client app.

I have two working WireGuard VPN instances running ok, each with its own interface assignment and no peers with split tunnels:

• one for LAN only over vpn
 (its peer can access the file server on the LAN ok but can't browse the internet because of a related LAN-only firewall rule)

• one for internet only over vpn
 (its peers can browse the web and whatismyipaddress shows their public IP address is OpnSense's instead of their ISP's and they can't access the LAN)

SPLIT TUNNEL

Today, I spent hours trying to create a split tunnel in several test peers so they can connect to the LAN but browse the internet over their own ISP instead of the vpn's.

The documentation seems simple, but I'm missing something.

For new peer tests with the LAN_only instance, I replaced Allowed IPs 0.0.0.0/0, :::/0
with the LAN network 10.1.10.0/24

Though the peer then browsed the internet over its ISP instead of the vpn, it couldn't access the LAN's file server anymore (10.1.10.99).

Huh???

Yet I can ping it -- 10.1.10.99.

But macOS won't connect to smb://10.1.10.99, as it does fine with the default Allowed IPs in the peer.

By design I can't reach, including ping, other nodes on 10.1.10.0.

Then I changed Allowed IPs to 10.1.10.0/24, 10.25.25.0/24 (the latter is the vpn peer range) but the same thing happened.

How did specifying the LAN net(s) break the peer's access to the same LAN?

When I created a test peer with the default Allowed IPs 0.0.0.0/0, :::/0, the peer could again connect to the LAN's file server (smb://10.1.10.99) but by design couldn't browse anything on the internet because of its related LAN-only firewall rule.

I feel like it's gaslighting me. I'm sleep deprived and probably missed something obvious.
 

Can anyone tell me if split tunnels in WireGuard VPN peers works properly in the Business edition?

If so, what edition(s)?

I'll switch to Business if it works there.

Split Tunnel in Wireguard is only decided by the allowed IPs in the client, which is installing routes to force traffic into the tunnel.

This means it depends on MacOS, Windows, Linux etc if the routing works correctly.

I'm also using macOS but I use OpenVPN there because it works reliably with split tunnel and split DNS. I use Viscosity as client software.

I also have wireguard on it but I use it as full tunnel.
Hardware:
DEC740

Reading the first post something is definitely wrong. Selective routing through WireGuard while maintaining the default Internet connection does work. I have dozens of tunnels and networks like that.

No time today to aid in detailed debugging. "Patchday" for our entire data centre - sorry.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I found this bug report for OpnSense 24.7.6 on October 11th, 2024. Maybe there's another bug now.

Also, if you have working Wireguard split tunnels, did you create the Peers with the Peer Generator in 25.1.11 or were they already created and working before 25.1.11?

https://github.com/opnsense/core/issues/7965

Steps to reproduce the behavior:

    Upgrade to OPNsense 24.7.6
    WireGuard split tunnel is no longer functional.

Expected behavior

Wireguard split tunnels should connect without issue and not show a "peer disconnected" error.

Describe alternatives you considered

Restore a snapshot / backup to OPNsense 24.7.4_1. Solves issue immediately.

Quote from: 2HgRyz13 on July 22, 2025, 10:36:19 AM
Also, if you have working Wireguard split tunnels, did you create the Peers with the Peer Generator in 25.1.11 or were they already created and working before 25.1.11?

Created before 25.1. But then I never use the peer generator. It's just 5 or so lines of config for a peer, copy public keys, done. Trivial.

macOS, iOS, other OPNsense systems.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I tried it manually, too.

The peer generator is also trivial and makes it easy to scan a QR code. No typing anything except the name and Allowed IPs and just click to add a pre-shared key.

I appreciate your time on this. I doubt you'll have time to try the following, but if you do, could you try creating a new peer with a split tunnel in 25.1.11? With and without the Peer Generator, since both are trivial?

I've read a few bug reports about OpnSense breaking WireGuard split tunnel. I already spent about 20+ hours on this and would hate to spend more if the problem is a bug and therefore outside of my control.

I'm also using macOS Wireguard client 10.0.16 (27). It works fine with LAN-only connections.

With split-tunnel connections, its log files show no errors. Web browsing works through the client ISP as expected, just no LAN access except for ping.

However, when the non-split tunnel client connects, the client status window shows the Data Received & Sent fields right away with data, even before I mount the file server, and the values increase steadily as expected.

But when connecting with the split-tunnel peer, the Data Received & Sent fields are missing until I ping the file server. Then the fields are present and show increasing values until I stop pinging, then never progress. That makes sense given the problem.

It seems like the split-tunnel peer I create isn't passing enough protocols and/or ports, maybe just icmp though I haven't tried others except for the attempt to mount with smb://.

The firewall rule that allows LAN access works fine with non-split-tunnel peers. The only thing different with a split-tunnel peer is the Allowed IPs field, which doesn't reference protocols or ports.

I see a notice that 25.1.12 is released but my OpnSense doesn't find it yet.

Thanks again for your time.


Try setting mtu 1280 at the peer.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Monviech (Cedrik) on July 22, 2025, 08:12:30 AM
Split Tunnel in Wireguard is only decided by the allowed IPs in the client, which is installing routes to force traffic into the tunnel.

This means it depends on MacOS, Windows, Linux etc if the routing works correctly.

I'm also using macOS but I use OpenVPN there because it works reliably with split tunnel and split DNS. I use Viscosity as client software.

I also have wireguard on it but I use it as full tunnel.

Thanks, I'll consider that. I used OpenVPN years ago. I'm switching one site from a SonicWall using SSLVPN, which is now considered hopelessly insecure (Norway banned SSLVPN and US & UK don't recommend it anymore). Wireguard is fast and more secure. I tried IPSec VPN on the SonicWall, but even though the Windows client worked fine, there's no good macOS IPSec client except for a general purpose VPN client at $108 USD / year per user. I guess OpenVPN is a form of SSLVPN, but maybe OpenVPN is safer.

I'm migrating a site from SonicWall in order to increase their VPN security and speed. I had to emergency patch SSLVPN in the TZ SonicWall a few times in the last 12 months. Anyway Wireguard security is supposed to be better and it's faster and some consider it less buggy (cough cough) because its code base is much smaller.

SonicWall offers Wireguard in its dedicated VPN devices but not in its TZ appliances.

I may have to delay the deployment until I get the split tunnels worked out, either fixing my own config mistake or downgrading OpnSense or switching to the Business edition or trying another macOS Wireguard client if available.



Here we go...

[Interface]
PrivateKey = redactedxxxxxxx
Address = 10.25.25.4/32

[Peer]
PublicKey = redactedxxxxxxx
PresharedKey = redactedxxxxxxx
AllowedIPs = 10.1.10.0/24
Endpoint = redactedxxxxxxx.redactedxxxxxxx.com:51222



The file server is on the LAN at 10.1.10.99.

Non-split tunnel clients successfully access the file server through a firewall rule that only allows access to 10.1.10.99 on the LAN, but the access only works with a client using Allowed IPs: 0.0.0.0/0, ::/0 (not split tunneled)

I also tried MTU = 1280 (didn't help)

And I tried Allowed IPs:
       10.1.10.99/32
then 10.1.10.0/24, 10.1.10.99/32
then 10.1.10.0/24, 10.1.10.99/32, 10.25.25.0/24

None helped. Split Tunnels sure look easy to set up, with just the Allowed IP = the LAN net x.x.x.0/24.

DNS shouldn't matter since we access the fileserver by IP address, not by name, but I tried the following anyway in the config (none helped)
        DNS = 1.1.1.1
then DNS = 10.1.10.1
then DNS = 10.1.10.1, 10.25.25.1
then DNS = 10.1.10.1, 10.25.25.1, 1.1.1.1

Disabling Unbound DNS didn't help (as expected)
Disabling Outbound NAT & Normalization didn't help (as expected)

I suspect a bug in...

• OpnSense 25.1.11
• or my macOS WireGuard client 1.0.16 (27)
• or macOS Sequoia 15.5

What macOS Wireguard client do you use successfully with split tunnels?

I just read a notice that 25.1.12 is released, but my DEC 850 doesn't find it yet. Maybe in hours.

What's the AllowedIPs setting for the peer on the OPNsense side?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on July 22, 2025, 01:09:20 PM
What's the AllowedIPs setting for the peer on the OPNsense side?

Not sure what you mean.

I thought the Allowed IP setting is only on the client side, though I used the OpnSense firewall's built-in Wireguard Peer Generator to create the peer with Allowed IP= 10.1.10.0/24. Then I continued trying Allowed IP values with manual changes to the config file on the client Mac.

OpnSense Wireguard Instances don't have an Allowed IP setting, just the tunnel address setting, e.g., 10.25.25.1/24.

The file server is at 10.1.10.99, which is reachable through non-split-tunnel connections (Allowed IPs: 0.0.0.0/0, ::/0).

Dang, I just read this in a Brave AI search result about Wireguard clients for macOS.

There are several WireGuard clients available for macOS, including the official WireGuard client and third-party alternatives. The official WireGuard client is available on the Mac App Store and provides basic functionality for managing and using WireGuard tunnels. However, it lacks advanced features such as split tunneling and more access to configuration options.

But it doesn't show a source for that, just for sentences preceding it.

Still, this would explain it.

I'm going to try at least one other macOS Wireguard client.

Until I do, I don't recommend trying to help me with this until I report back, except please tell me which macOS Wireguard client you like.

Apart from https://github.com/opnsense/core/issues/8974 when using default routes from wireguard (or other VPNs) consider using 0.0.0.0/1,128.0.0.0/1 as a default policy to avoid clobbering your system's default route 0.0.0.0/0.


Cheers,
Franco
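Added example (my own, not code from this thread or from OPNsense/WireGuard) modelling the two AllowedIPs roles the thread turns on: the client-side route installation Cedrik describes, including Franco's 0.0.0.0/1 plus 128.0.0.0/1 full-tunnel variant, and the server-side cryptokey check behind Patrick's question. Interface names en0 and utun4 are assumptions.

```python
import ipaddress

# Constructed sample values taken from the thread: the Mac's tunnel address is
# 10.25.25.4/32 and the LAN behind OPNsense is 10.1.10.0/24 (file server .99).
# Interface names (en0 for the ISP path, utun4 for WireGuard) are assumptions.

def parse_allowed_ips(spec):
    """Split a WireGuard AllowedIPs value such as '10.1.10.0/24, 10.25.25.0/24'."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in spec.split(",") if p.strip()]

def client_route_table(allowed_ips, isp_iface="en0", wg_iface="utun4"):
    """Client side: the WireGuard app installs one route per AllowedIPs prefix.
    The system default route stays in the table; it is never replaced."""
    table = [("0.0.0.0/0", isp_iface)]
    table += [(str(n), wg_iface) for n in parse_allowed_ips(allowed_ips) if n.version == 4]
    return table

def next_hop(route_table, dst):
    """Longest-prefix match, the rule every host routing table applies."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in route_table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def covers_all_ipv4(allowed_ips):
    """True when the prefixes add up to all of IPv4, e.g. 0.0.0.0/1 plus
    128.0.0.0/1: a full tunnel that outranks 0.0.0.0/0 without touching it."""
    nets = [n for n in parse_allowed_ips(allowed_ips) if n.version == 4]
    return list(ipaddress.collapse_addresses(nets)) == [ipaddress.ip_network("0.0.0.0/0")]

def server_accepts_peer_source(peer_allowed_ips, src):
    """OPNsense side (cryptokey routing): a decrypted packet from this peer is
    only accepted, and replies only routed back to it, when the packet's
    source lies inside the AllowedIPs configured for that peer."""
    return any(ipaddress.ip_address(src) in n for n in parse_allowed_ips(peer_allowed_ips))
```

With the split-tunnel config from the thread, 10.1.10.99 resolves to utun4 and 1.1.1.1 stays on en0, which is the intended behaviour; the server-side check is the piece the client config alone cannot show.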