split-vpn no longer works on UniFI OS v4.x #211

Open
BehnH opened this issue May 3, 2024 · 11 comments
Comments

@BehnH

BehnH commented May 3, 2024

Currently in Early Access, so this may be a UniFi issue, but this script doesn't work on v4 of UniFi OS. Neither forcing domains nor MACs works.

Clients are unable to resolve any data, and instead just hang when attempting to connect to the destination.

@Richigeht

Odd, it works for me still. Can you share your complete config?
I am mainly using source interface forcing, that works fine.

@traktuner

> Odd, it works for me still. Can you share your complete config? I am mainly using source interface forcing, that works fine.

Which gateway do you use?
For me, the script stopped working on my UDM-Pro a few months ago. I completely removed it and reinstalled it (forced source interface, some exclusions), but no client then has internet access. The WireGuard VPN itself connects just fine, though.

@Richigeht

> Odd, it works for me still. Can you share your complete config? I am mainly using source interface forcing, that works fine.
>
> which gateway do you use? For me, the script stopped working on my idm-pro a few months ago. Completely removed it and reinstalled it (Forced source interface, some exclusions) but no client then has internet access. But the wireguard VPN itself connects just fine.

What do you mean, which gateway?
I am not setting one in the vpn.conf. It just loads it from the wgX tunnel, if I am not mistaken.

@traktuner

> What you mean which gateway? i am not setting one in the VPN.conf. It just loads it from the wgX tunnel, if I am not mistaking.

I mean UDM Base, UDM-Pro, SE etc

@Richigeht

UDM Pro
[attached screenshot: IMG_6816]

@hfagelnour

Any luck for anyone getting this thing running again?

@ddkedr

ddkedr commented Aug 5, 2024

Can anyone explain what exactly is not working? iptables routes, VPN connections, interface creation? What errors are you getting?

@Richigeht

I still have two separate installations, one at home and one at work, and both still work fine.
Currently running v4.0.18 at home.

It would be great to get more details from those with issues (or maybe UI improves their integration) so that we could try to sort them out :)

@pastly

pastly commented Aug 28, 2024

I moved the comment I made here to a new issue #212 because I'm not so sure it's actually relevant. Sorry for the noise.

@Unlearned6688

With the recent Unifi OS 4.0.6 update my split-vpn (I only route specific domains- to avoid creepy sites that play ads only in some countries) stopped working.

Just FYI: the main UI implementation is still somehow not fully functional

If you have one of the bigger VPNs a lot of USA will have, surfshark and PIA both, UI says "lol, good luck!"

Mullvad does work.

however, the domain-based split VPN (under policy based routing-> enter the domain(s)-> select VPN to route through) still doesn't function correctly.

The obvious function should be (no additional setup, but even with hours and hours it won't work!): add VPN via conf file, you add domains to route or exempt, it works

The way it actually works is you do the above, most VPNs won't work with the given conf, and then the domains are highly super limited. While this split-vpn script allows for a high degree of specificity, (you can use wildcards), UI doesn't allow this! HOLY WHY!?!?

It also absolutely refuses to obey DNS, whether in the conf OR via AdGuard/Pi-hole or even their own built-in DNS routing! WHY WHY WHY?

is DNS routing that hard? I'd agree it's maybe not "that easy" but it's been like 5 years UI...... hoooooly!

Anyway, so the GUI still doesn't work as it should (is sending test.domain.abc to DNS 111.1.3.4 (example) 100% of the time that much to ask????????). And now an update seems to have broken this superior script. Awesome.

btw the GUI DNS leaks like a sinking boat... or whatever leaks a lot. Insert your own thing. It's horrifying though how the conf is set DNS = Blahblahblah IP but it just straight up ignores it totally

so for those asking "what doesn't work?"
i hope this is helpful.

split-vpn, domain specific routing is what is broken for me.

domains set in my dnsmasq (in the /run dir) simply refuse to resolve.

@calyx-labs

@peacey I'm experiencing this same issue with a UDM-Pro SE on Unifi OS v4.0.6. I ran this setup on v3.x and it worked the first time with no problems using the instructions for wireguard (kernel). When my system updated Unifi OS to v4.0.6 and I rebooted the setup stopped working. Unifi OS v4.x is also now part of the "official" channel and is no longer early access.

Specifically, it seems that client traffic is no longer being routed to the wireguard interface wg0. I tried disabling the service and running wg-quick manually and I've confirmed that the tunnel and interface get setup correctly and it arranges a successful handshake. But I have the killswitch engaged and so the firewall scripts run and my clients lose connectivity and are not being routed over the wireguard interface like they were being in v3.x.

For context, here are my config files (redacted):

wg0.conf

[Interface]
PrivateKey = <...>
Address = 10.0.56.250/32
PostUp = sh /etc/split-vpn/vpn/updown.sh %i up
PreDown = sh /etc/split-vpn/vpn/updown.sh %i down
Table = 101

[Peer]
PublicKey = <...>
AllowedIPs = 0.0.0.0/1,128.0.0.0/1,::/1,8000::/1
Endpoint = <...>:51820

vpn.conf

# Force these sources through the VPN.
# Format: [brX] for interface. [IP/nn] for IP. [xx:xx:xx:xx:xx:xx] for mac.
FORCED_SOURCE_INTERFACE=""
FORCED_SOURCE_IPV4="192.168.1.1/24 192.168.2.1/24"
FORCED_SOURCE_IPV6=""
FORCED_SOURCE_MAC=""

DNS_IPV4_IP="10.0.0.1"
DNS_IPV4_PORT=53
DNS_IPV6_IP=""
DNS_IPV6_PORT=53

# Enabling kill switch drops VPN-destined traffic that doesn't go through the VPN.
KILLSWITCH=1

# Enable this only if you are testing or you don't care about your real IP leaking
# when the vpn client restarts or exits.
REMOVE_KILLSWITCH_ON_EXIT=0

REMOVE_STARTUP_BLACKHOLES=1

# Set the VPN provider.
# "openvpn" for OpenVPN (default), "openconnect" for OpenConnect, "external" for wireguard,
# or "nexthop" for an external VPN client.
VPN_PROVIDER="external"

# If using "external" for VPN_PROVIDER, set this to the VPN endpoint IP so that the
# gateway route can be automatically added for the VPN endpoint.
# OpenVPN passes the VPN endpoint IP to the script and will override these values.
# These must be defined if using VPN_PROVIDER="nexthop".
VPN_ENDPOINT_IPV4="<...>"
VPN_ENDPOINT_IPV6=""

GATEWAY_TABLE="auto"

# Options for custom table and chains.
# These options need to be unique for each instance of openvpn if running multiple.
ROUTE_TABLE=101

In summary: split-vpn wireguard kernel setup worked flawlessly in Unifi OS 3.x, but after upgrading to Unifi OS v4.0.6 and rebooting client traffic no longer seems to be getting routed over the wireguard interface and the killswitch simply drops connectivity resulting in no connection. The wireguard tunnel and interface still seem to be getting setup and functioning properly.
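The report above separates two things that are easy to conflate: the WireGuard tunnel (handshake succeeds, wg0 exists) and the policy routing that steers forced clients into it. The check below is an added diagnostic, not part of split-vpn or of any poster's setup. It takes the text of `ip rule show` and `ip route show table 101` and verifies the two conditions Linux policy routing needs before a forced client's packet can leave via the tunnel: some rule whose action is `lookup 101`, and routes in table 101 that cover 0.0.0.0/0 via wg0. The table number and interface come from the posted config; how split-vpn selects traffic for the rule (fwmark, source address, interface) is not assumed, and the fwmark value and all sample output below are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic, not split-vpn code. Checks whether forced-client traffic
# can be steered into the tunnel: (1) an ip rule does "lookup <TABLE>",
# (2) table <TABLE> has routes to 0.0.0.0/0 via <IFACE>.

# check_policy_routing TABLE IFACE RULES ROUTES
#   RULES  is the text of `ip rule show`
#   ROUTES is the text of `ip route show table TABLE`
# Prints one line per check; returns 0 when both pass, 1 otherwise.
check_policy_routing() {
    table=$1; iface=$2; rules=$3; routes=$4
    status=0

    # Any rule ending in "lookup 101" counts, whatever selector it uses.
    if printf '%s\n' "$rules" | grep -Eq "lookup $table(\$|[^0-9])"; then
        echo "ok:   an ip rule sends traffic to table $table"
    else
        echo "FAIL: no ip rule does 'lookup $table'; forced clients fall through to the main table"
        status=1
    fi

    # wg-quick installs the AllowedIPs halves (0.0.0.0/1 and 128.0.0.0/1)
    # rather than one default route, so accept either form.
    if printf '%s\n' "$routes" | grep -Eq "^default .*dev $iface(\$| )" ||
       { printf '%s\n' "$routes" | grep -Eq "^0\.0\.0\.0/1 .*dev $iface(\$| )" &&
         printf '%s\n' "$routes" | grep -Eq "^128\.0\.0\.0/1 .*dev $iface(\$| )"; }; then
        echo "ok:   table $table routes all destinations via $iface"
    else
        echo "FAIL: table $table has no route to 0.0.0.0/0 via $iface"
        status=1
    fi
    return $status
}

# On the gateway itself:  live_check 101 wg0
live_check() {
    check_policy_routing "$1" "$2" "$(ip rule show)" "$(ip route show table "$1")"
}

# Constructed sample output (not captured from a real UDM). The healthy sample
# shows what wg-quick's "Table = 101" produces plus a fwmark rule; the fwmark
# value 0x65 is illustrative only.
HEALTHY_RULES='0:      from all lookup local
32765:  from all fwmark 0x65 lookup 101
32766:  from all lookup main
32767:  from all lookup default'
HEALTHY_ROUTES='0.0.0.0/1 dev wg0 scope link
128.0.0.0/1 dev wg0 scope link'
# Constructed failure case: the rule is gone while wg-quick still filled table 101.
# This is one hypothetical way the symptom above could arise, not a confirmed cause.
BROKEN_RULES='0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default'

echo "== constructed healthy sample =="
check_policy_routing 101 wg0 "$HEALTHY_RULES" "$HEALTHY_ROUTES" || true
echo "== constructed broken sample =="
check_policy_routing 101 wg0 "$BROKEN_RULES" "$HEALTHY_ROUTES" || true
```

On a live gateway, `ip route get 1.1.1.1 from 192.168.1.10 iif br0` (a client address and LAN bridge of your own; these are assumed values) shows which device the kernel actually selects for a forced client. If the tunnel is up but that answer is not `dev wg0`, the problem is in the rule or the table, not in WireGuard, which is consistent with the description above where the killswitch then drops everything.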
