peacey / split-vpn

A split tunnel VPN script for Unifi OS routers (UDM, UXG, UDR) with policy based routing.
GNU General Public License v3.0

no internet access/traffic with mitmproxy (wireguard mode) #197

Open bertlebee opened 1 year ago

bertlebee commented 1 year ago

Firstly, thanks for this awesome project!

I'm trying to use this to set up a vlan for mitmproxy/wireshark (i.e. anything that connects to the vlan gets intercepted) to assist with some reverse engineering projects that I have on the go. I think I'm nearly there after searching through other issues, but I'm now properly stuck.

mitmproxy has a wireguard mode (https://docs.mitmproxy.org/stable/concepts-modes/#wireguard-transparent-proxy) which makes this project a great match (conceptually at least!).

some context:

I can connect to the "mitm" wireless network but my traffic is not showing up in mitmproxy and I can't access the internet from this network. My mobile has been assigned 10.6.6.196 on this network, so should be in the forced IP range. My DNS and mitmproxy/wireguard server are in the 10.1.1.0/24 (exempt destinations) range so should be accessible.

Can you see anything wrong with my config? Any hints/suggestions would be very much appreciated.

I've checked there's no network isolation or content filtering enabled on this vlan and there's no client isolation/guest portal etc enabled on the wireless network.

here are my config files:

wg0.conf

this is copied from mitmproxy startup then edited as follows:

```ini
[Interface]
PrivateKey = ***
Address = 10.0.0.1/32
PostUp = sh /etc/split-vpn/vpn/updown.sh %i up
PreDown = sh /etc/split-vpn/vpn/updown.sh %i down
Table = 101

[Peer]
PublicKey = ***
AllowedIPs = 0.0.0.0/1,128.0.0.0/1
Endpoint = 10.1.1.8:51820
```

vpn.conf

```bash
### SPLIT VPN OPTIONS ###
# Enter multiple entries separated by spaces.
# Do not enter square brackets around the entries.

# Force these sources through the VPN.
# Format: [brX] for interface. [IP/nn] for IP. [xx:xx:xx:xx:xx:xx] for mac.
FORCED_SOURCE_INTERFACE=""
FORCED_SOURCE_IPV4="10.6.6.6/24"
FORCED_SOURCE_IPV6=""
FORCED_SOURCE_MAC=""

# Format: [tcp/udp/both]-[IP/MAC Source]-[port1,port2:port3,port4,...]
# Maximum 15 ports per entry.
FORCED_SOURCE_IPV4_PORT=""
FORCED_SOURCE_IPV6_PORT=""
FORCED_SOURCE_MAC_PORT=""

# Force these destinations through the VPN.
# These destinations will be forced regardless of source.
# Format: [IP/nn]
FORCED_DESTINATIONS_IPV4=""
FORCED_DESTINATIONS_IPV6=""

# Force local UDM traffic going out of these WAN interfaces to go through the
# VPN instead for both IPv4 and IPv6 traffic.
# This does not include routed traffic, only local traffic generated by the UDM.
# Do not enable this unless you want to force UDM local traffic through the VPN.
# For UDM-Pro, set to "eth8" for WAN1/Ethernet port, or "eth9" for WAN2/SFP+ port,
# or "eth8 eth9" for both. For UDM Base, set to "eth1" for the WAN port.
# This option might cause unintended problems, so disable it if you encounter any issues.
FORCED_LOCAL_INTERFACE=""

# Exempt these sources from the VPN.
# Format: [IP/nn] for IP. [xx:xx:xx:xx:xx:xx] for mac.
EXEMPT_SOURCE_IPV4=""
EXEMPT_SOURCE_IPV6=""
EXEMPT_SOURCE_MAC=""

# Format: [tcp/udp/both]-[IP/MAC Source]-[port1,port2:port3,port4,...]
# Maximum 15 ports per entry.
EXEMPT_SOURCE_IPV4_PORT=""
EXEMPT_SOURCE_IPV6_PORT=""
EXEMPT_SOURCE_MAC_PORT=""

# Exempt these destinations from the VPN.
# Format: [IP/nn]
EXEMPT_DESTINATIONS_IPV4="10.1.1.0/24"
EXEMPT_DESTINATIONS_IPV6=""

# Force/exempt these IP sets
# IP sets need to be created before this script is run or the script will error.
# IP sets can be updated externally and will be matched dynamically.
# Each IP set entry consists of the IP set name and whether to match on source
# or destination. src/dst needs to be specified for each IP set field.
#
# Enable NAT hairpin by exempting UBIOS_ADDRv4_ethX:dst for IPv4 or
# UBIOS_ADDRv6_ethX:dst for IPv6 (where X = 8 for RJ45, or 9 for SFP+ WAN).
# For IPv6 prefix delegation, exempt UBIOS_ADDRv6_brX, where X = VLAN number (0 = LAN).
#
# To allow communication with your VLAN subnets without hardcoding the subnets,
# exempt the UBIOS_NETv4_brX:dst ipset for IPv4 or UBIOS_NETv6_brX:dst for IPv6.
#
# Format: [IPSet Name]:[src/dst,src/dst,...]
FORCED_IPSETS=""
EXEMPT_IPSETS=""

# VPN port forwards.
# Format: [tcp/udp/both]-[VPN Port]-[Forward IP]-[Forward Port]
PORT_FORWARDS_IPV4=""
PORT_FORWARDS_IPV6=""

# Redirect IPv4 and IPv6 DNS to these addresses for VPN-destined traffic.
# Note that many VPN providers redirect DNS going through their VPN network
# to their own DNS servers. Redirection to other IPs might not work on all providers,
# except for DNS redirects to a local address, or rejecting DNS traffic completely.
#
# IPV4 Format: [IP] to redirect to IP, "DHCP" if using OpenVPN or OpenConnect to obtain
# DNS from DHCP options, or "REJECT" to reject all DNS traffic. "DHCP" is not supported on
# other VPN types like wireguard/external.
#
# Example: Get DNS from DHCP
DNS_IPV4_IP="10.1.1.23"
DNS_IPV4_PORT=53

# Set this to the interface (brX) the DNS is on if it is a local IP. Leave blank for
# non-local IPs. Local DNS redirects will not work without specifying the interface.
DNS_IPV4_INTERFACE="br0"

# IPV6 Format: [IP] to redirect to IP, or "REJECT" to reject IPv6 DNS traffic completely.
# IPV6 Format: [IP] to redirect to IP, "DHCP" if using OpenConnect to obtain DNS from DHCP
# options, or "REJECT" to reject all DNS traffic. "DHCP" is not supported on
# other VPN types.
DNS_IPV6_IP=""
DNS_IPV6_PORT=53
DNS_IPV6_INTERFACE=""

# Bypass masquerade (SNAT) for these source IPs. This option should only be used if your
# VPN server is setup to know how to route the subnet you do not want to masquerade
# (e.g.: the "iroute" option in OpenVPN).
# Set these options to ALL to disable masquerading completely.
# Format: [IP/nn] or "ALL"
BYPASS_MASQUERADE_IPV4=""
BYPASS_MASQUERADE_IPV6=""

# Enabling kill switch drops VPN-destined traffic that doesn't go through the VPN.
KILLSWITCH=0

# Enable this only if you are testing or you don't care about your real IP leaking
# when the vpn client restarts or exits.
REMOVE_KILLSWITCH_ON_EXIT=1

# Enable this if you added blackhole routes in the Unifi Settings to prevent Internet
# access at system startup before the VPN script runs. This option removes the blackhole
# routes to restore Internet access after the killswitch has been enabled.
# If you do not set this to 1, openvpn will not be able to connect at startup, and your
# Internet access will never be enabled until you manually remove the blackhole routes.
# Set this to 0 only if you did not add any blackhole routes.
REMOVE_STARTUP_BLACKHOLES=0

# Set the VPN provider.
# "openvpn" for OpenVPN (default), "openconnect" for OpenConnect, "external" for wireguard,
# or "nexthop" for an external VPN client.
VPN_PROVIDER="external"

# If using "external" for VPN_PROVIDER, set this to the VPN endpoint IP so that the
# gateway route can be automatically added for the VPN endpoint.
# OpenVPN passes the VPN endpoint IP to the script and will override these values.
# These must be defined if using VPN_PROVIDER="nexthop".
VPN_ENDPOINT_IPV4="10.1.1.8"
VPN_ENDPOINT_IPV6=""

# Set this to the route table that contains the gateway route, "auto", or "disabled".
# The Ubiquiti route table is "201" if you're using Ethernet, "202" for SFP+, and
# "203" for U-LTE.
# Default is "auto" which works with WAN failover and automatically changes the endpoint
# via gateway route when the WAN or gateway routes changes.
# Set to "disabled" if you are using the nexthop option to connect to a VPN on your LAN.
GATEWAY_TABLE="auto"

# Set the MSS clamping on packets going out the VPN tunnel. Usually, it is not needed to
# set this manually, but some VPN connections stall if the MSS clamping is not set correctly.
# Typical values range from 1240 to 1460, but it could be lower.
MSS_CLAMPING_IPV4=""
MSS_CLAMPING_IPV6=""

# Set this to the timer to use for the rule watcher (in seconds).
# The script will wake up every N seconds to re-add rules if they're deleted by
# the system, or change gateway routes if they changed. Default is 1 second.
WATCHER_TIMER=1

# Options for custom table and chains.
# These options need to be unique for each instance of openvpn if running multiple.
ROUTE_TABLE=101
MARK=0x169
PREFIX="VPN_"
PREF=99
DEV=wg0

# To execute commands when the VPN connects or disconnects, you can use the
# callback functions hooks_pre_up, hooks_up, hooks_down, and
# hooks_force_down. These functions will be invoked in response to VPN events
# pre-up, up, down, and force-down respectively.
#
# For an example on using these hooks, please see vpn.conf.filled.sample.
```

bertlebee commented 1 year ago

Does the script assume the VPN is external? I think that's what `10.1.1.8 via [my public IP] dev eth8` implies, but I'm far from an expert on these matters!

```text
root@UDMPRO:/etc/split-vpn/wireguard/mitmproxy# ip route show table 101
0.0.0.0/1 dev wg0 scope link
blackhole default
10.1.1.8 via [my public IP] dev eth8
128.0.0.0/1 dev wg0 scope link
```

Some extra info/tests:

When the VPN is up, from the mitm vlan:

From my normal home network (10.1.1.0/24, same laptop as I used for the above):

From 10.1.1.8 (mitmproxy/wireguard server):

Throughout all of this, mitmproxy didn't record a single bit of traffic.

When the VPN is down, all these commands work fine.
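As an added example (not part of this issue thread or of the split-vpn project): a small Python checker that parses the `KEY=value` lines of a vpn.conf and the `ip route show table` output posted above, then reports how that route table reaches `VPN_ENDPOINT_IPV4` by longest-prefix match. On the posted values it flags that 10.1.1.8 lies inside the exempt 10.1.1.0/24 destination range while table 101 sends it via the WAN gateway on eth8, which is worth comparing against the GATEWAY_TABLE comment in vpn.conf; the redacted public IP is replaced with the placeholder 203.0.113.1, and the function names and finding texts are my own.

```python
import ipaddress
import re
# Constructed sample: the relevant keys from the vpn.conf posted in the issue.
VPN_CONF = """
EXEMPT_DESTINATIONS_IPV4="10.1.1.0/24"
VPN_ENDPOINT_IPV4="10.1.1.8"
GATEWAY_TABLE="auto"
ROUTE_TABLE=101
DEV=wg0
"""
# Constructed sample: `ip route show table 101` as posted; the redacted public IP is 203.0.113.1 here.
ROUTE_TABLE = """
0.0.0.0/1 dev wg0 scope link
blackhole default
10.1.1.8 via 203.0.113.1 dev eth8
128.0.0.0/1 dev wg0 scope link
"""

def parse_conf(text):
    """Parse shell-style KEY=value / KEY="value" lines into a dict; comment lines are skipped."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z0-9_]+)=("?)(.*?)\2\s*$', line)
        if m:
            conf[m.group(1)] = m.group(3)
    return conf

def parse_routes(text):
    """Parse `ip route show` output into (kind, network, via, dev) tuples."""
    routes = []
    for words in (l.split() for l in text.splitlines() if l.strip()):
        kind, words = ("blackhole", words[1:]) if words[0] == "blackhole" else ("unicast", words)
        dst = "0.0.0.0/0" if words[0] == "default" else words[0]
        attrs = dict(zip(words[1::2], words[2::2]))  # "via X", "dev Y", "scope Z" pairs
        routes.append((kind, ipaddress.ip_network(dst), attrs.get("via"), attrs.get("dev")))
    return routes

def check_endpoint_route(conf, routes):
    """Return findings about how ROUTE_TABLE reaches VPN_ENDPOINT_IPV4 (longest-prefix match)."""
    findings = []
    endpoint = ipaddress.ip_address(conf["VPN_ENDPOINT_IPV4"])
    exempt = [ipaddress.ip_network(n) for n in conf.get("EXEMPT_DESTINATIONS_IPV4", "").split()]
    kind, net, via, dev = max((r for r in routes if endpoint in r[1]), key=lambda r: r[1].prefixlen)
    if kind == "blackhole":
        findings.append(f"endpoint {endpoint} is blackholed in table {conf['ROUTE_TABLE']}")
    elif dev == conf.get("DEV"):
        findings.append(f"endpoint {endpoint} is routed into the tunnel ({dev}) itself")
    elif via and any(endpoint in n for n in exempt):
        findings.append(f"endpoint {endpoint} is inside an exempt (local) subnet, but table {conf['ROUTE_TABLE']} sends it via {via} dev {dev} (GATEWAY_TABLE={conf.get('GATEWAY_TABLE')})")
    return findings
```

Run it against your own `vpn.conf` and `ip route show table <ROUTE_TABLE>` output to see which route the endpoint actually takes before the tunnel comes up.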