peacey / split-vpn

A split tunnel VPN script for Unifi OS routers (UDM, UXG, UDR) with policy based routing.
GNU General Public License v3.0

split-vpn no longer works on UniFI OS v4.x #211

Open BehnH opened 6 months ago

BehnH commented 6 months ago

Currently in Early Access, so this may be a Unifi issue, but this script doesn't work on v4 of Unifi OS. Neither forcing domains, nor MACs, works.

Clients are unable to resolve any data, and instead just hang when attempting to connect to the destination.

Richigeht commented 6 months ago

Odd, it works for me still. Can you share your complete config? I am mainly using source interface forcing, that works fine.

traktuner commented 5 months ago

> Odd, it works for me still. Can you share your complete config? I am mainly using source interface forcing, that works fine.

Which gateway do you use? For me, the script stopped working on my UDM-Pro a few months ago. Completely removed it and reinstalled it (forced source interface, some exclusions), but no client then has internet access. But the WireGuard VPN itself connects just fine.

Richigeht commented 5 months ago

> Odd, it works for me still. Can you share your complete config? I am mainly using source interface forcing, that works fine.
>
> Which gateway do you use? For me, the script stopped working on my UDM-Pro a few months ago. Completely removed it and reinstalled it (forced source interface, some exclusions), but no client then has internet access. But the WireGuard VPN itself connects just fine.

What do you mean, which gateway? I am not setting one in the vpn.conf. It just loads it from the wgX tunnel, if I am not mistaken.

traktuner commented 5 months ago

> What do you mean, which gateway? I am not setting one in the vpn.conf. It just loads it from the wgX tunnel, if I am not mistaken.

I mean UDM Base, UDM-Pro, SE, etc.

Richigeht commented 5 months ago

UDM Pro (attached image: IMG_6816)

hfagelnour commented 5 months ago

Any Luck for anyone to get this thing running again?

ddkedr commented 3 months ago

Can anyone explain what exactly is not working? iptables rules, routes, VPN connections, interface creation? What errors are you getting?

Richigeht commented 3 months ago

I still have two separate installations, one at home and one at work, which both still work fine. Currently running v4.0.18 at home.

Would be great to get more details from those with issues (or maybe UI improves their integration) so that we could try to sort them out :)

pastly commented 3 months ago

I moved the comment I made here to a new issue #212 because I'm not so sure it's actually relevant. Sorry for the noise.

Unlearned6688 commented 2 months ago

With the recent Unifi OS 4.0.6 update my split-vpn (I only route specific domains, to avoid creepy sites that play ads only in some countries) stopped working.

Just FYI: the main UI implementation is **still** somehow not fully functional

If you have one of the bigger VPNs a lot of the USA will have, Surfshark and PIA both, the UI says "lol, good luck!"

Mullvad does work.

However, the domain-based split VPN (under policy based routing -> enter the domain(s) -> select VPN to route through) still doesn't function correctly.

The obvious function should be (no additional setup, but even with hours and hours it won't work!): add the VPN via conf file, add domains to route or exempt, it works.

The way it actually works is you do the above, most VPNs won't work with the given conf, and then the domains are super limited. While this split-vpn script allows for a high degree of specificity (you can use wildcards), the UI doesn't allow this! HOLY WHY!?!?

It also absolutely refuses to obey DNS, whether in the conf OR via AdGuard/Pi-hole or even their own built-in DNS routing! WHY WHY WHY?

Is DNS routing that hard? I'd agree it's maybe not "that easy", but it's been like 5 years UI...... hoooooly!

Anyway, so the GUI still doesn't work as it should (is sending test.domain.abc to DNS 111.1.3.4 (example) 100% of the time that much to ask????????). And now an update seems to have broken this superior script. Awesome.

BTW the GUI DNS leaks like a sinking boat... or whatever leaks a lot. Insert your own thing. It's horrifying though how the conf is set DNS = Blahblahblah IP but it just straight up ignores it totally.

So for those asking "what doesn't work?", I hope this is helpful.

split-vpn domain-specific routing is what is broken for me.

Domains set in my dnsmasq (in the /run dir) simply refuse to resolve.

calyx-labs commented 2 months ago

@peacey I'm experiencing this same issue with a UDM-Pro SE on Unifi OS v4.0.6. I ran this setup on v3.x and it worked the first time with no problems using the instructions for WireGuard (kernel). When my system updated Unifi OS to v4.0.6 and I rebooted, the setup stopped working. Unifi OS v4.x is also now part of the "official" channel and is no longer early access.

Specifically, it seems that client traffic is no longer being routed to the WireGuard interface wg0. I tried disabling the service and running wg-quick manually, and I've confirmed that the tunnel and interface get set up correctly and it completes a successful handshake. But I have the killswitch engaged, so the firewall scripts run and my clients lose connectivity and are not being routed over the WireGuard interface like they were in v3.x.

For context, here are my config files (redacted):

wg0.conf

```ini
[Interface]
PrivateKey = <...>
Address = 10.0.56.250/32
PostUp = sh /etc/split-vpn/vpn/updown.sh %i up
PreDown = sh /etc/split-vpn/vpn/updown.sh %i down
Table = 101

[Peer]
PublicKey = <...>
AllowedIPs = 0.0.0.0/1,128.0.0.0/1,::/1,8000::/1
Endpoint = <...>:51820
```

vpn.conf

```sh
# Force these sources through the VPN.
# Format: [brX] for interface. [IP/nn] for IP. [xx:xx:xx:xx:xx:xx] for mac.
FORCED_SOURCE_INTERFACE=""
FORCED_SOURCE_IPV4="192.168.1.1/24 192.168.2.1/24"
FORCED_SOURCE_IPV6=""
FORCED_SOURCE_MAC=""

DNS_IPV4_IP="10.0.0.1"
DNS_IPV4_PORT=53
DNS_IPV6_IP=""
DNS_IPV6_PORT=53

# Enabling kill switch drops VPN-destined traffic that doesn't go through the VPN.
KILLSWITCH=1

# Enable this only if you are testing or you don't care about your real IP leaking
# when the vpn client restarts or exits.
REMOVE_KILLSWITCH_ON_EXIT=0

REMOVE_STARTUP_BLACKHOLES=1

# Set the VPN provider.
# "openvpn" for OpenVPN (default), "openconnect" for OpenConnect, "external" for wireguard,
# or "nexthop" for an external VPN client.
VPN_PROVIDER="external"

# If using "external" for VPN_PROVIDER, set this to the VPN endpoint IP so that the
# gateway route can be automatically added for the VPN endpoint.
# OpenVPN passes the VPN endpoint IP to the script and will override these values.
# These must be defined if using VPN_PROVIDER="nexthop".
VPN_ENDPOINT_IPV4="<...>"
VPN_ENDPOINT_IPV6=""

GATEWAY_TABLE="auto"

# Options for custom table and chains.
# These options need to be unique for each instance of openvpn if running multiple.
ROUTE_TABLE=101
```

In summary: the split-vpn WireGuard kernel setup worked flawlessly in Unifi OS 3.x, but after upgrading to Unifi OS v4.0.6 and rebooting, client traffic no longer seems to be routed over the WireGuard interface and the killswitch simply drops connectivity, resulting in no connection. The WireGuard tunnel and interface still seem to be set up and functioning properly.
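As an added example (not code from split-vpn or from anyone in this thread), a small Python consistency check over the two files posted above, the kind of thing to run before asking for help so the config itself is ruled out. It assumes that the wg-quick `Table` and split-vpn's `ROUTE_TABLE` must name the same routing table, that `AllowedIPs` should cover all of IPv4, and that `FORCED_SOURCE_IPV4` entries are meant as networks; the sample inputs are constructed from the redacted configs.

```python
# Added example, not split-vpn's own code. Assumptions: wg-quick Table must equal
# split-vpn ROUTE_TABLE; AllowedIPs should cover IPv4; forced sources are networks.
import configparser
import ipaddress
import shlex

WG0_CONF = """[Interface]
PrivateKey = <...>
Address = 10.0.56.250/32
PostUp = sh /etc/split-vpn/vpn/updown.sh %i up
Table = 101
[Peer]
PublicKey = <...>
AllowedIPs = 0.0.0.0/1,128.0.0.0/1,::/1,8000::/1
Endpoint = <...>:51820
"""

VPN_CONF = """# constructed from the redacted vpn.conf above
FORCED_SOURCE_IPV4="192.168.1.1/24 192.168.2.1/24"
VPN_PROVIDER="external"
VPN_ENDPOINT_IPV4="<...>"
ROUTE_TABLE=101
"""

def parse_vpn_conf(text):
    # vpn.conf is sourced by the shell, so unquote values the way sh would.
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            out[key.strip()] = " ".join(shlex.split(value))
    return out

def check_configs(wg_text, vpn_text):
    # interpolation=None: otherwise the %i in PostUp/PreDown trips configparser.
    wg = configparser.ConfigParser(interpolation=None)
    wg.read_string(wg_text)
    vpn = parse_vpn_conf(vpn_text)
    findings = []
    if wg.get("Interface", "Table", fallback=None) != vpn.get("ROUTE_TABLE"):
        findings.append("wg0.conf Table and vpn.conf ROUTE_TABLE name different tables")
    allowed = {a.strip() for a in wg.get("Peer", "AllowedIPs", fallback="").split(",")}
    if "0.0.0.0/0" not in allowed and not {"0.0.0.0/1", "128.0.0.0/1"} <= allowed:
        findings.append("AllowedIPs does not cover all IPv4 traffic")
    for cidr in vpn.get("FORCED_SOURCE_IPV4", "").split():
        net = ipaddress.ip_network(cidr, strict=False)
        if str(net) != cidr:
            findings.append(f"{cidr} has host bits set; the matched network is {net}")
    if vpn.get("VPN_PROVIDER") == "external" and vpn.get("VPN_ENDPOINT_IPV4", "") in ("", "<...>"):
        findings.append("VPN_ENDPOINT_IPV4 is empty or still a placeholder")
    return findings
```

An empty list from `check_configs` means the two files agree with each other; it says nothing about whether the router's policy routing is actually installed, which is the part this thread reports breaking on v4.x.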