Wireguard Split-Vpn Fails with Unifi OS v4.0.6 #213

Open
calyx-labs opened this issue Sep 23, 2024 · 1 comment

Hello,

I'd like some help diagnosing an issue with Split-Vpn running on a UDM-Pro SE running Unifi OS v4.0.6. When I set this up the first time, prior to upgrading to Unifi OS v4+ (on v3.x), it worked the first time following the setup directions for the Wireguard (kernel module) instructions.

After upgrading and rebooting, my split-vpn setup no longer works. I tried disabling the service and running wg-quick up ./wg0.conf from my vpn subdirectory and then running wg, and I confirmed that the tunnel establishes and it receives a valid handshake. With the killswitch enabled, connected clients lose all connectivity, suggesting that the issue is with routing client traffic over the wireguard interface.

For context, here are my config files (redacted):

wg0.conf

[Interface]
PrivateKey = <...>
Address = 10.0.56.250/32
PostUp = sh /etc/split-vpn/vpn/updown.sh %i up
PreDown = sh /etc/split-vpn/vpn/updown.sh %i down
Table = 101

[Peer]
PublicKey = <...>
AllowedIPs = 0.0.0.0/1,128.0.0.0/1,::/1,8000::/1
Endpoint = <...>:51820

vpn.conf

# Force these sources through the VPN.
# Format: [brX] for interface. [IP/nn] for IP. [xx:xx:xx:xx:xx:xx] for mac.
FORCED_SOURCE_INTERFACE=""
FORCED_SOURCE_IPV4="192.168.1.1/24 192.168.2.1/24"
FORCED_SOURCE_IPV6=""
FORCED_SOURCE_MAC=""

DNS_IPV4_IP="10.0.0.1"
DNS_IPV4_PORT=53
DNS_IPV6_IP=""
DNS_IPV6_PORT=53

# Enabling kill switch drops VPN-destined traffic that doesn't go through the VPN.
KILLSWITCH=1

# Enable this only if you are testing or you don't care about your real IP leaking
# when the vpn client restarts or exits.
REMOVE_KILLSWITCH_ON_EXIT=0

REMOVE_STARTUP_BLACKHOLES=1

# Set the VPN provider.
# "openvpn" for OpenVPN (default), "openconnect" for OpenConnect, "external" for wireguard,
# or "nexthop" for an external VPN client.
VPN_PROVIDER="external"

# If using "external" for VPN_PROVIDER, set this to the VPN endpoint IP so that the
# gateway route can be automatically added for the VPN endpoint.
# OpenVPN passes the VPN endpoint IP to the script and will override these values.
# These must be defined if using VPN_PROVIDER="nexthop".
VPN_ENDPOINT_IPV4="<...>"
VPN_ENDPOINT_IPV6=""

GATEWAY_TABLE="auto"

# Options for custom table and chains.
# These options need to be unique for each instance of openvpn if running multiple.
ROUTE_TABLE=101
calyx-labs commented Sep 24, 2024

Following up, this may be an issue with Unifi OS v4.0.6 and not split-vpn.

I just tried setting up a Wireguard Client through the GUI and following the instructions to create a policy-based route to redirect traffic through the wireguard tunnel, and I get the exact same issue. Tunnel and interface created, handshake successful; once the policy route for redirecting all clients is in place, all traffic is simply dropped. Removing the policy route returns traffic to normal and clients have an internet connection again, with the tunnel still indicating handshakes and successful creation. But for some reason redirecting clients through a wireguard tunnel appears simply broken in Unifi OS v4.0.6.

I also tried different VPN providers, same error for all providers I tried.
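Both posts above describe the same symptom: the WireGuard handshake succeeds, but as soon as client traffic is supposed to be policy-routed into the tunnel it is dropped. Whether that is a routing problem or a tunnel problem can be separated by looking at two things on the gateway: does routing table 101 (the Table = 101 from wg0.conf, which wg-quick fills with the AllowedIPs routes 0.0.0.0/1 and 128.0.0.0/1 via wg0) actually contain those routes, and does any ip rule send client traffic to that table. The script below is an added diagnostic example written for this page; it is not part of split-vpn, Unifi OS, or the issue author's setup. The table number and interface name are taken from the posted configs; the exact shape of the ip rule split-vpn installs (from-source or fwmark based) is not known from this page, so the check accepts any rule that looks up table 101. The sample ip rule / ip route output embedded in it is constructed, not captured from a UDM.

```shell
#!/bin/sh
# Added diagnostic example (not split-vpn or Unifi OS code).
# Given the output of `ip -4 rule show` and `ip -4 route show table 101`,
# report whether policy routing into the WireGuard table is wired up.
# Assumptions: TABLE and WGIF come from the wg0.conf/vpn.conf in the issue;
# any rule that does "lookup 101" is treated as the client-steering rule,
# since the page does not show which rule form split-vpn installs.

TABLE=101
WGIF=wg0

# rules_select_table RULE_OUTPUT -> 0 if some ip rule looks up $TABLE
rules_select_table() {
    printf '%s\n' "$1" | grep -Eq "lookup[[:space:]]+$TABLE([[:space:]]|\$)"
}

# table_has_vpn_default ROUTE_OUTPUT -> 0 if both wg-quick half-routes
# (0.0.0.0/1 and 128.0.0.0/1, from AllowedIPs) point at $WGIF
table_has_vpn_default() {
    printf '%s\n' "$1" | grep -Eq "^0\.0\.0\.0/1[[:space:]]+dev[[:space:]]+$WGIF" &&
    printf '%s\n' "$1" | grep -Eq "^128\.0\.0\.0/1[[:space:]]+dev[[:space:]]+$WGIF"
}

# diagnose RULES ROUTES -> prints a verdict; returns
#   0 when routing into the tunnel is wired,
#   1 when table $TABLE lacks the tunnel routes (wg-quick did not populate it),
#   2 when the table is fine but no rule sends client traffic to it
#     (clients stay on the main table, so a killswitch drops them).
diagnose() {
    rules=$1
    routes=$2
    if ! table_has_vpn_default "$routes"; then
        echo "table $TABLE has no 0.0.0.0/1 + 128.0.0.0/1 via $WGIF: tunnel routes missing"
        return 1
    fi
    if ! rules_select_table "$rules"; then
        echo "no ip rule selects table $TABLE: clients stay on main table (killswitch drops them)"
        return 2
    fi
    echo "policy routing into table $TABLE via $WGIF looks wired"
    return 0
}

# Constructed sample output in the shape of `ip -4 rule show` and
# `ip -4 route show table 101`; not captured from a real device.
SAMPLE_RULES_OK='0:     from all lookup local
32765:  from 192.168.1.0/24 lookup 101
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_RULES_BROKEN='0:     from all lookup local
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_ROUTES_OK='0.0.0.0/1 dev wg0 scope link
128.0.0.0/1 dev wg0 scope link'

# `sh diag.sh --live` runs against the real kernel state (needs root);
# without the flag it demonstrates the "tunnel up, no steering rule" case.
if [ "${1:-}" = "--live" ]; then
    diagnose "$(ip -4 rule show)" "$(ip -4 route show table "$TABLE")"
else
    diagnose "$SAMPLE_RULES_BROKEN" "$SAMPLE_ROUTES_OK" || :
fi
```

Return code 1 points at the tunnel side (wg-quick did not add the AllowedIPs routes into table 101, or was brought up without Table = 101); return code 2 matches the symptom in this issue, where wg reports handshakes but nothing steers client traffic into the table, so a killswitch that drops anything not leaving via wg0 blackholes the clients.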
