wireguard: Fix split tunneling

- Currently, when adding a server, we have an option for 'default route' but unchecking it does not work. This is due to allowed_peers always containing ::0/0 and 0.0.0.0/0. Fix this by setting the allowed_peers to a value containing only the IP of the WireGuard network. Tests: - When default routing it checked, routing table shows default route for wireguard device. Traceroute confirms routing through WireGuard network. - When default routing it unchecked, routing table does not show default route for wireguard device. Traceroute confirms routing through regular network. Signed-off-by: Frederico Gomes <fredericojfgomes@gmail.com> Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2026-03-11 09:04:54 +00:00 · 2026-02-16 14:05:14 +00:00 · 2026-02-16 14:05:14 +00:00 · 57816029e5
commit 57816029e5
parent 3be73bad59
2 changed files with 11 additions and 4 deletions
--- a/plinth/modules/wireguard/forms.py
+++ b/plinth/modules/wireguard/forms.py
@ -109,6 +109,7 @@ class AddServerForm(forms.Form):

    def get_settings(self):
        """Return NM settings dict from cleaned data."""
+        ip_address = self.cleaned_data['ip_address']
        settings = {
            'common': {
                'type': 'wireguard',
@ -116,8 +117,8 @@ class AddServerForm(forms.Form):
            },
            'ipv4': {
                'method': 'manual',
-                'address': self.cleaned_data['ip_address'],
-                'netmask': '',
+                'address': ip_address,
+                'netmask': '255.255.255.0',
                'gateway': '',
                'dns': '',
                'second_dns': '',
@ -125,6 +126,7 @@ class AddServerForm(forms.Form):
            'wireguard': {
                'peer_endpoint': self.cleaned_data['peer_endpoint'],
                'peer_public_key': self.cleaned_data['peer_public_key'],
+                'ip_address': ip_address,
                'private_key': self.cleaned_data['private_key'],
                'preshared_key': self.cleaned_data['preshared_key'],
                'default_route': self.cleaned_data['default_route'],
--- a/plinth/network.py
+++ b/plinth/network.py
@ -507,8 +507,13 @@ def _update_wireguard_settings(connection, wireguard):
            peer.set_preshared_key_flags(nm.SettingSecretFlags.NONE)
            peer.set_preshared_key(wireguard['preshared_key'], False)

-        peer.append_allowed_ip('0.0.0.0/0', False)
-        peer.append_allowed_ip('::/0', False)
+        if wireguard['default_route']:
+            peer.append_allowed_ip('0.0.0.0/0', False)
+            peer.append_allowed_ip('::/0', False)
+        else:
+            ip_addr = wireguard['ip_address']
+            peer.append_allowed_ip(f'{ip_addr}/24', False)
+
        settings.clear_peers()
        settings.append_peer(peer)