From 57816029e58a1cc535303b8cf41eeb447f785762 Mon Sep 17 00:00:00 2001
From: Frederico Gomes
Date: Mon, 16 Feb 2026 14:05:14 +0000
Subject: [PATCH] wireguard: Fix split tunneling

- Currently, when adding a server, we have an option for 'default route' but unchecking it does not work. This is due to allowed_peers always containing ::0/0 and 0.0.0.0/0. Fix this by setting the allowed_peers to a value containing only the IP of the WireGuard network.
Tests:
- When default routing it checked, routing table shows default route for wireguard device. Traceroute confirms routing through WireGuard network.
- When default routing it unchecked, routing table does not show default route for wireguard device. Traceroute confirms routing through regular network.
Signed-off-by: Frederico Gomes
Reviewed-by: Sunil Mohan Adapa
---
 plinth/modules/wireguard/forms.py | 6 ++++--
 plinth/network.py | 9 +++++++--
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/plinth/modules/wireguard/forms.py b/plinth/modules/wireguard/forms.py
index 75e1a9f24..87450ac32 100644
--- a/plinth/modules/wireguard/forms.py
+++ b/plinth/modules/wireguard/forms.py
@@ -109,6 +109,7 @@ class AddServerForm(forms.Form):
 
     def get_settings(self):
         """Return NM settings dict from cleaned data."""
+        ip_address = self.cleaned_data['ip_address']
         settings = {
             'common': {
                 'type': 'wireguard',
@@ -116,8 +117,8 @@ class AddServerForm(forms.Form):
             },
             'ipv4': {
                 'method': 'manual',
-                'address': self.cleaned_data['ip_address'],
-                'netmask': '',
+                'address': ip_address,
+                'netmask': '255.255.255.0',
                 'gateway': '',
                 'dns': '',
                 'second_dns': '',
@@ -125,6 +126,7 @@ class AddServerForm(forms.Form):
             'wireguard': {
                 'peer_endpoint': self.cleaned_data['peer_endpoint'],
                 'peer_public_key': self.cleaned_data['peer_public_key'],
+                'ip_address': ip_address,
                 'private_key': self.cleaned_data['private_key'],
                 'preshared_key': self.cleaned_data['preshared_key'],
                 'default_route': self.cleaned_data['default_route'],
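Review bot: `'netmask': '255.255.255.0'` in the second hunk hard-codes the tunnel as a /24, and the same assumption is repeated as `f'{ip_addr}/24'` in `_update_wireguard_settings` in plinth/network.py, so a server whose WireGuard network uses any other prefix length gets a wrong interface netmask and a mismatched allowed-IP set with no way to correct it from the form. Because the two values must agree, keep them in one place, for example a module constant such as `WIREGUARD_PREFIX_LENGTH = 24` from which both the netmask and the allowed IP are derived, or let the prefix length be entered alongside `ip_address`. Until then a comment next to the netmask would at least make the coupling visible: `# Tunnel network is assumed to be a /24; must match the allowed IP set in network._update_wireguard_settings().`. get_settings() begins in the first hunk and its return statement lies past the last one.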
diff --git a/plinth/network.py b/plinth/network.py
index dfe99e466..873bcd5bb 100644
--- a/plinth/network.py
+++ b/plinth/network.py
@@ -507,8 +507,13 @@ def _update_wireguard_settings(connection, wireguard):
     peer.set_preshared_key_flags(nm.SettingSecretFlags.NONE)
     peer.set_preshared_key(wireguard['preshared_key'], False)
 
-    peer.append_allowed_ip('0.0.0.0/0', False)
-    peer.append_allowed_ip('::/0', False)
+    if wireguard['default_route']:
+        peer.append_allowed_ip('0.0.0.0/0', False)
+        peer.append_allowed_ip('::/0', False)
+    else:
+        ip_addr = wireguard['ip_address']
+        peer.append_allowed_ip(f'{ip_addr}/24', False)
+
     settings.clear_peers()
     settings.append_peer(peer)
 
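Review bot: The new else branch appends the peer's own host address with a /24 suffix (`f'{ip_addr}/24'`) rather than the network address, and nothing in this hunk shows whether NetworkManager canonicalises a non-network allowed IP or rejects it; normalising first avoids depending on that, e.g. `allowed = ipaddress.ip_network(f'{ip_addr}/24', strict=False)` followed by `peer.append_allowed_ip(str(allowed), False)` (with `import ipaddress` at the top of the module if it is not already imported). The branch also reads `wireguard['ip_address']` unconditionally, so any other caller of _update_wireguard_settings that still builds the dict without that key would now fail with a KeyError in the non-default-route case; whether such callers exist is not visible in this patch. A comment on the new `if` would help the next reader, e.g. `# AllowedIPs is both the route set and WireGuard's cryptokey-routing filter: either a full default route or only the tunnel subnet.`. The enclosing function starts before this hunk.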