Greetings,
I’ve been trying to get a WireGuard split-tunnel config working on Fedora 42. I can’t access anything behind the VPN (no IP address ping, no DNS resolution). This exact config works on Windows out of the box (tried multiple configs with multiple servers - all work on Windows, none work on Fedora).
What I’ve tried:
Used both wg-quick and imported the config into NetworkManager (nmcli)
DNS servers show correctly in resolvectl status
ip a and ip route show expected addresses and routes
ping to remote IPs on the VPN subnet fails
Can ping external (non-VPN) IPs just fine
tcpdump shows outgoing packets but no replies
Tried lowering MTU to 1280
Disabled firewalld
rp_filter is set to 0
Set up logging on an upstream router; shows no traffic from the VPN subnet (when tested on a working device, logs appear)
Tried two different WireGuard servers (both OPNsense-based), same result
It seems like the tunnel is up, and the routes are correct, but return traffic isn’t making it back — or Fedora’s just not handling it right. No virtual bridges or other weird networking going on.
Any idea what Fedora might be doing differently here, or how I can trace where packets are being dropped? Fedora says it’s kicking the packets out wg0, but the next upstream device never receives them. So… I’m inclined to believe they aren’t leaving the system.
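The symptom described above (packets seen leaving wg0, nothing reaching the upstream device) matches two WireGuard conditions that `ip route` and `resolvectl` never show: the destination lies outside every peer's AllowedIPs, so wg0 drops it silently, or the handshake with the matching peer never completes, so no encrypted UDP ever leaves the uplink. The helper below is added here and is not part of the original post; it reads `wg show wg0 dump` output and classifies a destination, and the sample dump, placeholder keys and 180 s freshness threshold are constructed assumptions.

```shell
# Added diagnostic helper, not from the original post. Parses `wg show wg0 dump`
# (tab-separated; interface line, then per peer: pubkey psk endpoint allowed-ips
# latest-handshake rx tx keepalive) and classifies why a destination may go nowhere.

ip4_to_int() {                     # dotted quad -> integer (IPv4 only)
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
in_cidr() {                        # in_cidr IP CIDR -> true if IP lies inside CIDR
  bits=${2#*/}
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "${2%/*}") & mask )) ]
}
# diagnose DUMP DEST_IP NOW_EPOCH prints: no-route (no peer's AllowedIPs covers
# DEST_IP, so wg0 drops it silently), no-handshake (peer matches but handshake never
# completed: plaintext shows on wg0, no encrypted UDP leaves the uplink), stale
# (last handshake older than 180 s) or ok (the problem lies further along the path).
diagnose() {
  dump=$1; dest=$2; now=$3; tab=$(printf '\t'); status=no-route
  {
    read -r _iface_line             # skip the interface line
    while IFS="$tab" read -r pub psk endpoint allowed hs rx tx ka; do
      oldifs=$IFS; IFS=,
      for cidr in $allowed; do
        IFS=$oldifs
        in_cidr "$dest" "$cidr" || continue
        if [ "$hs" -eq 0 ]; then status=no-handshake
        elif [ $(( now - hs )) -gt 180 ]; then status=stale
        else status=ok; fi
        break 2
      done
      IFS=$oldifs
    done
  } <<EOF
$dump
EOF
  echo "$status"
}

# Constructed sample in `wg show wg0 dump` form; keys replaced by placeholders.
SAMPLE_DUMP=$(
  printf 'PRIVKEY_PLACEHOLDER\tIFPUB_PLACEHOLDER\t51820\toff\n'
  printf 'PEER_A_PUB\t(none)\t203.0.113.10:51820\t10.8.0.0/24,192.168.50.0/24\t1700000000\t1234\t5678\t25\n'
  printf 'PEER_B_PUB\t(none)\t203.0.113.11:51820\t10.9.0.0/24\t0\t0\t148\t25\n'
)
for ip in 10.8.0.5 10.9.0.7 172.16.0.1; do   # live: diagnose "$(wg show wg0 dump)" IP "$(date +%s)"
  printf '%-12s %s\n' "$ip" "$(diagnose "$SAMPLE_DUMP" "$ip" 1700000100)"
done
```

If it reports ok, capture on the physical uplink for UDP to the peer's endpoint port to confirm that encrypted packets actually leave the host rather than only appearing on wg0.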