ASUS VPN Fusion Wireguard client not setting up route(s) on connection

SonoranWoody

My ISP has me behind NAT. I am setting up a private cloud VPN proxy:
Code:
[internal hosts] <-> [ASUS router] <-> [ISP PoP] <-> [internet] <-> [cloud VPN proxy]
           192.168.50/24      192.168.150/24

                     [ASUS router] <------------------------------> [cloud VPN proxy]
                       (client)           WG:    10.10.11/24             (server)

I have the general Wireguard client and server config set up, and the connection between the router and cloud VPN proxy is successful. However, on the ASUS side no route is set up and therefore no traffic can flow over the VPN connection. Upon Wireguard connection I have the following active configuration on the ASUS:
Code:
admin@ZenWiFi_Pro_ET12:/tmp/home/root# wg show
interface: wgc5
  public key: <ASUS pub key here>
  private key: (hidden)
  listening port: 60240

peer: <cloud VPN proxy pub key here>
  endpoint: <VpnCloudProxyPubIP>:51001
  allowed ips: 10.10.11.0/24
  latest handshake: 1 minute, 30 seconds ago. (sec:90)
  transfer: 92 B received, 340 B sent
  persistent keepalive: every 15 seconds

admin@ZenWiFi_Pro_ET12:/tmp/home/root# ip route
default via 192.168.150.1 dev eth0
1.1.1.1 via 192.168.150.1 dev eth0 metric 1
8.8.8.8 via 192.168.150.1 dev eth0 metric 1
127.0.0.0/8 dev lo scope link
192.168.50.0/24 dev br0 proto kernel scope link src 192.168.50.1
192.168.51.0/24 via 192.168.50.249 dev br0 metric 1
192.168.150.0/24 dev eth0 proto kernel scope link src 192.168.150.119
192.168.150.1 dev eth0 proto kernel scope link
239.0.0.0/8 dev br0 scope link

At this point traffic for 10.10.11.0/24 is NOT flowing over the Wireguard connection from the ASUS router (note the lack of a dev route). The VPN server does have its 10.10.11.10/24 route set up correctly and traffic from its side is flowing over the VPN connection ("tcpdump -i wg0" validated).

I can manually fix the issue by going on the ASUS router and adding the missing route:
Code:
ip route add 10.10.11.0/24 dev wgc5

After which traffic flows over the VPN connection as expected.
Code:
admin@ZenWiFi_Pro_ET12:/tmp/home/root# ip route
default via 192.168.150.1 dev eth0
1.1.1.1 via 192.168.150.1 dev eth0 metric 1
8.8.8.8 via 192.168.150.1 dev eth0 metric 1
10.10.11.0/24 dev wgc5 scope link
127.0.0.0/8 dev lo scope link
192.168.50.0/24 dev br0 proto kernel scope link src 192.168.50.1
192.168.51.0/24 via 192.168.50.249 dev br0 metric 1
192.168.150.0/24 dev eth0 proto kernel scope link src 192.168.150.119
192.168.150.1 dev eth0 proto kernel scope link
239.0.0.0/8 dev br0 scope link

My Question: Why is the router not doing this itself?

ASUS VPN Fusion WireGuard configuration <personal values removed>:

[Screenshots: 1730135393851.png, 1730135450697.png]
 
Just a guess (since I don't have access to WG on ASUS), it may be using a separate routing table for WG, then using the ip rules database to route traffic through that table. A dump of the ip rules would reveal that, plus the specific routing table, which you can dump as well.

Code:
ip rule
ip route show table xxx # maybe wgc5?

But if that's the case, why it's NOT working as intended, I don't know. Sometimes other things preempt the rules, such as ip rules for dual WAN.
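
The check suggested in the reply above, written out as an added example that is not part of the thread: it walks the `ip rule` list in priority order and reports which looked-up table holds a route through the WireGuard interface. The sample rules, table 100 and the table name `wgc5` are constructed assumptions, not output from an ASUS router.

```shell
#!/bin/sh
# Added example, not from the thread. For each ip rule, in priority order,
# show the table it looks up and which prefixes that table routes via a device.

# Constructed sample; these rules and the table name "wgc5" are assumptions,
# not output captured from an ASUS router.
sample_rules() {
cat <<'EOF'
0: from all lookup local
150: from 192.168.50.0/24 lookup 100
10210: from all to 10.10.11.0/24 lookup wgc5
32766: from all lookup main
32767: from all lookup default
EOF
}
sample_table() {
    case "$1" in
        wgc5) echo "10.10.11.0/24 dev wgc5 scope link" ;;
        100)  echo "default via 192.168.150.1 dev eth0" ;;
        main) echo "default via 192.168.150.1 dev eth0"
              echo "192.168.50.0/24 dev br0 proto kernel scope link src 192.168.50.1" ;;
    esac
}

# Live data by default; WG_DIAG_SAMPLE=1 switches to the sample above.
get_rules() { if [ -n "$WG_DIAG_SAMPLE" ]; then sample_rules; else ip rule; fi; }
get_table() {
    if [ -n "$WG_DIAG_SAMPLE" ]; then sample_table "$1"
    else ip route show table "$1" 2>/dev/null; fi
}

# Comma-joined prefixes in a route listing (stdin) that leave via device $1, or "-".
routes_via_dev() {
    awk -v dev="$1" '
        { for (i = 2; i < NF; i++) if ($i == "dev" && $(i + 1) == dev) out = out (out != "" ? "," : "") $1 }
        END { print (out != "" ? out : "-") }'
}

# One line per rule: "<priority> <table> <prefixes via device, or ->".
wg_policy_report() {
    get_rules | awk '{ for (i = 1; i < NF; i++) if ($i == "lookup") print $1, $(i + 1) }' |
    while read -r prio table; do
        echo "${prio%:} $table $(get_table "$table" | routes_via_dev "$1")"
    done
}

# Demo on the constructed sample. On the router: unset WG_DIAG_SAMPLE; wg_policy_report wgc5
WG_DIAG_SAMPLE=1
wg_policy_report wgc5
```

Rules are evaluated in ascending priority, so in the sample the LAN rule at 150, whose table has a default route, matches LAN traffic before the `wgc5` rule at 10210 is reached.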
 