DNS over Wireguard with AllowedIP 0.0.0.0/0 not working - part 2

Hi,

I have the same issue as in the following topic:

https://forum.gl-inet.com/t/dns-over-wireguard-with-allowedip-0-0-0-0-0-not-working/58069/1

Unfortunately it was never resolved whether it was fixed or not.

@j96314 or @bruce: Can you please tell me, how this ended up?

Would be glad to hear from you.

Thanks and best regards

Rex


Hello,

Is it only DNS that fails in your issue? ping 8.8.8.8 works but ping www.google.com does not?

  1. What device model?
  2. What firmware version?
  3. What topology? Include the VPN server, VPN client, and the subnets of each network device.
  4. Which options are enabled on the VPN server and VPN client respectively?

At the time we did not find a bug; the issue was caused by an abnormal DNS configuration on the VPN server.

We would like to get more information so we can reproduce the issue locally or investigate it remotely in GoodCloud.

Exactly, ping 8.8.8.8 works, but ping google.com doesn’t. If I change the DNS Server on the client of the Gl inet Router, ping google.com is possible and also the traceroute google.com is correct.

  1. Beryl AX MT-3000

  2. 4.8.1

  3. The Beryl AX is connected to my home network via wifi. It is intended as travel router, so it will always be connected to another network.
    The VPN Server is hosted on a VPS, other Wireguard Clients work without any issue.
    Subnet of VPN Server: 10.10.10.0/24
    Subnet of Gl inet Wifi: 192.168.8.0/24

    Config of Wireguard Client on Beryl AX:

    [Interface]
    Address = 10.10.10.11/32
    ListenPort = 51820
    PrivateKey = Private_Key
    DNS = 10.10.10.1
    MTU = 1200

    [Peer]
    AllowedIPs = 0.0.0.0/0
    Endpoint = Public_IP_OF_VPS:51820
    PersistentKeepalive = 25
    PublicKey = Public_Key

  4. Options enabled

    DNS Rebinding Attack Protection = On (Auto enables “back” when turned off in the GUI; so can’t be disabled)
    Override DNS Settings of All Clients = Off
    Allow Custom DNS to Override VPN DNS = Off
    DNS Server Settings Mode = Automatic (Below is written: “DNS of VPN Client: 10.10.10.1”, which seems correct)

    VPN Client Global Options:
    Mode: Global
    Services from GL.iNet Use VPN = Off

Is this sufficient information or do you need more?

As already mentioned, this is the third router in total I would like to connect to my WG Server; the two others are opnsense machines and they work like a charm. So DNS on the VPN Server should not be an issue. Connections of mobile devices to the VPN Server also work without any issue.

Thank you for your help Bruce.

Can you try with “allowedIPs=0.0.0.0/0, ::/0”? Could be that DNS queries are bypassing the wg tunnel…

Neither ping nor traceroute work with “allowedIPs=0.0.0.0/0, ::/0” so unfortunately this doesn’t help.

But: If I do ping and traceroute on the MT-3000 itself, everything works, but not through the wg tunnel. So there seems to be a bypass indeed.

@bruce do you have any updates on this or are you still investigating?
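The posted client config and the "add ::/0" suggestion raise one concrete question: does every DNS server address in the config actually fall inside the peer's AllowedIPs, for both address families? The script below is an added example (not GL.iNet or WireGuard code) that parses a wg-quick style config and answers that for each DNS= entry. The embedded sample is the config posted earlier with its key and endpoint placeholders kept; the IPv6 address used in the test is a constructed documentation address. Note what it does and does not tell you: with 0.0.0.0/0 the posted config does route 10.10.10.1 into the tunnel, so a bypass observed on the router must come from the firmware's own resolver or policy routing rather than from the WireGuard config itself.

```python
"""Check whether a WireGuard client's DNS servers are covered by AllowedIPs.

Added example, not GL.iNet's or WireGuard's code. Parses a wg-quick style
config and reports, per DNS server address, whether some peer's AllowedIPs
contains it. A DNS server outside AllowedIPs means resolver traffic leaves
via the underlying WAN interface instead of the tunnel.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: the Beryl AX client config from the thread, placeholders kept.
SAMPLE_CONFIG = """\
[Interface]
Address = 10.10.10.11/32
ListenPort = 51820
PrivateKey = Private_Key
DNS = 10.10.10.1
MTU = 1200

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = Public_IP_OF_VPS:51820
PersistentKeepalive = 25
PublicKey = Public_Key
"""


def parse_wg_config(text):
    """Return a list of (section_name, {key: [values]}) in file order.

    A list is used rather than a dict because a config may carry several
    [Peer] sections; values are split on commas since wg-quick accepts
    comma-separated lists for DNS and AllowedIPs.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], defaultdict(list))
            sections.append(current)
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        current[1][key].extend(v.strip() for v in value.split(",") if v.strip())
    return sections


def allowed_networks(sections):
    """Collect every AllowedIPs prefix from all [Peer] sections."""
    nets = []
    for name, kv in sections:
        if name == "Peer":
            nets.extend(ipaddress.ip_network(n, strict=False) for n in kv.get("AllowedIPs", []))
    return nets


def dns_coverage(text):
    """Map each DNS server address to True (routed into the tunnel) or False (bypasses it).

    Non-address entries on the DNS= line (search domains) are ignored.
    """
    sections = parse_wg_config(text)
    nets = allowed_networks(sections)
    coverage = {}
    for name, kv in sections:
        if name != "Interface":
            continue
        for server in kv.get("DNS", []):
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                continue  # a search domain, not a resolver address
            # An IPv6 resolver is only covered by an IPv6 prefix such as ::/0,
            # which is exactly the gap the "add ::/0" advice is about.
            coverage[server] = any(addr.version == n.version and addr in n for n in nets)
    return coverage


if __name__ == "__main__":
    for server, inside in dns_coverage(SAMPLE_CONFIG).items():
        print(f"DNS {server}: {'via tunnel' if inside else 'BYPASSES tunnel'}")
```

Run it against your own client config by replacing SAMPLE_CONFIG with the file contents; a False entry is a config-level leak, while an all-True result, as for the posted config, points the investigation at the router's resolver and policy settings instead.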

This topic is tricky; may I suggest verifying on https://test.nextdns.io?

Especially if you might use nextdns: what is reported on their site is not the same, it just uses it as a client identifier.

As to why I say the topic is tricky and complex:

If you split-tunnel domains (maybe you don't, which is better), things can easily go wrong; this is also the disadvantage of split tunnels, as they pose a risk of DNS leaks.

Take websites behind Cloudflare or Amazon AWS as an example: they often rotate IPs so they can hide the real server IP.

The issue with this is that IPs get stored in an ipset, but there is no extra domain verification step, meaning if a different site uses an IP in that ipset you leak it over WAN. I noticed this because, ironically, nextdns is behind Cloudflare and the site fails if you would only forward traffic to the firewall zone wireguard.

So my suggestion is: can you try it without any policies, or with the certainty it's not split-routed on one of these clouds?
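The ipset failure mode described in this post is easy to see in a small model. The following is an added example, not router firmware or the poster's code: DNS answers for domains on a policy list are copied into an ipset, and the firewall then decides per destination IP only. Because the ipset holds addresses and not names, a second domain that shares a CDN address with a listed one inherits the listed domain's routing, in whichever direction the policy points. The DNS answers are constructed (documentation address ranges), not real resolution results.

```python
"""Model of domain-based split routing through an ipset, and the leak it causes.

Added example, not code from the router firmware or from the post's author.
mode="bypass": listed domains leave via WAN, everything else via WireGuard.
mode="vpn":    listed domains go via WireGuard, everything else via WAN.
In both modes the routing decision only sees the destination IP.
"""
import ipaddress

# Constructed fake DNS answers: two unrelated domains share one CDN address.
FAKE_DNS = {
    "vpn-only.example": ["198.51.100.10", "198.51.100.11"],
    "other.example": ["198.51.100.11", "203.0.113.5"],  # shares .11 with vpn-only
    "plain.example": ["192.0.2.7"],
}


class DomainIpsetPolicy:
    def __init__(self, listed_domains, mode):
        if mode not in ("bypass", "vpn"):
            raise ValueError("mode must be 'bypass' or 'vpn'")
        self.listed = set(listed_domains)
        self.mode = mode
        self.ipset = set()  # mirrors an ipset fed from resolver answers

    def resolve(self, domain):
        """Simulate a client lookup through the router's resolver.

        Answers for listed domains are added to the ipset as a side effect;
        no record of which domain produced an address is kept.
        """
        answers = [ipaddress.ip_address(a) for a in FAKE_DNS[domain]]
        if domain in self.listed:
            self.ipset.update(answers)
        return answers

    def route_ip(self, ip):
        """Firewall decision: destination IP only, no domain context."""
        in_set = ipaddress.ip_address(ip) in self.ipset
        if self.mode == "bypass":
            return "wan" if in_set else "wg"
        return "wg" if in_set else "wan"

    def intended_route(self, domain):
        """What the operator meant for this domain, independent of ipset state."""
        listed = domain in self.listed
        if self.mode == "bypass":
            return "wan" if listed else "wg"
        return "wg" if listed else "wan"


def find_leaks(listed_domains, mode, lookups):
    """Replay lookups in order and return (domain, ip, actual, intended) for
    every connection whose per-IP decision differs from the per-domain intent."""
    policy = DomainIpsetPolicy(listed_domains, mode)
    leaks = []
    for domain in lookups:
        for ip in policy.resolve(domain):
            actual = policy.route_ip(ip)
            intended = policy.intended_route(domain)
            if actual != intended:
                leaks.append((domain, str(ip), actual, intended))
    return leaks


if __name__ == "__main__":
    for mode in ("bypass", "vpn"):
        leaks = find_leaks(["vpn-only.example"], mode,
                           ["vpn-only.example", "other.example", "plain.example"])
        print(mode, leaks)
```

In bypass mode the shared address sends other.example out over WAN even though it was meant to stay in the tunnel, which is the leak the post describes; in vpn mode the same sharing pulls an unlisted site into the tunnel instead. Either way the result depends on lookup order, since the ipset is only populated once a listed domain has been resolved, which is why such leaks are intermittent and hard to spot without a check like test.nextdns.io.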

@xize11 Are you sure that your comment was intended in this topic? I use a full tunnel, not a split tunnel and also I don’t use nextdns.


Sorry, I had to re-read everything again; it seems to be a different issue.

What about the topology: does the router have a different router upstream?

Have you tried to disable rebind protection?

This can still help, especially in dual NAT scenarios in combination with VPN; you can also confirm it in the logs.

I tested different upstream routers in several hospitals, hotels and at home. The problem occurs everywhere.

The problem with the DNS rebind attack protection is that it automatically re-enables itself whenever I try to turn it off and apply the changes. Do you have any ideas how I can disable it?

Does it do that also inside the GL settings? Under Network -> DNS?

Yes exactly.

@bruce do you have any clue why rebind protection turns on by itself? What the OP describes is strange.