Flint 2 - DoT does not work while on VPN (4.7.0)

Hello. Today I would like to mention that there is currently a bug on beta 4.7.0.

WGCLIENT - Unsupported protocol type.

(how it affects me)
I use a VPN (AzireVPN) with my own fine-tuned DNS, Control D, and currently I am not able to use my DNS with my VPN like I did on the non-beta build. My VPN will not work with my Control D DNS enabled. I have done some investigation and it seems that (WGCLIENT) is missing in LuCI.

I have then attempted to install and update, which did not fix this bug.

I am by no means an amateur with these sorts of things, so I know for certain the issue is that the WGclient protocol is not being supported.

That isn't a bug, and it's the same with all firmware.

The GL integration of wgclient is custom; that's why it's not "supported" in LuCI.

I assume the "bug" you encounter is more with the DNS resolution itself; the way it works with VPN was changed a few weeks ago.

VPN should not care about the DNS. Could you post some log files? Try to enable Allow Custom DNS to Override VPN DNS, see DNS - GL.iNet Router Docs.

I have already done that and still encountered the same issue. I had to downgrade back to 4.6.4.

Could you please describe more in detail what the actual issue is?
Does DNS not work at all?

My DNS works fine; I have encountered issues that I did not have on my non-beta version.

I am using AzireVPN and basically it works fine, but when I enable my encrypted DNS over TLS the VPN stops working. Funny thing is, I had to enable IPv6 NAT6 with DNS over TLS enabled, otherwise I get (RTNETLINK answers: Permission denied). When I enable IPv6 NAT6 it fixes that, but I still cannot connect to the VPN. I have tried it on automatic and also manually.

I have the Allow Custom DNS to Override VPN DNS setting enabled by default.

VPN connection logs:

Sun Oct 27 13:29:54 2024 daemon.notice netifd: Network device 'wgclient' link is down
Sun Oct 27 13:29:54 2024 user.notice nat6: Firewall config="wgclient" zone="wgclient" zone_masq6="1".
Sun Oct 27 13:29:54 2024 daemon.notice netifd: Interface 'wgclient' is now down
Sun Oct 27 13:29:56 2024 user.notice nat6: Firewall config="wgclient" zone="wgclient" zone_masq6="1".
Sun Oct 27 13:30:17 2024 daemon.notice netifd: Interface 'wgclient' is setting up now
Sun Oct 27 13:30:17 2024 daemon.notice netifd: wgclient (30269): RTNETLINK answers: Permission denied
Sun Oct 27 13:30:17 2024 daemon.notice netifd: Network device 'wgclient' link is up
Sun Oct 27 13:30:17 2024 daemon.notice netifd: Interface 'wgclient' is now up
Sun Oct 27 13:30:17 2024 user.notice wgclient-up: env value:T_J_V_ifname=string J_V_address_external=1 USER=root ifname=wgclient ACTION=KEYPAIR-CREATED N_J_V_address_external=address-external SHLVL=2 J_V_keep=1 HOME=/ HOTPLUG_TYPE=wireguard T_J_V_interface=string J_V_ifname=wgclient T_J_V_link_up=boolean LOGNAME=root DEVICENAME= T_J_V_action=int TERM=linux SUBSYSTEM=wireguard PATH=/usr/sbin:/usr/bin:/sbin:/bin CONFIG_LIST_STATE= J_V_interface=wgclient K_J_V= action ifname link_up address_external keep interface J_V_link_up=1 J_V_action=0 T_J_V_address_external=boolean N_J_V_link_up=link-up T_J_V_keep=boolean PWD=/ JSON_CUR=J_V CONFIG_SECTIONS=global AzireVPN Hideme IPVanish Mullvad NordVPN PIA Surfshark FromApp group_3360 group_6327 group_5646 group_8612 group_1579 group_898 group_3864 group_6831 peer_4695 peer_7661 peer_628 peer_9947 peer_2913 peer_5880 peer_5198 peer_8165 peer_1132 peer_450 peer_3417 peer_6384 peer_5702 peer_8669 peer_1636 peer_954 peer_3921 peer_6888 peer_6206 peer_9173 peer_2140 peer_1458 peer_4425 peer_
Sun Oct 27 13:30:17 2024 user.notice firewall: Reloading firewall due to ifup of wgclient (wgclient)
Sun Oct 27 13:32:12 2024 user.notice firewall: Reloading firewall due to ifdown of wgclient ()
Sun Oct 27 13:32:12 2024 daemon.notice netifd: Network device 'wgclient' link is down
Sun Oct 27 13:32:13 2024 daemon.notice netifd: Interface 'wgclient' is now down
Sun Oct 27 13:32:13 2024 user.notice firewall: Reloading firewall due to ifdown of wgclient ()
Sun Oct 27 13:32:18 2024 daemon.notice netifd: Interface 'wgclient' is setting up now
Sun Oct 27 13:32:18 2024 daemon.notice netifd: wgclient (1127): RTNETLINK answers: Permission denied
Sun Oct 27 13:33:17 2024 daemon.notice netifd: Interface 'wgclient' is now down
Sun Oct 27 13:33:17 2024 user.notice firewall: Reloading firewall due to ifdown of wgclient ()
Sun Oct 27 13:34:37 2024 daemon.notice netifd: Interface 'wgclient' is setting up now
Sun Oct 27 13:34:37 2024 daemon.notice netifd: wgclient (3686): RTNETLINK answers: Permission denied

After I enable IPv6 the logs show something different.

Sun Oct 27 13:39:16 2024 user.notice nat6: Firewall config="wgclient" zone="wgclient" zone_masq6="1".
Sun Oct 27 13:39:17 2024 user.notice nat6: Firewall config="wgclient" zone="wgclient" zone_masq6="1".
Sun Oct 27 13:39:26 2024 user.notice nat6: Firewall config="wgclient" zone="wgclient" zone_masq6="1".
Sun Oct 27 13:39:30 2024 daemon.notice netifd: Interface 'wgclient' is setting up now
Sun Oct 27 13:39:32 2024 user.notice nat6: Firewall config="wgclient" zone="wgclient" zone_masq6="1".
Sun Oct 27 13:39:32 2024 user.notice nat6: Found firewall zone_name="wgclient" with zone_masq6="1" zone_masq6_privacy="1".
Sun Oct 27 13:39:32 2024 user.notice nat6: Setting up masquerading nat6 for zone_name="wgclient" with zone_masq6_privacy="1"
Sun Oct 27 13:39:32 2024 user.notice nat6: Ensuring ip6tables chain="zone_wgclient_postrouting" contains our MASQUERADE.
Sun Oct 27 13:39:32 2024 user.notice nat6: Ensuring ip6tables chain="zone_wgclient_input" contains our permissive DNAT rule.
Sun Oct 27 13:39:32 2024 user.notice nat6: Ensuring ip6tables chain="zone_wgclient_forward" contains our permissive DNAT rule.
Sun Oct 27 13:39:32 2024 user.notice nat6: Done setting up nat6 for zone="wgclient" on devices:
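A small triage script for the netifd lines in the post above, added here as an example and not taken from the thread or from GL.iNet's firmware. It walks a logread-style file, pairs every "Interface 'wgclient' is setting up now" with the next "is now up" (or the absence of one), and notes whether an "RTNETLINK answers: Permission denied" line occurred in between. Run over the posted log it shows that the Permission denied message appears on the 13:30:17 attempt that did come up as well as on the two that never did, so that message alone does not distinguish a failed bring-up. The embedded sample is an excerpt copied from the first log block; the function names are my own.

```shell
#!/bin/sh
# Added triage helper (not GL.iNet code). Reads syslog/logread lines and
# reports each wgclient bring-up attempt and how it ended.
# Usage: logread | sh wgclient-triage.sh -     or    sh wgclient-triage.sh /tmp/log.txt

# One line per attempt: "<Mon> <day> <hh:mm:ss> <result>".
# $1 = log file, or "-" for stdin.
wgclient_setup_report() {
    awk '
        /Interface .wgclient. is setting up now/ {
            if (pending) print pending_ts, "FAILED (never came up)"
            pending = 1; pending_ts = $2 " " $3 " " $4; denied = 0; next
        }
        /wgclient.*RTNETLINK answers: Permission denied/ { denied = 1; next }
        /Interface .wgclient. is now up/ {
            if (pending) print pending_ts, (denied ? "UP (after RTNETLINK denied)" : "UP")
            pending = 0; next
        }
        END { if (pending) print pending_ts, "FAILED (never came up)" }
    ' "${1:--}"
}

# Number of attempts that never reached "is now up".
wgclient_failed_count() {
    wgclient_setup_report "$1" | grep -c FAILED || true
}

# Excerpt of the log posted in this thread (the long hotplug env line omitted).
sample_log() {
    cat <<'EOF'
Sun Oct 27 13:29:54 2024 daemon.notice netifd: Network device 'wgclient' link is down
Sun Oct 27 13:29:54 2024 daemon.notice netifd: Interface 'wgclient' is now down
Sun Oct 27 13:30:17 2024 daemon.notice netifd: Interface 'wgclient' is setting up now
Sun Oct 27 13:30:17 2024 daemon.notice netifd: wgclient (30269): RTNETLINK answers: Permission denied
Sun Oct 27 13:30:17 2024 daemon.notice netifd: Network device 'wgclient' link is up
Sun Oct 27 13:30:17 2024 daemon.notice netifd: Interface 'wgclient' is now up
Sun Oct 27 13:30:17 2024 user.notice firewall: Reloading firewall due to ifup of wgclient (wgclient)
Sun Oct 27 13:32:12 2024 daemon.notice netifd: Network device 'wgclient' link is down
Sun Oct 27 13:32:13 2024 daemon.notice netifd: Interface 'wgclient' is now down
Sun Oct 27 13:32:18 2024 daemon.notice netifd: Interface 'wgclient' is setting up now
Sun Oct 27 13:32:18 2024 daemon.notice netifd: wgclient (1127): RTNETLINK answers: Permission denied
Sun Oct 27 13:33:17 2024 daemon.notice netifd: Interface 'wgclient' is now down
Sun Oct 27 13:34:37 2024 daemon.notice netifd: Interface 'wgclient' is setting up now
Sun Oct 27 13:34:37 2024 daemon.notice netifd: wgclient (3686): RTNETLINK answers: Permission denied
EOF
}

# Stand-alone demo on the excerpt when run without arguments.
if [ $# -eq 0 ]; then
    sample_log | wgclient_setup_report -
    echo "failed attempts: $(sample_log | wgclient_failed_count -)"
else
    wgclient_setup_report "$1"
fi
```

On the router itself, `logread | sh wgclient-triage.sh -` gives the same report for the live log; an attempt that shows as FAILED with no "is now up" is where the endpoint resolution or firewall reload should be looked at next.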

Maybe the encrypted DNS is causing the WireGuard endpoint not to resolve.

MT6000 with 4.7.0 beta6, DNS over TLS (Control D), IPv6 disabled.

Switching the VPN node from Japan to Chicago to NYC, the process works OK.

You may try disabling the VPN and using nslookup to check the domain name of the endpoint.
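The check suggested above (and the hypothesis two posts earlier that the encrypted DNS stops the WireGuard endpoint from resolving) as a script, added here as an example rather than anything from the thread or from GL.iNet or AzireVPN. It reads the `Endpoint = host:port` line of a wg-quick style profile, classifies the host as an IPv4 literal, IPv6 literal or hostname, and only for a hostname runs nslookup, optionally against a specific server (for instance the router's own resolver). The assumption is that you have the profile as a wg-quick file; the GL.iNet GUI keeps peers in its own UCI sections, so export or copy the profile first. The sample config and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not GL.iNet or AzireVPN code): does the WireGuard client's
# Endpoint need DNS, and does it resolve with the VPN down?
# Usage: sh wg-endpoint-check.sh /path/to/profile.conf [dns-server]

# Print the host part of the first "Endpoint = host:port" line in file $1.
# Handles "host:port", "1.2.3.4:port" and "[v6addr]:port".
wg_endpoint_host() {
    tr -d '\r' < "$1" |
    sed -n 's/^[[:space:]]*Endpoint[[:space:]]*=[[:space:]]*//p' |
    head -n 1 |
    sed -e 's/[[:space:]]*$//' \
        -e 's/^\[\(.*\)\]:[0-9]*$/\1/' \
        -e 's/^\([^:]*\):[0-9]*$/\1/'
}

# Classify $1 as ipv4 / ipv6 (no lookup needed) or hostname (lookup needed).
wg_endpoint_kind() {
    if printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo ipv4
    elif printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f:]+$'; then
        echo ipv6
    else
        echo hostname
    fi
}

# Parse, classify and, for a hostname, try to resolve it.
# $1 = profile path, $2 = optional DNS server to query (e.g. 127.0.0.1 on the router).
wg_endpoint_check() {
    host=$(wg_endpoint_host "$1")
    if [ -z "$host" ]; then
        echo "no Endpoint line found in $1"
        return 2
    fi
    kind=$(wg_endpoint_kind "$host")
    if [ "$kind" != hostname ]; then
        echo "endpoint $host is an $kind literal: no DNS lookup needed to bring the tunnel up"
        return 0
    fi
    echo "endpoint $host is a hostname: the tunnel cannot start until it resolves"
    # Run with the VPN disabled so the query leaves via the WAN, not the tunnel.
    if nslookup "$host" ${2:+"$2"} >/dev/null 2>&1; then
        echo "resolved via ${2:-system resolver}: OK"
        return 0
    fi
    echo "lookup FAILED via ${2:-system resolver}: check the DoT/Control D settings or use an IP endpoint"
    return 1
}

# Stand-alone demo on a constructed profile when run without arguments.
if [ $# -eq 0 ]; then
    demo=$(mktemp)
    printf '[Interface]\nPrivateKey = REDACTED\nAddress = 10.0.0.2/32\n\n[Peer]\nPublicKey = REDACTED\nEndpoint = se-sto.example.net:51820\nAllowedIPs = 0.0.0.0/0, ::/0\n' > "$demo"
    h=$(wg_endpoint_host "$demo")
    echo "$h -> $(wg_endpoint_kind "$h")"
    rm -f "$demo"
else
    wg_endpoint_check "$@"
fi
```

If the hostname fails to resolve only while DoT is enabled, the thread's explanation fits; replacing the hostname in the profile with the server's IP literal removes the dependency on DNS at tunnel start, at the cost of having to update it by hand if the provider moves the server.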

So I ended up having to manually configure the IPv4 and IPv6 DNS resolver instead of using my SSH command sh -c 'sh -c "$(curl -sSL https://api.controld.com/dl)" -s redacted forced'

So far I am using my VPN together with my Control D DNS as I type this, and by looking at my DNS queries/logs it seems DoH is now working with my VPN. The fact that I did not need to do this before until now seems a bit of an odd change.
