[GL-AR750 & GL-MT300N-V2] Is this GLDDNS behaviour normal with Wireguard?

I am using a GL-AR750 as the main router, and a GL-MT300N-V2 in another room as an AP (connected to the GL-AR750 through cable). The two devices are using the latest firmware.
The GL-AR750 is using WireGuard (Azire VPN), has VPN policies ON (every device uses the VPN except a Chromecast V3 and a Chromecast with Google TV), and the option to use the VPN for all the processes on the router is also checked.
Remote Access is ON on both devices.
Let’s say the GL-AR750 DDNS is “creta.glddns.com” and the GL-MT300N-V2 is “mango.ddns.com”.
If I try to access “creta.glddns.com” I can’t, because I am using WireGuard and I am also using “use VPN for all processes on the router”. That’s expected, but here comes the interesting thing: if I try to access “mango.ddns.com” I am redirected to the “creta.glddns.com” page, and I can access it from everywhere if I am connected to WireGuard with the same server as the GL-AR750. Is this behaviour normal? It seems not to me, because if I can’t access “creta.glddns.com”, why is it reachable through “mango.ddns.com”?

Can you check if both DDNS names point to the same WireGuard server of AzireVPN?

On the AR750 WireGuard client page do you see the option to allow local access? If you have that option, make sure it is turned off.

Hi and thanks for your answer.
Yes, both DDNS names point to the same WireGuard server IP. And no, I never checked the option to allow local access on the WG client page.

But I found what was causing this particular behaviour: in the GL-AR750 VPN policy page I had previously set the GL-MT300N-V2 to NOT use WireGuard. Even though I removed it from the policies a long time ago, the setting didn’t refresh for some reason (not even after several reboots).
But something still seems not right: even if I configure the GL-MT300N-V2 to not use WireGuard on the GL-AR750’s VPN policies page, all devices connected to it are in fact using WireGuard (even GLDDNS is pointing to the WG server), and the side effect is that I can reach the GL-AR750 page through the GL-MT300N-V2’s DDNS.

Need a little more info to do further checks. If possible you can just reset both routers and try again.

Tried, but the issue is still present and easily reproducible.
To recap: the GL-AR750 is the main router, the GL-MT300N-V2 is connected to it through cable and is working as an AP, and Remote Access is on on both devices. The GL-AR750 is using VPN policies (MAC address) with “use VPN for all processes” checked and set to NOT use WireGuard on the GL-MT300N-V2. Even though VPN policies are configured to NOT use WG on the GL-MT300N-V2, any device connected to it is in fact using WG. But this way the VPN policies are affecting the GL-MT300N-V2’s DDNS, as it points to my real ISP IP, as if it were not using WG. So accessing the GL-MT300N-V2 DDNS address automatically redirects me to the GL-AR750 main page as long as I am connected to the same WG server as the GL-AR750. I just tried through mobile data on my smartphone using the Azire VPN app: no problem reaching the GL-AR750 page through the GL-MT300N-V2 DDNS.

Hello, I am not an expert but maybe an opinion can be good or change your way of seeing the problem.

Is the MT300N-V2 connected to the AR750 from the WAN or from the LAN port? I think there are some GL.iNet firewall rules on the WAN port.
I have a similar configuration to yours: 1 AR750S connected by LAN to 2 AR750s, but connected to the LAN ports, no WAN, and also firewall and dnsmasq disabled on both AR750s. I also have luci-app-ddns installed on all routers so I can see what IP they have when they use VPN or WireGuard on LuCI’s overview page.

Bye.

Maybe first solve this problem. This does not relate to DDNS.

If you are using the latest firmware on the AR750, which should be 3.203, at least the VPN policy should work normally. Can you post a screenshot?

Firmware is 3.203-0701 on the AR750, 3.203-0805 on the MT300N-V2.
So, if VPN policies are configured as you see in the screenshot below, enabling DDNS on the MT300N-V2 makes the registered DDNS IP the same as the WireGuard server. This way I can’t reach either the AR750 or the MT300N-V2 DDNS page, and that’s expected.

But if VPN policies are configured as in the next picture, enabling DDNS on the MT300N-V2 makes the registered DDNS IP the same as my ISP IP. You say that’s not related, but that’s what is happening every time: sometimes this does not happen immediately, but after an hour or so (after the DDNS update). Also, VPN policies don’t work on the AP: every device connected to the MT300N-V2 is in fact using WireGuard, and this behaviour was the same in every firmware version I tried in the last year.

And if VPN policies are configured as in the next picture, and Remote Access is OFF on the MT300N-V2, I can still reach the AR750 page through the MT300N-V2’s DDNS:

As you can see, DDNS is disabled on the MT300N-V2:

But I can still reach the AR750 page through the MT300N-V2’s DDNS:

I hope I was clear enough; English is not my native language and I find it a little difficult to explain this kind of thing :slight_smile:

First, about VPN policy:

If you configure the MT300N-V2 as an AP (bridge mode), all the clients connected to it are bridged to the main router (AR750). In your VPN policies, these clients are connected to the WireGuard server. So this part is correct.

Second, about DDNS.

In your LuCI page, the DDNS is displayed as not enabled. Please note, this is not related to the DDNS in the default UI. LuCI has its own DDNS script.

In your policy settings, the MT300N-V2’s DDNS points to your ISP IP. So when you use this DDNS, it will forward you to the AR750’s WAN IP, as it uses the same ISP IP. If your AR750’s WAN access is enabled, you will be able to access it. So it is also expected.

Please note, DDNS is just IP redirection. So if you enable DDNS on both the AR750 and the MT300N-V2, they will redirect to the same ISP IP, if we do not consider the VPN connection.
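The point of this last answer, that a DDNS name is only an address record and that two names registered from the same WAN path resolve to the same ISP IP and therefore land on the same router's WAN port, can be checked from any machine with a small resolver script. The following is an added example, not code from this thread or from GL.iNet: the hostnames, the ISP and WireGuard-server addresses and the sample records are constructed placeholders (RFC 5737 documentation ranges), and only `live_resolver` touches real DNS.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Constructed sample records standing in for the live GLDDNS entries in the thread.
SAMPLE_RECORDS: Dict[str, str] = {
    "creta.glddns.com": "203.0.113.10",   # AR750: update sent through the WireGuard tunnel
    "mango.glddns.com": "198.51.100.25",  # MT300N-V2: update sent through the ISP path
}
ISP_WAN_IP = "198.51.100.25"   # placeholder for the ISP-assigned WAN address
WG_SERVER_IP = "203.0.113.10"  # placeholder for the WireGuard server's public address

Resolver = Callable[[str], str]


def sample_resolver(name: str) -> str:
    """Offline resolver over the constructed records; unknown names fail like NXDOMAIN."""
    try:
        return SAMPLE_RECORDS[name]
    except KeyError:
        raise socket.gaierror(f"constructed NXDOMAIN for {name}")


def live_resolver(name: str) -> str:
    """Resolver that queries real DNS; pass this in to check your own router names."""
    return socket.gethostbyname(name)


def classify_ddns(name: str, resolver: Resolver = sample_resolver,
                  isp_ip: str = ISP_WAN_IP, wg_ip: str = WG_SERVER_IP) -> Dict[str, str]:
    """Resolve one DDNS name and say which exit its registered address belongs to.

    "vpn": the update left through the tunnel, so inbound connections from the
           internet arrive at the VPN server, not at the router.
    "isp": the update left through the WAN, so inbound connections arrive at
           whichever router owns that WAN port (the main router in this setup).
    """
    address = resolver(name)
    ipaddress.ip_address(address)  # fail loudly if the resolver returned garbage
    if address == wg_ip:
        path = "vpn"
    elif address == isp_ip:
        path = "isp"
    else:
        path = "unknown"
    return {"name": name, "address": address, "path": path}


def same_endpoint(name_a: str, name_b: str, resolver: Resolver = sample_resolver) -> bool:
    """True when both names resolve to the same address, i.e. reach the same WAN port."""
    return resolver(name_a) == resolver(name_b)


def report(names: List[str], resolver: Resolver = sample_resolver,
           isp_ip: str = ISP_WAN_IP, wg_ip: str = WG_SERVER_IP) -> List[str]:
    """One human-readable line per name explaining where remote access will land."""
    lines = []
    for name in names:
        r = classify_ddns(name, resolver, isp_ip, wg_ip)
        if r["path"] == "isp":
            lines.append(f"{name} -> {r['address']}: ISP WAN address; remote access hits "
                         f"the main router's WAN port regardless of which device registered it")
        elif r["path"] == "vpn":
            lines.append(f"{name} -> {r['address']}: WireGuard server address; remote access "
                         f"is not reachable unless the VPN provider forwards the port")
        else:
            lines.append(f"{name} -> {r['address']}: matches neither known address; check "
                         f"which path the DDNS client updated from")
    return lines


if __name__ == "__main__":
    for line in report(list(SAMPLE_RECORDS)):
        print(line)
```

Run it as-is to see the constructed scenario; to check real routers, call `report(["your-name.glddns.com"], live_resolver, isp_ip=<your WAN IP>, wg_ip=<your WG endpoint>)` with the addresses from the router's status pages. A name classified as "isp" while the device behind it is supposed to be behind the tunnel is exactly the mismatch described in this thread.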