GL-AXT1800 - Wireguard Client domain based routing issue


I am having an issue with the Wireguard Client + Domain Based Routing. I have the following setting:

  • VPN Policy Base on the Target Domain or IP :white_check_mark:
  • Allow Access WAN :white_check_mark:

When Wireguard Client is off, the ping is normal, but when it is on, the ping is very high, even if the domain isn’t on the Target Domain list. Any thoughts why the ping to a domain that isn’t on the Target domain list is going through the Wireguard connection?

Here are some troubleshooting info:

→ Wireguard Client ON (Very high ping from MacOS and Router ):

PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=56 time=259.254 ms
64 bytes from icmp_seq=1 ttl=56 time=328.073 ms
64 bytes from icmp_seq=2 ttl=56 time=255.451 ms

→ Wireguard Client OFF (Normal ping):

➜  ~ ping
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=59 time=5.010 ms
64 bytes from icmp_seq=1 ttl=59 time=4.948 ms
64 bytes from icmp_seq=2 ttl=59 time=3.877 ms

→ Checking IP from command line.
Screen Shot 2023-07-17 at 6.16.43 pm

→ Target Domain list ( isn’t on the list so I don’t expect it goes through the Wireguard connection)


  • What firmware are you on? 4.2.3 just came out on the 6th.
  • Who’s the DNS provider for your WG Client tunnel?
  • What happens if you switch your DNS over to, say, Cloudflare DOH (GL GUI → Network → DNS → Encrypted DNS → {Mode, Encryption Type, Servers})
    • is another good site for troubleshooting; it also shows IPv6, DNS

Hi bring.fringe18

I am running the latest stable firmware: v4.2.3. I’ve switched the WG tunnel DNS over to (Cloudflare DNS). results

→ WG Client off:

→ WG Client on (can see traffic for having high latency, although it’s not going through WG client):

→ WG Server is in Spain

So you’re using Cloudflare via IPv4. I’d still set Cloudflare via DOH. That way the DNS lookup will be in the closest region to your IP, VPN/WG or not without having to edit the WG Client config. It could even end up that both the VPN & DNS end up connecting to the very same city.

I don’t know why your IPv4 is showing as Australia while the DNS is hitting Spain. I know it’s adding more than a few milliseconds for the lookup though.

I am based in Australia, and the IP of my Wireguard Server is in Spain.

→ CloudFlare DOH

It’s a mystery why the DNS server is being picked up as “Spain” for all the traffic on the router even though my DNS is set to CloudFlare DNS. So for non-VPN traffic it resolve flow through Australia DNS connection and for Wireguard traffic it should resolve through Spain connection.

I may need to contact GL.iNET Support to figure that one out I guess?

Yeah, this looks quite strange. If DOH was set it should be showing the CLOUDFLARENET in the same general region on your ISP or WG IPv4 accordingly regardless of what’s in your WG Client conf.

You don’t have a Domain or IP Policy set for the VPN, do you?

GL reps read these threads; they’ll set it eventually I’m sure.

Wait; are you looking to do ‘Split DNS’ while running an active WG Client session? IDK if that can be done in the current state of the firmware/OpenWrt.