GL-AXT1800 - Wireguard Client domain based routing issue

Hi

I am having an issue with the Wireguard Client + Domain Based Routing. I have the following setting:

  • VPN Policy Based on the Target Domain or IP ✓
  • Allow Access WAN ✓

When Wireguard Client is off, the ping is normal, but when it is on, the ping is very high, even if the domain isn’t on the Target Domain list. Any thoughts on why the ping to a domain that isn’t on the Target Domain list is going through the Wireguard connection?

Here is some troubleshooting info:

→ Wireguard Client ON (very high ping from macOS and the router):

ping news.com.au
PING news.com.au (23.1.4.128): 56 data bytes
64 bytes from 23.1.4.128: icmp_seq=0 ttl=56 time=259.254 ms
64 bytes from 23.1.4.128: icmp_seq=1 ttl=56 time=328.073 ms
64 bytes from 23.1.4.128: icmp_seq=2 ttl=56 time=255.451 ms

→ Wireguard Client OFF (normal ping):

➜  ~ ping news.com.au
PING news.com.au (23.219.60.108): 56 data bytes
64 bytes from 23.219.60.108: icmp_seq=0 ttl=59 time=5.010 ms
64 bytes from 23.219.60.108: icmp_seq=1 ttl=59 time=4.948 ms
64 bytes from 23.219.60.108: icmp_seq=2 ttl=59 time=3.877 ms

→ Checking IP from command line.

→ Target Domain list (news.com.au isn’t on the list, so I don’t expect it to go through the Wireguard connection)

Settings:

  • What firmware are you on? 4.2.3 just came out on the 6th.
  • Who’s the DNS provider for your WG Client tunnel?
  • What happens if you switch your DNS over to, say, Cloudflare DOH (GL GUI → Network → DNS → Encrypted DNS → {Mode, Encryption Type, Servers})?
    • ipleak.net is another good site for troubleshooting; it also shows IPv6, DNS

Hi bring.fringe18,

I am running the latest stable firmware: v4.2.3. I’ve switched the WG tunnel DNS over to 1.1.1.1 (Cloudflare DNS).

ipleak.net results

→ WG Client off:

→ WG Client on (can see traffic for news.com.au having high latency, although it’s not going through WG client):

→ WG Server is in Spain

So you’re using Cloudflare via IPv4. I’d still set Cloudflare via DOH. That way the DNS lookup will be in the closest region to your IP, VPN/WG or not, without having to edit the WG Client config. It could even end up that both the VPN & DNS connect to the very same city.

I don’t know why your IPv4 is showing as Australia while the DNS is hitting Spain. I know it’s adding more than a few milliseconds for the lookup though.
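The two ping transcripts earlier in the thread resolve news.com.au to different addresses depending on whether the tunnel is up (23.1.4.128 vs 23.219.60.108), which is what you would see if the DNS lookup itself is leaving through the tunnel and a CDN answers with an edge close to the resolver rather than to you. As an added troubleshooting example (not from this thread, GL.iNet or OpenWrt), the script below sends a plain UDP DNS A query to whichever resolvers you name, so you can compare what your ISP/Cloudflare resolver and the resolver in your WG Client config return for the same name; the resolver addresses and the file name dnscmp.py are assumptions.

```python
import random
import socket
import struct
import sys

def build_query(name, txid):
    """Minimal DNS A query (recursion desired) for name, as wire bytes."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):
    """Offset just past a (possibly compressed) domain name starting at off."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:  # walk plain labels
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)  # pointer = 2 bytes, root = 1

def parse_a_records(msg):
    """IPv4 addresses in the answer section; CNAMEs and other types are skipped."""
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return addrs

def resolve_via(name, resolver, timeout=3.0):
    """Ask one specific resolver over UDP/53 and return the A records it gives."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    if struct.unpack(">H", data[:2])[0] != txid:  # reject a reply we did not ask for
        raise ValueError("DNS transaction id mismatch")
    return parse_a_records(data)

if __name__ == "__main__":  # e.g. python dnscmp.py news.com.au 1.1.1.1 <tunnel DNS IP>
    name, resolvers = sys.argv[1], sys.argv[2:] or ["1.1.1.1"]  # 1.1.1.1 = Cloudflare
    for r in resolvers:
        print(r, name, "->", ", ".join(resolve_via(name, r)) or "no A records")
```

If the tunnel-side resolver hands back a different address set than the local one, ping both addresses directly; a big RTT gap between them means the latency comes from the CDN edge the DNS answer steered you to, not from the policy routing itself.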

I am based in Australia, and the IP of my Wireguard Server is in Spain.

→ CloudFlare DOH

ipleak.net

It’s a mystery why the DNS server is being picked up as “Spain” for all the traffic on the router even though my DNS is set to CloudFlare DNS. Non-VPN traffic should resolve through the Australian DNS connection, and Wireguard traffic should resolve through the Spain connection.

I may need to contact GL.iNET Support to figure that one out I guess?

Yeah, this looks quite strange. If DOH was set it should be showing the CLOUDFLARENET in the same general region on your ISP or WG IPv4 accordingly regardless of what’s in your WG Client conf.

You don’t have a Domain or IP Policy set for the VPN, do you?

GL reps read these threads; they’ll set it eventually I’m sure.

Wait; are you looking to do ‘Split DNS’ while running an active WG Client session? IDK if that can be done in the current state of the firmware/OpenWrt.