I am having an issue with the WireGuard Client + Domain Based Routing. I have the following settings:
- VPN Policy Base on the Target Domain or IP
- Allow Access WAN
When the WireGuard Client is off, the ping is normal, but when it is on, the ping is very high, even if the domain isn’t on the Target Domain list. Any thoughts why the ping to a domain that isn’t on the Target Domain list is going through the WireGuard connection?
Here is some troubleshooting info:
→ WireGuard Client ON (very high ping from macOS and the router):
PING news.com.au (126.96.36.199): 56 data bytes
64 bytes from 188.8.131.52: icmp_seq=0 ttl=56 time=259.254 ms
64 bytes from 184.108.40.206: icmp_seq=1 ttl=56 time=328.073 ms
64 bytes from 220.127.116.11: icmp_seq=2 ttl=56 time=255.451 ms
→ WireGuard Client OFF (normal ping):
➜ ~ ping news.com.au
PING news.com.au (18.104.22.168): 56 data bytes
64 bytes from 22.214.171.124: icmp_seq=0 ttl=59 time=5.010 ms
64 bytes from 126.96.36.199: icmp_seq=1 ttl=59 time=4.948 ms
64 bytes from 188.8.131.52: icmp_seq=2 ttl=59 time=3.877 ms
→ Checking IP from command line.
→ Target Domain list (news.com.au isn’t on the list, so I don’t expect it to go through the WireGuard connection)
I am running the latest stable firmware: v4.2.3. I’ve switched the WG tunnel DNS over to 184.108.40.206 (Cloudflare DNS).
→ ipleak.net results
→ WG Client off:
→ WG Client on (can see traffic for news.com.au having high latency, although it’s not going through the WG client):
→ WG Server is in Spain
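To check which way a given destination actually leaves the router, here is an added diagnostic script (not GL.iNet firmware code) that resolves a name through the router's own resolver and then asks the kernel, via `ip route get`, which interface the packet would be sent out of. It assumes the WireGuard client interface is named `wgclient` (override with `WG_IF`) and that `nslookup` and `ip` are available, as on OpenWrt-based firmware.

```shell
#!/bin/sh
# Hypothetical diagnostic helper, not part of the GL.iNet firmware.
# Assumption: the WireGuard client interface is "wgclient" (GL.iNet 4.x naming).
WG_IF="${WG_IF:-wgclient}"

# classify_route: given one line of "ip route get" output, print "vpn" when the
# egress device is the WireGuard interface, otherwise "wan".
classify_route() {
    dev=$(printf '%s\n' "$1" | awk '{for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1)}')
    if [ "$dev" = "$WG_IF" ]; then
        echo vpn
    else
        echo wan
    fi
}

# resolve_v4: first IPv4 answer for a name from the router's resolver.
# Assumption: the first IPv4 in nslookup output is the resolver itself
# (e.g. 127.0.0.1), so the second one is the actual answer.
resolve_v4() {
    nslookup "$1" 2>/dev/null | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sed -n '2p'
}

# check_domain: resolve a name, ask the kernel for its route (policy rules are
# honoured by "ip route get"), and report whether it would use the tunnel.
# Compare the result with the Target Domain list to spot traffic that is
# unexpectedly entering (or bypassing) the WireGuard tunnel.
check_domain() {
    ip=$(resolve_v4 "$1")
    [ -n "$ip" ] || { echo "could not resolve $1" >&2; return 1; }
    route=$(ip route get "$ip" 2>/dev/null | head -n 1)
    printf '%s (%s) -> %s: %s\n' "$1" "$ip" "$(classify_route "$route")" "$route"
}

# Usage: sh check_route.sh news.com.au example.org
if [ $# -gt 0 ]; then
    for name in "$@"; do check_domain "$name"; done
fi
```

Run it once with the WG client on and once with it off; a domain that is not on the Target Domain list should report `wan` in both cases.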
So you’re using Cloudflare via IPv4. I’d still set Cloudflare via DOH. That way the DNS lookup will be in the closest region to your IP, VPN/WG or not, without having to edit the WG Client config. It could even end up that both the VPN & DNS connect to the very same city.
I don’t know why your IPv4 is showing as Australia while the DNS is hitting Spain. I know it’s adding more than a few milliseconds for the lookup though.
I am based in Australia, and the IP of my WireGuard Server is in Spain.
→ CloudFlare DOH
It’s a mystery why the DNS server is being picked up as “Spain” for all the traffic on the router even though my DNS is set to Cloudflare DNS. So for non-VPN traffic the resolution should flow through the Australian DNS connection, and for WireGuard traffic it should resolve through the Spain connection.
I may need to contact GL.iNET Support to figure that one out I guess?
Yeah, this looks quite strange. If DOH was set, it should be showing CLOUDFLARENET in the same general region as your ISP or WG IPv4 accordingly, regardless of what’s in your WG Client conf.
You don’t have a Domain or IP Policy set for the VPN, do you?
GL reps read these threads; they’ll set it eventually I’m sure.
Wait; are you looking to do ‘Split DNS’ while running an active WG Client session? IDK if that can be done in the current state of the firmware/OpenWrt.