GL-AXT1800 - Wireguard Client domain based routing not working

I have a GL-AXT1800 where I set up a Wireguard Client via the GliNet App, and when doing “Domain Based Routing” it doesn’t seem to be respecting the domains I added. Here are my configs:

Wireguard Client config:
[Interface]
Address = 10.28.199.95
PrivateKey =
DNS = 10.0.0.243
MTU = 1420

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = 154.16.81.217:1337
PersistentKeepalive = 25
PublicKey =

Router Config (Version: 4.2.1):
Router IP: 192.168.8.1
Router DNS: 192.168.8.174
VPN Dashboard: I’ve set the “VPN Policy Base On The Target Domain Or IP” to “Use VPN” for the domain “ifconfig.me”

Python script used to check public IP address:
import requests

def get_ip_info(url):
    try:
        response = requests.get(url, timeout=3)
        return response.text.strip()
    except requests.exceptions.Timeout:
        return 'Timeout reached'

def redact_ip(ip):
    parts = ip.split('.')
    if len(parts) == 4:
        parts[2] = parts[3] = 'xx'
    return '.'.join(parts)

ifconfig_result = get_ip_info('http://ifconfig.me')
ipinfo_result = get_ip_info('http://ipinfo.io/ip')

if '.' in ifconfig_result:  # Check if result is an IP, not a timeout message
    ifconfig_result = redact_ip(ifconfig_result)

if '.' in ipinfo_result:  # Check if result is an IP, not a timeout message
    ipinfo_result = redact_ip(ipinfo_result)

print('IFCONFIG:', ifconfig_result)
print('IPINFO:', ipinfo_result)

Results from router (I expected it to get my local ISP address which is 47.182.xx.xx, since it’s not going through Wireguard client):
root@GL-AXT1800:~# ./checkip.py
ifconfig: 154.16.xx.xx
ipinfo: 154.16.xx.xx

Results from machine on LAN (looks like DNS issue as it can’t resolve ifconfig?)
user@macbook:~# ./checkip.py
ifconfig: Timeout reached
ipinfo: 45.115.xx.xx

Questions:

  • Any thoughts on why devices aren’t getting routed through the Wireguard Client?
  • Why is my Router going through Wireguard VPN network if I have set up Domain Based Routing?

On your MacBook, what were your DNS servers?

I think domain based VPN policy applies to clients connected to the modem not the modem itself… you need to further investigate it.

Thanks for your reply @SpitzAX3000. I have a dedicated DNS device running on 192.168.8.174 (PiHole). It doesn’t seem like an issue with the DNS, since on my Macbook I was able to resolve ipinfo.io but somehow I wasn’t able to resolve ifconfig.me (timeout). Looks like a DNS resolution issue on the AXT1800.

When I connect the wireless clients to the AXT1800 I expect it to route the traffic through the VPN. However, it seems like that isn’t working, and even more strange is that on the router itself all traffic is being routed through the VPN, which is odd since I am setting this up after a complete reset of the device.

I believe in order for the AXT modem to correctly perform domain-based policy, it needs to resolve the domains for you. So, please make sure that the Macbook is resolving domains using the AXT as a nameserver.

I can confirm the AXT1800 modem is resolving the DNS (by forwarding the requests to the DNS server on my LAN, 192.168.8.174).

It’s only when I turn on the Wireguard Client, that the DNS request to the domain on the domain-based policy will not resolve.

Then the modem might try to reach 192.168.8.174 through the VPN tunnel.

VPN policies only work when domain names are resolved by the dnsmasq on the router, not another nameserver:

I do not work for and I am not directly associated with GL.iNet

Yes, this should be the case.

If you set a manual DNS server (192.168.8.174), it will be used by both VPN and non-VPN. The router will first respect the DNS settings, then DNS from the VPN.
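
Added example, not part of any post in this thread: a standard-library Python check that sends the same A query for a policy domain directly to each nameserver discussed above (the router at 192.168.8.1 and the PiHole at 192.168.8.174), so the answers and timeouts can be compared with the WireGuard client on and off. The function names are assumptions of this example; the addresses and the domain are the ones given in the thread.

```python
import socket
import struct

def build_query(domain, txid=0x1234):
    """Encode a DNS A-record query for `domain` (RD flag set, one question)."""
    header = struct.pack('>HHHHHH', txid, 0x0100, 1, 0, 0, 0)
    qname = b''.join(bytes([len(p)]) + p.encode('ascii') for p in domain.strip('.').split('.'))
    return header + qname + b'\x00' + struct.pack('>HH', 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(msg, off):
    """Return the offset just past an encoded name (labels or compression pointer)."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # a 2-byte pointer always ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_a_records(msg, txid=0x1234):
    """Return the IPv4 addresses found in the answer section of a DNS response."""
    rid, flags, qd, an, _, _ = struct.unpack('>HHHHHH', msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError('not a response to our query')
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack('>HHIH', msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen  # non-A records (e.g. CNAME) are skipped
    return ips

def resolve_via(server, domain, timeout=3):
    """Ask one specific nameserver over UDP; return a list of IPs or a failure string."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(domain), (server, 53))
            return parse_a_records(s.recvfrom(512)[0]) or 'no A records'
        except socket.timeout:
            return 'timeout'
        except (OSError, ValueError, struct.error, IndexError) as exc:
            return f'error: {exc}'

if __name__ == '__main__':
    for server in ('192.168.8.1', '192.168.8.174'):  # router and PiHole, from the thread
        print(server, resolve_via(server, 'ifconfig.me'))
```

Run it on a LAN client and on the router; a domain that resolves through one nameserver but times out through the other shows which resolver path the VPN state is affecting.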