GL-MT3000 - DNS Split tunnel does not work

I have got this problem on a GL.iNet GL-MT3000 running version 4.6.2. This is a huge issue for my setup. My config works flawlessly on other client devices (Linux, Android, etc.)

VPN mode is set to "Auto Detect".
For the split tunnel client config, it seems the "DNS =" WireGuard setting is completely ignored.

It will only route requests to the specified DNS with the full tunnel config. I need it to work with the split tunnel one too, like in OP's use case.

Not sure what else to do besides completely switching to vanilla OpenWRT.

Hi,
Do you want to split DNS requests into multiple parts and go out through different interfaces? Currently, auto-detect mode does not support such a policy. With respect to wgclient, if the allowed-ips in the configuration is not '0.0.0.0/0', DNS is configured to be sent over the wan. If you do not need to create more than one VPN instance, selecting the policy based on domain or the policy based on vlan may suit your needs.

1 Like

Thanks a bunch for your reply.

That seems to be the issue. Judging by some of the past posts on this forum, it sounded like that setup has worked for other people. Why did it work for the person in the linked thread?

From a user's point of view, it can also be expected that the "DNS =" setting in my WireGuard client config isn't ignored.

I have a bunch of different WG client configs; everything except DNS in the split-tunnel scenario is working as expected, and switching between profiles is easy. I would prefer a solution that doesn't involve maintaining a custom policy or having to manually set the DNS server on my client devices.

On the Network -> DNS page, the DNS mode is set to "Automatic". I can see both resolver IPs ("DNS from Repeater/Ethernet" and "DNS from WireGuard"). The one from my WAN uplink and that of my split WireGuard tunnel. Shouldn't it prefer the tunnel DNS?

When I change the DNS mode to "Manual DNS" and set the IP to the one reachable through the tunnel, it won't use it for DNS lookups.

Why would it not adhere to the settings in my WireGuard config? Seems like a horrible design choice.
While it might be common to have AllowedIPs set to all IPs, there are still people that want to use their own DNS behind a WireGuard tunnel (for local hostnames) and still use their normal WAN uplink.

Thanks for your reply.
We discussed what you proposed and thought it reasonable. Better than the way we handle it now. We may change the DNS policy in Auto-detect mode to one based on the configuration option:

  1. If the DNS configuration option exists, all DNS requests are forwarded to the server by the VPN.
  2. Otherwise, it is processed through the wan interface.

What do you think of this approach?

2 Likes
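To make the two rules concrete, here is an added illustration (not GL.iNet firmware code) that parses a WireGuard client profile and reports where DNS queries would go under the current 4.6.2 Auto-Detect behaviour (split tunnel means WAN, "DNS =" ignored) and under the policy proposed above ("DNS =" present means tunnel, otherwise WAN). The profile, its keys and addresses are constructed sample values.

```python
# Added illustration, not GL.iNet firmware code; the sample profile below is constructed.
FULL_TUNNEL_ROUTES = {"0.0.0.0/0", "::/0"}

def parse_wg_conf(text):
    """Parse a WireGuard .conf into (interface_dict, [peer_dict, ...]).
    List values (AllowedIPs, DNS) are split on commas; '#'/';' comments are
    dropped, so a commented-out '#DNS = ...' line counts as absent."""
    iface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                current = iface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {section!r}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current.setdefault(key, []).extend(v.strip() for v in value.split(","))
    return iface, peers

def is_full_tunnel(peers):
    """True when any peer claims the default route (IPv4 or IPv6)."""
    return any(ip in FULL_TUNNEL_ROUTES for p in peers for ip in p.get("AllowedIPs", []))

def dns_path_current(iface, peers):
    """4.6.2 rule as described by staff: DNS= honoured only for a full tunnel."""
    return "vpn" if is_full_tunnel(peers) else "wan"

def dns_path_proposed(iface, peers):
    """Proposed rule: a DNS= option sends all DNS through the VPN, otherwise WAN."""
    return "vpn" if iface.get("DNS") else "wan"

SPLIT_CONF = """[Interface]
PrivateKey = CONSTRUCTED_PLACEHOLDER_PRIVATE_KEY=
Address = 10.8.0.2/24
DNS = 10.8.0.1

[Peer]
PublicKey = CONSTRUCTED_PLACEHOLDER_PUBLIC_KEY=
AllowedIPs = 10.8.0.0/24, 192.168.50.0/24
Endpoint = vpn.example.net:51820
"""
```

Swapping the AllowedIPs line for `0.0.0.0/0, ::/0` turns the profile into a full tunnel, and commenting out the DNS line reproduces the opt-out path mentioned later in the thread.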

That sounds excellent.

This way users will have the same WireGuard experience as they do on other devices. If they would prefer to not use the DNS from the config, they can uncomment it in the config through the UI and it will go the usual route (Encrypted DNS through WAN, etc.).

Thank you again for your time.

1 Like