How do domain-based VPN exceptions work?

In firmware 4.x, how are domain-based VPN exceptions implemented, technically? Where do I find the exceptions in the file system?

This seems difficult to answer. I don’t know until I set up some policy and check what changed in the file system. But it should not be difficult to do so.

Do you want to modify settings directly?

/etc/config/vpnpolicy

But I would recommend utilizing uci for changes here.

Did you mean LuCI? I looked in LuCI but couldn’t find the relevant section.

I am just trying to understand how domain exceptions work for local clients in order to better guess why they don’t work for tailscaled clients.

No, I was talking about uci, the OpenWrt configuration tool, while using SSH.

I guess because they don’t use the router's DNS?

They do. Tailscale's default setting is for devices to use the DNS of the exit node. It should be configured to be external, but I have done that already. It is set to Cloudflare in the GL firmware.

Could you explain how domain exceptions work for local clients and do you have an idea why they might not be working for tailscaled clients?

They work by resolving the DNS entry using the local dnsmasq server on the router itself.
So as soon as a device is not requesting a DNS entry from the router's DNS server itself, they won’t work.

Is this so even if I have configured DNS over TLS from Cloudflare on the router? I am not familiar with dnsmasq and how it is used in the GL firmware. Does it, like, forward DNS requests to whatever server is configured as the DNS server in the GL firmware, then apply the routing rule (exclusion or inclusion) on the IP obtained?

Yep, that should be how it works, since it even works with AGH enabled or DNS-over-TLS.
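As an added illustration (not from this thread or from GL.iNet's own code), here is a small Python model of the mechanism described above: the exception only takes effect for destination IPs that the router's dnsmasq saw in a DNS answer, so a client that resolves names elsewhere is routed through the VPN regardless of the domain. Domain names and addresses are constructed samples.

```python
# Added example (not from the forum thread): a model of domain-based VPN
# exceptions that depend on the router's dnsmasq observing DNS answers.
import ipaddress


class DomainPolicyRouter:
    """Models a router whose dnsmasq resolves names (via whatever upstream
    is configured, e.g. DNS-over-TLS) and records the answered IPs into a
    bypass set that the policy-routing rules consult."""

    def __init__(self, exceptions):
        # domains (and their subdomains) that should bypass the VPN
        self.exceptions = {d.lower().strip(".") for d in exceptions}
        # IPs learned from answers served by *this* router's dnsmasq
        self.direct_ips = set()

    def _matches_exception(self, name):
        name = name.lower().strip(".")
        return any(name == d or name.endswith("." + d) for d in self.exceptions)

    def resolve_via_router(self, name, upstream_answers):
        """Client asked the router's dnsmasq. dnsmasq forwards upstream, sees
        the answer, and can populate the bypass set before any traffic flows."""
        if self._matches_exception(name):
            self.direct_ips.update(ipaddress.ip_address(a) for a in upstream_answers)
        return list(upstream_answers)

    def route_for(self, dst_ip):
        """Policy-routing decision for a packet to dst_ip: only IPs learned
        through the router's own resolver are sent outside the VPN."""
        return "direct" if ipaddress.ip_address(dst_ip) in self.direct_ips else "vpn"


def demo():
    router = DomainPolicyRouter(["example.net"])
    # Constructed sample: a LAN client resolves through the router first.
    lan_ips = router.resolve_via_router("www.example.net", ["203.0.113.10"])
    lan_route = router.route_for(lan_ips[0])
    # Constructed sample: a client using a different resolver (as a Tailscale
    # peer might) never queries the router, so no IP is ever learned.
    other_route = router.route_for("203.0.113.20")
    return lan_route, other_route  # returns ("direct", "vpn")
```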