Local VPN DNS troubles on fw 4.8

Hi,

So I'm fiddling around with the new vpn dashboard on my MT3000.

To my surprise I noticed a bottleneck and I'm not so sure if I'm doing it right or wrong. :slight_smile:

So I added a local WireGuard client and ensured the DNS section has been set to 10.6.7.1. This will ignore the GL DNS settings, but that is my intention; I base this on the pre-configured Mullvad configs.

Of course this will not give me internet to the DNS, because in the older firmware I had to check:

But after this change I see that every DNS attempt has been dropped. This is unexpected, because the expected behaviour should be that LAN access was allowed. Is this a bug?

Anyway, as soon as I change the global proxy to policies and use 10.6.7.1 to bypass to WAN, it works fine.

Now I haven't tested this on another external network, so maybe something masquerading-related with inner zones on my main router blocks it, although I doubt this, since bypassing the tunnel on the MT3000 magically worked in the end; it is just a route. But I found this confusing; this was not the case before the dashboard change.

The config in my MT3000:

[Interface]
Address = 10.6.7.2/32
PrivateKey = snip
DNS = 10.6.7.1
MTU = 1420

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = snip.ddns.net:4443
PersistentKeepalive = 25
PublicKey = snip

Edit:
Just tested the direct config on my phone connected to the MT3000. I see no issue; something in the GL kill switch is blocking it.

The firmware is:

4.8.0 release 3 (2025-07-23 12:47:20 (UTC+00:00))

Edit 2:
Adding 10.6.7.1/32 to AllowedIPs doesn't work either, nor on the server, which then forces a route. I can, however, connect perfectly fine to 10.6.7.1 even without it defined in AllowedIPs and reach the gateway's web interface, but port 53 traffic doesn't want to work. I'm 100% certain it must be a kill switch problem.
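As an added example (not code from the thread or from GL.iNet), the script below parses a WireGuard client config like the one posted above and reports, for each DNS= address, whether AllowedIPs routes it through the tunnel or lets resolver queries leave over the plain WAN. The sample configs are constructed, with the keys redacted as in the post; a split-tunnel variant is included to show the opposite case.

```python
import ipaddress
from configparser import ConfigParser

# Constructed sample mirroring the MT3000 config posted above (secrets redacted).
FULL_TUNNEL_CONF = """
[Interface]
Address = 10.6.7.2/32
PrivateKey = snip
DNS = 10.6.7.1
MTU = 1420

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = snip.ddns.net:4443
PersistentKeepalive = 25
PublicKey = snip
"""

# Constructed split-tunnel variant: only the tunnel subnet is routed, but one
# DNS entry points at a public resolver, so those queries would bypass the VPN.
SPLIT_TUNNEL_CONF = FULL_TUNNEL_CONF.replace(
    "AllowedIPs = 0.0.0.0/0", "AllowedIPs = 10.6.7.0/24"
).replace("DNS = 10.6.7.1", "DNS = 1.1.1.1, 10.6.7.1")


def parse_wg_conf(text):
    """Parse a single-peer INI-style WireGuard config into {section: {key: value}}."""
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the original key case (DNS, AllowedIPs)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def dns_routing(text):
    """For every DNS= address, say whether AllowedIPs sends it through the tunnel."""
    cfg = parse_wg_conf(text)
    allowed = [ipaddress.ip_network(n.strip())
               for n in cfg["Peer"]["AllowedIPs"].split(",")]
    result = {}
    for entry in (e.strip() for e in cfg["Interface"].get("DNS", "").split(",")):
        if not entry:
            continue
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            continue  # DNS= may also list search domains; they carry no route
        result[entry] = {"via_tunnel": any(ip in net for net in allowed),
                         "private": ip.is_private}
    return result


def leaking_resolvers(text):
    """DNS servers not covered by AllowedIPs: queries to them go out over the WAN."""
    return sorted(s for s, r in dns_routing(text).items() if not r["via_tunnel"])
```

With the posted config every resolver is inside 0.0.0.0/0, so DNS can only reach 10.6.7.1 through the tunnel; a LAN-side rule that drops DNS towards anything but the router (the lan_drop_leaked_dns rule discussed later in the thread) is then the remaining thing to check.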

Hi,

Is this IP your own VPN server IP or Mullvad server node IP?

If it is your own VPN server IP, I will try to reproduce.


It is my own IP :+1:

Thanks, I just wonder why you mentioned "Mullvad"?

These configs by Mullvad use the DNS entry by default; however, in a lot of configs this entry doesn't exist, not by default.

I found out that when using this setting in my own VPN config I have no issues with the DNS options in the GL UI, like leaking WAN DNS over wgclient or WG DNS over WAN. I have been told this was intended design; however, with this DNS section I can bypass this behaviour back to the older behaviour. I still think that is best, because wgclient DNS over WAN is not good: it invites unexpected blocking on many IPTV devices or Netflix blocking when policies are set.

^ I haven't verified whether something changed in the DNS settings, though.

I took Mullvad as an example to base my own config on.

Hi,

Sorry, I could not quite understand the issue you mentioned.

What issue did you mention about VPN (client) DNS?

How to reproduce this issue?

I just tried to understand what you mentioned and then I tested it locally; it seems like there is no problem with client to server for DNS 53.

Simulated a VPN server and added a custom domain to hosts (192.168.50.0/24 are the LAN clients under the server).

MT3000 as VPN client, connected to the VPN server with the profile DNS set to the server tunnel IP (64.6.64.6 removed).


The client PC under the MT3000 pings the domain and it is reachable, indicating that the VPN client can obtain DNS resolution from the VPN server, so DNS on port 53 has no exceptions.


This issue is not about fixing the DNS workaround.

This issue is about the kill switch blocking the gateway 10.6.7.1.

C:\Users\xize>ping 10.6.7.1

Pinging 10.6.7.1 with 32 bytes of data:
Reply from 10.6.7.1: bytes=32 time=1ms TTL=63
Reply from 10.6.7.1: bytes=32 time=1ms TTL=63
Reply from 10.6.7.1: bytes=32 time=2ms TTL=63
Reply from 10.6.7.1: bytes=32 time=1ms TTL=63

Ping statistics for 10.6.7.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

C:\Users\xize>nslookup google.com
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.8.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.

This happens with the global mode settings.

Even when this setting has been set active:
[screenshot]

When I observe the firewall rules I see this:

Would this be a remnant of the VPN policies which otherwise should be deleted? I unchecked lan_drop_leaked_dns and it works.

Hi,

My test network topology:

The server has no changes, same as in my last reply.

The client is the MT3000 v4.8.0 r3, tested with both Global and Policy mode, each with Kill Switch enabled.

DNS is the server (BE9300) tunnel IP.

The PC (LAN client) under the Travel router (VPN client):

C:\Users\itwuh>ping 192.168.6.1

Pinging 192.168.6.1 with 32 bytes of data:
Reply from 192.168.6.1: bytes=32 time=3ms TTL=63
Reply from 192.168.6.1: bytes=32 time=4ms TTL=63
Reply from 192.168.6.1: bytes=32 time=8ms TTL=63
Reply from 192.168.6.1: bytes=32 time=8ms TTL=63

Ping statistics for 192.168.6.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 3ms, Maximum = 8ms, Average = 5ms

C:\Users\itwuh>ping 10.1.0.1

Pinging 10.1.0.1 with 32 bytes of data:
Reply from 10.1.0.1: bytes=32 time=6ms TTL=63
Reply from 10.1.0.1: bytes=32 time=5ms TTL=63
Reply from 10.1.0.1: bytes=32 time=9ms TTL=63
Reply from 10.1.0.1: bytes=32 time=6ms TTL=63

Ping statistics for 10.1.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 5ms, Maximum = 9ms, Average = 6ms

C:\Users\itwuh>nslookup NAS
Server:  console.gl-inet.com
Address:  192.168.8.1

Name:    NAS.lan
Address:  192.168.6.164


C:\Users\itwuh>ping NAS

Pinging NAS.lan [192.168.6.164] with 32 bytes of data:
Reply from 192.168.6.164: bytes=32 time=24ms TTL=62
Reply from 192.168.6.164: bytes=32 time=5ms TTL=62
Reply from 192.168.6.164: bytes=32 time=5ms TTL=62
Reply from 192.168.6.164: bytes=32 time=6ms TTL=62

Ping statistics for 192.168.6.164:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 5ms, Maximum = 24ms, Average = 10ms

C:\Users\itwuh>nslookup google.com
Server:  console.gl-inet.com
Address:  192.168.8.1

Non-authoritative answer:
Name:    google.com
Address:  142.250.64.110


C:\Users\itwuh>nslookup gl-inet.com
Server:  console.gl-inet.com
Address:  192.168.8.1

Non-authoritative answer:
Name:    gl-inet.com
Address:  3.0.226.225

I could not reproduce your issue. Could you please share your router backup configuration with me in a PM?