Split Tunnel via VPN Policy or via Wireguard allowedIPs config?

I’d think “Base on the Target Domain or IP” might be the best case then, if there’s the expectation of more general traffic going through the clearnet than the VPN tunnel. You can always put ipleak.net in that same policy list to test & confirm. I usually put https://ipecho.net/plain in there too for the few times I’m trying out experimental/random configs.

Well, Hell, I’d just throw the Global Proxy policy on @ GL GUI → VPN → VPN Dashboard → VPN Client → Global Proxy if that’s the case for that spell of time. IDK but I presume that function is also available in GL’s phone app but I’ve never used the app. I’d imagine it’d be easier than toggling a different connection in ea. device’s WG app but it still may not be exactly what you’re looking for.

I do something quite similar though I offload upstream DNS to a third party host once the request is processed through my local blocklists (handled by dnscrypt-proxy2) on my GL device.

Yeah, your WG Client connected devices (LAN clients) are hitting the dnsmasq process, which handles DHCP & DNS forwarding behind the scenes before routing through the WG Client & its conf/specifics. If you head over to DNS via GL GUI → Network → DNS you’ll find a host of options for various configurations. IDK if mere Manual w/ IPv4 would be what you’re looking for, but it’s the simplest option. That runs on port 53, as do all traditional, unencrypted, insecure DNS lookups, but if you’re shunting it thru a WG tunnel it’s of no matter.

Another option would be setting up DoH or DoT. That way all outbound DNS requests, VPN or no, would be encrypted too. I prefer DoH as it uses :443 & no Wi-Fi hotspot/foreign LAN is going to block the very port needed for SSL/TLS.

When you use Encrypted DNS (GL GUI → Network → DNS → DNS Server Settings), dnsmasq forwards all locally originating lookups over to dnscrypt-proxy2 listening on 127.0.0.1#5453. The lists under ‘+ Servers’ come from local conf files for dnscrypt-proxy2 on the GL device, but a custom conf can be uploaded, then symlinked, if you wanted your own strict/custom server to be used. It’ll then be reflected in the GL GUI. E.g.:

root@GL-AXT1800:~# ll /etc/dnscrypt-proxy2/dnscrypt-proxy.toml
lrwxrwxrwx    1 root     root          40 Jun 28 02:13 /etc/dnscrypt-proxy2/dnscrypt-proxy.toml -> dnscrypt-proxy.my-personal-third-party-doh-provider.locked.toml

I bring this up because I’m of the position that all DNS lookups should be encrypted, regardless of whether running a tunnel or over clearnet.

Fortunately, on the latest firmware you can configure the WireGuard configs in the UI as well.

Yup; & those files are located @ /etc/config/wireguard & /etc/config/wireguard_server, respectively. You should probably make a backup once you’ve got everything as you want it… I hate the idea of anyone losing a perfectly good network configuration.
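As an added example (not part of this thread or GL.iNet’s own tooling): a small Python check that applies WireGuard’s AllowedIPs semantics to a client conf, so you can confirm which destinations would enter the tunnel before relying on a split-tunnel setup. The conf, the subnets and the hostnames in it are constructed for the example; it assumes a single peer, where any AllowedIPs match routes the packet into the wg interface.

```python
import ipaddress

# Constructed sample client conf (not from the thread): only two remote subnets
# and one public host are sent through the peer; everything else stays on clearnet.
SAMPLE_CONF = """
[Interface]
PrivateKey = <redacted>
Address = 10.8.0.2/24

[Peer]
PublicKey = <redacted>
Endpoint = vpn.example.com:51820
AllowedIPs = 10.8.0.0/24, 192.168.50.0/24, 203.0.113.10/32
"""


def parse_allowed_ips(conf: str) -> list:
    """Collect every AllowedIPs network from all [Peer] sections of a wg conf."""
    nets, section = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        if section == "peer" and key.strip().lower() == "allowedips":
            for item in value.split(","):
                if item.strip():
                    nets.append(ipaddress.ip_network(item.strip(), strict=False))
    return nets


def routed_via_tunnel(dst: str, nets) -> bool:
    """True if some AllowedIPs entry covers dst (single-peer assumption)."""
    addr = ipaddress.ip_address(dst)
    return any(addr in n for n in nets)


def covers_all_ipv4(nets) -> bool:
    """Detect a full tunnel even when 0.0.0.0/0 is written as 0.0.0.0/1 + 128.0.0.0/1."""
    v4 = [n for n in nets if n.version == 4]
    total = sum(n.num_addresses for n in ipaddress.collapse_addresses(v4))
    return total == 2 ** 32
```

Feed it the real conf from /etc/config/wireguard and test the addresses that matter to you (the ipleak.net check hosts mentioned above, your LAN, your DNS resolver) to see which side of the split they land on.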