Traceroute & VPN policy

I’ve set up a VPN policy based on target domain/IP: every request towards a list of domains gets tunnelled via the WireGuard VPN, all the others don’t.
Everything seems to work correctly: I can see traffic on the target endpoint coming from the VPN server.

However, when I want to test this behaviour via a traceroute command, everything seems to pass through the VPN, regardless of the policy and the target endpoint.
What am I doing wrong?

VPN policies work only if you use the router as the DNS server.

As soon as a device is using some different DNS settings, the policies won’t work anymore.
Are you sure your device uses the DNS server of your router?

Hi @admon,
Actually, the traceroute commands are being sent from the router (Mango), so I would exclude DNS as a problem.
For the avoidance of doubt, all IP/UDP traffic from the LAN respects the VPN policy.
My only issue is with traceroute performed from the router.
Maybe ICMP can bypass VPN policies?

Ping and traceroute on the router itself will not be handled by VPN. That’s intentional, as far as I know.

Hm, just checked it with my router - it works there :confused:
But I am using AdGuard Home, might be the difference here.