VPN Policy Base On The Target Domain not working

i_fin · December 16, 2022, 7:57pm

VPN Policy Base On The Target IP is working nice
But VPN Policy Base On The Target Domain not working

K3rn3l_Ku5h · December 17, 2022, 1:41pm

What device and firmware is this?
Things like Facebook need a number of connections and domains to work, perhaps you are missing one. Wireshark is good to access this, as it shows all traffic and connections

VPN policy will only work for local network and will not be honored by VPN clients connecting to server outside the local network.
I do not work for and I am not directly associated with GL.iNet

i_fin · December 17, 2022, 1:59pm

Axt1800 fw 4.1.0 7 rel
First of all I need yt3.ggpht.com

internet<-axt1800 (for vpn) <-ASUSrouter (dhcp+WiFi)<-devices

xize11 · December 17, 2022, 2:32pm

On the SlateAx you use the default lan interface nothing advanced?

What also could be if I understood correctly:

You need to make sure your asus router gets the dns from your SlateAx, and you also need to make sure your client then uses the dns from the asus router if that makes sense.

However the tricky part is, I believe the domain name you try to bypass is from google, and google has ways to ignore the default dns settings, I noticed this on my android devices aswell, what I did was making a port forward from port 53 udp to the router ip this basicly forces all 53 dns traffic.

Editted I misreaded it for flint

K3rn3l_Ku5h · December 17, 2022, 10:26pm

FYI Both android and apple devices have ways of bypassing the vpn apps on devices, so act accordingly.

wcs2228 · December 17, 2022, 11:15pm

My understanding is that dnsmasq on the router is required for VPN policies to work with domain names. You can try configuring the GL-AXT1800 as the main router and the ASUS router as a wifi access point:

internet<-axt1800 (for dns+dhcp+vpn) <-ASUS router (wifi access point)<-devices

I do not work for and I do not have formal association with GL.iNet.

wcs2228 · December 18, 2022, 12:45am

On the GL-AXT1800, you should turn on the Override DNS Settings for All Clients setting:

There are web posts that state some apps (notably Netflix) and devices (notably Chromecast, Google Home Hub) use hardcoded Google DNS servers (8.8.8.8, 8.8.4.4) to bypass your client device, router and VPN DNS settings. My understanding is the Override DNS Settings for All Clients will intercept such DNS requests and redirect then to your router’s DNS servers.

This technique is only a partial solution because they may have additional ways to detect your location.

alzhao · December 20, 2022, 8:40am

Pls check if your pc is using encrypted dns or not.

For example, in Windows if you set 8.8.8.8 or 1.1.1.1 it will use encrypted dns, so the domain based policy will not work.

i_fin · December 20, 2022, 8:54am

yes it is.
but now everything is working fine, although I haven’t reconfigured anything, except nnmclub.to.