VPN Policy Base On The Target Domain not working

i_fin · 2022-12-16T19:57:29.875Z

VPN Policy Base On The Target IP is working nice
But VPN Policy Base On The Target Domain not working

2022-12-16 — копия748×603 29.2 KB

K3rn3l_Ku5h · 2022-12-17T13:41:06.860Z

What device and firmware is this?
Things like Facebook need a number of connections and domains to work, perhaps you are missing one. Wireshark is good to access this, as it shows all traffic and connections

VPN policy will only work for local network and will not be honored by VPN clients connecting to server outside the local network.
I do not work for and I am not directly associated with GL.iNet

i_fin · 2022-12-17T13:59:55.132Z

Axt1800 fw 4.1.0 7 rel
First of all I need yt3.ggpht.com

internet<-axt1800 (for vpn) <-ASUSrouter (dhcp+WiFi)<-devices

xize11 · 2022-12-17T14:32:40.889Z

On the SlateAx you use the default lan interface nothing advanced?

What also could be if I understood correctly:

You need to make sure your asus router gets the dns from your SlateAx, and you also need to make sure your client then uses the dns from the asus router if that makes sense.

However the tricky part is, I believe the domain name you try to bypass is from google, and google has ways to ignore the default dns settings, I noticed this on my android devices aswell, what I did was making a port forward from port 53 udp to the router ip this basicly forces all 53 dns traffic.

Editted I misreaded it for flint

K3rn3l_Ku5h · 2022-12-17T22:26:54.624Z

FYI Both android and apple devices have ways of bypassing the vpn apps on devices, so act accordingly.

wcs2228 · 2022-12-17T23:15:09.802Z

My understanding is that dnsmasq on the router is required for VPN policies to work with domain names. You can try configuring the GL-AXT1800 as the main router and the ASUS router as a wifi access point:

internet<-axt1800 (for dns+dhcp+vpn) <-ASUS router (wifi access point)<-devices

I do not work for and I do not have formal association with GL.iNet.

wcs2228 · 2022-12-18T00:45:40.810Z

On the GL-AXT1800, you should turn on the Override DNS Settings for All Clients setting:

image1672×624 54.1 KB

There are web posts that state some apps (notably Netflix) and devices (notably Chromecast, Google Home Hub) use hardcoded Google DNS servers (8.8.8.8, 8.8.4.4) to bypass your client device, router and VPN DNS settings. My understanding is the Override DNS Settings for All Clients will intercept such DNS requests and redirect then to your router’s DNS servers.

This technique is only a partial solution because they may have additional ways to detect your location.

alzhao · 2022-12-20T08:40:19.590Z

Pls check if your pc is using encrypted dns or not.

For example, in Windows if you set 8.8.8.8 or 1.1.1.1 it will use encrypted dns, so the domain based policy will not work.

i_fin · 2022-12-20T08:54:44.061Z

alzhao:

pc is using encrypted dns

yes it is.
but now everything is working fine, although I haven’t reconfigured anything, except nnmclub.to.