VPN Policy Mode issues with Specified Domain / IP List

Using the Policy Mode of the VPN feature with the “Specified Domain / IP List” option, I ran into an issue.

When providing a list of domains, the feature doesn’t seem to work. The services are not accessed through the VPN.
There are no issues when providing IP addresses.

When the mode is switched to “Exclude specified Domain / IP List”, then the provided domains are accessed via the VPN.
However, all other domains that were not specified are also accessed through the VPN.
It acts the same as “All targets”.

Other VPN connections with lower priority also don’t work. This makes sense, as their domains and IP addresses are also matched by the “exclude domains” logic of the previous one.

If I make them a higher priority, then they take precedence and they work.
These rules only contain IP addresses, no domains. So maybe the issue is just with domains.

This issue persists on the Beryl 7 and also on my Opal.

  • Beryl 7 (GL-MT3600BE)(Firmware Version 4.8.5)
  • Opal (GL-SFT1200)(Firmware Version 4.3.25)

AdGuard is disabled when using the Beryl 7.

It would be great if the “Specified Domain / IP List” would just work with the domains provided.
Are there any steps I need to do first, that I could have missed?
Are other people affected by this as well?

Note:

It also impaired my ability to send email over SMTP with my local email client Thunderbird. This happens with Gmail as well as my own mail server.
They don’t normally block me from sending email when on a VPN. It turned out that it was an issue with a specific location of my VPN provider. Just switching to another location fixed the issues somehow.
My connection to the SMTP servers of my email providers should never have been routed through the VPN at all. It just ended up being “captured”, as I had switched to the “exclude” mode to make it work at all.

Hi

We tested locally with the SFT1200 running v4.3.25, but were unable to reproduce the issue.
The domains in the list are correctly routed through the VPN tunnel.

In Policy Mode, the VPN requires client devices to use the router’s LAN IP as their DNS server in order to properly apply domain-based routing.

Therefore, please make sure that encrypted DNS is disabled on your client devices/browser, and that they are configured (or obtain via DHCP) to use the router’s LAN IP as their DNS server.

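As an added illustration of the requirement stated in the reply above (not code from the thread or from GL.iNet), the following Python script checks whether a LAN client is set up so that domain-based policy routing can see its lookups: every resolver in a resolv.conf-style file must be the router’s LAN IP, and Firefox must not have DNS-over-HTTPS enabled. The router LAN IP 192.168.8.1, the sample resolv.conf contents and the sample prefs.js line are constructed here; the helper names (`parse_resolvers`, `firefox_trr_mode`, `check_client`) are this example’s own. The Firefox preference `network.trr.mode` is real: values 2 (DoH first) and 3 (DoH only) send lookups over HTTPS and bypass the router’s resolver.

```python
"""Check whether a LAN client sends plain DNS to the router (added example).

A GL.iNet VPN Policy Mode domain list can only be applied to lookups the
router actually answers, so a client that resolves via 1.1.1.1 or via
browser DoH will have its traffic routed as if the domain were unlisted.
"""
from __future__ import annotations

import ipaddress
import re

# Constructed sample inputs; 192.168.8.1 is assumed to be the router's LAN IP.
ROUTER_LAN_IP = "192.168.8.1"

RESOLV_OK = """# Generated by DHCP
nameserver 192.168.8.1
search lan
"""

RESOLV_CUSTOM = """# custom resolver configured on the client
nameserver 1.1.1.1
nameserver 192.168.8.1
"""

# Firefox prefs.js / user.js line enabling DoH-only mode.
PREFS_DOH_ONLY = 'user_pref("network.trr.mode", 3);\n'


def parse_resolvers(resolv_conf: str) -> list[str]:
    """Return the nameserver addresses listed in resolv.conf-style text, in order."""
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def firefox_trr_mode(prefs_js: str) -> int:
    """Extract network.trr.mode from Firefox prefs.js text; 0 when not set."""
    m = re.search(r'user_pref\("network\.trr\.mode",\s*(\d+)\);', prefs_js)
    return int(m.group(1)) if m else 0


def check_client(router_lan_ip: str, resolv_conf: str, prefs_js: str = "") -> tuple[bool, list[str]]:
    """Return (ok, findings); ok is True only when all lookups reach the router."""
    findings: list[str] = []
    router = ipaddress.ip_address(router_lan_ip)

    servers = parse_resolvers(resolv_conf)
    if not servers:
        findings.append("no nameserver configured; the router sees no lookups")
    for idx, s in enumerate(servers):
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            findings.append(f"unparseable nameserver entry: {s!r}")
            continue
        # Resolvers are tried in list order, so any foreign entry means some
        # lookups for policy-listed domains can bypass the router.
        if addr != router:
            findings.append(f"resolver #{idx + 1} is {s}, not the router {router}")

    mode = firefox_trr_mode(prefs_js)
    if mode in (2, 3):
        findings.append(f"Firefox DoH enabled (network.trr.mode={mode}); lookups bypass the router")

    return (not findings, findings)


if __name__ == "__main__":
    for label, conf, prefs in (("dhcp", RESOLV_OK, ""), ("custom", RESOLV_CUSTOM, PREFS_DOH_ONLY)):
        ok, findings = check_client(ROUTER_LAN_IP, conf, prefs)
        print(f"{label}: {'OK' if ok else 'NOT OK'}")
        for f in findings:
            print("  -", f)
```

Run it against the client’s real /etc/resolv.conf (or the equivalent per-interface DNS setting on Windows/macOS) and the Firefox profile’s prefs.js; the DHCP case passes, the custom-resolver plus DoH case reports both bypasses. A `network.trr.mode` of 0 only means the preference was never set explicitly, so a browser can still have DoH switched on through its settings UI; the resolver check is the one that matters for the OS-level lookups.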

Oh, that makes a lot of sense! I’ve never seen that requirement.

After turning off the custom DNS settings in my OS as well as my browser, restarting, flushing the cache, etc., I got it to work.

As browsers also have a DNS cache, changes to the list of domains for the VPN policy are not reflected immediately.
That’s just something to be aware of.

It would be great if all of these hints were part of the UI.
I assume that many other users of GL.iNet devices might run custom DNS configs. Especially since I am not always connected to a GL.iNet device, I wanted to put my custom DNS config on my devices and in my apps as well, instead of just having it on my GL.iNet device.

Glad to hear it's working fine now.

And thanks for your suggestion.
We'll check with the product team to see if we can place a reminder in a suitable location.
