On my AX-1800 I have the same WG tunnel defined in two different ways, identical except for the “AllowedIPs” being 0.0.0.0 for the “Full” version, and only my personal WG server’s subnet (192.168.124.0/24) for the “Local” version. In both config files the DNS is set up to my personal WG server’s DNS server (192.168.124.1, which is routed to CloudFlare via DoH).
If I use the “Full” version, everything works as expected. If I use the “Local” version, I can pass traffic thru OK to the personal WG server’s subnet, with outside traffic (apparently) going thru the default route set up by the WAN, but DNS doesn’t work; I can’t resolve queries.
In the “Full” version, I can go to dnsleaktest.com and see that all DNS is routed (via the tunnel) to CloudFlare, as expected.
What I guess is happening is the AXT is trying to use the default route to contact the DNS server, and not using the routing table (? guess?) and seeing that the .124.1 address should be routed to the WG tunnel at 124.0/24 .
… huh. I just tested this: it turns out that NO non-AllowedIPs traffic passes. I’m getting DNS OK, I just can’t get to them.
So now I guess the issue is WG Client Split Tunnels don’t work? (I swear this used to work before, though. I’m currently on 4.0.2-release 1, but it was also failing on the previous version)
FWIW, using the “Local” config file on my Linux laptop does as expected; only traffic in “AllowedIPs” goes thru the tunnel, everything else goes out thru the WAN’s “native” connection.
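To make the expected split-tunnel behaviour described in the post concrete, here is an added example (not from the original post or from GL.iNet): a small Python script that parses a wg-quick style client config, and for a list of destinations reports whether the packet should enter the tunnel (destination inside a peer's AllowedIPs) or fall through to the WAN default route. It also checks the caveat that matters for the "Local" layout: the DNS server must itself sit inside AllowedIPs, otherwise resolution goes out the WAN and to an address only reachable over the tunnel. The two configs, the key placeholders, the endpoint hostname and the destination addresses are constructed for the example.

```python
import ipaddress

# Constructed sample configs (not the poster's files); keys and endpoint are placeholders.
FULL_CONF = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 192.168.124.10/32
DNS = 192.168.124.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

# "Local" variant: only the WG server's subnet is routed into the tunnel.
LOCAL_CONF = FULL_CONF.replace("AllowedIPs = 0.0.0.0/0, ::/0",
                               "AllowedIPs = 192.168.124.0/24")


def parse_wg_conf(text):
    """Minimal parser for wg-quick configs: one [Interface], one or more [Peer] sections."""
    conf = {"Interface": {}, "Peers": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if line[1:-1] == "Peer":
                current = {}
                conf["Peers"].append(current)
            else:
                current = conf["Interface"]
            continue
        if current is None:
            continue  # key outside any section; ignore
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in ("AllowedIPs", "DNS", "Address"):
            # comma-separated list keys; repeated keys accumulate
            current.setdefault(key, []).extend(
                v.strip() for v in value.split(",") if v.strip())
        else:
            current[key] = value
    return conf


def allowed_networks(conf):
    """All AllowedIPs prefixes across peers, as ip_network objects."""
    return [ipaddress.ip_network(cidr, strict=False)
            for peer in conf["Peers"] for cidr in peer.get("AllowedIPs", [])]


def route_for(conf, dest):
    """'tunnel' if dest is inside any AllowedIPs prefix, else 'wan' (default route)."""
    addr = ipaddress.ip_address(dest)
    for net in allowed_networks(conf):
        if addr.version == net.version and addr in net:
            return "tunnel"
    return "wan"


def dns_via_tunnel(conf):
    """True only if every DNS server given as an IP literal is reachable through the tunnel.
    (wg-quick also accepts search domains in DNS=; those are skipped here.)"""
    servers = []
    for entry in conf["Interface"].get("DNS", []):
        try:
            servers.append(str(ipaddress.ip_address(entry)))
        except ValueError:
            continue
    return bool(servers) and all(route_for(conf, s) == "tunnel" for s in servers)


def split_tunnel_report(conf, destinations):
    """Map each destination to the path the config implies for it."""
    return {d: route_for(conf, d) for d in destinations}


if __name__ == "__main__":
    targets = ["192.168.124.1", "192.168.124.50", "1.1.1.1", "2606:4700::1111"]
    for name, text in (("Full", FULL_CONF), ("Local", LOCAL_CONF)):
        conf = parse_wg_conf(text)
        print(name, split_tunnel_report(conf, targets),
              "DNS via tunnel:", dns_via_tunnel(conf))
```

With the "Local" layout the report shows 192.168.124.1 and the rest of the /24 going into the tunnel and 1.1.1.1 going to the WAN, which is the behaviour the post describes on the Linux laptop; the DNS check passes because 192.168.124.1 lies inside 192.168.124.0/24. If a config pointed DNS at an address outside AllowedIPs, the check would fail and that would be the first thing to fix before suspecting the client itself.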