Whitelist VPN server's domain name when using 'Block Non-VPN Traffic'?

At my home, a WireGuard VPN server is running on my Flint 2, exposed at abc123.glddns.com:3333. When I travel I use Beryl's WireGuard client to connect to my Flint 2 at home.

The problem occurs when Beryl's 'Block Non-VPN Traffic' is toggled on and I reboot Beryl. Since 'Block Non-VPN Traffic' is already on, Beryl cannot resolve my home VPN server's IP via DNS for abc123.glddns.com:3333. I have to toggle off 'Block Non-VPN Traffic' for a couple of seconds so that the VPN can connect. Once the VPN connects I toggle 'Block Non-VPN Traffic' back on. These few seconds can potentially cause a DNS leak for all the devices connected to Beryl.

Is there a way to whitelist domain names of VPN servers (e.g. abc123.glddns.com:3333) when using 'Block Non-VPN Traffic'?

Hi,

Please refer to this post and try to execute that command over SSH.

1 Like

Does this mean the glddns service is also broken since 4.6.4 if the VPN is down? Shouldn't that work fine because of the option for GL.iNet services not using the VPN?


The option for 'Block Non-VPN Traffic' is meant for clients behind the router, not the router itself.

The GL.iNet DDNS service and also AdGuard need to be excluded if you chose 'GL.iNet services don't use VPN'.

I have submitted this to the R&D team; I assume the next version will improve this issue. It should not affect the VPN connecting process.
DDNS and GoodCloud are not affected.

1 Like

But I had this issue: my Flint was not reachable anymore over WG from outside. GL.iNet DDNS did not work anymore if OpenVPN was in a connecting loop because of the DNS issue. Pinging the DDNS name of the Flint gave "address not known".

Sorry. Corrected: when the ADG DNS has issues, the built-in GL services will be abnormal.
We are aware of this issue; it will be fixed in the next version ASAP.

1 Like

What about the suggestion I made on the other post, to implement a simple whitelist into the GL.iNet web interface, under 'Block Non-VPN Traffic', where you could add the VPN servers for example, and a fallback resolver just for that whitelist?

Plus, you need to add an option to allow all traffic for policy-based clients you define, so that they are always allowed to bypass the VPN.

If the 'Services from GL.iNet Use VPN' option is disabled, all GL services go to the uplink WAN interface directly by default. After the previous issue is fixed (next version), the GL services will also work normally.

Is the requirement you mentioned the feature shown in the following image?
image
For clients in the 'Do Not Use VPN' list, traffic does not go through the VPN (it goes through the uplink WAN); if a client is not on the list, its traffic goes through the VPN.
For 'Use VPN', vice versa.

Yes. This is another issue which needs to be changed. The clients you define in the VPN policy-based list for 'Do Not Use VPN' also need to be allowed to go through the WAN if the VPN is off and the option 'no VPN traffic' is on. Either make this the default, or add an option to that list: 'always allow clients in the list to bypass VPN'.

The other suggestion was for a DNS whitelist: if AdGuard or another DNS resolver is not working because the VPN is down, and you don't want any DNS leaks, you define a list of DNS names which are allowed to be resolved even while the VPN is down, like the VPN server names for example.

1 Like
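The policy-list semantics from the reply above and the two proposals in this post (an "always allow bypass" option for listed clients, and a DNS whitelist so the VPN endpoint name can be resolved while the tunnel is down) can be modelled as a small decision table. The following is an added example written for this thread, not GL.iNet firmware code: the `RouterState` fields, the `always_allow_bypass` and `dns_whitelist` options, and the client MAC addresses are assumptions; only the hostname `abc123.glddns.com` comes from the original post.

```python
from dataclasses import dataclass, field

# Hypothetical model of the router's kill switch ('Block Non-VPN Traffic'),
# the VPN policy list, and the two options proposed in the thread.
# Field names and the proposed options are assumptions for this example.

VPN, WAN, DROP = "vpn", "wan", "drop"


@dataclass
class RouterState:
    block_non_vpn: bool                                  # 'Block Non-VPN Traffic' toggle
    vpn_up: bool                                         # tunnel currently established
    policy_mode: str                                     # "do_not_use_vpn" or "use_vpn"
    listed_clients: set = field(default_factory=set)     # client MACs on the policy list
    always_allow_bypass: bool = False                    # proposed: listed bypass clients keep WAN access
    dns_whitelist: set = field(default_factory=set)      # proposed: names resolvable via WAN with VPN down


def client_wants_vpn(state: RouterState, client: str) -> bool:
    """Policy-list semantics as described in the thread."""
    listed = client in state.listed_clients
    if state.policy_mode == "do_not_use_vpn":
        return not listed        # listed clients bypass, everyone else uses the VPN
    if state.policy_mode == "use_vpn":
        return listed            # listed clients use the VPN, everyone else bypasses
    raise ValueError(f"unknown policy mode {state.policy_mode!r}")


def route_client(state: RouterState, client: str) -> str:
    """Where a LAN client's traffic goes: VPN, WAN, or DROP (held by the kill switch)."""
    if client_wants_vpn(state, client):
        if state.vpn_up:
            return VPN
        # With the toggle off, VPN-bound clients fall back to WAN: that is the leak the toggle prevents.
        return DROP if state.block_non_vpn else WAN
    # Client is meant to bypass the tunnel.
    if state.vpn_up or not state.block_non_vpn or state.always_allow_bypass:
        return WAN
    return DROP                  # current behaviour the thread complains about


def resolve_path(state: RouterState, name: str) -> str:
    """Which path a DNS query issued by the router itself takes for `name`."""
    if state.vpn_up:
        return VPN
    if name in state.dns_whitelist:
        return WAN               # whitelisted names (e.g. the VPN endpoint) may resolve via WAN
    return DROP if state.block_non_vpn else WAN


def vpn_can_reconnect_after_reboot(state: RouterState, endpoint_name: str) -> bool:
    """After a reboot the tunnel is down; reconnecting requires resolving the endpoint name."""
    down = RouterState(state.block_non_vpn, False, state.policy_mode,
                       state.listed_clients, state.always_allow_bypass, state.dns_whitelist)
    return resolve_path(down, endpoint_name) == WAN


if __name__ == "__main__":
    endpoint = "abc123.glddns.com"                      # hostname from the original post
    strict = RouterState(block_non_vpn=True, vpn_up=False, policy_mode="do_not_use_vpn",
                         listed_clients={"aa:bb:cc:dd:ee:01"})   # constructed MAC
    print("reconnect possible without whitelist:", vpn_can_reconnect_after_reboot(strict, endpoint))
    strict.dns_whitelist.add(endpoint)
    print("reconnect possible with whitelist:   ", vpn_can_reconnect_after_reboot(strict, endpoint))
    print("other names still blocked:           ", resolve_path(strict, "example.com") == DROP)
```

Running it shows the chain of events from the first post: with the toggle on and the tunnel down, the endpoint name cannot be resolved, so the tunnel cannot come up; whitelisting just that name lets it resolve via the WAN while every other query stays blocked, which is the narrow exception the poster is asking for rather than the few seconds of fully open DNS.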

Thanks for your advice; this feature concerning the DNS traffic packets is in the development plan for improvement.

The target is improving the interfaces of the DNS diversion, via the WAN (or uplink) and the VPN, without DNS leakage.
Since DNS involves multiple processes, such as dnsmasq, ADG and the VPN, this requires time for R&D.