Wildcard for bypass VPN based on domain

Hi @bruce

I have some IoT devices connected to a Beryl AX (Firmware 4.7.0-op24, 09/Dec/2024).

When the VPN Client (surfshark) is ON, all IoT devices keep changing the status to online/offline frequently.

The solution for this is bypassing the VPN based on domain, but your firmware doesn't support wildcards.

Could you please evaluate to add this feature?

I tried adding coolkit.cc in Policy Mode, but it doesn't bypass the VPN when the domain is eu-apia.coolkit.cc (for example).

Hello,
I'm experiencing an issue with my IoT devices connected to Beryl AX running Firmware 4.7.0-op24 (09/Dec/2024). When the VPN Client (Surfshark) is enabled, the devices frequently switch between online and offline. I believe the solution is to bypass the VPN based on domain, but the current firmware does not support wildcards. Could you please consider adding wildcard support for domain-based VPN bypass in a future firmware update?

Best regards,
Nima

@admon, is the user above a bot?
It seems she posted the same question as mine, but rewritten via AI :thinking:

1 Like

I would like to agree, but can't tell for 100% sure.

I'll continue monitoring it.

2 Likes

Hello,

GL firmware supports wildcard domains, including the op24 firmware you mentioned.

I tested, but it seems the issue does not reproduce:

MT3000 with 4.7.0-op24, VPN Policy Mode is "Based on the Target Domain or IP" and "Do Not Use VPN", and the domain list is configured like this:

When I add the "coolkit.cc":

It goes to the WAN of the router, which is normal:


When I remove the "coolkit.cc":


It goes to the VPN of the router, which is normal:

Verify that it is accessible:

Comparison test with another domain (on the list, not using VPN):

Note: as the office has multiple ISP connections, some special splitting by different WAN IP has been done, so only focus on whether there are hops. If there are hops, it goes to the router's WAN, and if the hop is * * *, it goes to the router's VPN.
(The ICMP packet is actually going out the VPN interface. There is no hop because of a known problem with the VPN client software design, which is expected to be improved in v4.8.)

1 Like

Hi @bruce

On your screenshot I noticed you are using OpenVPN.

I'm using WireGuard, AdGuard Home is enabled, and the VPN Policy Mode "Based on the Target Domain or IP" ("Do not use VPN") is not working.

Side note: 100.64.0.0/10 is the IP range from Tailscale (it isn't bypassing too)

As you can see, coolkit.cc is in the policy above, but it results in "Request Timeout" just like Google (which isn't in the list), so both are going through the VPN.

Can you confirm that your device is using the router as DNS server? AGH isn't allowed to handle client requests directly in this scenario, for example.

The DNS servers are set under "Upstream DNS Servers" in AdGuard Home, and the clients are using those DNS servers.

If I set the VPN Policy to "Based on the client device", it bypasses the VPN as it is supposed to.

Hmm, what do dnsleaktest.com or ipleak.net say?

Have you flushed DNS with ipconfig /flushdns? Is IPv6 off?

Also, a very sneaky one I observed with Chromium browsers:

If the browser runs 'secure DNS', even when set to follow the OS DNS settings, and in Windows you have explicitly disabled DoH/DoT,

Chromium still goes on with a hardcoded list and prefers DoH on 'known resolvers'; if DoH is not present it uses DoT. Best is to fully disable secure DNS.

So the DNS override setting in the GL UI often gets ignored because of the browser's evasion, even unexpectedly when it is set to follow system DNS.
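As an added example (not code from the thread, from GL.iNet, or from any participant), here is a small Python model of the mechanism being argued about in this thread: a domain-based "Do Not Use VPN" policy can only work if the router's own resolver sees the DNS query, because that is the moment the router learns which destination IP belongs to a listed domain. It assumes the firmware behaves like a resolver-populated bypass set (a bare entry such as `coolkit.cc` also covering its subdomains), which the posts describe only indirectly; the IP addresses and DNS answers are constructed, and the `SplitRouter` class and `domain_matches` helper are names chosen for this example.

```python
"""Model of domain-based VPN bypass and why it depends on the DNS path.

Constructed example, not GL.iNet firmware code. It models the mechanism the
thread discusses: the router's resolver matches a looked-up name against the
policy list, records the answered IP in a bypass set, and routing sends
traffic for those IPs out the WAN instead of through the VPN tunnel. A
query that never reaches the router's resolver (browser DoH, or AdGuard Home
forwarding straight to upstream servers) never populates the set, so the
flow goes through the VPN. IP/subnet rules do not depend on DNS at all.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Set


def domain_matches(rule: str, name: str) -> bool:
    """True if the rule matches the exact name or any subdomain of it.

    The match is on whole labels, so "coolkit.cc" matches
    "eu-apia.coolkit.cc" but not "notcoolkit.cc" or "coolkit.cc.example".
    A leading "*." is accepted as an alias for the bare suffix (this
    example's own convention, not a claim about the firmware's syntax).
    """
    rule = rule.strip(".").lower()
    name = name.strip(".").lower()
    if rule.startswith("*."):
        rule = rule[2:]
    return name == rule or name.endswith("." + rule)


class SplitRouter:
    """Policy 'Based on the Target Domain or IP', action 'Do Not Use VPN'."""

    def __init__(self, bypass_domains: Iterable[str], bypass_subnets: Iterable[str] = ()):
        self.bypass_domains: List[str] = list(bypass_domains)
        self.bypass_subnets = [ip_network(n) for n in bypass_subnets]
        self.bypass_ips: Set = set()  # learned from answers seen by the router's resolver

    def resolve_via_router(self, name: str, answer_ip: str) -> str:
        """Resolver hook: the answer comes from a constructed table, not real DNS.

        Only names that pass through here can populate the bypass set.
        """
        if any(domain_matches(r, name) for r in self.bypass_domains):
            self.bypass_ips.add(ip_address(answer_ip))
        return answer_ip

    def route(self, dst_ip: str) -> str:
        """Return the egress for a destination: 'wan' (bypass) or 'vpn'."""
        ip = ip_address(dst_ip)
        if ip in self.bypass_ips or any(ip in net for net in self.bypass_subnets):
            return "wan"
        return "vpn"


# Constructed DNS answers standing in for real responses (documentation ranges).
ANSWERS: Dict[str, str] = {
    "eu-apia.coolkit.cc": "203.0.113.10",
    "www.google.com": "198.51.100.20",
}


def demo() -> Dict[str, str]:
    """Compare the same policy with and without the router seeing the DNS query."""
    policy = ["coolkit.cc"]
    tailscale_cgnat = ["100.64.0.0/10"]  # IP rule: independent of DNS

    # Client A uses the router as its resolver: the name is matched, the IP is
    # learned, and traffic to it leaves via the WAN.
    router_a = SplitRouter(policy, tailscale_cgnat)
    ip_a = router_a.resolve_via_router("eu-apia.coolkit.cc", ANSWERS["eu-apia.coolkit.cc"])

    # Client B resolves the same name via browser DoH or an AdGuard Home upstream
    # that the router's resolver never sees: the bypass set stays empty.
    router_b = SplitRouter(policy, tailscale_cgnat)
    ip_b = ANSWERS["eu-apia.coolkit.cc"]  # answer obtained without the router

    return {
        "listed_domain_router_dns": router_a.route(ip_a),
        "listed_domain_doh": router_b.route(ip_b),
        "unlisted_domain": router_a.route(ANSWERS["www.google.com"]),
        "subnet_rule_no_dns": router_b.route("100.100.1.2"),
    }


if __name__ == "__main__":
    for case, egress in demo().items():
        print(f"{case:28s} -> {egress}")
```

The point the model makes is the one raised at the end of the thread: the same `coolkit.cc` rule routes the device via the WAN when the router answers the query, and via the VPN when the query is answered elsewhere, while the Tailscale subnet rule works either way because it never needed a DNS answer. Checking that the client actually uses the router as its resolver (and that the browser's secure DNS is off) is therefore the first thing to verify when a domain rule appears not to match.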