Wireguard policy "VPN Policy Base on the Target Domain or IP" is being ignored

mackhax · February 13, 2024, 6:33pm

Hi!

I’m currently using the GLX3000 router on T-Mobile Home Internet. I’m using the Wireguard client, connected to a self-hosted wireguard server.

It works great, however, the VPN policy is NOT working. As I come across various websites that are blocked by my VPN’s IP address, I add them to the list to NOT use the VPN.

I have IP addresses and domains added. However, no matter what, traceroute shows that the domains / IP Addresses are ignoring the rules completely. For instance, imgur.com is added to the list:

root@GL-X3000:~# traceroute imgur.com
traceroute to imgur.com (199.232.192.193), 30 hops max, 46 byte packets
 1  10.10.10.1 (10.10.10.1)  51.230 ms  39.093 ms  39.828 ms

My wireguard config:

[Interface]
Address = 10.10.10.2/24
PrivateKey = (removed)

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = [ipv6address]:port
PersistentKeepalive = 25
PublicKey = (removed)

At one point this was working, and it stopped recently. I am not sure what changed. I am currently using the settings below:

Remote Access LAN: OFF
IP Masquerading: OFF
MTU: 1420
Block Non-VPN Traffic: OFF
Allow Access WAN: ON
Services from GL.INET Use VPN: OFF
Proxy Mode: Based on the Target Domain or IP

Do Not Use VPN

204.2.29.0/24
t-mobile.com
tmobile.com
reddit.com
imgur.com
::/0
DNS Mode: Encrypted DNS
Encryption Type: DNS over TLS
DNS Provider: Cloudflare
DNS Rebinding Attack Protection: OFF
Override DNS settings for all clients: ON

I noticed this after IPv6 stopped working (I am only routing IPv4 over the VPN to bypass the CGNAT). I’m not sure what changed to cause this feature to just stop working.

I’m thinking it’s related to AllowedIps, but that’s a requirement.

Any suggestions are appreciated!

goher2000 · February 13, 2024, 9:48pm

Add following under [Interface]

DNS = 1.1.1.1
MTU = 1420

mackhax · February 13, 2024, 10:01pm

Man, I was really hopeful, but it looks like there is no change.

root@GL-X3000:~# traceroute imgur.com
traceroute to imgur.com (199.232.196.193), 30 hops max, 46 byte packets
 1  10.10.10.1 (10.10.10.1)  66.018 ms  40.888 ms  49.527 ms

goher2000 · February 14, 2024, 4:32am

sometime the domain/webiste have multipal ip addresses and dns server resolve to one that is not in your list could cause this… I am not sure how to find all ip addresses for the domain/site

Screenshot 2024-02-13 232610

mackhax · February 14, 2024, 6:38pm

Yes, t-mobile.com uses a WAF from Imperva. It uses a lot of IP addresses. That’s why I was excited when I saw that I could filter based on domain instead, because I don’t think it would be easy to find all the random IP addresses like you said.

The one thing I failed to mention, it’s not even working for IP addresses. I added 1.1.1.1, and some other IPs that I own, and it still routes through the firewall. It must be a configuration issue, I just can’t figure out what.

admon · February 14, 2024, 6:47pm

Commands on the router may bypass the VPN policy, you should always test from a connected device.
The device must use the DNS server of the router. Is this the case?

goher2000 · February 14, 2024, 7:04pm

I have used specific dns for specific site with dnsmasq in the past not on router, it should be same if you want to try with luci or ssh

mackhax · February 16, 2024, 8:54pm

I don’t know what changed, but it’s working again!