Wireguard policy "VPN Policy Base on the Target Domain or IP" is being ignored

Hi!

I’m currently using the GL-X3000 router on T-Mobile Home Internet. I’m using the WireGuard client, connected to a self-hosted WireGuard server.

It works great; however, the VPN policy is NOT working. As I come across various websites that are blocked by my VPN’s IP address, I add them to the list to NOT use the VPN.

I have IP addresses and domains added. However, no matter what, traceroute shows that the domains / IP Addresses are ignoring the rules completely. For instance, imgur.com is added to the list:

root@GL-X3000:~# traceroute imgur.com
traceroute to imgur.com (199.232.192.193), 30 hops max, 46 byte packets
 1  10.10.10.1 (10.10.10.1)  51.230 ms  39.093 ms  39.828 ms

My wireguard config:

[Interface]
Address = 10.10.10.2/24
PrivateKey = (removed)

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = [ipv6address]:port
PersistentKeepalive = 25
PublicKey = (removed)

At one point this was working, and it stopped recently. I am not sure what changed. I am currently using the settings below:

Remote Access LAN: OFF
IP Masquerading: OFF
MTU: 1420
Block Non-VPN Traffic: OFF
Allow Access WAN: ON
Services from GL.INET Use VPN: OFF
Proxy Mode: Based on the Target Domain or IP

Do Not Use VPN:

204.2.29.0/24
t-mobile.com
tmobile.com
reddit.com
imgur.com
::/0

DNS Mode: Encrypted DNS
Encryption Type: DNS over TLS
DNS Provider: Cloudflare
DNS Rebinding Attack Protection: OFF
Override DNS settings for all clients: ON

I noticed this after IPv6 stopped working (I am only routing IPv4 over the VPN to bypass the CGNAT). I’m not sure what changed to cause this feature to just stop working.

I’m thinking it’s related to AllowedIps, but that’s a requirement.

Any suggestions are appreciated!

Add the following under [Interface]:

DNS = 1.1.1.1
MTU = 1420

Man, I was really hopeful, but it looks like there is no change.

root@GL-X3000:~# traceroute imgur.com
traceroute to imgur.com (199.232.196.193), 30 hops max, 46 byte packets
 1  10.10.10.1 (10.10.10.1)  66.018 ms  40.888 ms  49.527 ms

Sometimes the domain/website has multiple IP addresses, and the DNS server resolves to one that is not in your list, which could cause this… I am not sure how to find all IP addresses for the domain/site.

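To make the point above concrete, here is an added example (not from the thread and not GL.iNet's own code) that checks a domain's resolved addresses against the "Do Not Use VPN" list from the first post. It assumes the policy behaves like a plain match list: an IP/CIDR entry matches when the destination address falls inside it, and a domain entry can only take effect when the client's DNS query is answered by the router's resolver. The sample answers are constructed from the two imgur.com addresses seen in the thread's traceroutes plus a documentation-range IPv6 address; the code goes slightly beyond the thread by also treating subdomains as matches and by showing what the `::/0` entry does.

```python
"""Which 'Do Not Use VPN' entry would keep a given destination off the tunnel?

Added example; assumes the router's policy is a plain match list where IP/CIDR
entries match by destination address and domain entries only match when the
client resolves names through the router's DNS (assumption, not confirmed by
the thread).
"""
import ipaddress
import socket

# Policy list copied from the first post ("Do Not Use VPN").
POLICY = ["204.2.29.0/24", "t-mobile.com", "tmobile.com",
          "reddit.com", "imgur.com", "::/0"]

# Constructed sample answers: the two imgur.com addresses from the thread's
# traceroutes, a made-up IPv6 address (documentation range), and one address
# inside the listed /24.
SAMPLE_ANSWERS = {
    "imgur.com": ["199.232.192.193", "199.232.196.193", "2001:db8::1"],
    "t-mobile.com": ["204.2.29.10"],
}


def split_policy(entries):
    """Separate CIDR/IP entries from domain entries."""
    networks, domains = [], []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            domains.append(entry.lower().strip("."))
    return networks, domains


def domain_matches(name, domains):
    """Return the listed domain that covers name (exact or subdomain), else None."""
    name = name.lower().strip(".")
    for d in domains:
        if name == d or name.endswith("." + d):
            return d
    return None


def classify(domain, addresses, policy=POLICY):
    """Map each address to the rule that would bypass the VPN, or None.

    Values look like "ip:<cidr>" or "domain:<entry>". An IP rule is reported
    first because it works regardless of which resolver the client used;
    a domain rule is only effective when the lookup went through the router.
    """
    networks, domains = split_policy(policy)
    domain_rule = domain_matches(domain, domains)
    result = {}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        hit = next((str(n) for n in networks if ip in n), None)
        if hit is not None:
            result[addr] = "ip:" + hit
        elif domain_rule is not None:
            result[addr] = "domain:" + domain_rule
        else:
            result[addr] = None
    return result


def resolve_all(domain):
    """Live A/AAAA lookup via the local resolver (network required; not used in tests)."""
    try:
        infos = socket.getaddrinfo(domain, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    for name, addrs in SAMPLE_ANSWERS.items():
        for addr, rule in classify(name, addrs).items():
            print(f"{name:14} {addr:20} -> {rule or 'VPN (no matching rule)'}")
```

Running it shows that neither imgur.com address is covered by an IP rule, so only the `imgur.com` domain entry can keep that traffic off the tunnel, and that entry only helps when the client's query actually reaches the router's resolver. `resolve_all` returns whatever the machine you run it on resolves, which can differ from the router's answer; that difference is exactly the gap described above.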

Yes, t-mobile.com uses a WAF from Imperva. It uses a lot of IP addresses. That’s why I was excited when I saw that I could filter based on domain instead, because I don’t think it would be easy to find all the random IP addresses like you said.

The one thing I failed to mention, it’s not even working for IP addresses. I added 1.1.1.1, and some other IPs that I own, and it still routes through the firewall. It must be a configuration issue, I just can’t figure out what.

Commands run on the router itself may bypass the VPN policy; you should always test from a connected device.
The device must use the router's DNS server. Is this the case?

I have used a specific DNS server for specific sites with dnsmasq in the past, though not on a router; it should be the same if you want to try it with LuCI or SSH.

I don’t know what changed, but it’s working again!