Whitelist VPN server's domain name when using 'Block Non-VPN Traffic'?

At my home, a WireGuard VPN server is running on my Flint 2, exposed at abc123.glddns.com:3333. When I travel I use Beryl’s WireGuard client to connect to my Flint 2 at home.

The problem occurs when Beryl’s ‘Block Non-VPN Traffic’ is toggled on and I reboot Beryl. Since ‘Block Non-VPN Traffic’ is already on, Beryl cannot resolve my home VPN server’s IP via DNS for abc123.glddns.com:3333. I have to toggle off ‘Block Non-VPN Traffic’ for a couple of seconds so that the VPN can connect. Once the VPN connects I toggle ‘Block Non-VPN Traffic’ back on. These few seconds can potentially cause a DNS leak for all the devices connected to Beryl.

Is there a way to whitelist domain names of VPN servers (e.g. abc123.glddns.com:3333) when using ‘Block Non-VPN Traffic’?

Your travel Beryl should just be set to DNS > Automatic. You should want the router to get online as easily as possible and connect to DNS. The only thing it needs to be able to do is resolve the IP for the endpoint address in your VPN client config.

Whatever connection the host router uses does not matter to the VPN client. As soon as the router is online and connects to the endpoint, then it will use the DNS provided in the wireguard config profile for the clients and send all that traffic through the tunnel.

The DDNS IP of your server only has to be resolved by your client once in order to set up the connection. After that it’s irrelevant. Traffic from the router to the local gateway and DNS will work regardless of the “block non DNS traffic” settings. You do not have to whitelist it.

You don’t need to whitelist your WireGuard VPN server’s URL, because your router will resolve its IP address before establishing a tunnel.

I don’t see DNS > Automatic in the Network tab.


Is it because I’m using Adguard?

Also, is this a new DDNS domain client you just registered? If so, there seems to be some issue with new registration after the recent GL server upgrade… and unfortunately China is on vacation this week.

https://www.reddit.com/r/GlInet/s/MFmPNfyFdr

It isn’t resolving for me. I have to toggle ‘Block Non-VPN Traffic’ off/on to get the internet. To me it seems like Beryl cannot resolve the VPN server’s IP when ‘Block Non-VPN Traffic’ is turned on.

Turn the first setting off, second setting on, third setting off.

Turn AdGuard off for testing purposes for now.

See if this option “Services from GL.iNet Use VPN” is turned On. It might be interfering with it. Turn this off if it’s On.

The Block non-VPN option works perfectly fine on my Slate AX router. All my Wi-Fi clients don’t get internet until the VPN tunnel is established.
If the VPN tunnel is broken, clients don’t have access to the Internet.

Wow! That worked. I didn’t even have to turn off AdGuard.

Thanks a lot.

what happens if “Override DNS Settings of All Clients” setting is turned off instead of on? (ELI5 if possible please lol)

I am starting to learn about this DNS thing from 0. So if the settings go as you said, first and third off, second on, can I still turn on Adguard? It blocks all the ads I don’t want to see with just a toggle, very convenient.

And the Block non VPN traffic must be on too?

RemoteToHome-io’s response fixed it for me. Thanks!

Check out my response above. I spent an hour trying to help someone tonight on this, and it turns out that the Glddns server seems to be having a legit issue with new registrations.

We re-registered the same device twice and while everything seemed good on the client end, there was no public DNS propagation. I tried to query from my private clients and several commercial servers.

It seems we found a new outage with the recently upgraded glddns, and unfortunately China is on vacation this week.

With this turned on, your GL router will make itself the authoritative DNS server to all the clients that connect to it.

Any client that connects to your router will ask for an IP and DNS via DHCP. With the above option turned on, the authoritative DNS will be the IP of your router.

Your router will then decide the fate of all DNS queries for those clients.

So the “block non-VPN traffic” setting by itself should not stop the router from being able to get online. The router’s DNS client runs on the WAN interface and is not affected by that firewall rule.

All traffic on the LAN (internal) side of the router is proxied through localhost port 8053 and filtered/directed based on the firewall and VPN rules… so the “block traffic” rule should only stop clients from being able to connect to the internet, not block the router itself from connecting.

AdGuard changes things a bit though, so it can cause issues with the router itself being able to resolve, which is why I was suggesting you may want to turn it off and use Automatic for testing purposes.

If you want AdGuard working for your clients connected through the VPN tunnel, you would want to run AdGuard on the server router (not the client router) and then put the server’s internal WireGuard IP (10.0.0.1 by default) in the DNS portion of the WG client configs. This way, once connected to the tunnel, your client machines will send DNS queries to your server router, which will filter them through AdGuard on the server side.

Running AdGuard on the client-side router with WireGuard can lead to DNS leaks.

Edit: I also recommend changing the default WireGuard IP from 10.0.0.1/24 to something else (e.g. 10.71.0.1/24) and recreating your client config profiles, as 10.0.0.x is a commonly used default range and could end up giving you IP conflicts with local networks when traveling that will cause you all kinds of issues.

I half follow. If you are using a travel router and have the kill switch on, traffic will go through your home VPN server, wouldn’t it? So why does it matter? Wouldn’t the end DNS be determined by the home server?

I’m looking at this from the viewpoint of a website or service, since my primary use is for remote work (secret nomading).

I did it!!! After spending hours reading this DNS thing over and over, I understand it a bit more and got courage to follow instructions of yours and another mod’s. Now when I go on dns leak test, all DNS servers show location very close to my home.

However, AdGuard doesn’t work any more. I disabled it on the client router because you said that might leak my location and enabled it on the server, but it didn’t change. I then turned it off on the server and enabled it on the client to test, but it still doesn’t work. And all DNS servers still show location to my home though.

Question 2, where do you change the default IP to 10.71.0.1/24?

Let’s take AdGuard completely out of the equation.

If you set up your VPN client properly, then all queries will go through your VPN server (at home) when connected to the VPN tunnel.

Based on the DNS set in your WG client profile, your client will either be sending DNS queries to your server router, or directly past that to Cloudflare. Nearly 100% of the time this should be the same resolution IP unless you’ve done some detailed DNS setup of your own.

All of that said… the DNS settings on your travel router will use the local gateway and local DNS no matter what other “block non-vpn traffic” settings you have. This is core router functionality and the VPN client is only frosting on top.

Yes, for those religious zealots, this includes 0.0.0.0 routing, as demonstrated here:

If you’re running AdGuard on the server and using the WG server IP as the only DNS= entry on the WG client configs then it *should* work (disclosure: I don’t usually run AdGuard on VPN setups so I don’t test this much, just personal preference).

  1. The setting is in VPN > Wireguard Server > Configuration. You’ll need to stop the WG server to edit it, and then recreate all your WG client profiles after changing it.
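As an added example (not GL.iNet code, and not from anyone in this thread), here is a small lint that checks a WireGuard client profile against the two recommendations made in this reply and in the earlier one: the DNS= entry should be the server router’s internal WireGuard IP so queries are answered inside the tunnel, and the tunnel subnet should not be the default 10.0.0.0/24 that collides with common local networks. The profile texts, the placeholder key strings, and the list of “common LAN ranges” are constructed for the example; the endpoint abc123.glddns.com:3333 is the one from the original question.

```python
"""Lint a WireGuard client profile for DNS-routing and subnet-collision pitfalls."""
import configparser
import ipaddress

# Constructed list of LAN ranges a travel router often meets in hotels and homes.
# 10.0.0.0/24 is the default WireGuard server range the thread warns about.
COMMON_LAN_RANGES = [
    ipaddress.ip_network("10.0.0.0/24"),
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Constructed profile: default subnet, DNS pointed at a public resolver.
SAMPLE_DEFAULT = """
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = abc123.glddns.com:3333
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""

# Constructed profile following the thread's advice: moved subnet, DNS = server WG IP.
SAMPLE_RECOMMENDED = """
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.71.0.2/24
DNS = 10.71.0.1

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = abc123.glddns.com:3333
AllowedIPs = 0.0.0.0/0, ::/0
"""

# Constructed split-tunnel profile: only the tunnel subnet is routed, so a
# public resolver in DNS= is reached outside the tunnel (a DNS leak).
SAMPLE_SPLIT = """
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.71.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = abc123.glddns.com:3333
AllowedIPs = 10.71.0.0/24
"""


def parse_profile(text):
    """Return (tunnel network, list of DNS addresses, list of AllowedIPs networks)."""
    cfg = configparser.ConfigParser(strict=False, interpolation=None)
    cfg.read_string(text)
    iface, peer = cfg["Interface"], cfg["Peer"]
    # First Address entry defines the tunnel subnet (e.g. 10.71.0.2/24 -> 10.71.0.0/24).
    tunnel = ipaddress.ip_interface(iface["Address"].split(",")[0].strip()).network
    dns = [ipaddress.ip_address(d.strip())
           for d in iface.get("DNS", "").split(",") if d.strip()]
    allowed = [ipaddress.ip_network(a.strip())
               for a in peer["AllowedIPs"].split(",") if a.strip()]
    return tunnel, dns, allowed


def lint(text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    tunnel, dns, allowed = parse_profile(text)
    findings = []
    if not dns:
        findings.append("no DNS= entry: clients keep using the local gateway's resolver")
    for resolver in dns:
        routed_via_tunnel = any(resolver in net for net in allowed)
        if not routed_via_tunnel:
            findings.append(f"DNS {resolver} is not covered by AllowedIPs: "
                            "queries bypass the tunnel (DNS leak)")
        elif resolver not in tunnel:
            findings.append(f"DNS {resolver} is beyond the server router: queries stay "
                            "in the tunnel, but server-side filtering (e.g. AdGuard) "
                            "does not apply")
    for lan in COMMON_LAN_RANGES:
        if tunnel.overlaps(lan):
            findings.append(f"tunnel subnet {tunnel} overlaps common LAN range {lan}: "
                            "risk of address conflicts when travelling")
    return findings


if __name__ == "__main__":
    for name, profile in [("default", SAMPLE_DEFAULT),
                          ("recommended", SAMPLE_RECOMMENDED),
                          ("split", SAMPLE_SPLIT)]:
        print(f"== {name} ==")
        for finding in lint(profile) or ["ok"]:
            print(" -", finding)
```

The check distinguishes the two cases the reply describes: with AllowedIPs = 0.0.0.0/0 a public resolver is still reached through the tunnel (so it is not a leak, only a loss of server-side filtering), whereas with a narrower AllowedIPs the same DNS= entry is answered by whatever network the travel router is sitting on.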