[redhawk0]

Hi all...I'm hoping you can help me out here. I have WindScribe VPN (using Wireguard)...it works great...but I can't seem to get certain web pages from bypassing the VPN to use the WAN address.

If I visit Facebook for example....It still shows the Wireguard given IP address. (causes login issues at times) How do I get my list of PBR sites to bypass VPN?

Yes...I have read the Wireguard guide.

This is an XR500 running 51937. (but it's been doing this all along.)


redhawk


[Edited for clarification]

[dale_gribble39]

All sources via VPN would mean all clients in your LAN would use the VPN, regardless of destination, perhaps?

[redhawk0]

The way I understand it...it sets all sources to use the VPN IP address...except when the "Route Selected Destinations via WAN" is selected then the entered addresses are only to be routed through the WAN address.

I also have the line

server=/facebook.com/marlinowners.com/fedex.com/michaels.com/etsy.com/ebay.com/serengetifashions.com/kohls.com/jcpenney.com/usps.com/express-scripts.com/1.1.1.1"

in my DNSMasq Additions section on the Services page. Only because I read that this should be setup from the Wireguard document.

[egc]

To make sure it is not a DNS problem add the interface to the DNSMasq options (your WAN interface is eth0 I assume)

server=/facebook.com/marlinowners.com/fedex.com/michaels.com/etsy.com/ebay.com/serengetifashions.com/kohls.com/jcpenney.com/usps.com/express-scripts.com/1.1.1.1@eth0

Facebook (and amazon/netflix etc.) use a lot of different domains and subdomains so you have to take care you route them all.

Second problem is that the IP addresses change over time (other servers are added etc) and the IP address is only resolved when the tunnel starts so it can be that right after the tunnel starts it will work but after some time not as your client which is resolving facebook.com at that moment gets another IP address.

Both problems can be mitigated by the use of IPSET which dynamically creates a list of resolved IP addresses and routes this list, this also will catch subdomains on the fly.

You can manually implement this (see IPSET documentation a sticky in this forum) or wait till it is added to WireGuard (I have it running already but have to test it , see attachment )

[redhawk0]

Thanx egc....I'll have to wait I guess...I did add "@eth0" to my DNSMasq line...but it didn't help. (yes...eth0 is the correct interface for WAN on the XR500....verified)

This is just a bit frustrating...I'm not proficient with command line rules...if it's in the configuration...I can understand it...but if it's changing the code or manually entering the code....I get lost very quickly.

[EDIT] - I found I missed a quote the first time around...This has fixed it....(see image)

redhawk

[egc]

Great to hear you solved it 👍

[redhawk0]

Well....now its back to not working....so....semi-solved.

I know where the problem is...just haven't been able to get consistent results.

redhawk