Https-dns-proxy traffic going out wan not wg

OpenWrt 23.05.5 r24106-10cc5fcd00
I'm using wireguard, pbr and https-dns-proxy.
Because my vpn provider has dns issues I'm trying to route the doh traffic out the wg interface instead of wan.
The last pbr rule I have specified is

config policy
	option name 'VPN1'
	option src_addr '0.0.0.0/0'
	option dest_addr '0.0.0.0/0'
	option interface 'wg2'

But all the doh traffic still goes out 'wan'

The vpn is working otherwise
The vpn endpoint is not set as the default route, the wan ip is default

tcpdump shows

08:43:37.646189 IP xx.yy.193.128.56606 > dns9.quad9.net.443

the above src ip is my isp provided ip

Https dns proxy runs on the router, so for a PBR policy you need the OUTPUT chain.
Do not set a src_addr, but make sure you set a destination address which is the address of your doh dns server.
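As an added illustration of the reply above (not configuration from the original post), this is what the policy looks like in /etc/config/pbr once it is moved to the output chain and restricted to the DoH resolver. It assumes the resolver configured in https-dns-proxy is Quad9 at 9.9.9.9; substitute the address of whatever DoH server you actually use.

```uci
# Added example, not the original poster's config.
# Traffic generated by a daemon on the router itself (https-dns-proxy) never
# passes the prerouting chain, so the policy has to sit in the output chain.
config policy
	option name 'DoH via VPN'
	# assumed: 9.9.9.9 is the DoH resolver set in /etc/config/https-dns-proxy
	option dest_addr '9.9.9.9'
	option dest_port '443'
	option chain 'output'
	option interface 'wg2'
```

After `service pbr restart`, `tcpdump -ni wg2 port 443` should show the connections to the resolver leaving through the tunnel, and the same capture on the wan interface should show none. Keeping dest_addr narrowed to the resolver (rather than 0.0.0.0/0) means the router's own management traffic, including the WireGuard handshake to the endpoint, is not pulled into the tunnel.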


Ok, that seems to work. So what this says is the prerouting chain is for traffic coming to the router from some interface and the output chain is for traffic originating from the router?
If the last pbr rule was "output chain, any port from any ip to any port at any ip, send to wg/vpn",
would that do the same thing or would I lock myself out? The first pbr rule is ignore all traffic to local subnets.

On 2nd thought that sounds like a really bad idea.

Thanks for your help
