[Solved] PBR with Domain Names failing to route traffic through wg tunnel

I'm currently trying to route these three domains through my wg0 tunnel to run IPTV services:
api-jiotvplus.media.jio.com
content-jiotvplus.media.jio.com
collect.media.jio.com

But when I try to run a traceroute, it's going through my home network. It's a bone-stock OpenWrt with only wireguard, pbr, https-dns-proxy and adblock-lean installed.

If there's a protocol setting somewhere along the way, make sure not only to include TCP and UDP; ping doesn't use those.

Protocol is set to all.

What PBR are you using?

If using the PBR app, have a look at:

Chances are you need a lot more domains to catch all traffic.

Furthermore check that adblock is not blocking these domains.

I'm not sure that a simple traceroute will be diagnostic. As a test, I set up the following for my laptop, then restarted pbr and did traceroute googlevideo.com. The resulting output did not use the wg1 endpoint at all.

config policy
  option name 'test'
  option src_addr '10.9.8.101'
  option interface 'wg1'
  option dest_addr 'googleapis.com googlevideo.com youtube.com ytimg.com googleusercontent.com ggpht.com gstatic.com'

However, when I removed the option dest_addr line from that policy (all dest_addrs I think), I did see the vpn endpoint in the traceroute output.

I also have a separate SSID and Interface/network for devices like AppleTV with this:

config policy
  option src_addr '10.9.4.0/24'
  option interface 'wg1'
  option name 'wg1 redirect'

So any device connected to that interface has all of its traffic sent through wg1. I'd like it if I didn't need to do it this way, but I don't know of a foolproof way. In my case, it's YouTubeTV I want going through the vpn.

@egc I run the pbr app. I installed dnsmasq-full, enabled IPv6 support and set "Use resolver set support for domains" to dnsmasq nft set; now it just drops the connection after a single hop. The domains are not in the blocklists.
@darksky I tried this setup, but it had a weird result in my case where the IPv4 address was getting forwarded to the VPN, yet my IPv6 address was that of my home network.

If you use an IPv4 address then only IPv4 traffic is routed.
For IPv6 routing your WireGuard must support IPv6, and you must either add the IPv6 address of the client or, easier, use the MAC address or, for whole networks, the interface name.

My wg does support IPv6; when I connect to my wg from my PC directly I get routed both IPv4 and IPv6 @egc
My plan is to get those domains routed through the wg0 interface regardless of which device, so that any device on the network can access IPTV.

Yes, I understand, and there are a lot of pitfalls doing that, as already linked earlier.

Start with using nftsets and clearing the DNS cache as described.

You can see the sets filled with nft list ruleset | head -80, as the sets are usually at the top of the firewall:

root@X86:~# nft list ruleset | head -80
table inet fw4 {
        set pbr_wg_ch_4_dst_ip_cfg0b6ff5 {
                type ipv4_addr
                flags interval
                counter
                auto-merge
                comment "domain-routing"
                elements = { 64.226.122.113 counter packets 0 bytes 0,
                             95.85.16.212 counter packets 0 bytes 0,
                             142.251.39.142 counter packets 0 bytes 0 }
        }

        set pbr_wg_ch_6_dst_ip_cfg0b6ff5 {
                type ipv6_addr
                flags interval
                counter
                auto-merge
                comment "domain-routing"
                elements = { 2a00:1450:400e:80b::200e counter packets 0 bytes 0,
                             2a03:b0c0:0:1010::509:d001 counter packets 0 bytes 0,
                             2a03:b0c0:3:d0::1a51:c001 counter packets 0 bytes 0 }
        }

        set pbr_wg_mullv_us_4_dst_ip_cfg0c6ff5 {
                type ipv4_addr
                flags interval
                counter
                auto-merge
                comment "doman routing 2"
                elements = { 95.85.16.212 counter packets 0 bytes 0 }
        }

        set pbr_wg_mullv_us_6_dst_ip_cfg0c6ff5 {
                type ipv6_addr
                flags interval
                counter
                auto-merge
                comment "doman routing 2"
                elements = { 2a03:b0c0:0:1010::509:d001 counter packets 0 bytes 0 }
        }

I use domain routing but not for IPTV; like I said, you need all domains and then some.
Also add e.g. ipleak.net so that you can easily check with your browser (assuming the browser and client do not use private DNS)

Lots of pitfalls :frowning:

Adding wg0 to the wan firewall zone seems to have fixed it. Added ipleak.net and now I get the IPv4 address of the remote site; IPv6 isn't showing, but for the purpose of IPTV it seems to do the job, the IPTV app opens and runs smooth. Thank you.

Great to hear you got it working

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

For the record, on how to set up a WireGuard client including IPv6, see my notes:
WireGuard Client Setup Guide

IPv6 needs special attention :slight_smile:

Glad to hear you got it working. Do you mind sharing the relevant sections of /etc/config/pbr and of /etc/config/firewall?

config pbr 'config'
        option enabled '1'
        option fw_mask '00ff0000'
        option ipv6_enabled '1'
        option nft_rule_counter '0'
        option nft_set_auto_merge '1'
        option nft_set_counter '0'
        option nft_set_flags_interval '1'
        option nft_set_flags_timeout '0'
        option nft_set_policy 'performance'
        option nft_user_set_counter '0'
        option procd_boot_trigger_delay '5000'
        option procd_reload_delay '0'
        option resolver_set 'dnsmasq.nftset'
        option strict_enforcement '1'
        option uplink_interface 'wan'
        option uplink_interface6 'wan6'
        option uplink_ip_rules_priority '30000'
        option uplink_mark '00010000'
        option verbosity '2'
        list ignored_interface 'vpnserver'
        list lan_device 'br-lan'
        list resolver_instance '*'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        option config_compat '25'
        option config_version '1.2.2-r14'
        option rule_create_option 'add'
        option webui_show_ignore_target '0'

config include
        option path '/usr/share/pbr/pbr.user.dnsprefetch'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.aws'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.netflix'
        option enabled '0'

config dns_policy
        option name 'Redirect Local IP DNS'
        option src_addr '192.168.1.5'
        option dest_dns '1.1.1.1'
        option enabled '0'

config policy
        option name 'routejiotv'
        option dest_addr 'api-jiotvplus.media.jio.com'
        option interface 'wg0'

config policy
        option name 'routejiotv2'
        option dest_addr 'content-jiotvplus.media.jio.com'
        option interface 'wg0'

config policy
        option name 'ipleak'
        option dest_addr 'ipleak.net'
        option interface 'wg0'

config policy
        option name 'Ignore Local Requests'
        option interface 'ignore'
        option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
        option enabled '0'

config policy
        option name 'Plex/Emby Local Server'
        option interface 'wan'
        option src_port '8096 8920 32400'
        option enabled '0'

config policy
        option name 'Plex/Emby Remote Servers'
        option interface 'wan'
        option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
        option enabled '0'


/etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wg0'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

I also had to filter AAAA records in dnsmasq to only reply with A records for the specific domains, so as not to leak through the VPN. Though it is possible to implement ULA to reroute IPv6 address spaces through pbr, since it was a quick hack this does the job.
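Two checks in this thread go together: egc's advice to look at the pbr sets with nft list ruleset, and the last post's observation that AAAA answers for the same domain were not being routed. Below is an added example (not code from this thread, from the posters, or from the pbr project) that automates that cross-check: it parses a saved nft dump into per-set address lists, handling prefixes, lo-hi ranges and counter suffixes, and then tests every A/AAAA answer a domain resolved to against those sets. Anything that no set covers is exactly the traffic that will take the uplink instead of wg0. The set names, cfg ids, dump contents and all addresses are constructed placeholders (RFC 5737/3849 ranges), not the real jio.com addresses; in practice you would replace NFT_DUMP with the output of ssh root@router nft list ruleset and RESOLVED with what nslookup on the router returns.

```python
"""Cross-check pbr's nft destination sets against a domain's A/AAAA answers.

Added example for this thread, not pbr project code. Reports which resolved
addresses are covered by a set and which would still leave via the uplink.
"""
import ipaddress
import re

# Constructed sample dump: same shape as `nft list ruleset | head -80`, but
# set names, cfg ids and addresses are placeholders.
NFT_DUMP = """\
table inet fw4 {
        set pbr_wg0_4_dst_ip_cfg0b6ff5 {
                type ipv4_addr
                flags interval
                comment "domain-routing"
                elements = { 192.0.2.10, 192.0.2.20-192.0.2.25,
                             198.51.100.0/24 }
        }

        set pbr_wg0_6_dst_ip_cfg0b6ff5 {
                type ipv6_addr
                flags interval
                counter
                comment "domain-routing"
                elements = { 2001:db8:1::10 counter packets 0 bytes 0 }
        }
}
"""

# Constructed sample answers, as if read off `nslookup <name>` on the router.
# These are NOT the real addresses of the jio.com hosts.
RESOLVED = {
    "api-jiotvplus.media.jio.com": ["192.0.2.10", "2001:db8:1::10"],
    "content-jiotvplus.media.jio.com": ["198.51.100.77", "2001:db8:2::5"],
    "collect.media.jio.com": ["203.0.113.9"],
}


def _parse_elements(text):
    """Body of `elements = { ... }` -> ip_network list.

    Each element is `<addr|prefix|lo-hi>`, optionally followed by counter
    words; interval sets print unaligned ranges as `lo-hi`.
    """
    nets = []
    for token in text.split(","):
        words = token.split()
        if not words:
            continue
        elem = words[0]
        if "-" in elem:  # lo-hi range (IPv6 literals never contain '-')
            lo, hi = (ipaddress.ip_address(x) for x in elem.split("-"))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(elem, strict=False))
    return nets


def parse_sets(dump):
    """Return {set_name: {"type": "ipv4_addr"|"ipv6_addr", "nets": [...]}}."""
    sets, name, in_elems, buf = {}, None, False, []
    for raw in dump.splitlines():
        line = raw.strip()
        m = re.match(r"set (\S+) \{$", line)
        if m:
            name = m.group(1)
            sets[name] = {"type": None, "nets": []}
            continue
        if name is None:
            continue
        if line.startswith("type "):
            sets[name]["type"] = line.split()[1]
        elif line.startswith("elements = {") or in_elems:
            in_elems = True
            buf.append(line.split("{", 1)[1] if line.startswith("elements") else line)
            if line.endswith("}"):  # closing brace of the elements block
                sets[name]["nets"] = _parse_elements(" ".join(buf).rstrip("}"))
                in_elems, buf = False, []
        elif line == "}":  # closing brace of the set itself
            name = None
    return sets


def covering_sets(sets, addr):
    """Names of the sets that contain `addr`; empty list means not routed."""
    ip = ipaddress.ip_address(addr)
    return sorted(name for name, s in sets.items()
                  if any(net.version == ip.version and ip in net for net in s["nets"]))


def audit(sets, resolved):
    """{domain: {addr: [covering set names]}} for every resolved address."""
    return {d: {a: covering_sets(sets, a) for a in addrs} for d, addrs in resolved.items()}


def leaks(report):
    """(domain, addr) pairs that no set covers: that traffic takes the uplink."""
    return [(d, a) for d, per in report.items() for a, hits in per.items() if not hits]


if __name__ == "__main__":
    rep = audit(parse_sets(NFT_DUMP), RESOLVED)
    for d, per in rep.items():
        for a, hits in per.items():
            print(f"{d:35} {a:22} {', '.join(hits) or 'NOT IN ANY SET -> uplink'}")
    for d, a in leaks(rep):
        rr = "AAAA" if ipaddress.ip_address(a).version == 6 else "A"
        print(f"leak: {d} {rr} answer {a} is not routed by pbr")
```

With the constructed data the script flags the two failure modes discussed above: content-jiotvplus has its A answer covered but its AAAA answer in no set (the IPv4-routed, IPv6-leaking symptom), and collect.media.jio.com is in no set at all (the "you need more domains" case). For a single address on the router itself, nft get element inet fw4 <set> { <addr> } performs the same membership lookup, including interval matching.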