WireGuard Client – Custom DNS Support and DoH Compliance When "Allow DNS" Is Enabled

a week ago
Model: Deco BE11000  
Hardware Version: V1
Firmware Version: 1.3.1

Hello TP-Link team and community,

I'd like to submit a feature request related to WireGuard client DNS handling on the Deco BE13000, though I suspect this applies equally to other TP-Link devices with WireGuard client support.

---

Background

When "Allow DNS" is toggled on in the WireGuard client settings, the router automatically assigns the tunnel's gateway IP (e.g., 10.5.5.1) as the DNS server. While that default is reasonable, it introduces two issues that I'd like to see addressed.

Issue 1 – No UI Option to Override the DNS Server

There is currently no way to specify a custom DNS IP through the interface. The only workaround is to manually edit the .conf file, which is neither persistent across firmware updates nor a practical option for most users.

Issue 2 – The VPN Gateway DNS Bypasses DoH Settings

When the tunnel's gateway IP is used as the DNS server, the router ignores any DoH (DNS-over-HTTPS) configuration set at the router level and falls back to the WAN DNS instead. This silently undermines privacy and filtering rules that users have deliberately configured — without any indication that it's happening.

Proposed Solutions

Two improvements would address both issues:

1. Add an optional custom DNS IP field that becomes available when "Allow DNS" is toggled on. This gives users the flexibility to specify any DNS server they choose — for example, the router's own LAN gateway IP — so that router-level DoH and DNS filtering remain in effect even when tunneling traffic through WireGuard.

2. When no custom DNS is specified and the tunnel's gateway IP is used by default, the router should route that DNS traffic through its configured DoH resolver rather than falling back to the WAN DNS. This would make the default behavior consistent with the rest of the router's DNS policy.

Together, these changes would close a meaningful gap for users who rely on router-level DNS filtering and encryption, and bring WireGuard DNS handling in line with the router's broader DNS configuration.

Thank you for considering this request.

#1
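An added example, not part of the original post and not TP-Link code: a Python check over a standard wg-quick style .conf (the kind of file the post mentions editing by hand) that reports where each `DNS =` entry sits relative to the tunnel. The sample config, the 192.168.68.1 LAN address, the endpoint name and the function names are constructed for illustration, and it is an assumption that the Deco firmware reads the file the way wg-quick does.

```python
import ipaddress

# Constructed sample in wg-quick format; keys and most addresses are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <placeholder>
Address = 10.5.5.2/24
DNS = 10.5.5.1, 192.168.68.1

[Peer]
PublicKey = <placeholder>
AllowedIPs = 10.5.5.0/24
Endpoint = vpn.example.net:51820
"""

def parse_conf(text):
    """Return {section: {key: [values]}}; repeated [Peer] sections are merged."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].lower(), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)          # base64 padding stays in value
            section.setdefault(key.strip().lower(), []).extend(
                v.strip() for v in value.split(",") if v.strip())
    return conf

def classify_dns(text):
    """Label each DNS entry by how it relates to the tunnel."""
    conf = parse_conf(text)
    iface, peer = conf.get("interface", {}), conf.get("peer", {})
    tunnel = [ipaddress.ip_interface(a).network for a in iface.get("address", [])]
    allowed = [ipaddress.ip_network(a, strict=False) for a in peer.get("allowedips", [])]
    result = {}
    for entry in iface.get("dns", []):
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            result[entry] = "search-domain"          # wg-quick treats non-IP entries this way
            continue
        if any(ip in net for net in tunnel):
            result[entry] = "tunnel-subnet"          # resolver on the VPN side (e.g. the gateway)
        elif any(ip in net for net in allowed):
            result[entry] = "routed-via-tunnel"      # reached through the tunnel
        else:
            result[entry] = "not-via-tunnel"         # e.g. a LAN-side resolver
    return result

if __name__ == "__main__":
    print(classify_dns(SAMPLE_CONF))
```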
Re:WireGuard Client – Custom DNS Support and DoH Compliance When "Allow DNS" Is Enabled
a week ago

  @Costanzo 

Hi,
When configuring the WireGuard VPN in the Deco app, as shown in Step 5 of the following instructions, you can set up a DNS server in the Interface section.
How to set up WireGuard VPN Client on Deco APP
Best Regards

#2
Re:WireGuard Client – Custom DNS Support and DoH Compliance When "Allow DNS" Is Enabled
a week ago

  @Costanzo 

Thank you for the reply and the detailed client setup instructions.

However, my question is specifically about the WireGuard VPN Server configuration on my TP-Link BE1300 (via the Deco app), not the client side. The guide focuses on client settings where a custom DNS can be specified, but in the BE1300’s WireGuard VPN Server options there is no field or setting to define or push a custom DNS server to connecting peers/clients. Peers are simply receiving the router’s default DNS.

Since there doesn’t appear to be any way to configure this on the server side, I’d like to submit the following as a feature request:

Feature Request: WireGuard VPN Server – Option to Specify Custom DNS for Peers

Hello TP-Link team and community,

When configuring the WireGuard VPN Server in the Deco app on the BE1300 (and similar models), there is currently no option to specify a custom DNS server that gets pushed to connecting peers. As a result, clients receive the router’s default DNS.

Please consider adding an optional DNS Server field in the WireGuard VPN Server settings. This would allow admins to define the DNS (e.g., the router’s LAN IP or a custom resolver) that is included in the generated peer configurations.

This would align the server feature with the existing client-side DNS options and greatly improve flexibility.

Thank you for considering this request!

#3
Re:WireGuard Client – Custom DNS Support and DoH Compliance When "Allow DNS" Is Enabled
Wednesday

  @Costanzo 

Hi,
Thank you for your feedback and feature request. I'll log it and forward it to the relevant team for evaluation.
Best Regards

#4