OpenWrt OpenClash: Fix Domain Direct Routing in Fake-IP Mode


Problem Description

In OpenWrt with OpenClash configured in fake-ip mode, certain domains (blog.trippal.asia and ctrip-it.com) were not bypassing the proxy despite having DIRECT rules configured. The domains were receiving fake IP addresses (198.18.x.x range) instead of real IP addresses, causing them to be treated as foreign domains and routed through the proxy.

Root Cause Analysis

The issue occurred because in OpenClash's fake-ip mode, DNS queries are intercepted and assigned fake IP addresses before the routing rules can take effect. Even with DIRECT rules in place, the fake-ip DNS system was overriding the intended behavior.

Solution Implemented

To fix this issue, two configuration changes were made to /etc/openclash/config.yaml:

1. Added domains to fake-ip-filter

Added the domains to the fake-ip-filter section to ensure they receive real DNS resolution:

fake-ip-filter:
  - "*.lan"
  - "*.localdomain"
  # ... existing entries ...
  - blog.trippal.asia
  - ctrip-it.com

2. Added DIRECT routing rules

Ensured DIRECT rules exist in the rules section:

rules:
- DOMAIN,blog.trippal.asia,DIRECT
- DOMAIN,ctrip-it.com,DIRECT
# ... other rules ...

Configuration Steps

  1. SSH into OpenWrt router: ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa -p 11122 root@192.168.1.111
  2. Edit OpenClash config: /etc/openclash/config.yaml
  3. Add domains to fake-ip-filter section
  4. Add DIRECT rules to rules section
  5. Restart OpenClash service: /etc/init.d/openclash restart

Verification Results

After applying the changes:

  • blog.trippal.asia now resolves to real Cloudflare IPs (104.21.52.152, 172.67.200.225)
  • No more fake IP addresses (198.18.x.x) assigned
  • Direct connection bypasses the proxy successfully
  • Ping shows real IP resolution and direct connectivity

Key Takeaway

In OpenClash fake-ip mode, domains requiring direct access need to be configured in both locations:

  • fake-ip-filter - for real DNS resolution
  • rules with DIRECT action - for routing control

This dual configuration ensures domains are treated as domestic and bypass the proxy entirely.
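
A consistency check for the dual configuration described above, as an added example that is not part of the original post: it lists domains that have a DOMAIN,...,DIRECT rule but no exact fake-ip-filter entry. The function names and the sample config are constructed for illustration, and wildcard filter entries are not expanded.

```shell
#!/bin/sh
# Added example, not from the original post. Exact names only: wildcard
# fake-ip-filter entries such as "*.lan" are read but not expanded.

# Print the fake-ip-filter entries of config file $1, one per line, unquoted.
filter_entries() {
    awk '
        /^[ \t]*fake-ip-filter:/ { in_f = 1; next }
        in_f && (/^[ \t]*#/ || /^[ \t]*$/) { next }   # comments, blank lines
        in_f && /^[ \t]*-[ \t]/ {
            sub(/^[ \t]*-[ \t]*/, ""); sub(/[ \t]*(#.*)?$/, ""); print; next
        }
        in_f { in_f = 0 }                             # next YAML key ends the list
    ' "$1" | tr -d "\"'"
}

# Print every domain that has a "DOMAIN,<name>,DIRECT" rule in $1.
direct_domains() {
    sed -n 's/^[[:space:]]*-[[:space:]]*DOMAIN,\([^,]*\),DIRECT[[:space:]]*$/\1/p' "$1"
}

# Print DIRECT domains with no fake-ip-filter entry (these still get fake IPs).
missing_from_filter() {
    entries=$(filter_entries "$1")
    direct_domains "$1" | while IFS= read -r d; do
        printf '%s\n' "$entries" | grep -qxF -- "$d" || printf '%s\n' "$d"
    done
}

# Succeed if address $1 is in the 198.18.x.x fake-IP range the post reports.
is_fake_ip() { case "$1" in 198.18.*) return 0 ;; *) return 1 ;; esac; }

# Constructed sample: ctrip-it.com has a DIRECT rule but no filter entry.
sample_config() {
    cat <<'EOF'
dns:
  enhanced-mode: fake-ip
  fake-ip-filter:
    - "*.lan"
    - blog.trippal.asia  # already filtered
rules:
- DOMAIN,blog.trippal.asia,DIRECT
- DOMAIN,ctrip-it.com,DIRECT
EOF
}

# No argument: check the sample. On the router: pass /etc/openclash/config.yaml.
if [ -n "${1:-}" ]; then missing_from_filter "$1"
else tmp=$(mktemp) && sample_config > "$tmp" && missing_from_filter "$tmp"; rm -f "$tmp"; fi
```

An empty result means every DIRECT domain also has a filter entry; after the restart, is_fake_ip can be applied to the address a lookup returns to confirm it is no longer in the fake range.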