Configuring DNS resolver with Wireguard Tunnel on Portable Router?

I currently have an OpenWRT router configured to work as a travel router w/ wireguard tunnel. Essentially I have one radio acting as an AP for my devices, and the other radio connects to an upstream wireless signal and forwards internet there. I also have attached a wireguard configuration to act as a tunnel. With this config, I can successfully use my home network as a wireguard tunnel.

Currently the wwan interface uses 1.1.1.1 as a DNS IP, but I would like to use the DNS IP on my home network (192.168.1.1) to send DNS queries. However, when I try to replace the Cloudflare DNS IP resolver with my home network's resolver, none of the queries can be resolved. I also tested this with 8.8.8.8 and the behavior is the same.

# /etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7e:3fa9:619e::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        # purposely set at a different IP than 192.168.1.1
        option ipaddr '192.168.1.33'

config interface 'wwan'
        option proto 'dhcp'
        option peerdns '0'
        # Not using a public DNS resolver causes an issue
        list dns '1.1.1.1'

config interface 'wg'
        option proto 'wireguard'
        option private_key 'REDACTED'
        list addresses 'REDACTED/32'
        list dns '192.168.1.1'

config wireguard_wg 'wgserver'
        option public_key 'REDACTED'
        option route_allowed_ips '1'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host 'REDACTED'
        option endpoint_port 'REDACTED'

# /etc/config/firewall
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'

config zone
        option network 'wg'
        option name 'wireguard'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option masq '1'
        option forward 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wireguard'

It's weird to me because I know this configuration & the wireguard peer on my home network is working correctly because I have successfully connected through a wireguard client on a mobile device, and checked the IPs using dnsleaktest.com.

[Interface]
PrivateKey = REDACTED
Address = REDACTED/32
DNS = 192.168.1.1

[Peer]
PublicKey = REDACTED
AllowedIPs = 0.0.0.0/0
Endpoint = REDACTED_IP:REDACTED_PORT

The fact that I can use this wireguard client config on a mobile device makes me think I can apply this to my portable router. Does anyone know how to fix this? Or is it impossible with this configuration?

I used this discussion (Make Travel Router Send All Traffic to Home Wire Guard Server) for reference to route my router traffic.

I was looking for similar solutions a while back and it turns out it's just not entirely straightforward to do this. You need an external resolver to get your WG tunnel initiated, but then you could switch to your private (i.e. router) as the DNS server. You could script it, if you wanted, but it's not as easy as just setting a dns entry.

I got some good suggestions when I asked, but I never did explore further because of the fact that it was more effort than I wanted to spend at the time.

Worth remembering -- if you use a DNS server that is public (such as cloudflare or google), the traffic containing those dns requests will actually flow through your home router (which is the other WG endpoint), so the local-to-you (travel router side) network provider would not be able to see your dns requests (but your home ISP could). Further, if you wanted to, it would actually be possible to do a dns hijack/local redirect (on the home router side).


About reaching your home DNS server 192.168.1.1, I think this is not possible as your travel router has the same subnet.
Besides, you might run into trouble if the network you connect to on the road has this same subnet.
So I suggest to use something completely different, e.g.:
option ipaddr '192.168.113.1'

About the remark of @psherman, I have been trying to write a little script which uses the DNS address of the WG interface exclusively after ifup.
So on the (w)wan interface you set 1.1.1.1 as DNS server and on the WG interface you set 192.168.1.1.
After the WG interface is up (you are connected to your home) the DNS server is set exclusively to 192.168.1.1 so that you will not have a DNS leak.
On ifdown it is reversed.

It is not finished/tested yet, but you can have a look at my github repo.
Suggestions are welcome to improve it.
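One way to do the ifup/ifdown switch described above, as an added example that is not the script from egc's repo nor anything else posted in the thread: a netifd hotplug script placed in /etc/hotplug.d/iface/. It assumes the logical interface name `wg`, the home resolver 192.168.1.1 and the public fallback 1.1.1.1 from the configs above, and that dnsmasq is the resolver on the travel router.

```shell
#!/bin/sh
# /etc/hotplug.d/iface/99-wg-dns  (added example, not egc's script)
# Assumptions: WireGuard logical interface 'wg', home resolver 192.168.1.1,
# public resolver 1.1.1.1 while the tunnel is down (all three from the thread).
# Keeping a public resolver for the ifdown state matters: the WG endpoint
# hostname has to be resolvable before the tunnel can come back up.

WG_IFACE="${WG_IFACE:-wg}"
HOME_DNS="${HOME_DNS:-192.168.1.1}"
PUBLIC_DNS="${PUBLIC_DNS:-1.1.1.1}"
DNSMASQ="dhcp.@dnsmasq[0]"

# Pure decision: which single upstream dnsmasq may forward to for an event.
#   ifup   -> home resolver only (queries stay inside the tunnel, no leak)
#   ifdown -> public resolver only (so the endpoint can be resolved again)
upstream_for() {
    case "$1" in
        ifup)   echo "$HOME_DNS" ;;
        ifdown) echo "$PUBLIC_DNS" ;;
        *)      return 1 ;;
    esac
}

reload_dnsmasq() { /etc/init.d/dnsmasq restart; }

# Rewrite dnsmasq's upstream list in /etc/config/dhcp and apply it.
# noresolv=1 makes dnsmasq ignore every resolver netifd learned from the
# wwan or wg interfaces, so the 'server' list is the only place queries go.
apply_dns() {
    upstream=$(upstream_for "$1") || return 1
    uci set "$DNSMASQ.noresolv=1"
    uci -q delete "$DNSMASQ.server"
    uci add_list "$DNSMASQ.server=$upstream"
    uci commit dhcp
    reload_dnsmasq
}

# Hotplug entry point: netifd exports ACTION and INTERFACE for each event.
if [ -n "$ACTION" ] && [ "$INTERFACE" = "$WG_IFACE" ]; then
    apply_dns "$ACTION"
fi
```

After the tunnel is up, `nslookup example.org` on the router should show 192.168.1.1 as the server and dnsleaktest should report only the home ISP.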

I appreciate the clarification @psherman & @egc. I'll try experimenting some more over the coming weeks and see if I can get a configuration that works and share my results.