DNS forwarding to Unbound on Wireguard server

Hello all, I have an issue with how to do what I want.

I have a router (192.168.1.1) and a remote wg-server (192.168.3.1) with unbound. The wg-interface (192.168.3.3) works well, I can route one of my clients through the wg-server with vpn-policy-routing, but I can't understand how to forward all DNS queries from my router to the wg-server. I can do nslookup to 192.168.3.1 from the client, but when I tried to set 192.168.3.1 on the router as the DNS forwarding IP it didn't work.

Check out the following:

# OpenWrt
ping -w 3 192.168.3.1
nslookup openwrt.org 192.168.3.1

you mean on the client or the router?

on the client

PS C:\Users\roma> ping -w 3 192.168.3.1

Pinging 192.168.3.1 with 32 bytes of data:
Reply from 192.168.3.1: bytes=32 time=42ms TTL=63
Reply from 192.168.3.1: bytes=32 time=42ms TTL=63
Reply from 192.168.3.1: bytes=32 time=42ms TTL=63
Reply from 192.168.3.1: bytes=32 time=42ms TTL=63

Ping statistics for 192.168.3.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 42ms, Maximum = 42ms, Average = 42ms

and

PS C:\Users\roma> nslookup openwrt.org 192.168.3.1
Server:  UnKnown
Address:  192.168.3.1

Non-authoritative answer:
Name:    openwrt.org
Addresses:  2a03:b0c0:3:d0::1af1:1
          139.59.209.225

on my router (as may be expected)

root@tik:~# ping -w 3 192.168.3.1
PING 192.168.3.1 (192.168.3.1): 56 data bytes

--- 192.168.3.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
root@tik:~# nslookup openwrt.org 192.168.3.1
;; connection timed out; no servers could be reached


Post your configs omitting the WG keys:

uci show network; uci show firewall
root@tik:~# uci show network;
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.delegate='0'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='pppoe'
network.wan.password='del'
network.wan.ipv6='0'
network.wan.delegate='0'
network.wan.username='del'
network.wan.peerdns='0'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='2 3 4 5 0t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='1 0t'
network.welcome=interface
network.welcome.proto='static'
network.welcome.ipaddr='192.168.2.1'
network.welcome.netmask='255.255.255.0'
network.welcome.delegate='0'
network.wg=interface
network.wg.proto='wireguard'
network.wg.delegate='0'
network.wg.addresses='192.168.3.3/32'
network.wg.private_key='del'
network.@wireguard_wg[0]=wireguard_wg
network.@wireguard_wg[0].public_key='del'
network.@wireguard_wg[0].description='azure'
network.@wireguard_wg[0].allowed_ips='0.0.0.0/0'
network.@wireguard_wg[0].endpoint_host='del'
network.@wireguard_wg[0].endpoint_port='51820'

I have two wi-fi networks, the second one for guests

root@tik:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].drop_invalid='1'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-IGMP'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='igmp'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.welcome=zone
firewall.welcome.name='welcome'
firewall.welcome.network='welcome'
firewall.welcome.input='REJECT'
firewall.welcome.output='ACCEPT'
firewall.welcome.forward='REJECT'
firewall.welcome_wan=forwarding
firewall.welcome_wan.src='welcome'
firewall.welcome_wan.dest='wan'
firewall.welcome_dns=rule
firewall.welcome_dns.name='Allow-DNS-welcome'
firewall.welcome_dns.src='welcome'
firewall.welcome_dns.dest_port='53'
firewall.welcome_dns.proto='tcpudp'
firewall.welcome_dns.target='ACCEPT'
firewall.welcome_dhcp=rule
firewall.welcome_dhcp.name='Allow-DHCP-welcome'
firewall.welcome_dhcp.src='welcome'
firewall.welcome_dhcp.dest_port='67'
firewall.welcome_dhcp.proto='udp'
firewall.welcome_dhcp.target='ACCEPT'
firewall.@zone[3]=zone
firewall.@zone[3].network='wg'
firewall.@zone[3].forward='REJECT'
firewall.@zone[3].name='wgzone'
firewall.@zone[3].output='ACCEPT'
firewall.@zone[3].input='REJECT'
firewall.@zone[3].masq='1'
firewall.@zone[3].mtu_fix='1'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].dest='wgzone'
firewall.@forwarding[2].src='lan'

WG allowed IPs on the server side should list 192.168.3.3/32 and 192.168.1.0/24.


It's allowed, but the router can't forward DNS to the wg-server.

Check the firewall settings on the server side.
Try to optimize MTU on the client side.


Sorry, but that's pretty common advice. The client works well through WireGuard (which means the MTU is OK), and from the client I can ask the wg-server with nslookup for any domain and it responds (which means the firewall is OK too). But when I use 192.168.3.1 (the wg-server IP) on the router as the DNS forwarder nothing happens. I can't understand how to make the wg-server visible from the router.

Merely, I guess, I need to write a route on OpenWrt to 192.168.3.0/24 through the wg connection, but I can't understand how.

Dohhhh, I'm an idiot, it has static routes, I just need to add target 192.168.3.0/24 through the wg connection.

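The fix from the last reply, worked through as an added example that is not from the thread: a small Python checker that parses `uci show network` output (the format posted above) and does a longest-prefix match to show which interface the router would use to reach the Unbound address 192.168.3.1, with and without the static route. It assumes the PPPoE wan installs the default route (OpenWrt's default behaviour) and uses `wg_dns` as an arbitrary route section name.

```python
import ipaddress

# Constructed dump: the thread's router config, trimmed to the addressing that matters.
UCI_DUMP = """\
network.lan=interface
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.wan=interface
network.wan.proto='pppoe'
network.wg=interface
network.wg.proto='wireguard'
network.wg.addresses='192.168.3.3/32'
"""

# The fix from the last reply as a UCI static route; the section name is an assumption.
FIX = """\
network.wg_dns=route
network.wg_dns.interface='wg'
network.wg_dns.target='192.168.3.0/24'
"""

def parse_uci(dump):
    """Turn `uci show network` lines into {section: {option: value}}."""
    sections = {}
    for line in dump.splitlines():
        key, _, value = line.partition("=")
        name, _, option = key[len("network."):].partition(".")
        sections.setdefault(name, {})[option or ".type"] = value.strip("'")
    return sections

def prefixes(sections):
    """Yield (network, interface) for every prefix the router knows about."""
    for name, sec in sections.items():
        if sec.get(".type") == "interface":
            if "ipaddr" in sec:  # static: address plus dotted netmask
                yield ipaddress.ip_network(
                    f"{sec['ipaddr']}/{sec['netmask']}", strict=False), name
            if "addresses" in sec:  # wireguard: CIDR, here a /32 covering only itself
                yield ipaddress.ip_network(sec["addresses"], strict=False), name
            if sec.get("proto") == "pppoe":  # assumed: wan installs the default route
                yield ipaddress.ip_network("0.0.0.0/0"), name
        elif sec.get(".type") == "route":
            yield ipaddress.ip_network(sec["target"], strict=False), sec["interface"]

def route_for(dump, dst):
    """Longest-prefix match: name of the interface that carries traffic to dst."""
    dst = ipaddress.ip_address(dst)
    hits = [(net, iface) for net, iface in prefixes(parse_uci(dump)) if dst in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None
```

Without the route the resolver address matches only the default route, so the router's forwarded queries leave via the PPPoE WAN and time out, while the policy-routed client sends everything into the tunnel and gets answers.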
