Hi, I'm having some issues with my WireGuard client that are seemingly related to DNS - when I have a separate WG VPN interface through which I'm forwarding all of the traffic, some websites don't load (e.g. stackoverflow.com, duckduckgo.com), while others do (e.g. google.com). It's quite troublesome, as sometimes I can't reach servers I really need in order to update some of the apps I run on the LAN of this router.
Now, when I tried putting the WG interface on the same firewall zone as the WAN, that all worked alright; other clients that I have running on my WG server also work okay. I have been googling for a while, but I've never resolved this, so I figured I've spent enough time and need some help.
Here are the configs, please let me know if you need any extra information:
# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'XXXX'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option delegate '0'

config device
	option name 'eth0.2'
	option macaddr 'XXXX'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option delegate '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

config interface 'VPN'
	option proto 'wireguard'
	option private_key 'XXXX'
	option delegate '0'
	list addresses '10.8.0.3'
	list dns 'XXX.XXX.XXX.XXX' # DNS Server of the VPS

config wireguard_VPN
	list allowed_ips '0.0.0.0/0'
	option description 'VPC Server'
	option endpoint_port 'XXXX'
	option public_key 'XXXX'
	option endpoint_host 'XXX.XXX.XXX.XXX'
	option route_allowed_ips '1'
	option persistent_keepalive '50'
# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option family 'ipv4'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option family 'ipv4'
	option log '1'
	option log_limit '1/minute'
	option forward 'REJECT'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'VPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option family 'ipv4'
	list network 'VPN'

config forwarding
	option src 'VPN'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'VPN'
I actually remember looking at this a while ago, but I thought that's not applicable to my case as when I test my connection for leaks using https://whatsmyipaddress.com and https://dnsleaktest.com/ it shows me the VPS's IP address and lists the company's servers in the results.
Also, if I leave that field blank, then I can't get any DNS resolution - that is, I can't access any websites by their names. So I'm not sure.
I see this part as possibly applicable from the docs and will try it out:
Providing DNS for non-local networks
Answer DNS queries arriving from non-local networks. This can be useful to provide DNS for VPN clients with point-to-point topology.
uci set dhcp.@dnsmasq[0].localservice="0"
uci commit dhcp
/etc/init.d/dnsmasq restart
As I understand it, you are telling me that I shouldn't leave that field blank - is that correct? If yes, then that still doesn't solve my original problem, where I can connect to some websites and not others.
Ah, okay, I see! Got it, that helps a bit more with understanding as to what is what, thank you.
My remark (italicized) at the end of my original post -
was specifically in regard to the custom DNS server field in the WireGuard interface, because @psherman linked a post which shows that the field isn't working as assumed. My experience above, to me, implies that it does work.
I haven't touched much of the DNS and DHCP tab in my router and I'll probably have to look further into this. I entered the commands that I mentioned above, but haven't had the chance to test yet and won't until later today.
I still would like some help with resolving this. I've tried putting the DNS of the VPS into an upstream DNS server on the WAN interface and judging by the system logs, it does exactly the same as the field in the Wireguard interface. I've tried putting it into the DHCP and DNS > General Settings > DNS Forwardings and Addresses and I'm still having the same issue, if I get any DNS resolution at all (specifically, filling the DHCP and DNS page options). I can ping the addresses, nslookup finds the IP address of duckduckgo.com and traceroute can get to the site, albeit after having 5-6 timeouts (3 stars - request timed out). Maybe I just need to increase the number of attempts before timing out?
My other Wireguard clients don't have the same issue, so it's specifically the one on the OpenWrt router. Any tips or methods on troubleshooting this are also welcome. Thanks in advance!
If Allowed IPs for the peer is set to 0.0.0.0/0, then put a DNS = x.x.x.x entry in the [Interface] section of the WG configuration, where x.x.x.x is your VPN provider's DNS server (or another DNS server which is reachable through the VPN). That's all you need to do to ensure DNS continues to work when all traffic is sent down the tunnel.
That's what I had originally, and setting the upstream DNS server to my VPS provider's DNS server works the same according to the logs. The issue isn't that I don't have any DNS resolution in that case, since I can resolve a lot of websites, but that the resolution is not complete, e.g. I can't access duckduckgo.com or gq.com - it times out. It's a biggie for me, since I host home automation OSs/containers off of the LAN of this router, and over time I've learned that I can't update them through the WG tunnel since they can't resolve the update server addresses (the connection also times out). To me, the fact that I plainly can't resolve some websites simply using my browser gives me hope that if I fix this, I'll be able to fix the root problem (the same websites don't have any issues getting resolved on other WG clients).
The way I understand it, it does not matter under which interface an option dns is placed, they all go into a single list and dnsmasq will use them in a round-robin / failover scheme.
If you want to use a DNS server that can be reached either by VPN or regular Internet, simply place it in the wan section and choose to ignore any servers advertised by the ISP (option peerdns '0').
If the DNS server can only be reached by VPN, it gets more complicated. Other than writing your own script, there isn't a provision to delete and add DNS servers as network status changes. A workaround is to configure the VPN only DNS as the only server, and point the VPN client process at the VPN service by using its numeric IP so the tunnel can be started up without a working DNS.
Some sites working and some not (or with a long delay on initial contact) can be because a client tries to use IPv6 though your network is v4 only. Make sure the dhcpv6 and RA service is turned off.
To add to what mk24 said, both stackoverflow.com and duckduckgo.com are IPv4-only websites and google.com supports IPv6. To me it looks like IPv4 isn't working on the wg interface rather than a DNS issue.
I tried that and it provides the same results as defining a custom server in the WG interface, as @iplaywithtoys described above - I'll assume that's because I'm forwarding all of my traffic through the VPN.
Do you mind explaining this a bit more in-depth? I thought that's what the custom DNS server field was supposed to be for in the WG interface. My other WG clients use the same DNS provided by the VPS provider and they work fine.
Thank you for this, I went on a search and finally completely disabled IPv6 stuff. The dhcpv6 and RA were already disabled for all of the interfaces. I even went as far as deleting the IPv6 ULA-Prefix.
I was able to reach stackoverflow.com and it got cached, but if I traceroute it through the diagnostics, it still times out. Duckduckgo.com never got through. Any other ideas as to what might be going on, or how I would check if I'm still having IPv4/6 issues? I'm also wondering if I should include authoritative DNS servers that the provider maintains - if yes, where would I put them?
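As an added example (not posted by anyone in this thread), here is a small Python probe for the question left open above: is it DNS, or is IPv4 not passing through the wg interface? Run from a LAN host behind the router, it resolves each site separately for A and AAAA records via the host's normal resolver (dnsmasq on the router), then attempts a TCP connect and a TLS handshake on port 443 per address family; the site list is from the thread, the outcome labels are this example's own.

```python
import socket
import ssl

SITES = ["stackoverflow.com", "duckduckgo.com", "google.com"]  # hostnames from the thread; the script is a constructed example
FAMILIES = {"v4": socket.AF_INET, "v6": socket.AF_INET6}

def resolve(host, family):
    """Addresses the host's resolver returns for one family ([] if none)."""
    try:
        infos = socket.getaddrinfo(host, 443, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def tls_probe(addr, family, host):
    """Bare TCP connect, then a TLS handshake: the handshake carries full-size packets
    (the certificate chain), so it catches paths where a small SYN gets through but larger packets do not."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.settimeout(5.0)
            sock.connect((addr, 443))
            try:
                with ssl.create_default_context().wrap_socket(sock, server_hostname=host):
                    return "ok"
            except OSError:
                return "tcp-ok-handshake-fails"
    except OSError:
        return "unreachable"

def probe_site(host):
    """family -> {address: outcome}; an empty dict means no records for that family."""
    return {name: {a: tls_probe(a, fam, host) for a in resolve(host, fam)}
            for name, fam in FAMILIES.items()}

def diagnose(result):
    """Reduce one probe_site() result to the distinction the thread is after."""
    v4, v6 = result["v4"], result["v6"]
    if not v4 and not v6:
        return "dns-failure"            # neither A nor AAAA came back
    if v4 and "ok" not in v4.values():
        if "tcp-ok-handshake-fails" in v4.values():
            return "ipv4-connects-but-handshake-fails"
        return "ipv4-path-failure"      # A records resolve, nothing answers over v4
    if v6 and "ok" not in v6.values():
        return "ipv6-path-failure"      # AAAA present but v6 dead while v4 works
    return "healthy"

if __name__ == "__main__":
    for site in SITES:
        print(f"{site}: {diagnose(probe_site(site))}")
```

A site that comes back "dns-failure" points at the resolver setup discussed earlier in the thread, while "ipv4-path-failure" on an IPv4-only site with other sites healthy matches the explanation in the last two replies.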