DNS Resolvers with Wireguard over multiple tunnels

I have WG tunnels set up over 3 tunnels: wg_ca (50.x), wg_usa (60.x), wg_ind (70.x)

These WG tunnels are from 3 different providers which I'm testing out in the first 30 days so that I can finalize on one. I have separate dnsmasq instances to resolve DNS queries, pointed to the internal IP from the provider. And I've added static routes to these internal DNS resolver IPs, which connect me to the internet and the endpoint.

Everything works fine; IP and DNS are from the country the tunnel is connected to. But now that I have narrowed down on the provider, I find the DNS resolver IPs are the same for different servers under the same provider,
i.e. provider 1: DNS resolver IP 10.128.0.1 across servers, provider 2: DNS resolver IP 10.2.0.1 across servers, and so on.

The way I was able to get the DNS servers reachable was by adding static routes, following this comment. But since I want to go with just 1 provider and their DNS IP is the same irrespective of the server, static routes will fail since the same internal IP would be set up towards different tunnels. How can I get around this?

Edit: Essentially all I want to do is: if the client is in 50.x and the DNS IP is 10.2.0.1, route it to wg_ind; if the client is in 60.x and the DNS IP is 10.2.0.1, route it to wg_usa. So on and so forth.

One thing I can think about is to use dnsmasq option 6 to hand out the DNS servers to the client.
The DNS will then follow the client.
See https://github.com/egc112/OpenWRT-egc-add-on/tree/main/stop-dns-leak#option-6

I have it enabled as 6, 192.168.50.1 where the DNS resolver IP is the local dnsmasq instance. I don't want to use public resolvers but want to use the VPN-provided resolvers.

That is already the default.
But you should use e.g. 10.2.0.1, the DNS resolver from the VPN provider.

Oh yes. That works as expected! Thank you. This actually solves my problem.

But there is a small OCD that I have. I'd like to have the gateway IP 192.168.50.1 shown as the DNS resolver so that clients (human users) don't see the DNS resolver IP. Is there any way of achieving that at the config level? Not a big deal if not possible, but I'd like to see if it's an option.

An alternative solution is to remove option 6 and use a redirect rule to redirect port 53 traffic to 10.0.2.1.
See https://github.com/egc112/OpenWRT-egc-add-on/tree/main/stop-dns-leak#iptablesnftables

That worked as well. Thank you.

For anyone in the same situation here is what I did.

Removed the static route and applied either of these solutions:

Solution 1:
Set option 6 on respective DHCP interface as 6,10.2.0.1

Solution 2:
Followed the port forwarding rule here to set up DNS forwarding. I set up one forwarding rule per tunnel and it works as expected.

config redirect
	option dest 'wg_ind'
	option target 'DNAT'
	option name 'DNS-IND'
	option src 'ind'
	option src_dport '53'
	option dest_ip '10.2.0.1'

Thank you @egc!

Both DNS Resolvers with Wireguard over multiple tunnels - #4 by egc and DNS Resolvers with Wireguard over multiple tunnels - #6 by egc work. Pick your solution.
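As an added illustration (this is not code from the thread, egc's add-on, or OpenWrt itself), the script below generates both solutions above for all three tunnels at once as a UCI batch: one port-53 DNAT redirect per LAN zone towards its own WireGuard zone, plus the matching DHCP option 6 on that LAN interface. It assumes the LAN firewall zones are named `ind`, `usa` and `ca`, that the DHCP sections carry the same names as those zones (as `dhcp.lan` does on a default install), and that every tunnel hands out the same provider resolver 10.2.0.1, which is exactly the situation that broke the static-route approach. Because the redirect is matched on the source zone, the identical destination IP on each tunnel is not a conflict. The table values are constructed for the example; the script only prints the commands, so it can be reviewed before piping it into `uci batch` on the router.

```shell
#!/bin/sh
# Added example, not from the thread: emit a UCI batch that creates one DNS
# redirect per tunnel (Solution 2) and the DHCP option 6 for each LAN (Solution 1).
set -eu

# Constructed table, one tunnel per line: <lan zone> <wireguard zone> <provider DNS IP>
# Zone names and DHCP section names are assumptions for this example.
TUNNELS="ind wg_ind 10.2.0.1
usa wg_usa 10.2.0.1
ca wg_ca 10.2.0.1"

# Minimal IPv4 sanity check so a typo does not become a DNAT to nowhere.
valid_ipv4() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# Print the uci commands for one tunnel: a redirect of port 53 from the LAN zone
# to the provider resolver reached via the tunnel zone, and option 6 on the LAN
# DHCP section so clients are told to use that resolver directly.
dns_rules_for() {
    lan=$1; wg=$2; dns=$3
    valid_ipv4 "$dns" || { echo "bad DNS IP for $lan: $dns" >&2; return 1; }
    name="dns_$lan"   # hypothetical section name, one per LAN zone
    cat <<EOF
set firewall.$name=redirect
set firewall.$name.name='DNS-$lan'
set firewall.$name.src='$lan'
set firewall.$name.src_dport='53'
set firewall.$name.dest='$wg'
set firewall.$name.dest_ip='$dns'
set firewall.$name.target='DNAT'
add_list dhcp.$lan.dhcp_option='6,$dns'
EOF
}

# Build the full batch; refuse a table that would give one LAN zone two redirects,
# since the whole point is exactly one rule per tunnel.
dns_rules_batch() {
    seen=" "
    while read -r lan wg dns; do
        [ -n "$lan" ] || continue
        case "$seen" in
            *" $lan "*) echo "duplicate LAN zone: $lan" >&2; return 1 ;;
        esac
        seen="$seen$lan "
        dns_rules_for "$lan" "$wg" "$dns" || return 1
    done <<EOF
$TUNNELS
EOF
    echo "commit firewall"
    echo "commit dhcp"
}

# Run as `sh dns-redirect.sh print` to see the batch; on the router, pipe it
# into `uci batch` and restart firewall and dnsmasq.
if [ "${1:-}" = "print" ]; then
    dns_rules_batch
fi
```

Each LAN zone ends up with its own DNAT rule, so a client in `usa` asking 10.2.0.1 is forwarded through `wg_usa` while a client in `ind` asking the same address goes through `wg_ind`; no static route to 10.2.0.1 is needed at all.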

