How to configure Dnsmasq for Wireguard Lan2Lan?

Hi,

I configured 2 OpenWrt routers to connect their local wlans (192.168.[12].0/24) with wireguard. Both routers alone work fine, including their standard dnsmasq local and internet dns services and clients.
With wireguard I can now reach services on lan 2 from lan 1 hosts and services on lan 1 from lan 2 hosts.
What does not work is dns. How can I configure dnsmasq so hostnames can be resolved between the lans?

I disabled the "Non-wildcard" and "Local service only" options in luci to bind dnsmasq to all devices. I also configured different local domains as .lan1 and .lan2. That enables nslookup host.lan1 lan1DnsIp on lan2 and nslookup host.lan2 lan2DnsIp on lan1. So dns communication is not blocked by firewall settings.

I defined forwards /*.lan1/lan1DnsIp on router 2 and /*.lan2/lan2DnsIp on router 1.
But host.lan1 still does not resolve on router 2 and host.lan2 does not resolve on router 1, nor on other hosts on the respective lans.

Any hints? What else do I need to configure?

Asterisk between slashes is wrong.

Thanks!
I first removed the asterisks and then also the dots.
Still no resolves :frowning:
Anything else?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Disable rebind protection or make an exemption for the domains on the other side

I think you covered the basics; below are my own notes, so not really redacted.

For a proper setup, if both sides are OpenWrt routers, four things are important:

The first is to make sure that the DNS server from the other side can actually process your queries.
dnsmasq has to listen on all interfaces, so also on the WG interface. By default this is the case, but if you changed that then you have to add the WG interface as a listen interface.

The second is that dnsmasq on the other side has to answer non-local requests.
For this, disable Local Service only (dnsmasq: --local-service):
Luci DNS-DHCP > Filter > Local service only: untick/disable,
or in /etc/config/dhcp:
config dnsmasq
	option localservice '0'

The third is that the client side is now using a DNS server with a local RFC1918 address.
dnsmasq has rebind protection, which shields you from using local addresses, as that can be used to spoof DNS, so on the client side you have to disable Rebind Protection:
Luci DNS-DHCP > Filter > Rebind protection: untick/disable,
or in /etc/config/dhcp:
config dnsmasq
	option rebind_protection '0'

Instead of disabling Rebind protection you can also whitelist the domain of the other side:
Luci DNS-DHCP > Filter > Domain Whitelist: "set name of domain of other side",
or in /etc/config/dhcp:
config dnsmasq
	list rebind_domain 'set name of domain of other side'

The fourth is that you have to instruct dnsmasq which server it has to use to resolve the domain of the other side. This assumes you have set a different domain name for each side, e.g. home1 (router is 192.168.1.1) and home2 (router is 192.168.2.1).
On home1 you add: server=/home2/192.168.2.1
For OpenWrt, /etc/config/dhcp > config dnsmasq:
	list server '/home2/192.168.2.1'

On home2: server=/home1/192.168.1.1
For OpenWrt, /etc/config/dhcp > config dnsmasq:
	list server '/home1/192.168.1.1'
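As an added example (not from the thread or from OpenWrt itself), a small Python check that reads one router's /etc/config/dhcp and reports which of the four points above are still missing for a given remote domain; it assumes the WireGuard interface is named wg0 in UCI, only parses the `config dnsmasq` section, and uses a constructed sample config.

```python
import re

def parse_dnsmasq_section(text):
    """Minimal UCI parser: options and lists of the first 'config dnsmasq' section."""
    opts, lists, inside = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            inside = line.split()[1] == "dnsmasq"
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+(?:'([^']*)'|(\S+))", line)
        if not inside or not m:
            continue
        value = next(v for v in m.groups()[2:] if v is not None)
        if m.group(1) == "option":
            opts[m.group(2)] = value
        else:
            lists.setdefault(m.group(2), []).append(value)
    return opts, lists

def check_lan2lan_dns(text, remote_domain, remote_dns, wg_iface="wg0"):
    """Return the settings still missing on this side to resolve remote_domain (wg_iface is an assumed UCI name)."""
    opts, lists = parse_dnsmasq_section(text)
    findings = []
    # 1. listen on the tunnel too (only matters if listening was restricted)
    iface, noiface = lists.get("interface", []), lists.get("notinterface", [])
    if (iface and wg_iface not in iface) or wg_iface in noiface:
        findings.append(f"dnsmasq is not listening on {wg_iface}")
    # 2. queries from the other LAN are non-local; OpenWrt defaults to '1'
    if opts.get("localservice", "1") != "0":
        findings.append("localservice is on; queries from the other LAN are refused")
    # 3. rebind protection drops the RFC1918 answers coming back from the remote
    #    resolver; whitelisting only the remote domain is the narrower fix
    if opts.get("rebind_protection", "1") == "0":
        findings.append("rebind_protection is off globally; prefer list rebind_domain")
    elif remote_domain not in lists.get("rebind_domain", []):
        findings.append(f"add: list rebind_domain '{remote_domain}'")
    # 4. forward the remote domain to the other router's dnsmasq
    if f"/{remote_domain}/{remote_dns}" not in lists.get("server", []):
        findings.append(f"add: list server '/{remote_domain}/{remote_dns}'")
    return findings

# Constructed sample: home1's dnsmasq section set up as the thread describes
SAMPLE_HOME1 = """\
config dnsmasq
    option localservice '0'
    list rebind_domain 'home2'
    list server '/home2/192.168.2.1'
"""
```

Run it against a copy of the router's /etc/config/dhcp; an empty list means that side is ready, otherwise each entry names the setting to add.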

That was it, thanks! Security sucks :wink:
