This one has me stumped. I have had a WireGuard server set up for some time with multiple clients (Windows computer, Android phone, etc.) that access my LAN. I want to set up a WG tunnel using another OpenWrt router. I set up everything as best as I know how and it seems to work well. It (WG OpenWrt client) has its own DHCP server to connect multiple computers to it. Pinging internal LAN IPs, external IPs, and external DNS addresses works great. The only thing that does not work is local DNS resolution.
I have my WG client OpenWrt tunnel and everything I know to point on the server to my Pi-hole DNS. When I check what my DNS server is on any of the computers attached to the client WG device, they show the correct DNS IP for my Pi-hole. Any ideas on why this would not be working? I am not sure which information to share to be most helpful with troubleshooting this.
You need to specify the DNS server in the dnsmasq configuration (/etc/config/dhcp). If you are configuring the DNS server within the WG configuration, that will not work on OpenWrt.
Thanks for the reply. Would I be modifying this file on the client router or server router? I presume client? I pulled it up and am not sure what I would change.
I have already done this within pihole to allow all my other WG clients to use my DNS server. It is only my openwrt client that I am having issues with.
Pinging google.com works. Pinging 8.8.8.8 works. Pinging a desktop on my network (10.13.37.5 for example) works fine. Pinging localpc.int does not work (as it is listed in the pihole local dns).
Yes this is from the client. I checked the same file on the openwrt server and it is also 'lan'. I don't see a location in the pihole for this but the pihole is also not my DHCP server.
Keep in mind that you have rebind protection enabled on WG client OpenWrt, so a private address response to a query sent upstream is not allowed. Verify that from: logread -e dnsmasq
Did you run the command after an unsuccessful attempt to resolve an internal hostname?
The resolution is obviously to disable the rebind protection in DNS and DHCP settings.
I attempted to do so but this is beyond my comfort level and I feel I am getting into the range of breaking something that I can fix. I ran the tcpdump and it was a wall of requests. I tried then loading an internal address while it ran and stopped the tcpdump but the packets dropped didn't seem related to the failed dns requests. I'm not even sure if these are related honestly.
Looking at all I could find online for how to log this suggested having to edit the /etc/dnsmasq.conf and /etc/config/dhcp files in ways that I would be blindly following without understanding. I appreciate your help but I suppose this may just be the end of the line for me attempting to use this.
Thanks for the additional detail/clarification. Running the tcpdump and repeatedly trying to resolve the address, it doesn't seem to catch anything from it. It catches other background requests but not these. I'm not sure the Dnsmasq would help then. Should I still do it even with this not picking anything up?
Perhaps Dnsmasq is not the client's primary and/or exclusive resolver.
Or maybe your VPN is configured with the point-to-point topology instead of subnet.
I am not sure if this helps at all but the client OpenWrt router itself also cannot ping the local address (i.e., it has the same behavior as those in the LAN network of the client WG router). This seems strange since I would think it would act like any of my other devices directly connected to the WG server. I presume the configuration issue is somewhere on the client, not the server then?
EDIT - To further confuse the issue, by chance I noticed upon reboot on the client WG openwrt router, if I quickly ping an internal dns address it works... Moments later it won't. I am thoroughly confused... The below text happened within seconds of one another.
root@OpenWrt:~# ping rout.int
PING rout.int (10.13.37.1): 56 data bytes
64 bytes from 10.13.37.1: seq=0 ttl=64 time=43.630 ms
64 bytes from 10.13.37.1: seq=1 ttl=64 time=39.461 ms
64 bytes from 10.13.37.1: seq=2 ttl=64 time=49.359 ms
64 bytes from 10.13.37.1: seq=3 ttl=64 time=47.139 ms
64 bytes from 10.13.37.1: seq=4 ttl=64 time=43.143 ms
64 bytes from 10.13.37.1: seq=5 ttl=64 time=36.914 ms
64 bytes from 10.13.37.1: seq=6 ttl=64 time=40.735 ms
64 bytes from 10.13.37.1: seq=7 ttl=64 time=44.529 ms
64 bytes from 10.13.37.1: seq=8 ttl=64 time=40.487 ms
64 bytes from 10.13.37.1: seq=9 ttl=64 time=36.167 ms
64 bytes from 10.13.37.1: seq=10 ttl=64 time=40.042 ms
64 bytes from 10.13.37.1: seq=11 ttl=64 time=39.872 ms
64 bytes from 10.13.37.1: seq=12 ttl=64 time=37.745 ms
64 bytes from 10.13.37.1: seq=13 ttl=64 time=37.522 ms
64 bytes from 10.13.37.1: seq=14 ttl=64 time=39.359 ms
^C
--- rout.int ping statistics ---
16 packets transmitted, 15 packets received, 6% packet loss
round-trip min/avg/max = 36.167/41.073/49.359 ms
root@OpenWrt:~# ping rout.int
ping: bad address 'rout.int'
Better post here the complete configuration to have a thorough view:
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have
ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
I presumed you meant the client. I will also note that I wiped the entire image and started with a fresh image and did the basic WG client setup. This means some of the packages pre-installed with the images (this is an orange pi R1 plus). The same issue persists:
root@OpenWrt:~# ubus call system board; \
> uci export network; \
uci expo> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
"kernel": "5.4.143",
"hostname": "OpenWrt",
"system": "ARMv8 Processor rev 4",
"model": "Xunlong Orange Pi R1 PLUS",
"board_name": "xunlong,orangepi-r1-plus",
"release": {
"distribution": "OpenWrt",
"version": "21.02-SNAPSHOT",
"target": "rockchip/armv8",
"revision": "2021.09.13",
"description": "Quintus Build@2021.09.13"
}
}
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd7a:f43a:f653::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
config device
option name 'eth1'
option macaddr 'xx:xx:xx:xx:xx:xx'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.13.1'
config device
option name 'eth0'
option macaddr 'xx:xx:xx:xx:xx:xx'
config interface 'wan'
option device 'eth0'
option proto 'dhcp'
config interface 'WGTunnel'
option proto 'wireguard'
option private_key 'redacted='
option listen_port '51820'
list addresses '10.6.0.7/32'
config wireguard_WGTunnel
option public_key 'redacted='
list allowed_ips '0.0.0.0/0'
option route_allowed_ips '1'
option endpoint_host 'redacted.com'
option endpoint_port '51820'
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option filteraaaa '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option flow_offloading '1'
option fullcone '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'WGTunnel'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
config include 'zerotier'
option type 'script'
option path '/etc/zerotier.start'
option reload '1'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
config include 'adbyby'
option type 'script'
option path '/var/etc/adbyby.include'
option reload '1'
config rule 'adblock'
option name 'adblock'
option target 'DROP'
option src 'wan'
option proto 'tcp'
option dest_port '8118'
config include 'shadowsocksr'
option type 'script'
option path '/var/etc/shadowsocksr.include'
option reload '1'
config rule
option name 'Wireguard'
option src 'wan'
option src_port '51820'
option target 'ACCEPT'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
inet 192.168.1.48/24 brd 192.168.1.255 scope global eth0
valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.13.1/24 brd 192.168.13.255 scope global br-lan
valid_lft forever preferred_lft forever
11: WGTunnel: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
inet 10.6.0.7/32 brd 255.255.255.255 scope global WGTunnel
valid_lft forever preferred_lft forever
default dev WGTunnel proto static scope link
75.166.145.204 via 192.168.1.1 dev eth0 proto static
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.48
192.168.13.0/24 dev br-lan proto kernel scope link src 192.168.13.1
local 10.6.0.7 dev WGTunnel table local proto kernel scope host src 10.6.0.7
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev eth0 table local proto kernel scope link src 192.168.1.48
local 192.168.1.48 dev eth0 table local proto kernel scope host src 192.168.1.48
broadcast 192.168.1.255 dev eth0 table local proto kernel scope link src 192.168.1.48
broadcast 192.168.13.0 dev br-lan table local proto kernel scope link src 192.168.13.1
local 192.168.13.1 dev br-lan table local proto kernel scope host src 192.168.13.1
broadcast 192.168.13.255 dev br-lan table local proto kernel scope link src 192.168.13.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
lrwxrwxrwx 1 root root 16 Sep 10 03:21 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r-- 1 root root 94 Nov 18 00:43 /tmp/resolv.conf
lrwxrwxrwx 1 root root 35 Nov 18 00:43 /tmp/resolv.conf.auto -> /tmp/resolv.conf.d/resolv.conf.auto
-rw-r--r-- 1 root root 39 Nov 18 00:43 /tmp/resolv.conf.d/resolv.conf.auto
/tmp/resolv.conf.d:
-rw-r--r-- 1 root root 39 Nov 18 00:43 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
search lan
nameserver 127.0.0.1
nameserver 127.0.0.1
nameserver ::1
nameserver ::1
==> /tmp/resolv.conf <==
search lan
search lan
nameserver 127.0.0.1
nameserver 127.0.0.1
nameserver ::1
nameserver ::1
==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 192.168.1.1
==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error
==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver 192.168.1.1
root@OpenWrt:~#
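The two things raised earlier in the thread (rebind protection discarding private-address answers, and which upstream dnsmasq actually forwards to) can be checked mechanically against the pasted 'uci export dhcp' and resolvfile output. The script below is an added example, not code from the thread or from OpenWrt; it assumes a placeholder Pi-hole address (the thread never states it) and the 'int' local domain seen in the ping output.

```python
import re

# Constructed sample, trimmed from the 'uci export dhcp' output pasted above.
SAMPLE_DHCP_UCI = """package dhcp
config dnsmasq
\toption rebind_protection '1'
\toption rebind_localhost '1'
\toption resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
config dhcp 'lan'
\toption interface 'lan'
"""
# Constructed sample, matching the pasted /tmp/resolv.conf.d/resolv.conf.auto.
SAMPLE_RESOLVFILE = "# Interface wan\nnameserver 192.168.1.1\n"
PIHOLE_PLACEHOLDER = "10.13.37.2"  # placeholder: the thread does not give the Pi-hole IP

def parse_uci_section(text, section_type):
    """Return option/list values of the first 'config <section_type>' block in UCI export text."""
    opts, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"config\s+(\S+)", line)
        if m:
            if in_section:
                break                      # left the block we were collecting
            in_section = m.group(1) == section_type
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+'([^']*)'", line)
        if in_section and m:
            kind, key, val = m.groups()
            if kind == "list":
                opts.setdefault(key, []).append(val)
            else:
                opts[key] = val
    return opts

def upstream_servers(resolvfile_text):
    """Nameservers dnsmasq would read from its resolvfile (here: the WAN DHCP-supplied one)."""
    return [l.split()[1] for l in resolvfile_text.splitlines() if l.startswith("nameserver ")]

def check_local_dns(dhcp_uci, resolvfile_text, expected_dns, local_domain):
    """List reasons a LAN hostname's private-address answer would be dropped or never requested."""
    dns = parse_uci_section(dhcp_uci, "dnsmasq")
    # dnsmasq uses 'list server' entries plus the resolvfile unless noresolv is set
    servers = list(dns.get("server", []))
    if dns.get("noresolv", "0") != "1":
        servers += upstream_servers(resolvfile_text)
    findings = []
    if dns.get("rebind_protection", "1") == "1" and local_domain not in dns.get("rebind_domain", []):
        findings.append(f"rebind_protection on and '{local_domain}' not in rebind_domain: private answers discarded")
    if expected_dns not in servers:
        findings.append(f"dnsmasq forwards to {servers}, not to {expected_dns}")
    return findings
```

Either clearing rebind_protection (or listing the local domain under rebind_domain) and pointing dnsmasq at the intended resolver makes the check come back empty.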