No internet connectivity in OpenWrt router when using mullvad DNS in Wan interface

Hi there,

Recently installed OpenWrt on a TD-8980.
Installed WireGuard and VPN-Policy-Routing and everything works fine, but I don't have internet connectivity in the router when Mullvad DNS is set in the WAN interface.
No ping, no opkg update, no DDNS update.
If I disable Mullvad DNS, everything comes back to normal.

Tried to set up DNS in the LAN interface, but same results.

I would love it if someone could point me in the right direction to solve this issue / help me troubleshoot this.

Thanks in advance

You've set up a chicken-or-egg situation... by setting the Mullvad DNS for the WAN, it is not possible for DNS to work unless the tunnel is up. The tunnel cannot be established because the specified DNS server is not available to resolve the IP address to connect and bring up the tunnel.

Your WAN DNS should be something accessible all the time -- a public one like Google, Cloudflare, OpenDNS, etc. would be a good option. You can then set the preferred DNS for your LAN(s) in the dnsmasq configuration.

1 Like

Thanks for the quick reply.
To clarify things, I can access the internet on devices that aren't using the Mullvad tunnel.
It's only the router that can't access the internet.

I'm a newbie here, so I hope you can help me out.

So, if I understand correctly, I have to go to the DHCP and DNS option in Network and set Mullvad DNS under DNS forwarding?
Is that it?

Ok... so then the solution is simple... use a public DNS on the WAN and the router will have internet access again.

Exactly.

1 Like

I tried that, but then I have DNS leaks on the devices that are routed through the tunnel.

If I set this up this way, can I still access local domain names assigned to my devices?

Use the IP for the VPN server instead of its hostname. No DNS lookup, no chicken-or-the-egg problem.

As long as your devices use your router as their DNS (if using DHCP, assuming no overrides, this will be the case), your router will resolve whatever it can (local stuff), and it will forward DNS to the upstream forwarder as needed for everything else.

1 Like

I'm using the IP, not the hostname.

I must have a conflicting config, because setting up dnsmasq this way, I can no longer access my local domains.
I have my router set as the DHCP server.

Let's see your config files:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/dhcp

Also, please verify that the client devices (i.e. your phones, computers, etc.) are all using the router as the DNS server and not some override locally specified on the device.

1 Like

Just an observation: I can access local domains on devices not using the tunnel,
but on the devices routed through the tunnel I can't access local domains.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'a'
	option tone 'av'
	option ds_snr_offset '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipv6 'off'

config device
	option name 'dsl0'
	option macaddr 'REDACTED'

config interface 'wan'
	option proto 'pppoa'
	option encaps 'vc'
	option atmdev '0'
	option vci '35'
	option vpi '8'
	option username 'REDACTED'
	option password 'REDACTED'
	option ipv6 'auto'
	option peerdns '0'
	list dns '208.67.222.222'
	list dns '208.67.220.220'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 2 4 5 6t'

config interface 'WLAN'
	option proto 'static'
	option device 'wlan0'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option device 'wlan0-1'

config interface 'mullvad'
	option proto 'wireguard'
	option private_key 'REDACTED'
	list dns 'REDACTED'
	list addresses 'REDACTED'
	option listen_port '51820'
	option peerdns '0'

config wireguard_mullvad
	option public_key 'REDACTED'
	option description 'REDACTED'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	option endpoint_host 'REDACTED'
	option endpoint_port '51820'
	option persistent_keepalive '25'

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option domain 'REDACTED'
	option local '/REDACTED/'
	list address '/REDACTED/192.168.1.23'
	list address '/REDACTED/192.168.1.62'
	list server 'REDACTED'  //mullvad DNS server
	list server '/REDACTED/192.168.1.1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list ra_flags 'none'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option dns '1'
	option mac 'REDACTED'
	option ip '192.168.1.23'
	option name 'REDACTED'

config host
	option name 'REDACTED'
	option dns '1'
	option mac 'REDACTED'
	option ip '192.168.1.62'

config dhcp 'WLAN'
	option interface 'WLAN'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config domain
	option name 'REDACTED'
	option ip '192.168.1.23'

config domain
	option name 'REDACTED'
	option ip '192.168.1.62'config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option domain 'REDACTED'
	option local '/REDACTED/'
	list address '/REDACTED/192.168.1.23'
	list address '/REDACTED/192.168.1.62'
	list server 'REDACTED'  //mullvad DNS server
	list server '/REDACTED/192.168.1.1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list ra_flags 'none'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option dns '1'
	option mac 'REDACTED'
	option ip '192.168.1.23'
	option name 'REDACTED'

config host
	option name 'REDACTED'
	option dns '1'
	option mac 'REDACTED'
	option ip '192.168.1.62'

config dhcp 'WLAN'
	option interface 'WLAN'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config domain
	option name 'REDACTED'
	option ip '192.168.1.23'

config domain
	option name 'REDACTED'
	option ip '192.168.1.62'

Your dhcp file seems to be messed up... specifically, it appears that it is doubled up and the formatting might have gotten messed up (unless this was simply a mistake as it was pasted into the forum).

See this section about halfway through the file... can you check to see if this is what really exists inside the dhcp file?

Sorry, I must have done something wrong;
here is the correct version:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option domain 'REDACTED'
	option local '/REDACTED/'
	list address '/REDACTED/192.168.1.23'
	list address '/REDACTED/192.168.1.62'
	list server 'REDACTED'  //mullvad DNS
	list server '/REDACTED/192.168.1.1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list ra_flags 'none'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option dns '1'
	option mac 'REDACTED'
	option ip '192.168.1.23'
	option name 'REDACTED'

config host
	option name 'REDACTED'
	option dns '1'
	option mac 'REDACTED'
	option ip '192.168.1.62'

config dhcp 'WLAN'
	option interface 'WLAN'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config domain
	option name 'REDACTED'
	option ip '192.168.1.23'

config domain
	option name 'REDACTED'
	option ip '192.168.1.62'

Here is an example of the dnsmasq section that is working exactly as intended:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list address '/test/192.168.1.5'
	list address '/test2.lan/192.168.1.6'
	list server '8.8.8.8'

You don't need to list the local server... I think that is your issue. Remove that and it should work.
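An added check (not from the thread or from OpenWrt) that reads both UCI files and flags the two misconfigurations discussed in this thread: a WAN resolver that is only reachable once the WireGuard tunnel is up (the chicken-or-egg case), and a dnsmasq `server` line that points a domain back at the router itself. The sample configs are constructed from the thread's files, with 192.0.2.53 as a placeholder for the redacted Mullvad resolver and `home` for the redacted local domain.

```python
import re

# Constructed samples modelled on the thread's network and dhcp files; 192.0.2.53
# stands in for the redacted Mullvad resolver, 'home' for the redacted local domain.
SAMPLE_NETWORK = """
config interface 'lan'
\toption ipaddr '192.168.1.1'
config interface 'wan'
\tlist dns '192.0.2.53'
config interface 'mullvad'
\toption proto 'wireguard'
\tlist dns '192.0.2.53'
"""
SAMPLE_DHCP = """
config dnsmasq
\toption local '/home/'
\tlist server '192.0.2.53'
\tlist server '/home/192.168.1.1'
"""

def parse_uci(text):
    """Minimal UCI reader: list of (type, name, {key: [values]}) in file order."""
    sections = []
    for raw in text.splitlines():
        m = re.match(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", raw)
        if not m:
            continue  # blank line, or something UCI itself would reject
        kind, key, value = m.groups()
        if kind == 'config':
            sections.append((key, value or '', {}))
        elif sections:
            sections[-1][2].setdefault(key, []).append(value or '')
    return sections
def wan_dns_only_reachable_via_tunnel(network):
    """WAN resolvers that are also a WireGuard interface's DNS: the chicken-and-egg case."""
    secs = parse_uci(network)
    tunnel_dns = {d for t, _, o in secs if t == 'interface'
                  and 'wireguard' in o.get('proto', []) for d in o.get('dns', [])}
    return [d for t, n, o in secs if t == 'interface' and n == 'wan'
            for d in o.get('dns', []) if d in tunnel_dns]
def self_forwarding_servers(dhcp, network):
    """dnsmasq 'server' entries that send a domain back to the router's own address."""
    own = {ip for t, _, o in parse_uci(network) if t == 'interface' for ip in o.get('ipaddr', [])}
    bad = []
    for t, _, o in parse_uci(dhcp):
        for srv in (o.get('server', []) if t == 'dnsmasq' else []):
            m = re.match(r'^/[^/]+/(\S+)$', srv)  # '/domain/ip' form only
            if m and m.group(1) in own:
                bad.append(srv)
    return bad
```

Run it against `cat /etc/config/network` and `cat /etc/config/dhcp` output; an empty list from both functions means neither of the two problems from this thread is present.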

Yes, local domain names work now after removing that line, but I still have DNS leaks on the devices routed through the tunnel.

One separate question:

What is the difference between these two lines?
Why does one have .lan appended and the other doesn't?

I was just testing to prove that it would resolve test and test2.lan properly. This shows that you can include your local domain or just leave it as hostnames only, either way it works.

Thanks for the answer, and thanks for troubleshooting this with me.

But my initial problem is still there, the DNS leak problem. Do you have an idea why this is happening?

Where is the DNS leaking? From your clients or from your router? Where is the DNS leaking to?

DNS is leaking from the devices routed through the WireGuard tunnel (Mullvad client); it is leaking to the OpenDNS servers that I added to the WAN interface. But it states my country.