Openwrt Wireguard Server (road warrior setup) force clients to use DNS

Hello,

I'm having trouble with a road warrior setup with OpenWrt + WireGuard. I am successfully able to handshake and connect to the WireGuard server that is set up on my OpenWrt router via my cell phone. The DNS leak test shows my OpenWrt router's IP address. Internet works fine... however, the DNS server specified in the WireGuard interface settings is being ignored.

How do I force the Wireguard clients to use the unbound/adblock DNS server on my openwrt router? Once again I have 'Use DNS servers advertised by peer' unchecked and specify my router's local ip address (192.168.1.1) under Wireguard interface settings.

If I try to manually add the DNS server on the wireguard client app it doesn't work and no DNS queries process. Is this because of the local IP address I'm trying to use (192.168.1.1)? I have DDNS setup but it will not take a host name for DNS and only IP address.

Your help is much appreciated,
Johnny

Welcome to the community!

This is configured on the client (not the OpenWrt), correct?

Specify that in the client config.

2 Likes

Thank you for the welcome!

I'm trying to force DNS via the Network -> Interface section in my openwrt router:

The way I have my home network is that all traffic is hijacked at port 53 and forced through unbound/adblock. I would like to have this same capability when I VPN via wireguard on my cell phone/laptop at a location that is not home.

Is there not a way for the Wireguard Server to force clients, meaning the clients are able to get around any dns filtering they want?

OK, I see. That doesn't "force DNS" - it merely says what DNS should be used when the router has a SRC IP of the WG interface.

Did you mean "not get around any DNS filtering"?

If so, see:

Unless you're concerned the clients will subsequently change the DNS setting - just properly specifying the desired DNS server in the client's WireGuard config will work too.

1 Like

Basically, what I'm trying to accomplish is this.

The way my openwrt router is setup on my home LAN is perfect. I have unbound/adblock setup to filter ads/junk I don't want to see.

Now I installed Wireguard Server on my openwrt router. I want to be able to have peers that can connect to my home LAN for a 'road warrior' setup, have full internet access and act as a VPN proxy. I was able to setup Wireguard and it is working except...

I want the wireguard peers to be treated just like if they were using the internet on my home LAN, meaning all internet is routed through unbound/adblock. Currently I've not been able to do that. If I set the wireguard server interface settings to use my openwrt router IP as DNS it does NO filtering. If I set the wireguard client settings on my phone to use my openwrt router IP as DNS, it breaks the internet and is not able to query DNS.

My goal is that all peer WireGuard traffic is forced to use local port 53 on my OpenWrt router, therefore using unbound/adblock. If my peers specify a different DNS, say 1.1.1.1, I would like my router to hijack that and use my unbound/adblock DNS setup.

  • Setting the IP of the WG interface on the client doesn't accomplish this?
  • Have you allowed port 53/udp on the firewall from the Wireguard interface?

The DNS Hijack link will do this part.

Setting the DNS IP in the WireGuard client app (on my cell) configuration breaks DNS queries and is not the solution I'm looking for. I want DNS to be hijacked and routed through my OpenWrt router's port 53 unbound/adblock setup.

Do you have any examples of how I could DNS hijack my WireGuard interface to use my OpenWrt router's port 53?

Thanks for your help

You mean in addition to the one available at the link above?

# add to /etc/config/firewall

config redirect
        option target 'DNAT'
        option src 'vpn'
        option proto 'tcp udp'
        option src_dport '53'
        option name 'Intercept-DNS'

(I wrote this from the command line version found on the Wiki at: https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns#web_interface_instructions and also from threads found here: https://forum.openwrt.org/search?q=dns%20hijacking%20order%3Alatest)

1 Like

Thanks for the help. I tried adding that to the firewall config, it didn't work. Wireguard_VPN is already assigned to the LAN zone. I have these rules also already in the firewall section:

config redirect 'adblock_lan53'
        option name 'Adblock DNS (lan, 53)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'
        option family 'any'

config redirect 'adblock_wan53'
        option name 'Adblock DNS (wan, 53)'
        option src 'wan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'
        option family 'any'

It works for my home LAN but doesn't work when connected to the WG VPN.

@trendy @psherman @vgaetera - Do you have any ideas?

My only suggestions would be to:

  • :spiral_notepad: Make sure the rule is placed above the ones you listed
  • Make sure you change zone to lan
  • Add the following to the rule option src_ip 'xxx.xxx.xxx.0/yy' Where the CIDR is the SRC range of the Wireguard clients - the IP range you assigned to this interface

Can you provide the output of the following commands and post it here using the "Preformatted text </> " button.

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

Can we get the peer config of the road warrior client as well?

1 Like

cat /etc/config/network

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ipv6 '0'
        option device 'br-lan'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth1'
        option ipv6 '0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'wg_lan'
        option proto 'wireguard'
        option private_key '*****'
        option listen_port '51820'
        list addresses '10.0.5.1/24'
        option mtu '1420'
        option peerdns '0'
        list dns '192.168.1.1'

config wireguard_wg_lan
        option description 'user1'
        list allowed_ips '10.0.5.2/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option public_key '*****'
        option private_key '*****'

cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option fullcone '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg_lan'

config zone 'wan'
        option name 'wan'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config include 'bcp38'
        option type 'script'
        option path '/usr/lib/bcp38/run.sh'

config include
        option path '/etc/firewall.fail2ban'
        option enabled '1'
        option reload '1'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'

config redirect 'adblock_lan53'
        option name 'Adblock DNS (lan, 53)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'
        option family 'any'

config redirect 'adblock_wan53'
        option name 'Adblock DNS (wan, 53)'
        option src 'wan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'
        option family 'any'

config rule 'wg'
        option name 'Allow-WireGuard-lan'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

[Interface]
Address = 10.0.5.2/32
ListenPort = 51820
PrivateKey = *****
PublicKey = *****
DNS = 192.168.1.1

[Peer]
PublicKey = ******
PersistentKeepalive = 25
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = ex.mydomain.com:51820

What is the output of uci show dhcp.lan?

uci show dhcp.lan
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcp_option='option:dns-server,0.0.0.0'

This is wrong.
Post also uci show dhcp as there may be more mistakes in there.

2 Likes

uci show dhcp
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].noresolv='1'
dhcp.@dnsmasq[0].port='1053'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].ednspacket_max='1232'
dhcp.@dnsmasq[0].address='/router/192.168.1.1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcp_option='option:dns-server,0.0.0.0'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'

uci set dhcp.@dnsmasq[0].localservice='0'
uci set dhcp.@dnsmasq[0].port='53'
uci del dhcp.lan.dhcp_option
uci commit dhcp
service dnsmasq restart

2 Likes

How will this affect WireGuard?

With localservice you allow queries only from 192.168.1.0/24 and the listening port was wrong. Also the dhcp option is wrong.

2 Likes
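As an added example (not code from this thread or from OpenWrt), a small Python checker that parses `uci show dhcp` and `uci show firewall` output and reports the three dhcp mistakes pointed out above, plus a missing port-53 DNAT redirect for the zone that holds the WireGuard interface. The sample dumps, the interface name wg_lan and the 10.0.5.0/24 and 192.168.1.0/24 ranges are taken from this thread; the localservice check follows the explanation above that localservice=1 limits queries to the LAN subnet.

```python
"""Added checker (not OpenWrt tooling): flag the DNS-hijack pitfalls found in this thread."""
import ipaddress

def parse_uci_show(text):
    """'cfg.section.option=<v1> <v2>' -> {section: {option: [values]}}; '.type' is the section type."""
    cfg = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, val = line.strip().partition("=")
        parts = key.split(".", 2)
        values = val.replace("' '", "\x00").strip("'").split("\x00")  # list values are quoted, space-separated
        if len(parts) == 2:                                   # e.g. dhcp.lan=dhcp
            cfg.setdefault(parts[1], {})[".type"] = values
        elif len(parts) == 3:
            cfg.setdefault(parts[1], {})[parts[2]] = values
    return cfg

def check_dns_hijack(dhcp_text, fw_text, wg_iface="wg_lan",
                     wg_cidr="10.0.5.0/24", lan_cidr="192.168.1.0/24"):
    """Return a list of findings; an empty list means the config matches the thread's fixes."""
    dhcp, fw = parse_uci_show(dhcp_text), parse_uci_show(fw_text)
    wg_net, lan_net = ipaddress.ip_network(wg_cidr), ipaddress.ip_network(lan_cidr)
    findings = []
    dm = dhcp.get("@dnsmasq[0]", {})
    if dm.get("port", ["53"])[0] != "53":
        findings.append("dnsmasq port is %s, so a redirect to :53 reaches nothing" % dm["port"][0])
    if dm.get("localservice", ["1"])[0] == "1" and not wg_net.subnet_of(lan_net):  # per the thread's advice
        findings.append("localservice=1 limits queries to local subnets; %s is outside %s" % (wg_net, lan_net))
    for name, sec in dhcp.items():
        if any("dns-server,0.0.0.0" in o for o in sec.get("dhcp_option", [])):
            findings.append("dhcp.%s advertises 0.0.0.0 as the DNS server" % name)
    # A port-53 DNAT redirect must exist for a zone whose network list contains the WG interface.
    wg_zones = {s["name"][0] for s in fw.values()
                if s.get(".type") == ["zone"] and wg_iface in s.get("network", [])}
    if not any(s.get(".type") == ["redirect"] and s.get("target") == ["DNAT"]
               and s.get("src_dport") == ["53"] and s.get("src", [""])[0] in wg_zones
               for s in fw.values()):
        findings.append("no DNAT redirect for dport 53 from a zone containing %s" % wg_iface)
    return findings

# Constructed samples: the dhcp dump posted in this thread (before/after the uci commands) and a minimal firewall dump.
DHCP_BEFORE = ("dhcp.@dnsmasq[0]=dnsmasq\ndhcp.@dnsmasq[0].localservice='1'\n"
               "dhcp.@dnsmasq[0].port='1053'\ndhcp.lan=dhcp\n"
               "dhcp.lan.dhcp_option='option:dns-server,0.0.0.0'")
DHCP_AFTER = ("dhcp.@dnsmasq[0]=dnsmasq\ndhcp.@dnsmasq[0].localservice='0'\n"
              "dhcp.@dnsmasq[0].port='53'\ndhcp.lan=dhcp")
FIREWALL = ("firewall.lan=zone\nfirewall.lan.name='lan'\nfirewall.lan.network='lan' 'wg_lan'\n"
            "firewall.adblock_lan53=redirect\nfirewall.adblock_lan53.src='lan'\n"
            "firewall.adblock_lan53.src_dport='53'\nfirewall.adblock_lan53.target='DNAT'")
```

Run `check_dns_hijack(DHCP_BEFORE, FIREWALL)` to see the three findings for the posted config; the same call with `DHCP_AFTER` returns an empty list.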

Thanks for your explanation. I will give it a try.

config dhcp 'lan'
  # dnsmasq may not issue DNS option if not std. configuration
  list dhcp_option 'option:dns-server,0.0.0.0'
  ...

This setting comes from unbound's readme: