I'm having trouble with a road warrior setup with OpenWrt + WireGuard. I am successfully able to handshake and connect to the WireGuard server that is set up on the OpenWrt router via my cell phone. DNS leak test shows my OpenWrt router's IP address. Internet works fine. However, the DNS server specified in the WireGuard interface settings is being ignored.
How do I force the Wireguard clients to use the unbound/adblock DNS server on my openwrt router? Once again I have 'Use DNS servers advertised by peer' unchecked and specify my router's local ip address (192.168.1.1) under Wireguard interface settings.
If I try to manually add the DNS server on the WireGuard client app it doesn't work and no DNS queries process. Is this because of the local IP address I'm trying to use (192.168.1.1)? I have DDNS set up but it will not take a host name for DNS, only an IP address.
The way I have my home network is that all traffic is hijacked at port 53 and forced through unbound/adblock. I would like to have this same capability when I VPN via wireguard on my cell phone/laptop at a location that is not home.
Is there not a way for the WireGuard server to force clients, meaning the clients are able to get around any DNS filtering they want?
OK, I see. That doesn't "force DNS" - it merely says what DNS should be used when the router has a SRC IP of the WG interface.
Did you mean "not get around any DNS filtering"?
If so, see:
Unless you're concerned the clients will subsequently change the DNS setting, just properly specifying the desired DNS server on the client's WireGuard config will work too.
The way my OpenWrt router is set up on my home LAN is perfect. I have unbound/adblock set up to filter ads/junk I don't want to see.
Now I installed WireGuard server on my OpenWrt router. I want to be able to have peers that can connect to my home LAN for a 'road warrior' setup, have full internet access and act as a VPN proxy. I was able to set up WireGuard and it is working except...
I want the wireguard peers to be treated just like if they were using the internet on my home LAN, meaning all internet is routed through unbound/adblock. Currently I've not been able to do that. If I set the wireguard server interface settings to use my openwrt router IP as DNS it does NO filtering. If I set the wireguard client settings on my phone to use my openwrt router IP as DNS, it breaks the internet and is not able to query DNS.
My goal is that all peer WireGuard traffic is forced to use local port 53 on my OpenWrt router, therefore using unbound/adblock. If my peers specify a different DNS, say 1.1.1.1, I would like my router to hijack that and use my unbound/adblock DNS setup.
Setting the DNS IP in the WireGuard client app (on my cell) configuration breaks DNS queries and is not the solution I'm looking for. I want DNS to be hijacked and routed through my OpenWrt router's port 53 unbound/adblock setup.
Do you have any examples of how I could DNS hijack my WireGuard interface to use my OpenWrt router's port 53?
Thanks for the help. I tried adding that to the firewall config, it didn't work. Wireguard_VPN is already assigned to the LAN zone. I have these rules also already in the firewall section:
config redirect 'adblock_lan53'
	option name 'Adblock DNS (lan, 53)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option family 'any'

config redirect 'adblock_wan53'
	option name 'Adblock DNS (wan, 53)'
	option src 'wan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option family 'any'
It works for my home LAN but doesn't work when connected to the WG VPN.
Make sure the rule is placed above the ones you listed.
Make sure you change the zone to lan.
Add the following to the rule:
option src_ip 'xxx.xxx.xxx.0/yy'
where the CIDR is the SRC range of the WireGuard clients, i.e. the IP range you assigned to this interface.