Problem with DNS after power failure

I had a power failure at home and since the power was restored I have not been able to make DNS queries. I tried changing the DNS in the general settings for forwarding to 8.8.8.8, then under advanced settings for the LAN interface changing the DNS setting to 8.8.8.8, and then the same for the WAN interface, but I still had errors and I could not get DHCP to give a DNS address other than the router's own address.

I thought maybe it was changes that vpn-policy-routing made to dnsmasq, but I stopped that and disabled it and reverted the changes I made in my attempt to point DNS to 8.8.8.8, and I still have this issue.

From the router I have:

root@OpenWrt:/tmp# nslookup msn.com
;; connection timed out; no servers could be reached
root@OpenWrt:/tmp# nslookup msn.com 8.8.8.8
;; connection timed out; no servers could be reached

On a client I get:

bryan@mcmpi:/data/backups% nslookup msn.com 151.202.0.84
Server:         151.202.0.84
Address:        151.202.0.84#53

Non-authoritative answer:
Name:   msn.com
Address: 13.82.28.61

bryan@mcmpi:/data/backups% nslookup msn.com
Server:         10.192.168.1
Address:        10.192.168.1#53

** server can't find msn.com: REFUSED

bryan@mcmpi:/data/backups% host -a msn.com
Trying "msn.com"
Host msn.com not found: 5(REFUSED)
Received 25 bytes from 10.192.168.1#53 in 2 ms

I don't know if it is still helpful, but I found a post saying to run the commands below and paste the results; the results are at https://pastebin.com/0xAGyW1J

ubus call system board; uci show network; uci show dhcp; uci show firewall; \
ip address show; ip route show table all; ip rule show; iptables-save; \
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*; \
nslookup openwrt.org; nslookup openwrt.org 8.8.8.8

My next step if I don't get any suggestions from here is to restore to defaults, then reapply files from an earlier backup in a piecemeal fashion.

Thanks.


This should solve the routing issue:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/extras#dynamic_connection

Then temporarily stop the VPN to sync time over WAN.

Thanks, unfortunately that didn't solve it. I wasn't too hopeful, as my normal configuration is everything out on the WAN interface; then, using VPN policy routing, it would intercept the request and route matching hosts across the VPN. Once I removed this, I would have thought everything would have been routed across the WAN interface.

I did restore to default and that resolved the issue. I restored a bunch of my host settings and DHCP settings and it looks good. I have not reinstalled WireGuard yet.

One strange thing is that luci only shows one radio, the 5GHz one. I don't know why it is not showing the 2.4GHz entry. I don't know if that died with the power outage? I was thinking that I would upgrade from the 21.0.2 rc2 to rc4 before going too much further.

Ok, there's something screwy with my WireGuard VPN configuration. I'm not sure why; it seemed to work fine before and maybe the interface coming back up highlighted the issue. I have the credentials to the 'server' and when I use those in Windows, the VPN works fine.

On the remote server it assigns 192.168.5.11 to this VPN connection. In the Windows client, it has a place to assign this address and the DNS servers for the tunnel - I don't see this on OpenWrt, is it needed? Do I have the 192.168.5.11 IP address in the wrong place on OpenWrt (on the general settings page of the WireGuard interface)?
Ideally I want all traffic by default to go to the WAN interface. Any addresses on the 192.168.5.0 subnet would go on the WireGuard VPN tunnel. I then would use vpn-policy-routing to additionally send any specific domains across the WireGuard VPN tunnel.
With 0.0.0.0/1 as the allowed IPs, all nslookup requests fail. If I replace that with 192.168.5.0/24, nslookup works fine. On the router, if I ping the interface (192.168.5.11) it works fine. If I try to ping 192.168.5.1 I get 'ping: sendto: Operation not permitted'.

It's probably something stupid I've done, but I can't see it currently. I have firewall rules, I'm not sure all are needed ... I have a bunch of port forwards but I don't see how they would affect things. The only other thing I have done is replace dnsmasq with dnsmasq-full.

network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key='xxxxxxxxxxxxxxxxxxxxx'
network.wg0.listen_port='57913'
network.wg0.addresses='192.168.5.11'
network.wg0.auto='0'
network.@wireguard_wg0[0]=wireguard_wg0
network.@wireguard_wg0[0].description='water'
network.@wireguard_wg0[0].public_key='xxxxxxxxxxxxxxxxxxxxxxx'
network.@wireguard_wg0[0].endpoint_host='water.com'
network.@wireguard_wg0[0].endpoint_port='57914'
network.@wireguard_wg0[0].route_allowed_ips='1'
network.@wireguard_wg0[0].allowed_ips='0.0.0.0/1'



According to your explanation, it should be like this:

uci set network.wan.metric="512"
uci set network.wg0.addresses="192.168.5.11/24"
uci -q delete network.wg0.auto
uci -q delete network.wg0.listen_port
uci -q delete network.@wireguard_wg0[0].route_allowed_ips
uci -q delete network.@wireguard_wg0[0].allowed_ips
uci add_list network.@wireguard_wg0[0].allowed_ips="0.0.0.0/0"
uci commit network
/etc/init.d/network restart

Also remove the client side port openings and the client endpoint port from the server config.
If the issue persists, we will need more diagnostics and troubleshooting.

DNS can be configured on the VPN interface, but it will be round-robin with other interfaces.
And you cannot remove other DNS if you want to reach the VPN server by its domain name.
See DNS forwarding in the wiki as the simplest method to enable split-DNS.

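As an added example (not code from the thread, and not part of OpenWrt or netifd), the following POSIX shell script turns the reply above into a repeatable check: it reads a `uci show network` dump for a WireGuard client interface, flags the settings the reply changed (an address without a prefix length, a `listen_port` on the client side, `auto='0'`, a half-range `allowed_ips` such as `0.0.0.0/1`, and `route_allowed_ips='1'` combined with a default-covering range, which installs routes through the tunnel even though the goal is WAN by default), and prints the matching `uci` commands. The sample dump is constructed from the configuration posted earlier with the keys replaced by placeholders; the finding names, the `/24` prefix and the function names are this example's own assumptions, and the printed commands are meant to be reviewed before they are run on a router.

```shell
#!/bin/sh
# Constructed sample: a WireGuard client section in `uci show network` form,
# shaped like the config posted in the thread, with key material replaced.
sample_uci() {
cat <<'EOF'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key='PLACEHOLDER_PRIVATE_KEY'
network.wg0.listen_port='57913'
network.wg0.addresses='192.168.5.11'
network.wg0.auto='0'
network.@wireguard_wg0[0]=wireguard_wg0
network.@wireguard_wg0[0].description='water'
network.@wireguard_wg0[0].public_key='PLACEHOLDER_PUBLIC_KEY'
network.@wireguard_wg0[0].endpoint_host='water.com'
network.@wireguard_wg0[0].endpoint_port='57914'
network.@wireguard_wg0[0].route_allowed_ips='1'
network.@wireguard_wg0[0].allowed_ips='0.0.0.0/1'
EOF
}

# uci_get DUMP KEY: print KEY's value from DUMP with the quotes stripped
# (exact key match, so '@', '[' and '.' in UCI keys need no escaping).
uci_get() {
  printf '%s\n' "$1" | awk -F= -v key="$2" -v q="'" '
    $1 == key { v = substr($0, length(key) + 2); gsub("^" q "|" q "$", "", v); print v; exit }'
}

# lint_wg_client DUMP IFACE: one finding code per line; returns 1 if any found.
lint_wg_client() {
  dump=$1; ifc=$2; peer="network.@wireguard_${ifc}[0]"; n=0
  addr=$(uci_get "$dump" "network.$ifc.addresses")
  case "$addr" in
    */*) ;;                                     # has a prefix length, fine
    *) echo "ADDR_NO_PREFIX $addr"; n=$((n + 1)) ;;
  esac
  if [ -n "$(uci_get "$dump" "network.$ifc.listen_port")" ]; then
    echo "CLIENT_LISTEN_PORT"; n=$((n + 1))     # a client does not need to listen
  fi
  if [ "$(uci_get "$dump" "network.$ifc.auto")" = "0" ]; then
    echo "IFACE_AUTO_OFF"; n=$((n + 1))         # interface not brought up at boot
  fi
  allowed=$(uci_get "$dump" "$peer.allowed_ips")
  case "$allowed" in
    0.0.0.0/1|128.0.0.0/1)                      # only half of IPv4 is accepted
      echo "HALF_RANGE_ALLOWED_IPS $allowed"; n=$((n + 1)) ;;
  esac
  if [ "$(uci_get "$dump" "$peer.route_allowed_ips")" = "1" ]; then
    case "$allowed" in                          # routes for these go via the tunnel
      0.0.0.0/0|0.0.0.0/1|128.0.0.0/1) echo "ROUTE_ALLOWED_IPS_DEFAULT"; n=$((n + 1)) ;;
    esac
  fi
  [ "$n" -eq 0 ]
}

# fix_commands IFACE: read finding codes on stdin, print the uci commands
# from the reply above that address each one (the /24 prefix is assumed).
fix_commands() {
  ifc=$1; peer="network.@wireguard_${ifc}[0]"
  while read -r code arg; do
    case "$code" in
      ADDR_NO_PREFIX)     echo "uci set network.$ifc.addresses=\"$arg/24\"" ;;
      CLIENT_LISTEN_PORT) echo "uci -q delete network.$ifc.listen_port" ;;
      IFACE_AUTO_OFF)     echo "uci -q delete network.$ifc.auto" ;;
      HALF_RANGE_ALLOWED_IPS)
        echo "uci -q delete $peer.allowed_ips"
        echo "uci add_list $peer.allowed_ips=\"0.0.0.0/0\"" ;;
      ROUTE_ALLOWED_IPS_DEFAULT) echo "uci -q delete $peer.route_allowed_ips" ;;
    esac
  done
  echo "uci commit network"
}

# Stand-alone run over the constructed sample: findings, then the fix commands.
findings=$(lint_wg_client "$(sample_uci)" wg0) || true
printf '%s\n' "$findings"
printf '%s\n' "$findings" | fix_commands wg0
```

On a router the dump would come from `uci show network` instead of `sample_uci`; the script only reads the dump and prints commands, it does not change the configuration itself.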

Thanks, this fixed it. Now I need to go back and try to understand why :slightly_smiling_face:

