[Solved] Issues with Setting Up Custom DNS Server with WireGuard VPN Tunnel on OpenWRT

Hello everyone,

I am experiencing some problems while attempting to set up a "Custom DNS" server in combination with a WireGuard VPN tunnel. I have followed the guide provided by MullVad, which can be found here: Link to the guide.

My goal is to have a setup where I can use OpenDNS for content filtering (to avoid loading the device RAM too much with adblock) and utilize OpenWRT's luci-app-adblock as a small additional DNS adblocker. Here's the configuration I have tried so far:

  1. Setting "Use custom DNS servers" to OpenDNS (208.67.220.220 & 208.67.222.222) under Interfaces » wan » Advanced Settings.
  2. Setting "Use custom DNS servers" to OpenDNS (208.67.220.220 & 208.67.222.222) under Interfaces » WireGuard » Advanced Settings.
  3. Setting "Use custom DNS servers" to OpenDNS (208.67.220.220 & 208.67.222.222) under Interfaces » lan » Advanced Settings.
  4. Setting "DNS forwardings" to OpenDNS (208.67.220.220 & 208.67.222.222) under Network » DHCP and DNS.

With these configurations, I intended to have DNS requests from devices on the network first go to 192.168.98.1 (which is OpenWRT's own IP address, hosting its built-in DNS server with Adblock). From there, the OpenWRT router should forward the requests to OpenDNS outside of the WireGuard tunnel. However, I have encountered a problem: the DNS requests always get tunneled through the WireGuard tunnel to the Mullvad DNS, instead of being forwarded to OpenDNS.

I have verified that the enforcement of the 192.168.97.1 DNS is functioning correctly, as the Adblock application is working as intended. The issue lies in the forwarding of DNS requests to OpenDNS outside of the WireGuard tunnel.

I would appreciate any insights or suggestions on how to resolve this problem. Ideally, I would like the DNS requests from devices on the network to be sent to 192.168.98.1, the OpenWRT router's built-in DNS server with Adblock, and then forwarded to OpenDNS.

Thank you in advance for your help!

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.

ubus call system board; \
uci export network; \
uci export dhcp; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

Of course, here is the requested information:

root@Hydra:~# ubus call system board;
{
	"kernel": "5.10.176",
	"hostname": "Hydra",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "TP-Link Archer C7 v4",
	"board_name": "tplink,archer-c7-v4",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.5",
		"revision": "r20134-5f15225c1e",
		"target": "ath79/generic",
		"description": "OpenWrt 22.03.5 r20134-5f15225c1e"
	}
}
root@Hydra:~# uci export network;
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd3b:c7f8:4524::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.97.1'
	option delegate '0'
	list dns '208.67.220.220'
	list dns '208.67.222.222'

config device
	option name 'eth0.2'
	option macaddr '70:4f:57:15:57:e9'
	option ipv6 '0'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option peerdns '0'
	option delegate '0'
	list dns '208.67.220.220'
	list dns '208.67.222.222'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config interface 'ZeroTier'
	option proto 'none'
	option device 'ztugawgjal'

config interface 'WireGuard'
	option proto 'wireguard'
	option private_key '8DSkZXt3jl+Zu2pOfLc+n4iI9K34exuKfNoF7ix6O38='
	list addresses '10.65.224.132/32'
	option force_link '1'
	option delegate '0'
	list dns '208.67.220.220'
	list dns '208.67.222.222'

config wireguard_WireGuard
	option description 'nl-ams-wg-001'
	option public_key '=Redacted='
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host '193.32.249.66'
	option endpoint_port '51820'

config device
	option name 'WireGuard'
	option ipv6 '0'
root@Hydra:~# uci export dhcp;
package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'
	list server '208.67.220.220'
	list server '208.67.222.222'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
root@Hydra:~# ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
lrwxrwxrwx    1 root     root            16 Apr 27 22:28 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 May 17 15:29 /tmp/resolv.conf
-rw-r--r--    1 root     root           210 May 17 15:29 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root           210 May 17 15:29 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface WireGuard
nameserver 208.67.220.220
nameserver 208.67.222.222
# Interface lan
nameserver 208.67.220.220
nameserver 208.67.222.222
# Interface wan
nameserver 208.67.220.220
nameserver 208.67.222.222

Might also be interesting to see:
ls -l /tmp/etc/dnsmasq.conf.* | head -n -0 /tmp/etc/dnsmasq.conf.*

To have a look where the DNS forwarding goes, I think that is hardcoded as server= ?

At least there is no doubt of what DNS forwarders you want to use :slight_smile:

I think Mullvad is hijacking your DNS if that is going through the tunnel (to protect you)

So maybe just make a static route for the OpenDNS servers out via the WAN?

Currently I'm away from the computer, had to bring my daughter to swimming lessons.
I'll run that command as well when I get home again in about half an hour.
How would you set up this static routing for OpenDNS?
I've never worked with that before.

Been there, done that :slight_smile:

I am just a beginner; @trendy is the more knowledgeable one, so wait till he chimes in.

But setting a static route is easy and can be done with Luci. Network>Routing>Static IPv4 routes
But just wait for @trendy


So far there is no sign of any Mullvad dns in your configuration, so it is more likely that Mullvad is hijacking them.
As a sidenote you don't need the OpenDNS servers in lan interface or in the server section of the dnsmasq. We add them in the interface where they are reachable.
For the static routes you can go to the Luci and add it. Fill in target, interface, and gateway.

@jjdekroon just as a sidenote, you should regenerate your wireguard private key, you forgot to redact it in your configs above.

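The static route suggested in the replies above, as an added example that is not the thread's own code: an OpenWrt shell script that pins the two OpenDNS forwarders to the wan interface with /32 routes, drops the duplicate forwarder entries from lan and dnsmasq as advised, and checks which device the kernel would use to reach them. It assumes the wan device eth0.2 from the config above, a WAN_GW variable holding the ISP gateway (not on the page), and that setting UCI=echo turns every uci call into a printed dry run.

```shell
#!/bin/sh
# Added example, not from the thread: route the OpenDNS forwarders out of the
# wan interface so dnsmasq's upstream queries leave via the ISP link instead of
# the WireGuard tunnel (allowed_ips 0.0.0.0/0 makes the tunnel the default route).
# Assumes OpenWrt 22.03 UCI and the 'wan' / eth0.2 interface from the thread.
# WAN_GW is the ISP gateway (placeholder; read it from 'ip route show default').
# UCI=echo makes every call a dry run that only prints the uci command.
UCI="${UCI:-uci}"
FORWARDERS="208.67.220.220 208.67.222.222"

# Add one /32 static route for a forwarder via the wan interface and gateway.
add_dns_route() {
    host="$1"; gw="$2"
    "$UCI" add network route >/dev/null
    "$UCI" set network.@route[-1].interface='wan'
    "$UCI" set network.@route[-1].target="$host/32"
    "$UCI" set network.@route[-1].gateway="$gw"
}

# As advised above: the forwarders belong only on the interface where they are
# reachable (wan), not on lan and not as dnsmasq 'server' entries.
strip_duplicate_forwarders() {
    "$UCI" -q delete network.lan.dns
    "$UCI" -q delete dhcp.@dnsmasq[0].server
}

# Verify that a forwarder is reached through eth0.2 (the wan device) rather than
# the WireGuard device. Returns 0 when the kernel's route lookup agrees.
egress_is_wan() {
    ip route get "$1" 2>/dev/null | grep -q ' dev eth0.2 '
}

case "${1:-}" in
  apply)
    gw="${WAN_GW:?set WAN_GW to the ISP gateway address}"
    strip_duplicate_forwarders
    for h in $FORWARDERS; do add_dns_route "$h" "$gw"; done
    "$UCI" commit network && "$UCI" commit dhcp
    /etc/init.d/network reload && /etc/init.d/dnsmasq restart
    for h in $FORWARDERS; do
        egress_is_wan "$h" && echo "$h leaves via wan" || echo "$h NOT via wan"
    done
    ;;
esac
```

Run it as `WAN_GW=<isp gateway> sh dns-route.sh apply`; with `UCI=echo` prepended it only prints the uci changes it would make.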

@dkay,

Whoops indeed, stupid mistake.
When @egc was talking about DNS Hijacking I searched it some more.
Indeed MullVad is normally hijacking DNS and tunnelling its traffic through MullVad.
In the MullVad app on Android you have the option to use custom DNS if you want to.
This is where I found the following article: Use Custom DNS Servers With Mullvad And Any WireGuard Client
I'm going to try this, and report back my results.
I'll have to re-setup the WireGuard interface anyhow, so I'll generate a new private key in the process.

The guide which I found in the post above seems to do the trick :grinning:
