[Solved] PBR with netifd question

I set up nice prioritized routing to a WG VPN using this setup.

All is working well with any external DNS resolver (e.g. 1.1.1.1), but my VPN provider's internal DNS IP 10.64.0.1 (to prevent DNS leaks) is not working -> no connectivity. Before implementing prioritized routing, the internal DNS IP had been working.

I would really appreciate advice on how to troubleshoot this; the technicalities of routing with netifd are new to me, and I am clueless where to start looking.

For completeness, I should mention I use AGH to set up DNS resolver.

Thank you.

Post your configuration redacting the private parts:

uci show network

As @vgaetera already said we need to see your network config.

But it could be that you are not routing the DNS server (10.64.0.1) via the WG tunnel.
This is an internal DNS server which only works if routed via the tunnel.

network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='lan1' 'lan2' 'lan3' 'lan4'
network.@device[0].ipv6='0'
network.lan=interface
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.delegate='0'
network.lan.ipaddr='192.168.11.1'
network.lan.device='br-lan.11'
network.lan.ip4table='1'
network.@device[1]=device
network.@device[1].name='wan'
network.@device[1].macaddr='REDACTED'
network.wan=interface
network.wan.device='wan'
network.wan.proto='dhcp'
network.wan.peerdns='0'
network.wan.dns='1.1.1.1'
network.wan.hostname='*'
network.@bridge-vlan[0]=bridge-vlan
network.@bridge-vlan[0].device='br-lan'
network.@bridge-vlan[0].vlan='11'
network.@bridge-vlan[0].ports='lan1:u*' 'lan2:u*' 'lan3:u*'
network.@bridge-vlan[1]=bridge-vlan
network.@bridge-vlan[1].device='br-lan'
network.@bridge-vlan[1].vlan='21'
network.@bridge-vlan[1].ports='lan4:u*'
network.GUEST=interface
network.GUEST.proto='static'
network.GUEST.device='br-lan.21'
network.GUEST.ipaddr='192.168.21.1'
network.GUEST.netmask='255.255.255.0'
network.GUEST.delegate='0'
network.GUEST.ip4table='2'
network.WGINTERFACE=interface
network.WGINTERFACE.proto='wireguard'
network.WGINTERFACE.private_key='REDACTED'
network.WGINTERFACE.addresses='REDACTED'
network.WGINTERFACE.force_link='1'
network.WGINTERFACE.ip4table='3'
network.@wireguard_WGINTERFACE[0]=wireguard_WGINTERFACE
network.@wireguard_WGINTERFACE[0].public_key='REDACTED'
network.@wireguard_WGINTERFACE[0].allowed_ips='0.0.0.0/0'
network.@wireguard_WGINTERFACE[0].route_allowed_ips='1'
network.@wireguard_WGINTERFACE[0].endpoint_host='REDACTED'
network.@wireguard_WGINTERFACE[0].endpoint_port='REDACTED'
network.@device[2]=device
network.@device[2].name='WGINTERFACE'
network.GUEST_wg=rule
network.GUEST_wg.in='GUEST'
network.GUEST_wg.lookup='3'
network.GUEST_wg.priority='30000'

uci -q delete network.dns_wg
uci set network.dns_wg="rule"
uci set network.dns_wg.dest="10.64.0.1/32"
uci set network.dns_wg.lookup="3"
uci set network.dns_wg.priority="30000"
uci commit network
service network restart
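
Why a rule keyed on the incoming interface is not enough here, as an added example that is not part of the thread and is not netifd's code: a minimal model of Linux policy routing, where `ip rule` entries are evaluated in priority order, each selects a table searched by longest prefix, and a table with no matching route lets the lookup fall through to the next rule. The rules and tables are the ones the posted uci config implies (lan in table 1, GUEST in table 2, the WireGuard default in table 3, the DHCP wan default in main); netifd's own automatic per-interface rules are deliberately left out, so treat it as a simplification. AdGuard Home runs on the router, so its upstream queries are router-originated and carry no LAN `iif`; the model shows those queries falling through to main (out the wan, to a private 10.x address the ISP will not route) until the `dest`-based rule sends them to table 3.

```python
# Added example (not from the thread or from netifd): a minimal model of
# Linux policy routing. Rules are evaluated by priority; each names a table
# that is searched by longest prefix; no match in that table means fall
# through to the next rule. netifd's automatic rules are NOT modelled.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

Net = ipaddress.IPv4Network


@dataclass
class Rule:
    priority: int
    lookup: str                  # table name, as in uci 'lookup'
    iif: Optional[str] = None    # incoming device, as in uci 'in'
    dest: Optional[Net] = None   # destination selector, as in uci 'dest'


@dataclass
class Route:
    prefix: Net
    dev: str


Tables = Dict[str, List[Route]]


def table_lookup(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match inside one table; None if nothing matches."""
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def route(rules: List[Rule], tables: Tables, dst: str, iif: Optional[str] = None) -> Optional[str]:
    """Return the egress device chosen for a packet to dst.

    iif is the device the packet arrived on. None models a packet generated
    on the router itself (e.g. AdGuard Home's upstream query), which can
    never match a rule keyed on a LAN device.
    """
    dst_ip = ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.iif is not None and rule.iif != iif:
            continue
        if rule.dest is not None and dst_ip not in rule.dest:
            continue
        hit = table_lookup(tables.get(rule.lookup, []), dst_ip)
        if hit is not None:
            return hit.dev
        # the selected table has no route for dst: try the next rule
    return None


def thread_scenario():
    """Rules and tables as the thread's uci config implies (simplified)."""
    tables: Tables = {
        "1": [Route(Net("192.168.11.0/24"), "br-lan.11")],  # lan, ip4table=1
        "2": [Route(Net("192.168.21.0/24"), "br-lan.21")],  # GUEST, ip4table=2
        # WGINTERFACE ip4table=3 + allowed_ips 0.0.0.0/0 + route_allowed_ips=1
        "3": [Route(Net("0.0.0.0/0"), "WGINTERFACE")],
        # wan has no ip4table, so its DHCP default route lands in main
        "main": [Route(Net("0.0.0.0/0"), "wan")],
    }
    main_rule = Rule(priority=32766, lookup="main")                 # kernel default
    guest_wg = Rule(priority=30000, lookup="3", iif="br-lan.21")   # network.GUEST_wg
    before = [guest_wg, main_rule]
    # the fix from the thread: network.dns_wg, dest=10.64.0.1/32, lookup=3
    dns_wg = Rule(priority=30000, lookup="3", dest=Net("10.64.0.1/32"))
    after = [guest_wg, dns_wg, main_rule]
    return before, after, tables


if __name__ == "__main__":
    before, after, tables = thread_scenario()
    for label, rules in (("before", before), ("after", after)):
        print(label, "router -> 10.64.0.1:", route(rules, tables, "10.64.0.1"))
        print(label, "guest  -> 10.64.0.1:", route(rules, tables, "10.64.0.1", iif="br-lan.21"))
        print(label, "router -> 1.1.1.1:  ", route(rules, tables, "1.1.1.1"))
```

On the device itself the same question is answered with iproute2 rather than a model: `ip rule show` lists the rules in priority order, `ip route show table 3` shows what the WireGuard table actually contains, and `ip route get 10.64.0.1` reports which rule and table the kernel picks for a router-originated packet to the resolver.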

Thanks a lot for the quick reply! I will try this suggestion and revert with results later.

Thank you @vgaetera! WG VPN works now as expected with this extra rule.

Just wondering, must this option be 1 in the setup above? Perhaps it can be simplified and taken out, given that each interface has a separate routing table?

It is necessary to create the default route.