[SOLVED] WireGuard and DNS leaks

I think that I have a problem with an incorrect configuration of the firewall, because with any changes to DNS in the LAN or DHCP section I do not get the result that I need.
DNS traffic is bypassing the VPN server.

/etc/config/firewall


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'WGZONE'
	option network 'WGINTERFACE'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option dest 'WGZONE'
	option src 'lan'

Firewall settings aren't needed (/etc/config/network and /etc/config/dhcp maybe):

  • What DNS settings are you giving to your clients?
  • Have you verified that there is a route for those DNS servers' IPs over the tunnel?
  • Have you made sure that your WAN DNS servers aren't on the upstream subnet (if so, you'll need to use custom DNS servers on WAN)?
2 Likes

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	list server '10.64.0.1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	list dhcp_option '6,10.64.0.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Any: the WireGuard DNS server, Google DNS (if I add Google, it is visible together with my ISP's DNS).

I do not know how to check

I do not know how to check it, but if I add a custom Google DNS, it seems to solve the problem. But if I want to use only the VPN DNS server, what should I do?
If I add an external VPN DNS server, there is no internet.

And further, can I do it with iptables?
If I add these iptables rules, I see the DNS identical to the tunnel:

iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A OUTPUT -p tcp --dport 53 -j REDIRECT --to-ports 53

And which rule is more correct, OUTPUT or PREROUTING?

The iptables rules are not needed (and are basically doing nothing).

According to the configuration, you are passing 10.64.0.1 to the clients as the nameserver. Is that what you want to do?
You could also not pass any nameserver via DHCP, let dnsmasq act as the proxy nameserver for the LAN, and add an option dns '10.64.0.1' in the lan interface.

Post also the output of route -n

2 Likes

Yes it is

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 WGINTERFACE
185.44.100.102  192.168.100.1   255.255.255.255 UGH   0      0        0 eth0.1
192.168.99.0    0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0.1
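As an added example (not code from this thread or from OpenWrt), the script below performs the checks asked for above in one place: which resolvers the LAN clients are given via DHCP option 6, which resolvers dnsmasq on the router itself forwards to, and, from the posted `route -n` table, which interface each of those resolvers is reached over. It uses the posted routing table and an excerpt of the posted /etc/config/dhcp; the /etc/config/network stanza with `option dns '10.64.0.1'` is constructed to reflect the suggestion above, and the resolver 192.168.100.1 is assumed purely as an example of an ISP DNS that sits on the upstream subnet and therefore never enters the tunnel.

```python
"""Added example: pre-flight checks for "DNS bypasses the WireGuard tunnel".
Parses `route -n` plus UCI config text and reports, per resolver, the egress
interface. Not OpenWrt's own code; sample inputs are posted or constructed."""
import ipaddress

# Posted in the thread: the router's IPv4 routing table (`route -n`).
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 WGINTERFACE
185.44.100.102  192.168.100.1   255.255.255.255 UGH   0      0        0 eth0.1
192.168.99.0    0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0.1
"""

# Excerpt of the posted /etc/config/dhcp (only the DNS-relevant lines).
DHCP_CONFIG = """\
config dnsmasq
	option localservice '1'
	list server '10.64.0.1'

config dhcp 'lan'
	option interface 'lan'
	list dhcp_option '6,10.64.0.1'
"""

# Constructed (assumption): lan stanza of /etc/config/network after adding
# the suggested `option dns '10.64.0.1'` so dnsmasq forwards to the tunnel DNS.
NETWORK_CONFIG = """\
config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.99.1'
	option netmask '255.255.255.0'
	option dns '10.64.0.1'
"""

TUNNEL_IFACE = "WGINTERFACE"
# Constructed (assumption): an ISP resolver living on the upstream WAN subnet.
ISP_DNS_ON_WAN_SUBNET = "192.168.100.1"


def parse_uci(text):
    """Minimal UCI parser: list of {'type','name','options'}; every option and
    list value is stored as a list of strings."""
    sections, cur = [], None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "config":
            cur = {"type": parts[1],
                   "name": parts[2].strip("'") if len(parts) > 2 else None,
                   "options": {}}
            sections.append(cur)
        elif parts[0] in ("option", "list") and cur is not None:
            value = raw.split(None, 2)[2].strip().strip("'")
            cur["options"].setdefault(parts[1], []).append(value)
    return sections


def parse_routes(text):
    """Turn `route -n` output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 8 and parts[0][0].isdigit():
            dest, gw, mask, _flags, _metric, _ref, _use, iface = parts
            routes.append((ipaddress.IPv4Network(f"{dest}/{mask}"), gw, iface))
    return routes


def egress_interface(routes, ip):
    """Longest-prefix match: the interface a packet to `ip` leaves on."""
    addr = ipaddress.IPv4Address(ip)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best[2] if best else None


def client_dns_servers(dhcp_sections):
    """Resolvers pushed to LAN clients via DHCP option 6 (empty = the router)."""
    servers = []
    for s in dhcp_sections:
        if s["type"] != "dhcp":
            continue
        for opt in s["options"].get("dhcp_option", []):
            code, _, rest = opt.partition(",")
            if code.strip() == "6":
                servers += [v.strip() for v in rest.split(",") if v.strip()]
    return servers


def router_upstreams(dhcp_sections, network_sections):
    """Resolvers dnsmasq forwards to: `list server` and per-interface `dns`."""
    ups = []
    for s in dhcp_sections:
        if s["type"] == "dnsmasq":
            ups += s["options"].get("server", [])
    for s in network_sections:
        if s["type"] == "interface":
            for v in s["options"].get("dns", []):
                ups += v.split()  # `option dns` may hold a space-separated list
    return ups


def dns_path_report(route_text, dhcp_text, network_text, tunnel_iface, extra=()):
    """Map each resolver in play to (egress interface, reached via tunnel?)."""
    routes = parse_routes(route_text)
    dhcp, net = parse_uci(dhcp_text), parse_uci(network_text)
    candidates = client_dns_servers(dhcp) + router_upstreams(dhcp, net) + list(extra)
    report = {}
    for server in dict.fromkeys(candidates):  # de-duplicate, keep order
        iface = egress_interface(routes, server)
        report[server] = (iface, iface == tunnel_iface)
    return report


if __name__ == "__main__":
    rep = dns_path_report(ROUTE_N, DHCP_CONFIG, NETWORK_CONFIG, TUNNEL_IFACE,
                          extra=[ISP_DNS_ON_WAN_SUBNET])
    for server, (iface, ok) in rep.items():
        print(f"{server:16} via {iface:12} {'tunnel' if ok else 'BYPASSES tunnel'}")
```

Run it on a router by pasting the real `route -n` output and the real config files into the constants; any resolver reported as bypassing the tunnel is one that a client or the router can still reach over the WAN, which is exactly what a DNS leak test will show.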

Alright, do a traceroute or tracepath from the router and from a host connected on the LAN towards the nameserver and some other address, e.g. 8.8.8.8.

~# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 byte packets
 1  10.64.0.1 (10.64.0.1)  44.903 ms  45.042 ms  44.783 ms
 2  185.62.204.1 (185.62.204.1)  46.003 ms  47.903 ms  46.763 ms
 3  te5-8.fra1-b1.core.citynetwork.se (86.107.242.208)  44.803 ms  43.643 ms  44.782 ms
 4  te-5-16.fra1-02.core.citynetwork.se (86.107.242.199)  57.024 ms  63.483 ms  46.242 ms
 5  te-5-7.sto2-02.core.citynetwork.se (91.123.207.54)  74.465 ms  74.064 ms  74.144 ms
 6  as15169-10g-sk1.sthix.net (192.121.80.47)  74.824 ms  75.645 ms  75.284 ms
 7  108.170.254.33 (108.170.254.33)  76.324 ms  108.170.253.161 (108.170.253.161)  76.565 ms  108.170.254.49 (108.170.254.49)  76.985 ms
 8  66.249.95.235 (66.249.95.235)  75.464 ms  216.239.48.1 (216.239.48.1)  75.384 ms  74.464 ms
 9  google-public-dns-a.google.com (8.8.8.8)  74.644 ms  75.164 ms  75.124 ms

It is correct, so what is the problem?

My problem is that on dnsleaktest.com the DNS of my ISP is visible, obviously.

It is not obvious from what you have posted here, so run all the tests I asked you for, not just one out of four.
Also verify the nameserver that your PC is using: nslookup www.google.com

I apologize for being rude.
I'm at a loss; there are DNS leaks on the Android tablet and the PC.

root@OpenWrt:~# traceroute 10.64.0.1
traceroute to 10.64.0.1 (10.64.0.1), 30 hops max, 38 byte packets
 1  10.64.0.1 (10.64.0.1)  44.721 ms  44.601 ms  48.342 ms

PC on the LAN:

kris@pc:~$ traceroute 10.64.0.1
traceroute to 10.64.0.1 (10.64.0.1), 30 hops max, 60 byte packets
 1  OpenWrt.lan (192.168.99.1)  0.523 ms  0.534 ms  0.671 ms
 2  10.64.0.1 (10.64.0.1)  45.753 ms  46.303 ms  46.533 ms
kris@pc:~$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  OpenWrt.lan (192.168.99.1)  0.487 ms  0.540 ms  0.565 ms
 2  10.64.0.1 (10.64.0.1)  47.151 ms  47.191 ms  47.402 ms
 3  185.62.204.1 (185.62.204.1)  48.394 ms  48.399 ms  52.361 ms
 4  te5-8.fra1-b1.core.citynetwork.se (86.107.242.208)  47.295 ms  47.396 ms  47.471 ms
 5  te-5-16.fra1-02.core.citynetwork.se (86.107.242.199)  84.973 ms  84.987 ms  85.029 ms
 6  te-5-7.sto2-02.core.citynetwork.se (91.123.207.54)  76.896 ms  74.672 ms  74.789 ms
 7  as15169-10g-sk1.sthix.net (192.121.80.47)  75.560 ms  75.641 ms  75.662 ms
 8  108.170.254.49 (108.170.254.49)  76.990 ms 108.170.253.161 (108.170.253.161)  77.290 ms 108.170.254.33 (108.170.254.33)  77.351 ms
 9  216.239.58.37 (216.239.58.37)  76.898 ms 74.125.37.129 (74.125.37.129)  76.937 ms 216.239.58.43 (216.239.58.43)  77.287 ms
10  google-public-dns-a.google.com (8.8.8.8)  74.472 ms  74.341 ms  75.764 ms
kris@pc:~$ nslookup www.google.com
Server:		127.0.1.1
Address:	127.0.1.1#53

Non-authoritative answer:
Name:	www.google.com
Address: 216.58.206.4
1 Like

Have you disabled IPv6 on LAN when using the VPN!?!?

Perhaps the DNS is coming from your IPv6 LAN IP on the router. After all, you are still using the DNS servers on the WAN interface.

Hope this helps.

1 Like

IPv4-wise everything is fine and you use the tunnel towards the internet. If your provider offers IPv6, you would need to either disable it or set a lower priority so that it doesn't interfere, as @IIeachii suggested.
What does ifconfig | grep inet give in OpenWrt?

root@OpenWrt:~# ifconfig | grep inet
          inet addr:10.99.197.255  P-t-P:10.99.197.255  Mask:255.255.255.255
          inet addr:192.168.99.1  Bcast:192.168.99.255  Mask:255.255.255.0
          inet6 addr: fe80::1b31:bfff:fe63:2b80/64 Scope:Link
          inet6 addr: fd58:ea32:27da::1/60 Scope:Global
          inet6 addr: fe80::1b31:bfff:fe63:2b80/64 Scope:Link
          inet addr:192.168.100.7  Bcast:192.168.100.255  Mask:255.255.255.0
          inet6 addr: fe80::1b31:bfff:fe63:2b81/64 Scope:Link
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          inet6 addr: fe80::1b31:bfff:fe63:2b80/64 Scope:Link
root@OpenWrt:~#

Looks like both are enabled.
Try this page to verify that you use the tunnel for ipv4 and your provider for IPv6.
http://whatismyip.host/
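As an added example (not code from this thread or from OpenWrt), the script below classifies the IPv6 addresses in the `ifconfig | grep inet` output posted above. The point of the check is that only a global unicast address gives LAN clients a native IPv6 path that an IPv4-only WireGuard tunnel does not cover; link-local (fe80::/10) and ULA (fc00::/7) addresses are not routed on the internet, even though ifconfig labels the ULA prefix "Scope:Global". The code ignores that label and classifies by prefix instead.

```python
"""Added example: classify IPv6 addresses from `ifconfig | grep inet` output
to tell whether the router has any internet-routable IPv6 at all.
Not OpenWrt's own code; the sample input is the output posted in the thread."""
import ipaddress

# Posted in the thread: `ifconfig | grep inet` on the router.
IFCONFIG_INET = """\
          inet addr:10.99.197.255  P-t-P:10.99.197.255  Mask:255.255.255.255
          inet addr:192.168.99.1  Bcast:192.168.99.255  Mask:255.255.255.0
          inet6 addr: fe80::1b31:bfff:fe63:2b80/64 Scope:Link
          inet6 addr: fd58:ea32:27da::1/60 Scope:Global
          inet6 addr: fe80::1b31:bfff:fe63:2b80/64 Scope:Link
          inet addr:192.168.100.7  Bcast:192.168.100.255  Mask:255.255.255.0
          inet6 addr: fe80::1b31:bfff:fe63:2b81/64 Scope:Link
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          inet6 addr: fe80::1b31:bfff:fe63:2b80/64 Scope:Link
"""

ULA = ipaddress.IPv6Network("fc00::/7")  # unique local addresses, not internet-routed


def ipv6_addresses(text):
    """Extract every `inet6 addr: <addr>/<len>` token as an IPv6Interface."""
    addrs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "inet6" and parts[1] == "addr:":
            addrs.append(ipaddress.IPv6Interface(parts[2]))
    return addrs


def classify(addr):
    """Classify by prefix, not by the scope label ifconfig prints."""
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr in ULA:
        return "ula"
    if addr.is_global:
        return "global"
    return "other"


def ipv6_summary(text):
    """Group the addresses by class, e.g. {'link-local': [...], 'ula': [...]}."""
    summary = {}
    for iface in ipv6_addresses(text):
        summary.setdefault(classify(iface.ip), []).append(str(iface))
    return summary


def has_internet_ipv6(text):
    """True only if a global unicast address is present; that is the case in
    which IPv6 traffic from the LAN can reach the internet outside the tunnel."""
    return bool(ipv6_summary(text).get("global"))


if __name__ == "__main__":
    for kind, addrs in ipv6_summary(IFCONFIG_INET).items():
        print(f"{kind:11} {', '.join(addrs)}")
    print("internet-routable IPv6 present:", has_internet_ipv6(IFCONFIG_INET))
```

On the posted output this reports four link-local addresses, one ULA and the loopback, and no global address, so in this state IPv6 is enabled on the LAN but cannot by itself carry DNS queries past the tunnel; a global address appearing on the WAN side is the result that would call for disabling IPv6 or lowering its priority, as suggested above.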

result N/A :confused:

N/A for IPv6 or both?

Okay, let's take a step back.
I tried this dnsleak page that you posted earlier, but it was stuck in a loop, so I never understood what information it provides.
From what it looks like, your connections go through the VPN. What did you get there that proves otherwise?

2 Likes

For IPv6.

On PC:
[screenshot: pc]
The last line is the VPN IP.

On tablet:
[screenshot: Screenshot1]

As @lleachii said:

PC with changes in Interfaces - WAN: uncheck "Use DNS servers advertised by peer", use custom DNS servers, for example OpenDNS 208.67.222.222, 208.67.220.220.
On PC:
[screenshot: pc2]
On tablet:
[screenshot: Screenshot2]

So...it's working now?