Two Wireguard Clients with PBR - DNS issue

I have set up a WireGuard client connecting to the UK (WG0) and another WireGuard client connecting to the US (WG1), with WG0 being the default gateway in PBR. WG0 is connected to 'lan' and WG1 is connected to 'lan_new', with each LAN having its own ports, wireless interfaces and subnet.

I have also set up split dnsmasq with DHCP option 6 to pass DNS server IP addresses to hosts in 'lan' and 'lan_new'. The issue is that, while I get a UK IP with a UK DNS on WG0, I get a US IP but a UK DNS on WG1. The DNS servers from my VPN provider are supposed to point me to a US DNS.

I have been troubleshooting for 2 days with no luck. I hope someone with a pair of fresh eyes could point me in the right direction. Many thanks in advance.

/etc/config/network

# /etc/config/network as posted. Key material and the ULA prefix are
# redacted placeholders from the post, not real values.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'

# Bridge for the UK-routed segment: four switch ports plus VLAN 1 (eth0.1).
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'eth0.1'

# Bridge for the US-routed segment: only VLAN 2 (eth0.2) as posted.
config device
	option name 'br-lanNew'
	option type 'bridge'
	list ports 'eth0.2'

# 192.168.8.0/24; policy-routed to WG0 by the 'UK Subnet' policy in
# /etc/config/pbr.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.8.1'
# NOTE(review): 'defaultroute' is consulted by protocols that learn a
# gateway (dhcp, ppp, ...); on a static interface with no 'gateway' option
# it appears to have no effect here - confirm before relying on it.
	option defaultroute '0'

# 192.168.9.0/24; policy-routed to WG1 by the 'US Subnet' policy in
# /etc/config/pbr. 'list ipaddr' and the 'option ipaddr' form used by 'lan'
# are equivalent for a single address.
config interface 'lan_new'
	option device 'br-lanNew'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list ipaddr '192.168.9.1'

# peerdns '0': ISP-supplied resolvers are not installed. Together with
# noresolv '1' in /etc/config/dhcp, dnsmasq only ever uses the explicit
# 'list server' entries upstream.
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option metric '20'
	option peerdns '0'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# NOTE(review): neither switch_vlan section carries a 'ports' list as
# posted, although the bridges rely on eth0.1 and eth0.2; presumably trimmed
# from the post - verify on the device.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'

# UK tunnel. The two 'list dns' entries are the provider resolvers; because
# dnsmasq runs with noresolv '1' they do not reach dnsmasq via this
# interface, only through the duplicated 'list server' entries in
# /etc/config/dhcp.
config interface 'WG0'
	option proto 'wireguard'
	option private_key 'private key'
	list addresses '10.14.0.2/16'
	list dns '162.252.172.57'
	list dns '149.154.159.92'

# Peer section for WG0. 'private_key' is not a peer option (peer sections
# take public_key and, optionally, preshared_key); it is ignored here, the
# tunnel key belongs on the interface section above.
# route_allowed_ips '1' with allowed_ips 0.0.0.0/0 installs a default route
# through WG0, which appears to win over wan's metric-20 default. That is
# why router-originated traffic - dnsmasq's upstream queries included -
# leaves through the UK tunnel.
config wireguard_WG0
	option description 'UK London'
	option public_key 'public key='
	option private_key 'private key'
	list allowed_ips '0.0.0.0/0'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option endpoint_host '178.239.163.71'
	option route_allowed_ips '1'

# US tunnel. Unlike WG0 it has no 'list dns' entries, and it carries the
# same tunnel address as WG0. NOTE(review): if '10.14.0.2/16' is not a
# redaction artefact, both interfaces claim the same connected
# 10.14.0.0/16 - confirm with the provider's real per-tunnel addresses.
config interface 'WG1'
	option proto 'wireguard'
	option private_key 'private key'
	list addresses '10.14.0.2/16'

# Peer section for WG1; same unused 'private_key' as in wireguard_WG0.
# No route_allowed_ips, so WG1 installs no default route; only pbr's
# 'US Subnet' policy sends traffic through it.
config wireguard_WG1
	option description 'US LA'
	option public_key 'public key='
	option private_key 'private key'
	list allowed_ips '0.0.0.0/0'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option endpoint_host '45.149.173.218'

/etc/config/dhcp

# /etc/config/dhcp as posted.
# noresolv '1' plus explicit 'list server': dnsmasq forwards only to the two
# provider resolvers below. Its upstream queries are router-originated, so
# they follow the main routing table (the WG0 default route) rather than
# pbr's LAN-source policies - this is the path the thread's fix removes.
# localservice '1' answers only directly attached subnets; rebind_protection
# '1' drops upstream answers that point at private address ranges.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	option rebind_protection '1'
	option noresolv '1'
	list server '162.252.172.57'
	list server '149.154.159.92'

# UK segment. DHCP option 6 hands the provider resolvers straight to the
# clients; while the 'Intercept-DNS UK' redirect in /etc/config/firewall is
# active their port-53 traffic is DNAT'd to dnsmasq regardless.
# force '1' starts the DHCP server even if another one is detected on the
# interface.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,162.252.172.57,149.154.159.92'
	option force '1'

# US segment: same resolvers and the same interception ('Intercept-DNS US')
# as 'lan', which is why its clients were answered through the UK tunnel.
# NOTE(review): dhcpv6 'server' / ra 'server' lets odhcpd announce the
# router's own IPv6 address as a resolver by default - likely the IPv6 DNS
# entry the poster later removed on the client; pbr has ipv6_enabled '0',
# so such queries are never policy-routed.
config dhcp 'lan_new'
	option interface 'lan_new'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,162.252.172.57,149.154.159.92'
	option force '1'

# No DHCP service on the upstream interface.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# odhcpd handles DHCPv6/RA only; maindhcp '0' leaves DHCPv4 to dnsmasq.
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

/etc/config/firewall

# /etc/config/firewall as posted, part 1: defaults, LAN/WAN zones and the
# stock wan-facing rules.
# There is no 'forwarding' from 'lan' or 'lan_newF' to 'wan' anywhere in
# this file: LAN traffic can only leave through the vpn/vpn1 zones, so a
# tunnel being down means no connectivity rather than a clear-text leak.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Covers network 'lan' (192.168.8.0/24) only; the US segment has its own
# zone 'lan_newF' further down in the file.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'

# Upstream zone. With no lan->wan forwarding posted, nothing from the LAN
# zones is forwarded out of it in the first place.
config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option forward 'REJECT'

# The rules below are OpenWrt's stock wan-facing allowances.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock IPsec passthrough rules: accept wan->lan ESP and UDP/500. Inert
# without a matching DNAT; can be removed if no LAN host terminates IPsec.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# /etc/config/firewall as posted, part 2: tunnel zones, the pbr hook and
# the DNS interception.
# Egress zone for the UK tunnel: masquerade to the tunnel address, accept
# nothing inbound, forward nothing from the tunnel side.
config zone
	option name 'vpn'
	option output 'ACCEPT'
	option masq '1'
	list network 'WG0'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'vpn'

# Zone for the US segment (192.168.9.0/24). NOTE(review): unlike 'lan' it
# has no mtu_fix; probably harmless since mtu_fix is set on the tunnel zone
# it forwards into.
config zone
	option name 'lan_newF'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan_new'

# Egress zone for the US tunnel, mirror of 'vpn'.
config zone
	option name 'vpn1'
	option output 'ACCEPT'
	list network 'WG1'
	option masq '1'
	option input 'REJECT'
	option forward 'REJECT'
	option mtu_fix '1'

# pbr's firewall hook; the actual policies live in /etc/config/pbr.
config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config forwarding
	option src 'lan_newF'
	option dest 'vpn1'

# DNS hijack for the UK segment. With no dest_ip (and no proto, so tcp and
# udp alike) the DNAT targets the router itself, i.e. dnsmasq, whatever
# resolver the client addressed. dnsmasq then forwards upstream along the
# main routing table, which is the WG0 default route - so every
# intercepted segment is answered through the UK tunnel. That is the root
# cause accepted in the thread; removing both redirects lets each
# segment's clients reach the option-6 resolvers directly over their
# policy-routed tunnel.
# Trade-off: without the hijack a client that overrides its resolver
# bypasses dnsmasq (and its rebind protection), though pbr still routes it
# over its tunnel and the tunnel-only forwarding still applies. Keeping the
# hijack would require routing dnsmasq's own upstream queries per segment,
# which the posted pbr config (LAN-source policies only) does not do.
config redirect
	option target 'DNAT'
	option name 'Intercept-DNS UK'
	option src 'lan'
	option src_dport '53'

# Same interception for the US segment; see the note above.
config redirect
	option target 'DNAT'
	option name 'Intercept-DNS US'
	option src 'lan_newF'
	option src_dport '53'

/etc/config/pbr

# /etc/config/pbr as posted.
# strict_enforcement '1': traffic matching a policy whose interface is down
# is blocked instead of falling back to the default route - consistent with
# the firewall giving the LAN zones no path to 'wan'.
# ipv6_enabled '0': only IPv4 is policy-routed. Both LANs receive ip6assign
# prefixes, but with no lan->wan forwarding in the firewall that IPv6
# traffic is rejected rather than leaked outside the tunnels.
# resolver_set 'none': no domain-based ipset/nftset policies; only the
# address-based policies below apply.
config pbr 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'none'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	list ignored_interface 'wgserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	option enabled '1'

# Stock example includes, left disabled.
config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

# Source-address policies only. Traffic originated by the router itself
# (dnsmasq's upstream DNS queries included) matches neither and follows
# the main routing table, i.e. the WG0 default route.
config policy
	option interface 'WG0'
	option name 'UK Subnet'
	option src_addr '192.168.8.0/24'

config policy
	option interface 'WG1'
	option name 'US Subnet'
	option src_addr '192.168.9.0/24'


Unless you are supposed to use different DNS servers depending on the region you connect to, it looks like the issue is with your VPN provider.

Did you check on your clients that they indeed have 162.252.172.57 and 149.154.159.92 as DNS servers and nothing else, e.g. your router's IPv4 or IPv6 address?

Edit: another thought, do you have DNS redirect active? https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns

Thanks for the suggestion. The US client had 162.252.172.57, 149.154.159.92 and an IPv6 address as DNS servers. I've since removed OpenWrt's IPv6 address and now only 162.252.172.57 and 149.154.159.92 remain listed. But it is still associated with a UK DNS.

I have DNS hijacking set up, but not redirect.

And if I switch the PBR default gateway to WG1 (US VPN), I get:
WG1: US IP / US DNS
WG0: UK IP / but US DNS.

Try removing the DNS hijacking, as that sends the DNS queries via the router, which will use the default gateway, i.e. the UK route.


It works! Thank you so much!

