Use PIA WireGuard DNS on WAN interface

I've put together a script to use PrivateInternetAccess's (PIA) 'next generation WireGuard network', which uses their own WireGuard DNS servers 10.0.0.242 and 10.0.0.244 once connected successfully.

I believe I may be experiencing DNS issues, webpages are taking longer to load. If I run leak tests they're successful. I require assistance on how the script should be formatted (not sure if I've done this properly).

ATM my WAN DNS is pointing to PIA's own DNS 209.222.18.222 & 209.222.18.218 which works fine when connecting to their 'current generation WireGuard network', however if they're not changed to their 10.0.0.x DNS for their 'next generation WireGuard network', DNS leaks occur to the 209.x.x.x addresses.

This is what I've put together so far in changing the WAN to PIA DNS:

# Assumed to be set earlier in the script: PIA_INTERFACE (the WireGuard
# interface name in /etc/config/network), DNS1 and DNS2 (the 10.0.0.x
# servers PIA returns on connect).
ifdown "$PIA_INTERFACE"

# add PIA WireGuard next generation DNS's to WAN
# 'uci show network' prints: network.wan.dns='209.222.18.222' '209.222.18.218'
# so, split on the single quote, fields 2 and 4 are the two current servers
CURRENT_DNS1=$(uci show network | grep "wan.dns" | cut -d "'" -f 2)
CURRENT_DNS2=$(uci show network | grep "wan.dns" | cut -d "'" -f 4)
uci del_list network.wan.dns="$CURRENT_DNS1"
uci del_list network.wan.dns="$CURRENT_DNS2"
uci add_list network.wan.dns="$DNS1"
uci add_list network.wan.dns="$DNS2"
# commit only the network config, and don't hide any error it reports
uci commit network

ifup "$PIA_INTERFACE"

I notice that when the WireGuard interface (PIA_INTERFACE) is brought back up, I get corresponding system log entries which show both the WAN and WireGuard interfaces using the same 10.0.0.x DNS:

Sat Jul 18 23:00:55 2020 daemon.notice netifd: Interface 'WireGuard' is setting up now
Sat Jul 18 23:00:55 2020 daemon.notice netifd: Interface 'WireGuard' is now up
Sat Jul 18 23:00:55 2020 daemon.notice netifd: Network device 'WireGuard' link is up
Sat Jul 18 23:00:55 2020 daemon.info dnsmasq[2594]: reading /tmp/resolv.conf.auto
Sat Jul 18 23:00:55 2020 daemon.info dnsmasq[2594]: using local addresses only for domain test
Sat Jul 18 23:00:55 2020 daemon.info dnsmasq[2594]: using local addresses only for domain onion
Sat Jul 18 23:00:55 2020 daemon.info dnsmasq[2594]: using local addresses only for domain localhost
Sat Jul 18 23:00:55 2020 daemon.info dnsmasq[2594]: using local addresses only for domain local
Sat Jul 18 23:00:55 2020 daemon.info dnsmasq[2594]: using local addresses only for domain invalid
Sat Jul 18 23:00:55 2020 daemon.info dnsmasq[2594]: using local addresses only for domain bind
Sat Jul 18 23:00:55 2020 daemon.info dnsmasq[2594]: using local addresses only for domain lan
Sat Jul 18 23:00:55 2020 daemon.info dnsmasq[2594]: using nameserver 10.0.0.242#53
Sat Jul 18 23:00:55 2020 daemon.info dnsmasq[2594]: using nameserver 10.0.0.244#53
Sat Jul 18 23:00:55 2020 daemon.info dnsmasq[2594]: using nameserver 10.0.0.242#53
Sat Jul 18 23:00:55 2020 daemon.info dnsmasq[2594]: using nameserver 10.0.0.244#53
Sat Jul 18 23:00:55 2020 user.notice firewall: Reloading firewall due to ifup of WireGuard (WireGuard)

Not sure if bringing up the WireGuard interface is the only requirement after the changes are committed, or if other steps are required to make sure the transition from the old WAN DNS to the new WAN DNS is done smoothly?

1 Like
uci add_list network.wg0.dns="${DNS1}"
uci add_list network.wg0.dns="${DNS2}"
uci commit network
/etc/init.d/network restart

# the heredoc delimiter is quoted so ${INTERFACE} and ${ACTION} are
# expanded when hotplug runs the script, not when it is written
cat << "EOF" > /etc/hotplug.d/iface/00-toggle-wan-dns
NET_IF="wan"
if [ "${INTERFACE}" = "wg0" ]
then
	if [ "${ACTION}" = "ifup" ]
	then
		# ${IPV%4} is "" for 4 and "6" for 6, so this covers wan and wan6
		for IPV in 4 6
		do
			uci -q delete network.${NET_IF}${IPV%4}.dns
			uci set network.${NET_IF}${IPV%4}.peerdns="0"
		done
	elif [ "${ACTION}" = "ifdown" ]
	then
		# changes above were never committed, so revert restores the old WAN DNS
		uci revert network
	fi
fi
/etc/init.d/network reload
EOF

https://openwrt.org/docs/guide-user/base-system/hotplug

2 Likes

Thank you @vgaetera!

I've determined that I don't need the hotplug script per se, however I've obtained valuable information from the information you have provided. :wink:
I've picked out what I required and settled for this:

# add PIA WireGuard Next Generation/Current DNS's to WAN
# $1 and $2 are the two DNS servers to put on wan

change_WAN_DNS () {
  . /lib/functions/network.sh
  network_flush_cache
  # drop the whole existing list (-q: no error if it is already empty),
  # then add the two new servers
  uci -q delete network.wan.dns
  uci add_list network.wan.dns="$1"
  uci add_list network.wan.dns="$2"
  uci commit network
  /etc/init.d/network reload
}
change_WAN_DNS "$DNS1" "$DNS2"
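Added example, not code from this thread or from OpenWrt: a POSIX sh snippet that covers the two things the posts above do by hand. It parses the wan.dns list out of `uci show network` output for any number of entries (the two-field `cut` in the first post only works when exactly two servers are configured), and it checks the nameservers dnsmasq reports in the log against the tunnel's 10.0.0.x servers, so a leftover 209.x.x.x resolver shows up as a leak. The uci line and the log lines are constructed samples modelled on the thread, so it runs off-router; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread). All input below is constructed sample
# text, so it runs without uci or an OpenWrt box.

# Constructed sample of what `uci show network | grep '^network\.wan\.dns='`
# prints with two servers configured on wan.
SAMPLE_UCI_SHOW="network.wan.dns='209.222.18.222' '209.222.18.218'"

# Servers PIA hands out on the next generation WireGuard network (from the thread).
TUNNEL_DNS="10.0.0.242 10.0.0.244"

# wan_dns_list: print every server in a `uci show` dns line, one per line.
# Works for one, two or more entries.
wan_dns_list() {
    # $1: the 'network.wan.dns=...' line
    printf '%s\n' "${1#*=}" | tr -d "'" | tr ' ' '\n' | sed '/^$/d'
}

# resolvers_from_log: pull the 'using nameserver A.B.C.D#53' entries out of
# dnsmasq log lines on stdin, strip the port and de-duplicate (the thread's
# log lists each server twice). Output is a single space-separated line.
resolvers_from_log() {
    sed -n 's/.*using nameserver \([0-9.]*\)#[0-9]*.*/\1/p' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# dns_leak_check: $1 = servers the resolver is using (space separated),
# $2 = allowed tunnel servers. Prints each server outside the tunnel set
# and returns 1 if any was found, 0 otherwise.
dns_leak_check() {
    in_use="$1"; allowed="$2"; rc=0
    for s in $in_use; do
        case " $allowed " in
            *" $s "*) ;;
            *) echo "LEAK: resolver uses $s, not a tunnel DNS server"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed log lines modelled on the thread's dnsmasq output.
SAMPLE_LOG="daemon.info dnsmasq[2594]: using nameserver 10.0.0.242#53
daemon.info dnsmasq[2594]: using nameserver 10.0.0.244#53
daemon.info dnsmasq[2594]: using nameserver 10.0.0.242#53"

# Constructed log showing the failure mode the thread describes: a 209.x
# server still in use after the tunnel came up.
LEAKY_LOG="daemon.info dnsmasq[2594]: using nameserver 10.0.0.242#53
daemon.info dnsmasq[2594]: using nameserver 209.222.18.222#53"

main_demo() {
    echo "wan.dns entries currently configured:"
    wan_dns_list "$SAMPLE_UCI_SHOW"

    in_use=$(printf '%s\n' "$SAMPLE_LOG" | resolvers_from_log)
    dns_leak_check "$in_use" "$TUNNEL_DNS" && echo "OK: only tunnel DNS in use ($in_use)"

    in_use=$(printf '%s\n' "$LEAKY_LOG" | resolvers_from_log)
    dns_leak_check "$in_use" "$TUNNEL_DNS" || echo "resolver list needs fixing"
}

main_demo
```

On the router itself the same functions take live input: `wan_dns_list "$(uci show network | grep '^network\.wan\.dns=')"` and `logread | resolvers_from_log`, then pass the result to `dns_leak_check` together with the servers PIA returned on connect.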

Where did you find the public keys used in the WireGuard connection for PIA?

This is what I received from them when I inquired about the WG information:

Thank you for getting back to PIA Support.

Currently, WireGuard only works on our clients, so we do not have public keys or PSK. You can control the client using the CLI. This is not available in the FOSS repo.

Please let us know if you would like to use the main client.

Regards

Thomas W.
Customer Support Agent

Thanks to triffid_hunter on Reddit.com, I found a bash script which contains the code to derive this information!

Alternatively, if you're using Windows 10 and using the PIA app, you can run a simple batch file to derive it too!

@echo off
:: run this batch file THEN the Windows PIA app!
:: obtains PIA WireGuard config from *.conf file written to disk
:: opens up the *.conf file in notepad with config info
:: NOTE: the default PIA app installation directory

set DIRECTORY=C:\Program Files\Private Internet Access
set PC="a.conf"
set PIA="%DIRECTORY%\data\w*.conf"

start "PIA" "%DIRECTORY%\pia-client.exe"
timeout /t 2 /nobreak
"%DIRECTORY%\piactl.exe" disconnect
"%DIRECTORY%\piactl.exe" connect

if exist %PC% del %PC% > nul
:START
	echo .
	if exist %PIA% copy %PIA% %PC% > nul
	if exist %PC% notepad %PC%
	if exist %PC% goto END
	goto START
:END
	if exist %PC% del %PC% > nul
2 Likes
