WG client cannot query DNS running on 192.168.1.1

When searching for "dns wireguard", I got lots of hits, mainly concerning "DNS leaking".

I am not there yet - my question is more basic.

My OpenWRT router is freshly installed, using default configs (only Wireless SSIDs added and working), fully updated.

I created a WG interface, and the mobile client can connect and access websites using IP addresses.
(And I confirmed the Internet access is indeed via the tunnel.)

When I put 8.8.8.8 as the DNS on the client side, using hostnames is also OK.

But if I put 192.168.1.1 as the DNS on the client side, DNS queries always time out.

How can I make 192.168.1.1 accessible to WG clients for DNS queries?

  • WG interface is in the LAN zone
  • LAN clients can use 192.168.1.1 as DNS without issues
  • OpenWRT's wg0 is using 192.168.11.1, mobile WG client is using 192.168.11.9
  • No IPv6 allowed in the tunnel. The mobile client does not have an IPv6 address when using LTE
  • Mobile WG client can ping LAN clients in 192.168.1.0/24 and vice versa

That depends on your routing/firewall settings, but DNS for your WireGuard clients should be available from 192.168.11.1.

My firewall rules are defaults, plus allowing SSH and WG connections to the router itself.

LAN/WG in default LAN zone
WAN in default WAN zone

Thus I assumed that if LAN clients in 192.168.1.0/24 can query DNS at 192.168.1.1, mobile WG clients can too.

But obviously, I am missing something.

/etc/firewall.user is empty

/etc/config/firewall listed below:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option flow_offloading '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'wg vl7 vl1 vl6'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'
	option log '1'

config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option target 'ACCEPT'
	option dest_port 'XXXXX'

config rule
	option dest_port '22'
	option src 'wan'
	option name '22'
	option target 'ACCEPT'

While reading the main DNS/DHCP page, I toggled one option and the mobile WG client can now use DNS at 192.168.1.1:

Local Service Only
(Limit DNS service to subnets interfaces on which we are serving DNS.)

By default, "Local Service Only" is enabled. Then the mobile WG client cannot do DNS queries to 192.168.1.1.

Once it is disabled, mobile WG clients can do DNS queries to 192.168.1.1.

What is the implication of disabling this option? Do I need to define extra firewall rules, or change other options, to prevent DNS queries coming from the WAN zone?

BTW, if this means you ran opkg update - see: https://openwrt.org/meta/infobox/upgrade_packages_warning

Then use this address, it's the same device...but 1.1 should work too.

I've never had to disable this option...interesting...

I think we need to see the WG config (omit keys).

If I remember correctly, it sets the TTL of the response to 1, so if the client is not on the same subnet, the answer will not reach it.
Change the NS to 192.168.11.1 and it should work with Local Service.

So, it is better not to do updates then. I mainly update via Luci's Updates.

Config at OpenWRT

config interface 'wg'
	option proto 'wireguard'
	option private_key 'PrivateKey='
	list addresses '192.168.11.1/32'
	option delegate '0'
	option listen_port 'Port#'

config wireguard_wg
	option public_key 'PublicKey='
	option description 'mobile'
	list allowed_ips '192.168.11.29/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

Config at Mobile

interface
PrivateKey: PrivateKey
PublicKey: PublicKey
Addresses: 192.168.11.29/24
Listen Port: random
DNS: 192.168.1.1
MTU: Auto

config Peer
PublicKey: PublicKey
allowed_ips: 0.0.0.0/0, ::/0
persistent_keepalive '25'
EndPoint: Openwrt:Port

Remove the IPv6 address on your mobile peer config allowed_ips -- you are not using IPv6 on the OpenWrt side, so no reason to include it anywhere.

Let's take a look at your complete /etc/config/network file as well as the firewall (/etc/config/firewall). Please remove your keys and anything else sensitive, but don't change/hide any RFC1918 addresses. Also, when you post these files, please enclose them in the </> code block.

With "Local Service" in the DNS settings enabled, neither 192.168.11.1 nor 192.168.1.1 worked as DNS on the mobile side.

When disabled, both worked.

Thanks for your hints.

Removed ::/0 from mobile's WG config. No difference.

My Router has IPv6 uplink. I can disable or remove it if needed.

File contents included below.

cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option flow_offloading '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'wg vl7 vl1 vl6'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'
	option log '1'

config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option target 'ACCEPT'
	option dest_port 'WGPort'

config rule
	option dest_port '22'
	option src 'wan'
	option name '22'
	option target 'ACCEPT'

cat /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdfb:1967:88eb::/48'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr 'MACAddr'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option reqprefix 'auto'
	option reqaddress 'try'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 2 3 4 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '0t 5t 1'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 2t 3t 4t 5t'
	option vid '6'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '0t 2t 3t 4t 5t'
	option vid '7'

config interface 'wg'
	option proto 'wireguard'
	option private_key 'PrivateKey='
	list addresses '192.168.11.1/32'
	option delegate '0'
	option listen_port 'WGPort#'

config interface 'vl1'
	option proto 'static'
	option netmask '255.255.255.0'
	option delegate '0'
	option type 'bridge'
	option ipaddr '192.168.1.1'
	option ifname 'eth0.1'

config interface 'vl6'
	option ifname 'eth0.6'
	option proto 'static'
	option ip6assign '63'
	option ip6hint '6'

config wireguard_wg
	option public_key 'PublicKey='
	option description 'mobile'
	list allowed_ips '192.168.11.29/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

Does this mean that the problem is solved?

I need to disable "Local Service" in Router's DNS setting.

@lleachii thinks it is not needed.

You must have overlooked the post after mine.

And to be clear, I said:

And that may be because of the TTL...but on my device, I have a TTL of 64 - so I cannot guess.

Yea something's odd...and you didn't provide DHCP config.

These aren't the default networks...and interface LAN is completely missing. And you're doing some complex tagging...could even be (guessing) some kinda loop.

My apologies, I only endeavored to assist assuming the OP honestly had the default configs.

Of course it won't work; you have a subnet mask of /32.

Make it /24 or something bigger than just a host.

Does the subnet mask affect the TTL? I think the subnet mask on pointopoint links, such as WireGuard, only affects the routes.

DNS works for me when using a /32 mask anyway.

Generally speaking, yes. TTL is reduced each time a packet passes a router.
In this case, having a /32 mask limits dns service to the host only.

Do you have "Local Service Only" enabled too?

I see, sorry for the noise.

I am sorry for the confusion.

After I posted, I have further modified my router for the VLANs I needed. That's why they are further away from defaults.

To clear up my own mind, I just reset my router to default configs, and started over again.

Result: it works without touching any DNS settings, in particular the "Local Service Only" setting.

Here is what I have done:

  1. Once the reset is done, set the root password, add an SSH key, define the 2.4G SSID and 5G SSID.
  2. Install the WireGuard modules via LuCI:
     • wireguard 1.0.20200506-1
     • wireguard-tools 1.0.20191226-1
     • kmod-wireguard 4.14.171+0.0.2090702-1
     • luci-app-wireguard git-20.138.63234-ccd9d67-1
     When asked, I chose to overwrite files from other packages.
  3. Add the wg0 interface
     • Interface IP is 192.168.11.1/24
  4. Add the peer
     • Allowed IP is 192.168.11.29/24
  5. Add a firewall rule to allow the wg port to reach the device
  6. Reboot the router
  7. Add the wg tunnel to the mobile
     • IP is 192.168.11.29/24
     • DNS is 192.168.1.1
     • Allowed IP is 0.0.0.0/0
  8. Reboot the mobile
  9. Test.
     • It worked, with DNS resolving OK.

Thank you very much for your inputs!

Thank you for the hints. Yes, /32 versus /24 on the router's WG interface IP is the reason.

There are 2 places in the Router and 1 place in the Mobile to enter a network mask. So six combinations in total.

I tested all of them, and as long as Router WG Interface IP is using /24, DNS resolving by the mobile client works.

Thank you very much, and sorry for the confusion caused!
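The thread's outcome (dnsmasq's "Local Service Only" drops queries from a source that is not inside a subnet configured on a served interface, so a /32 on wg0 excludes every peer, while the WAN zone's default input REJECT already keeps port 53 closed from the outside) can be reproduced with a small model. This is an added example, not OpenWrt or dnsmasq code; the interface tables, zone prefixes and source addresses are constructed from the values in the thread, and zone membership is simplified to a prefix lookup rather than OpenWrt's real per-interface assignment.

```python
import ipaddress

# Constructed from the thread: the broken state (wg0 with a /32) and the
# working state (wg0 with a /24). br-lan is the 192.168.1.0/24 LAN either way.
ROUTER_IFACES_32 = {"br-lan": "192.168.1.1/24", "wg0": "192.168.11.1/32"}
ROUTER_IFACES_24 = {"br-lan": "192.168.1.1/24", "wg0": "192.168.11.1/24"}

# Simplified zone table modelled on the thread's /etc/config/firewall:
# lan zone input ACCEPT, wan zone input REJECT. Real OpenWrt assigns zones
# by ingress interface; a prefix lookup is an assumption made for the model.
ZONES = {
    "lan": {"input": "ACCEPT", "nets": ["192.168.1.0/24", "192.168.11.0/24"]},
    "wan": {"input": "REJECT", "nets": ["0.0.0.0/0"]},   # catch-all, checked last
}


def is_local_source(src_ip, iface_addrs):
    """dnsmasq local-service test: is src_ip inside a subnet on a served interface?"""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_interface(a).network for a in iface_addrs.values())


def dnsmasq_answers(src_ip, iface_addrs, localservice=True):
    """With localservice off dnsmasq answers any source the firewall lets in."""
    return True if not localservice else is_local_source(src_ip, iface_addrs)


def zone_of(src_ip):
    """First zone whose prefix list contains src_ip (lan before the wan catch-all)."""
    src = ipaddress.ip_address(src_ip)
    for name, zone in ZONES.items():
        if any(src in ipaddress.ip_network(n) for n in zone["nets"]):
            return name
    return None


def dns_query_served(src_ip, iface_addrs, localservice=True):
    """Firewall INPUT policy on udp/53 is applied first, then dnsmasq's own filter."""
    zone = zone_of(src_ip)
    if ZONES[zone]["input"] != "ACCEPT":
        return "rejected by firewall (zone %s)" % zone
    if dnsmasq_answers(src_ip, iface_addrs, localservice):
        return "answered"
    return "dropped by dnsmasq local-service"


if __name__ == "__main__":
    for label, ifaces in (("wg0 /32", ROUTER_IFACES_32), ("wg0 /24", ROUTER_IFACES_24)):
        print(label, "peer 192.168.11.29 ->", dns_query_served("192.168.11.29", ifaces))
    print("localservice off, WAN source ->",
          dns_query_served("203.0.113.5", ROUTER_IFACES_32, localservice=False))
```

The last line answers the earlier question about extra firewall rules: even with "Local Service Only" disabled, a query from the WAN zone is rejected by the default input policy before dnsmasq sees it.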

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
