Wireguard Client Not Able to Perform DNS Lookup

I have setup Wireguard on the snapshot OpenWrt SNAPSHOT r25858-501ef81040.
I am able to connect and get to any device on the LAN subnet via IP, but DNS lookups are failing.
I am using AdguardHome as my DNS server (installed on OpenWRT). In the logs I can see the DNS requests hitting AdguardHome but DNS lookups are failing. Easiest proof is using nslookup, which results in timeout. I have tried using the DNS IP of the Router and wireguard, both hit Adguard but both timeout.

Any ideas on where to look at, as it doesn't seem like routing or firewall.
Firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'http'
	option family 'ipv4'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.1.23'
	option dest_port '80'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'https'
	option family 'ipv4'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.1.23'
	option dest_port '443'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'wireguard'
	option src 'wan'
	option src_dport '51820'
	option dest_ip '192.168.1.1'
	option dest_port '51820'
	list proto 'udp'

config redirect
	option target 'DNAT'
	list proto 'udp'
	option src 'lan'
	option src_dport '53'
	option dest_ip '192.168.1.1'
	option dest_port '53'
	option name 'DNS Hijack'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'Guest DHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Guest DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Block WAN by MAC'
	option src 'lan'
	option dest 'wan'
	option target 'REJECT'
	list proto 'all'
	list src_mac '5C:E5:0C:E0:57:B5'
	option enabled '0'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	list network 'wg0'
	list network 'wireguard'

config forwarding
	option src 'wg'
	option dest 'wan'

config forwarding
	option src 'wg'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wg'

config forwarding
	option src 'wan'
	option dest 'wg'

Network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fddb:ab05:4f8c::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option hostname '*'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option disabled '1'
	option peerdns '0'
	list dns '2001:4860:4860::8888'
	list dns '2001:4860:4860::8844'

config device
	option name 'eth0'

config device
	option type 'bridge'
	option name 'Guest'

config interface 'guest'
	option proto 'static'
	option ipaddr '10.10.10.1'
	option netmask '255.255.255.0'

config interface 'wireguard'
	option proto 'wireguard'
	option private_key 'redacted'
	option listen_port '51820'
	list addresses '172.22.0.1/24'
	list dns '172.22.0.1'

config wireguard_wireguard
	option description 'device-9831'
	option public_key 'redacted'
	option preshared_key 'redacted='
	list allowed_ips '172.22.0.3/32'
	option private_key 'redacted'
	option endpoint_host 'redacted'
	option endpoint_port '51820'
	option persistent_keepalive '25'


Why not start by optimizing the configuration.

Transform this to a traffic rule.

Remove all that and just assign the wireguard interface to the lan firewall zone. For reference:

https://openwrt.org/docs/guide-user/services/vpn/wireguard/server#firewall

Remove the dest_ip option. This way requests will be redirected to the address of the incoming interface.

If it still doesn't work, check the contents of /etc/adguardhome.yaml, especially bind_hosts and allowed_clients/disallowed_clients.

2 Likes

In addition to the excellent advice of @pavelgl remove list dns '172.22.0.1'

A DNS server added to an interface will wind up in the resolv.conf so either it is doing nothing or in the worst case you are creating a loop.

The DNS server has to be set on the client so in the WG config of the client you have to set under [Interface]:
DNS = 192.168.1.1

2 Likes