Wireguard client on individual wifi only - where to specify DNS server?

jrn · February 15, 2023, 8:20pm

Hi,

I am trying to setup a wifi which is always connected via wireguard.
I also have other wifis setup which are not be connected via wireguard.

Running wg show I am getting a valid handshake:

interface: wg0
  public key: ***redacted***
  private key: (hidden)
  listening port: 43604

peer:  ***redacted***
  preshared key: (hidden)
  endpoint: ***redacted-IPv6***:54321
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 26 seconds ago
  transfer: 255.79 KiB received, 496.99 KiB sent
  persistent keepalive: every 25 seconds

This is what my network looks like:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd01:c001:cafe::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'bat0.3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.3.1'
	option ip6assign '64'
	option ip6hint 'a'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix '60'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'

config interface 'iot'
	option proto 'static'
	option ipaddr '192.168.133.1'
	option netmask '255.255.255.0'
	option device 'br-iot'
	option ip6assign '64'
	option ip6hint 'c'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.33.1'
	option netmask '255.255.255.0'
	option device 'br-guest'
	option ip6assign '64'
	option ip6hint 'b'

config interface 'bat0'
	option proto 'batadv'
	option routing_algo 'BATMAN_IV'
	option bridge_loop_avoidance '1'
	option gw_mode 'server'
	option hop_penalty '30'

config interface 'batmesh'
	option proto 'batadv_hardif'
	option master 'bat0'

config device
	option type 'bridge'
	option name 'br-iot'
	list ports 'bat0.133'
	option bridge_empty '1'

config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'bat0.33'
	option bridge_empty '1'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '***redacted***'
	list addresses '192.168.16.253/24'
	option defaultroute '0'
	option peerdns '0'
	list dns '192.168.16.2'
	list dns '192.168.16.1'

config wireguard_wg0
	option public_key '***redacted***'
	option preshared_key '***redacted***'
	option endpoint_host '***redacted***'
	option endpoint_port '54321'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'

config device
	option type 'bridge'
	option name 'br-vpn'
	list ports 'bat0.233'
	option bridge_empty '1'

config interface 'vpn'
	option proto 'static'
	option netmask '255.255.255.0'
	option device 'br-vpn'
	option ip6assign '64'
	option ip6hint 'd'
	option ipaddr '192.168.233.1'

This is my firewall:


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'iot'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'iot'

config forwarding
	option src 'iot'
	option dest 'wan'

config rule
	option name 'IOT DNS'
	option src 'iot'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'IOT DHCP'
	list proto 'udp'
	option src 'iot'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	list proto 'udp'
	option src 'iot'
	option dest 'lan'
	option dest_port '53'
	option target 'ACCEPT'
	list dest_ip '192.168.3.2'
	list dest_ip '192.168.3.22'
	list dest_ip 'fd01:c001:cafe:a::2'
	list dest_ip 'fd01:c001:cafe:a::22'
	option name 'IOT AdGuard Access'

config zone
	option name 'guest'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'Guest DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Guest DHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	list proto 'udp'
	option src 'guest'
	option dest 'lan'
	option dest_port '53'
	option target 'ACCEPT'
	list dest_ip '192.168.3.2'
	list dest_ip '192.168.3.22'
	list dest_ip 'fd01:c001:cafe:a::2'
	list dest_ip 'fd01:c001:cafe:a::22'
	option name 'Guest AdGuard Access'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'OpenVPN'
	list proto 'udp'
	option src 'wan'
	option src_dport '1194'
	option dest_ip '192.168.3.3'
	option dest_port '1194'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Vaultwarden'
	option src 'wan'
	option src_dport '42931'
	option dest_ip '192.168.3.5'
	option dest_port '4443'

config zone
	option output 'ACCEPT'
	option forward 'REJECT'
	option name 'wireguard'
	list network 'wg0'
	option input 'REJECT'
	option masq '1'

config zone
	option name 'vpn'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'vpn'
	option input 'REJECT'

config rule
	option name 'VPN DNS'
	option src 'vpn'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'VPN DHCP'
	list proto 'udp'
	option src 'vpn'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'VPN AdGuard Access'
	option src 'vpn'
	option dest 'lan'
	list dest_ip '192.168.3.2'
	list dest_ip '192.168.3.22'
	list dest_ip 'fd01:c001:cafe:a::2'
	list dest_ip 'fd01:c001:cafe:a::22'
	option dest_port '53'
	option target 'ACCEPT'

config forwarding
	option src 'vpn'
	option dest 'wireguard'

This is what the wifi looks like which is supposed to run with wireguard:

config wifi-iface 'wifinet5'
	option device 'radio0'
	option mode 'ap'
	option ssid 'VPN'
	option key '***redacted***'
	option encryption 'psk2+ccmp'
	option ieee80211r '1'
	option mobility_domain '1233'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'vpn'

With the above configuration all my wifis work as expected except the VPN wifi. Once I connect to it, I can no longer access any site.

Here is what I have found out already:

If I am using the same wireguard config on my desktop or phone it does work fine. I am getting a connection BUT as soon as I remove the DNS (namely 192.168.16.2 and 192.168.16.1) parameter from that connection it no longer works on neither desktop nor phone. I cannot connect to the internet anymore. I tried adding these DNS values to wireguard's custom DNS servers but it did not do the trick for me. I am not sure if this is all I need to figure out or if there is something else completely wrong in my setup.

trendy · February 16, 2023, 11:51am

You need to do Policy Based Routing and you have 3 options:

mwan3 package
pbr package
a set of rules/routes for each internet connection.

jrn · February 16, 2023, 2:55pm

Thank you very much for your response @trendy

I like the idea of just having a set of rules/routes. Would this here make any sense with my current setup?

config rule
        option in 'vpn'
        option src '192.168.233.1/24' <-- Would I use the IP range of my VPN interface here?
        option lookup '100'

config route
        option interface 'wg0'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option metric '200'
        option table '100'

So, I am trying to create a route/rule to route traffic from my vpn interface (which is connected to my VPN wifi) and send it to the wg0 interface.

--- Edit ---
I tried the above snippet in /etc/config/network but after connecting to my VPN wifi I was still not able to open any website, so I guess my rule/route is not correct. Any ideas what I could try next or any pointers where the issue could be?

trendy · February 17, 2023, 10:12am

You can omit the option src, or use the correct value 192.168.233.0/24

jrn · February 17, 2023, 3:27pm

Thank you very much @trendy
I ended up removing option src.

After adding the DNS records 192.168.16.2 and 192.168.16.1 as custom DNS servers to the VPN interface as well as 6,192.168.16.2,192.168.16.1 as the DHCP-Option in the DHCP Server's advanced settings tab I am now able to connect to the internet through the wifi connecting via wireguard. I am not sure if I need to specify the DNS servers in both sections. I will do some more testing.

Thanks a lot for your help @trendy !!!

system · February 27, 2023, 3:28pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.