[Solved] Wireguard dns leak on the mobile device

lestat70 · May 20, 2018, 4:27pm

I have installed the wireguard server on the router, I also have dnscrypt installed and everything works perfectly for the devices of the local network, if I perform a test at https://www.dnsleaktest.com/ I have no loss of DNS.

With the mobile device, through my mobile operator, I connect to the local server and the local network without problems (from outside the local network) the problem is that when I perform a test at https: // www .dnsleaktest. com I see that I have leaks dns

If I modify the configuration file of the client of the mobile device adding a DNS, I can connect to the wireguard server and the local network but I can not access the Internet because it does not solve the DNS

How can I make requests from outside the local network resolved by my router?

thank you very much

lleachii · May 21, 2018, 2:42am

You will need to fix the mobile clients. Have you used an app that will allow you to edit the DNS servers?

lestat70 · May 21, 2018, 9:51am

Thank you very much for helping me one more time.

No, I thought it could be done as in openvpn (redirect-gateway def1) or maybe redirect dnscrypt requests to the 192.168.200.xxx network, but I do not have the necessary knowledge.

Therefore, if I do not want the DNS leaks into connected devices from outside my local network, do I need to use an Opendns DNS, for example, on each device?

Thanks for the help

lleachii · May 21, 2018, 2:04pm

No, you do not. Any DNS server you choose can be used. As I already stated in another thread you created:

For example, if your Wireguard server is an OpenWRT router, simply use the router's Wireguard endpoint IP as the DNS server. You may have to change the assigned IP from a /32 to the actual size of the subnet, so the appropriate route will be made on the mobile device.

Hope this helps.

lestat70 · May 21, 2018, 5:15pm

Sorry, I'm using Google translate and it may be that some instructions I do not understand them well.

My wireguard server is an OpenWRT router ( OpenWrt SNAPSHOT r6906-87c254c)

I do not have a fixed IP address and I need to use a DDNS service to access my Wireguard server with Openwrt from outside my local network

On my OpenWRT router with the wireguard server would it have to be configured like this?

config interface 'wg0'
        option proto 'wireguard'
        option private_key '0...............='
        option listen_port '51720'
        list addresses '192.168.200.1/28'

Do I have to change / 32 to / 28 (192.168.200.1 - 192.168.200.14)?, I do not need more
the rest would be the same?

config wireguard_wg0
        option public_key 'g.........'
        list allowed_ips '192.168.200.5/32'
        option route_allowed_ips '1'
        option persistent_keepalive '23'

I'm using dnscrypt on my router, what DNS should I put?
The Wireguard server ip 192.168.200.1?

The configuration files of the client that are connected from outside my local network using a DDNS service, should be configured like this?

[Interface]
 
Address = 192.168.200.5/32

PrivateKey = ...............=

DNS = 192.168.200.1
 
[Peer]

PublicKey = T................=
 
AllowedIPs = 0.0.0.0/0

Endpoint = domain.com:51720

Thank you again for your time and your help.

lleachii · May 21, 2018, 5:17pm

Yes. This should be all you need to do.

lestat70 · May 21, 2018, 5:52pm

Sorry, I made the changes and it does not work.

From the termux program on the mobile device, from outside my local network, I have a ping to the address 8.8.8.8 and it does not work

$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56 (84) bytes of data.
^ C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2002ms


ip a
.......
......
47: tun0: <POINTOPOINT, UP, LOWER_UP> mtu 1280 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link / none
    inet 192.168.200.2/32 global scope tun0
       valid_lft forever preferred_lft forever

The client connects to the server but does not have access to the internet,


Public Key: ..................... =
Endpoint: 84.XX.XX.XX: 50695
Allowed IPs:
  • 192.168.200.0/28
Persistent Keepalive: 23s
Latest Handshake: Mon, 21 May 2018 17:34:02 GMT (Aug. 5)
Data Received: 10 KiB
Data Transmitted: 13 KiB

It's what happened to me in the thread I opened earlier, I have to leave the DNS field blank in the client configuration file

lleachii · May 21, 2018, 6:06pm

Why are you using 8.8.8.8??? I thought you wanted to STOP the leak and use 192.168.200.1.

Are you changing the DNS before, OR AFTER you connect???

If your Wireguard endpoint is a hostname (and not IP), you'll need a working DNS server in order to initiate the connection, otherwise you must use the endpoint's IP address instead to establish the VPN connection.

lestat70 · May 21, 2018, 6:42pm

I do not use 8.8.8.8, I just ping the google DNS server to see if I had access to internet

I change the DNS before and then I connect

Finally I have solved it, since I am using dnscrypt I have had to redirect all DNS requests to the server with IP 192.168.200.1

On the client I have set the address 192.168.200.1 as DNS

[Interface]
 
Address = 192.168.200.5/32

PrivateKey = ...............=

DNS = 192.168.200.1

Thank you very much for the help, I found it hard to understand it but it finally works without DNS leaks.

tmomas · May 27, 2018, 6:42pm

This topic was automatically closed 6 days after the last reply. New replies are no longer allowed.