Wireguard: "DNS not defined" when generating client configuration

As the title says. If I define the DNS manually at the host, the wireguard server works though.

The service is set up using luci, using OpenWrt version 23.05.2.

config interface 'wireguard'
	option proto 'wireguard'
	option private_key 'xxx'
	list addresses '192.168.11.1/24'
	option delegate '0'
	option listen_port '51820'
	list dns '192.168.10.1'

config wireguard_client0
	option description 'My Device'
	option public_key 'xxx'
	option private_key 'xxx'
	option preshared_key 'xxx'
	option route_allowed_ips '1'
	list allowed_ips '192.168.11.2/32'
	option persistent_keepalive '25'

Is that the router's IP address?
If so, remove it.

WireGuard does not push/send a DNS address to the clients; you have to set the DNS manually on every client.

1 Like

Yes, that is the router's IP. When defining that IP manually at the client, everything works.

[Interface]
PrivateKey = 
Address = 192.168.11.2/32
# ListenPort not defined
# DNS not defined

It says "DNS not defined", strange message if it cannot be defined at all. Why have it there? :stuck_out_tongue:

If your goal is to generate a client config file with the DNS set, then you have to set the DNS address in the Generate Configuration window. See the example where I set the DNS address to 192.168.9.1.

3 Likes

I see, would be awesome to supply that value as a default as well, so one doesn't have to manually type it.

Also, I do not have the option to add DNS Servers. It's simply not present in the GUI.

1 Like

How do you determine the default value?

You probably need to update luci-proto-wireguard.

DNS servers that the router uses should be set on the wan interface. If --and only if-- wireguard is being used as the router's wan, the upstream through tunnel DNS servers would be set on the main interface page (Advanced tab). It is not a peer setting.

So many beginners like to sprinkle extra list dns everywhere hoping to solve something. In reality there is only one list that dnsmasq uses, no matter what interface you set them on.

It works with my secondary browser, Safari, but not with Firefox. I do have plenty of ad-blocks, etc. installed in Firefox though. I haven't had any issues using Firefox with luci though, outside of this.

My WAN is set up using DHCP, and DNS is set up with the ISP's DNS servers.

However, if I do not specify a DNS server manually for the client, the tunnel is set up without a DNS. I just tested, after having deleted list dns from the Wireguard interface.

You can simply specify it on the interface, all client configurations using this interface should get DNS server a.b.c.d

The peer DNS is just a convenience to encode into the QR code to help set up the peer application. It isn't a part of what the OpenWrt side of the tunnel does at all.

I don't like the QR code in the first place since it contains the peer's private key, and security good practice is to never have a private key exist outside of the device that encrypts with it.

2 Likes
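The two points made in this thread, that `list dns` on the WireGuard interface only feeds dnsmasq's upstream list (and loops if it points at the router itself), and that the DNS line in the generated client file is purely client-side convenience, can be checked mechanically. The following is an added example, not OpenWrt or LuCI code: a small UCI parser with a lint for `list dns` on WireGuard interfaces, plus a renderer that produces the client `[Interface]`/`[Peer]` text in the same shape as LuCI's Generate Configuration dialog, emitting `# DNS not defined` when no DNS is supplied and leaving `PrivateKey` blank so the key can be created on the device instead of travelling in a QR code. The function names, the `router_addresses` argument and the sample UCI fragment are assumptions constructed for the example.

```python
"""Added example (not OpenWrt/LuCI code): lint `list dns` on a WireGuard
interface and render a client config the way LuCI's generator does."""
from ipaddress import ip_address, ip_interface

# Constructed sample in the shape of the UCI fragment quoted in the thread.
SAMPLE_UCI = """\
config interface 'wireguard'
\toption proto 'wireguard'
\toption private_key 'xxx'
\tlist addresses '192.168.11.1/24'
\toption listen_port '51820'
\tlist dns '192.168.10.1'

config wireguard_client0
\toption description 'My Device'
\toption public_key 'xxx'
\tlist allowed_ips '192.168.11.2/32'
"""


def parse_uci(text):
    """Return [(section_type, {key: [value, ...]})] from UCI config text."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 2)          # keyword, key, quoted value
        if parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts[0] in ("option", "list") and sections and len(parts) == 3:
            value = parts[2].strip().strip("'\"")
            sections[-1][1].setdefault(parts[1], []).append(value)
    return sections


def lint_wireguard_uci(text, router_addresses):
    """Warn about `list dns` on WireGuard interfaces.

    router_addresses: addresses on which the router itself answers DNS
    (e.g. its LAN address); the caller supplies them because they live
    in other sections of the config.
    """
    warnings = []
    for stype, opts in parse_uci(text):
        if stype != "interface" or opts.get("proto") != ["wireguard"]:
            continue
        own = {ip_address(a) for a in router_addresses}
        # The tunnel's own address is the router as well.
        own |= {ip_interface(a).ip for a in opts.get("addresses", [])}
        for dns in opts.get("dns", []):
            if ip_address(dns) in own:
                warnings.append(f"dns {dns} is the router itself: dnsmasq "
                                "would forward queries to itself (loop)")
            else:
                warnings.append(f"dns {dns} on a WireGuard interface joins "
                                "dnsmasq's upstream list; it is never sent "
                                "to peers, set it on the wan interface instead")
    return warnings


def render_client_config(address, server_public_key, endpoint,
                         allowed_ips="0.0.0.0/0, ::/0", dns=None,
                         private_key=None, preshared_key=None,
                         persistent_keepalive=25):
    """Client-side config text in the shape LuCI's generator produces.

    private_key=None leaves the line blank so the key is generated on the
    client device and never leaves it.
    """
    lines = ["[Interface]",
             f"PrivateKey = {private_key or ''}",
             f"Address = {address}",
             "# ListenPort not defined",
             f"DNS = {dns}" if dns else "# DNS not defined",
             "",
             "[Peer]",
             f"PublicKey = {server_public_key}"]
    if preshared_key:
        lines.append(f"PresharedKey = {preshared_key}")
    lines += [f"AllowedIPs = {allowed_ips}",
              f"Endpoint = {endpoint}",
              f"PersistentKeepalive = {persistent_keepalive}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for w in lint_wireguard_uci(SAMPLE_UCI, ["192.168.10.1"]):
        print("WARNING:", w)
    print(render_client_config("192.168.11.2/32", "SERVER_PUBLIC_KEY",
                               "vpn.example.net:51820", dns="192.168.9.1"))
```

Running it against the sample prints the loop warning for `list dns '192.168.10.1'` and a client file with `DNS = 192.168.9.1`; omitting `dns=` reproduces the `# DNS not defined` comment from the screenshot in the original post.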

In my 23.05.3 that option is present, so start with clearing your browser cache, and if that does not help, upgrade to 23.05.3 (which is a good idea regardless).

Look at @mk24's response: better not add a list dns server to the WG interface, especially not the router's address itself.
The list dns server is used as an upstream DNS server by DNSmasq, and if you point it to itself you could create a loop.

Depending on the platform used, the WG client needs a DNS server in its config file (I think iOS devices do not work without a DNS server; Windows uses its own DNS server if one is not specified), so in the WG client config file specify a DNS server if there is not one already.
To be clear, the DNS server needs to be set on the WG client and has nothing to do with the WG server, other than that you use it to make the WG client config.

1 Like

That is a valid point.

1 Like

I get that. So any such option should then be under a client config generation tab or something.

But as you said, it depends on the OS. For iOS, DNS is required; for Windows, not. So perhaps best to leave it as is... Another discussion though.

1 Like

There's a long discussion on this (and many hearty debates on disagreements and Feature Requests to subsequently alter).

It could be broken?

Most people don't use the generator for what it seems to be designed for.

I haven't had time to really review all use cases aside from those whose discussions I participated in.

FYI, I don't intend to debate its use. Just providing historical references.
