Wireguard home server DNS

Hey,

I want to connect to my Wireguard server on my home server.

To prevent DNS leaks, I have specified the DNS server of my home network as WAN DNS server. This also works.

So that Openwrt can query the Dyndns of my home server before the Wireguard tunnel is established, I have specified my Dyndns and 8.8.8.8 in Dnsmasq as DNS Forwarding.

This does not work somehow:

In the system log I get the message

Wireguard_monitor: VPN endpoint Dyndns is Not responding, trying to reresolve

In addition, I cannot ping my Dyndns. Nevertheless, the tunnel works, strangely enough.

This suggests that your tunnel isn't working.... but...

Pings depend on the configuration of the wan firewall, so that may or may not be expected... but you said the tunnel is working, so that seems to contradict the above message.

All that said, let's see your configs so we can start to understand the details:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show

This is the output of the commands mentioned:

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.73",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "D-Link DIR-860L B1",
        "board_name": "dlink,dir-860l-b1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0",
                "revision": "r28427-6df0e3d02a",
                "target": "ramips/mt7621",
                "description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
                "builddate": "1738624177"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fddc:2c84:bf6f::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr 'e4:6f:13:2e:b0:08'

config device
        option name 'lan2'
        option macaddr 'e4:6f:13:2e:b0:08'

config device
        option name 'lan3'
        option macaddr 'e4:6f:13:2e:b0:08'

config device
        option name 'lan4'
        option macaddr 'e4:6f:13:2e:b0:08'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.206.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr 'e4:6f:13:2e:b0:0b'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option norelease '1'
        option peerdns '0'

config interface 'wwan'
        option proto 'dhcp'
        option peerdns '0'

config interface 'vpn'
        option proto 'wireguard'
        option private_key 'secret'
        list addresses '10.79.52.2/24'
        list dns 'Here is the DNS server of my home network'

config wireguard_vpn 'wgserver'
        option public_key 'secret'
        option preshared_key 'secret'
        option endpoint_host 'Here is the dyndns to my home ip'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone 'vpn'
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'vpn'

config forwarding 'lan_vpn'
        option src 'lan'
        option dest 'vpn'

root@OpenWrt:~# wg show
interface: vpn
  public key: secret
  private key: (hidden)
  listening port: 56060

peer: secret
  preshared key: (hidden)
  endpoint: Here is the plain text IP of my home network:51820
  allowed ips: 0.0.0.0/0, ::/0
  transfer: 0 B received, 7.37 KiB sent
  persistent keepalive: every 25 seconds

Instruct DNSMasq to resolve your DDNS endpoint and your time servers with an alternate DNS server.

You can add this in /etc/config/dhcp as:

list server '/DDNS-endpoint/9.9.9.9'
list server '/openwrt.pool.ntp.org/9.9.9.9'

This indicates that you do not have a handshake. So in addition to @egc's guidance regarding DNS, you need to figure out why you are not getting a handshake.


I added the DNS servers, but there is still no connection.

I have two suspicions. Either it is because I have removed the default DNS for all interfaces and only entered the IP of my DNS in the home network for the WG and WAN interface. Or it is because the WG client cannot access my home network because the WG server is missing a route to the home network.

Just add 9.9.9.9 as DNS server on the WAN interface, reboot and check again. This is how it looks for my router:

Still doesn't work. I think I broke the DNS settings. I think I'll set it up from scratch again.

I have successfully reinstalled my openwrt wireguard client. I used these instructions for this: https://openwrt.org/docs/guide-user/services/vpn/wireguard/all-traffic-through-wireguard

The only problem is with the DNS server. According to the instructions, the following should be specified in Dnsmasq:

list server '<DNS_server_to_forward_request_to_(peer_internal_wg0_ip)>'

I don't understand what I have to enter here. It is not the IP of my router/DNS server in the home network; that doesn't work. If I enter 8.8.8.8, it works. But then I have potential DNS leaks.
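Two things in this thread are worth checking mechanically rather than by eye: whether "wg show" actually shows a completed handshake (the point raised after the config dump: "0 B received" and no "latest handshake" line), and whether the dnsmasq forwarding in /etc/config/dhcp only sends the DDNS name (and, per the earlier suggestion, the NTP pool) to a public resolver while everything else goes to the resolver behind the tunnel, which is what the last question about the "list server" entry is about. The script below is an added example and is not code from this thread, from the wiki page linked above, or from the OpenWrt project. It assumes a DDNS name of vpn.example.net, a tunnel-side resolver at 10.79.52.1 (the .1 of the 10.79.52.0/24 used on the vpn interface here is only an assumption), and a documentation address 203.0.113.10 as the endpoint; all sample "wg show" and config text is constructed.

```shell
#!/bin/sh
# Added example, not from this thread or from OpenWrt. Offline checks for the two
# failure modes discussed: no WireGuard handshake, and dnsmasq forwarding that
# leaks queries past the tunnel. Placeholders: vpn.example.net (DDNS name),
# 10.79.52.1 (resolver behind the tunnel, assumed), 203.0.113.10 (endpoint).

# --- 1. Does "wg show" output contain a completed handshake? ---------------------
# A peer that never handshook has no "latest handshake:" line and 0 B received;
# a growing "sent" counter only proves the client keeps trying. Returns 0 if OK.
wg_handshake_ok() {
    out="$1"
    printf '%s\n' "$out" | grep -q 'latest handshake:' || return 1
    # "transfer: 1.20 KiB received, 7.37 KiB sent" -> "1.20"; "0 B received" -> "0"
    rx=$(printf '%s\n' "$out" | sed -n 's/^ *transfer: \([^ ]*\) .*received.*/\1/p' | head -n 1)
    [ -n "$rx" ] && [ "$rx" != "0" ]
}

# --- 2. Is the dnsmasq forwarding in /etc/config/dhcp leak-safe? ----------------
# Arguments: file contents, DDNS name, resolver reached through the tunnel.
# Returns 0 only if the DDNS name has its own "/name/server" entry (so it resolves
# before the tunnel exists) and every other "list server" entry is either
# domain-scoped or the tunnel-side resolver. An unscoped public resolver such as
# 8.8.8.8 makes dnsmasq send ordinary queries to it outside the tunnel: the leak.
dnsmasq_forwarding_ok() {
    cfg="$1" ddns="$2" vpn_dns="$3"
    servers=$(printf '%s\n' "$cfg" \
        | sed -n "s/^[[:space:]]*list[[:space:]]*server[[:space:]]*'\([^']*\)'.*/\1/p")
    printf '%s\n' "$servers" | grep -Fq "/$ddns/" || return 1
    # any unscoped entry that is not the tunnel-side resolver -> leak
    if printf '%s\n' "$servers" | grep -v '^/' | grep -Fvx "$vpn_dns" | grep -q '[^[:space:]]'; then
        return 1
    fi
    return 0
}

# --- Constructed samples (same shape as "wg show" and /etc/config/dhcp) ---------
WG_NO_HANDSHAKE='interface: vpn
  listening port: 56060

peer: (redacted)
  endpoint: 203.0.113.10:51820
  allowed ips: 0.0.0.0/0, ::/0
  transfer: 0 B received, 7.37 KiB sent
  persistent keepalive: every 25 seconds'

WG_HANDSHAKE='interface: vpn
  listening port: 56060

peer: (redacted)
  endpoint: 203.0.113.10:51820
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 12 seconds ago
  transfer: 1.20 KiB received, 7.37 KiB sent
  persistent keepalive: every 25 seconds'

# Leaky: the DDNS name is scoped, but the unscoped 8.8.8.8 carries everything else
# outside the tunnel.
CFG_LEAKY="config dnsmasq
    option noresolv '1'
    list server '/vpn.example.net/9.9.9.9'
    list server '8.8.8.8'"

# Safe: only the DDNS name and the NTP pool go to 9.9.9.9; all other queries go
# to the resolver behind the tunnel (10.79.52.1, assumed).
CFG_OK="config dnsmasq
    option noresolv '1'
    list server '/vpn.example.net/9.9.9.9'
    list server '/openwrt.pool.ntp.org/9.9.9.9'
    list server '10.79.52.1'"

# Stand-alone demo. On a live router use the real data instead:
#   wg_handshake_ok "$(wg show)"
#   dnsmasq_forwarding_ok "$(cat /etc/config/dhcp)" vpn.example.net 10.79.52.1
if wg_handshake_ok "$WG_NO_HANDSHAKE"; then echo "sample 1: handshake present"; else echo "sample 1: NO handshake"; fi
if wg_handshake_ok "$WG_HANDSHAKE";    then echo "sample 2: handshake present"; else echo "sample 2: NO handshake"; fi
if dnsmasq_forwarding_ok "$CFG_LEAKY" vpn.example.net 10.79.52.1; then echo "leaky cfg: leak-safe"; else echo "leaky cfg: LEAKS or DDNS not scoped"; fi
if dnsmasq_forwarding_ok "$CFG_OK"    vpn.example.net 10.79.52.1; then echo "safe cfg: leak-safe";  else echo "safe cfg: LEAKS or DDNS not scoped"; fi
```

The forwarding check only looks at explicit "list server" entries. DNS servers set on an interface ("list dns" on wan or vpn, as in the config posted above) also reach dnsmasq through the auto-generated resolv.conf unless "option noresolv '1'" is set, so a resolver that is only reachable through the tunnel but is listed on the wan interface will still be tried, and will fail, before the tunnel is up; that is consistent with the endpoint name not resolving and the router not being able to ping it.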