WireGuard server guide is missing DNS information in wiki

I am not sure where else to flag this, so I apologise if this is the wrong place.

I worked through the WireGuard server guide and it seemed to go OK. I could connect my Android phone, get an IP etc. but name resolution failed, it could not contact the DNS server.

I thought maybe it was a firewall problem or something else, but no. That was all fine. Turns out it was the way dnsmasq was configured (and I think this might be a default setting). "Local Service Only" was enabled and that meant dnsmasq would not serve any request coming in over the WireGuard VPN. Once I disabled that, all was fine.

As I was a bit paranoid about having a DNS server open to the world should I have something else misconfigured, I added "lan" and "vpn" to the "Listen interfaces" option of dnsmasq.

It might be worth adding something to the wiki pages about the need to check the dnsmasq configuration.

It should work fine when you use the VPN IP address of the server.
There's a script in the extras that creates proper client profiles which you can import on the clients:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/extras#multi-client


Unfortunately not, using "192.168.9.1" the error is the same:
Mon Nov 16 20:14:28 2020 daemon.warn dnsmasq[10215]: Ignoring query from non-local network
I still need to perform the other configurations.

As long as you don't open the DNS port on the WAN interface, this shouldn't be a problem. The local service in dnsmasq is basically ignoring anything with a hop more than 1.

Ah right, good to know.

But my first point remains. The documents as they stand do not let a WireGuard client use the router's DNS. I am not sure if I am meant to log a defect or something against the wiki page, which is why I made this post.

My problem is solved, but the next person might hit the same thing.

I tried to reproduce the issue, but it didn't occur for me:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '0'
	option domain 'mrv'
	option local '/mrv/'
	option rebind_protection '0'
	list server '/elv/10.0.1.1'
	option tftp_root '/tmp/'
	option dhcp_boot 'vmlinux'
	option enable_tftp '1'
	option queryport '5353'
	option filterwin2k '1'
	option sequential_ip '1'
	option quietdhcp '1'
	option cachesize '5000'
	option localservice '1'

I used the IP of the WireGuard interface on OpenWrt as nameserver in the WireGuard Android app.


Well, I have no idea what is wrong with my set-up then:

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option domain 'domain.local'
        option local '/domain.local/'
        option serversfile '/tmp/adb_list.overall'
        option localservice '0'
        list interface 'lan'
        list interface 'WireG'

I swear I followed the steps as written, but maybe I have some other setting causing interference?

Oh well, thank you for the help.


Make sure you can reproduce the issue and post the output, redacting the private parts:

ubus call system board; uci show network; uci show firewall; uci show dhcp; \
ip address show; ip route show table all; ip rule show; iptables-save; \
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*; \
netstat -l -n -p | grep -e dnsmasq
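The thread turns on two dnsmasq settings: `option localservice` and `list interface`. As an added example (editor's code, not from the thread, the OpenWrt wiki or the OpenWrt project), the script below reads the text that `uci show dhcp` prints (the first of the diagnostics requested above) and classifies how reachable dnsmasq is, and it counts the "Ignoring query from non-local network" lines from the log excerpt quoted earlier. The semantics it encodes are the editor's reading of the dnsmasq man page and OpenWrt's dnsmasq init script, not statements made in the thread: `--local-service` only has effect when no `--interface`/`--listen-address` options are given, it drops queries whose source address is not inside a subnet attached to one of the router's own interfaces, and OpenWrt treats a missing `localservice` option as `1`. The sample configs and log lines are constructed for the example; the interface name `WireG` is taken from the poster's config.

```sh
#!/bin/sh
# Added example: classify dnsmasq exposure from `uci show dhcp` output on OpenWrt.
# Assumed semantics (editor's reading of the dnsmasq man page / OpenWrt init script):
#   - `list interface` binds dnsmasq to those logical interfaces only (plus lo); once
#     it is set, --local-service has no effect at all.
#   - no interface list + localservice '1' (OpenWrt's default when the option is absent):
#     queries from addresses outside the router's own subnets are dropped and logged as
#     "Ignoring query from non-local network".
#   - no interface list + localservice '0': dnsmasq answers any source that can reach
#     it; only the firewall keeps the WAN side closed.

# Print one word for the exposure implied by the dhcp config text passed in $1:
#   interfaces:<a,b>   restricted to the named logical interfaces
#   local-subnets      restricted by --local-service
#   unrestricted       answers every source; the firewall is the only guard
dnsmasq_exposure() {
    cfg=$1
    # uci show renders a list option on one line as:  name='v1' 'v2' ...
    ifaces=$(printf '%s\n' "$cfg" \
        | sed -n "s/^dhcp\.@dnsmasq\[0\]\.interface=//p" \
        | tr -d "'")
    localservice=$(printf '%s\n' "$cfg" \
        | sed -n "s/^dhcp\.@dnsmasq\[0\]\.localservice='\([01]\)'\$/\1/p")
    if [ -n "$ifaces" ]; then
        printf 'interfaces:%s\n' "$(printf '%s' "$ifaces" | tr ' ' ',')"
    elif [ "${localservice:-1}" = 1 ]; then
        printf 'local-subnets\n'
    else
        printf 'unrestricted\n'
    fi
}

# Count syslog lines where dnsmasq refused a query under --local-service; this is the
# symptom the thread describes when a VPN client cannot resolve names.
nonlocal_rejections() {
    printf '%s\n' "$1" \
        | grep -c 'dnsmasq\[[0-9]*\]: Ignoring query from non-local network' || true
}

# Constructed samples in the shape `uci show dhcp` prints (only the relevant keys).
CFG_DEFAULT="dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localservice='1'"

CFG_OPEN="dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].localservice='0'"

CFG_LISTED="dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].localservice='0'
dhcp.@dnsmasq[0].interface='lan' 'WireG'"

# Constructed log excerpt modelled on the line quoted in the thread.
LOG="Mon Nov 16 20:14:28 2020 daemon.warn dnsmasq[10215]: Ignoring query from non-local network
Mon Nov 16 20:14:29 2020 daemon.info dnsmasq[10215]: query[A] example.org from 192.168.1.20
Mon Nov 16 20:14:31 2020 daemon.warn dnsmasq[10215]: Ignoring query from non-local network"

for c in "$CFG_DEFAULT" "$CFG_OPEN" "$CFG_LISTED"; do
    dnsmasq_exposure "$c"
done
printf 'rejected non-local queries in log: %s\n' "$(nonlocal_rejections "$LOG")"
```

On a live router, replace the constructed samples with `dnsmasq_exposure "$(uci show dhcp)"` and `nonlocal_rejections "$(logread)"`. The "unrestricted" result is the configuration the first post was worried about: it is only as safe as the firewall rule that keeps port 53 closed on wan, which is why adding the VPN interface to `list interface` (the "interfaces:lan,WireG" case) is the tighter fix.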