WireGuard setup via UCI

Hi all,

I'm developing a project that generates WireGuard configs for various device platforms. I did my best to create one for OpenWrt, but for weird reasons my OpenWrt installation in a VM fails to establish peerings due to apparent DNS resolution problems. The configured resolver (Cloudflare) works, and I can ping my peer endpoints from the CLI.

Take this example config:

# Configure interface
uci -q delete network.wiredns
uci set network.wiredns='interface'
uci set network.wiredns.proto='wireguard'
uci set network.wiredns.private_key='OM4VoekMZa86DXaWTXry+EPcki8UGixC4JvxkLlNUEU='
uci set network.wiredns.nohostroute='1'
uci set network.wiredns.defaultroute='0'
uci set network.wiredns.delegate='0'
# Add sensors
uci -q delete network.wiredns_eu_de_ipv6
uci set network.wiredns_eu_de_ipv6='wireguard_wiredns'
uci set network.wiredns_eu_de_ipv6.description='WireDNS.org IPv6 sensor in Frankfurt, DE, EU'
uci set network.wiredns_eu_de_ipv6.public_key='w06+NP8TsDkmzSgRq/jNklZ62c5DZ1xQS8sJa+ve5WQ='
uci set network.wiredns_eu_de_ipv6.endpoint_host='sensor0-ipv6.wiredns.org'
uci set network.wiredns_eu_de_ipv6.endpoint_port='51820'
uci set network.wiredns_eu_de_ipv6.persistent_keepalive='120'
uci set network.wiredns_eu_de_ipv6.route_allowed_ips='0'

uci -q delete network.wiredns_eu_nl_ipv6
uci set network.wiredns_eu_nl_ipv6='wireguard_wiredns'
uci set network.wiredns_eu_nl_ipv6.description='WireDNS.org IPv6 sensor in Droten, NL, EU'
uci set network.wiredns_eu_nl_ipv6.public_key='w16+fF2NME4XhIS28IvZN3pfCuS629b415kyUhmaUgc='
uci set network.wiredns_eu_nl_ipv6.endpoint_host='sensor1-ipv6.wiredns.org'
uci set network.wiredns_eu_nl_ipv6.endpoint_port='51820'
uci set network.wiredns_eu_nl_ipv6.persistent_keepalive='120'
uci set network.wiredns_eu_nl_ipv6.route_allowed_ips='0'

uci -q delete network.wiredns_us_ca_ipv6
uci set network.wiredns_us_ca_ipv6='wireguard_wiredns'
uci set network.wiredns_us_ca_ipv6.description='WireDNS.org IPv6 sensor in San Francisco, CA, US'
uci set network.wiredns_us_ca_ipv6.public_key='w26+DLuFjdy3R3bmwBpVJQHJ32wtZt7oTotHelYBhjQ='
uci set network.wiredns_us_ca_ipv6.endpoint_host='sensor2-ipv6.wiredns.org'
uci set network.wiredns_us_ca_ipv6.endpoint_port='51820'
uci set network.wiredns_us_ca_ipv6.persistent_keepalive='120'
uci set network.wiredns_us_ca_ipv6.route_allowed_ips='0'

uci -q delete network.wiredns_us_ga_ipv6
uci set network.wiredns_us_ga_ipv6='wireguard_wiredns'
uci set network.wiredns_us_ga_ipv6.description='WireDNS.org IPv6 sensor in Atlanta, GA, US'
uci set network.wiredns_us_ga_ipv6.public_key='w36+AWKalQD7d/PRnLXvz8bKHAcgpYc/nA7RlLzdzlI='
uci set network.wiredns_us_ga_ipv6.endpoint_host='sensor3-ipv6.wiredns.org'
uci set network.wiredns_us_ga_ipv6.endpoint_port='51820'
uci set network.wiredns_us_ga_ipv6.persistent_keepalive='120'
uci set network.wiredns_us_ga_ipv6.route_allowed_ips='0'

uci commit network
service network restart

# your hostnames will be:
#
# 5gaz6y159ee4iydkoke7go01nri9kbsu489hx36uwxyyt2tjxj.wiredns.org
# 5gaz6y159ee4iydkoke7go01nri9kbsu489hx36uwxyyt2tjxj.ldns.net
# 5gaz6y159ee4iydkoke7go01nri9kbsu489hx36uwxyyt2tjxj.vpnho.me
#

After this I can see the following packet exchange happening on the wire:

14:18:20.970273 eth0  In  IP 1.1.1.1.53 > 44.128.4.99.55254: 41202 ServFail 0/0/0 (42)
14:18:20.970273 br-lan In  IP 1.1.1.1.53 > 44.128.4.99.55254: 41202 ServFail 0/0/0 (42)
14:18:20.970283 br-lan Out IP 44.128.4.99.55254 > 1.1.1.1.53: 41202+ A? sensor0-ipv6.wiredns.org. (42)
14:18:20.970283 eth0  Out IP 44.128.4.99.55254 > 1.1.1.1.53: 41202+ A? sensor0-ipv6.wiredns.org. (42)

In the very same OpenWrt instance, the dig command from bind-tools works:

# dig -t aaaa sensor0-ipv6.wiredns.org.
14:19:44.631977 br-lan Out IP 44.128.4.99.43129 > 1.1.1.1.53: 12003+ AAAA? sensor0-ipv6.wiredns.org. (42)
14:19:44.631978 eth0  Out IP 44.128.4.99.43129 > 1.1.1.1.53: 12003+ AAAA? sensor0-ipv6.wiredns.org. (42)
14:19:44.636573 eth0  In  IP 1.1.1.1.53 > 44.128.4.99.43129: 12003 1/0/0 AAAA 2a03:f80:49:aad3::1 (70)
14:19:44.636576 br-lan In  IP 1.1.1.1.53 > 44.128.4.99.43129: 12003 1/0/0 AAAA 2a03:f80:49:aad3::1 (70)

; <<>> DiG 9.20.4 <<>> -t aaaa sensor0-ipv6.wiredns.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5145
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;sensor0-ipv6.wiredns.org.	IN	AAAA

;; ANSWER SECTION:
sensor0-ipv6.wiredns.org. 237	IN	AAAA	2a03:f80:49:aad3::1

;; Query time: 0 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Fri May 09 14:19:44 UTC 2025
;; MSG SIZE  rcvd: 81

So what on Earth is going on here? Does the generic libc resolver library create a malformed DNS query packet?

Meanwhile I'll create a pcap dump to look into the packets.

BTW, the same happens if I import the classic WireGuard-format configuration via the GUI.

For added confusion: in the tcpdump snippet above I pasted only A-type queries, whereas there are some AAAA queries as well that return the correct address, yet the connection does not get established.
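A small check script, added here as an example and not code from the original post or the WireDNS project, that does on the router what the post does by hand: it lists the endpoint hostnames of every peer section attached to a given WireGuard interface from `uci show network`, and flags peers in `wg show <iface> dump` whose latest handshake never happened (endpoint shown as "(none)" when it never resolved) or is older than a threshold. The interface name `wiredns` is taken from the post; the `uci show` and `wg show dump` samples in the block are constructed, and the peer keys in them are placeholders. It assumes OpenWrt with wireguard-tools installed and the stock busybox sh/awk.

```sh
#!/bin/sh
# Added example, not code from the original post or the WireDNS project.
# Assumes OpenWrt with wireguard-tools (`wg`) and the stock busybox sh/awk.

IFACE="${IFACE:-wiredns}"   # assumed interface name, matches the post's UCI section

# Read `uci show network` on stdin and print "<section> <endpoint_host>" for every
# peer section of type wireguard_<iface> ($1). `uci show` prints a section's type
# line (network.x=wireguard_wiredns) before that section's options, so a single
# pass is enough: remember the wanted sections, then print their endpoint_host.
uci_peer_endpoints() {
    awk -v type="wireguard_$1" -v q="'" -F= '
        $2 == type && NF == 2 { want[$1] = 1; next }
        {
            n = split($1, k, "[.]")          # network.<section>.<option>
            if (n != 3 || k[3] != "endpoint_host") next
            if (!(("network." k[2]) in want)) next
            gsub(q, "", $2)                  # strip the quotes uci show adds
            print k[2], $2
        }'
}

# Read `wg show <iface> dump` on stdin and print one line per peer whose latest
# handshake never happened or is older than $1 seconds, relative to epoch time $2.
# Peer columns (tab separated): pubkey psk endpoint allowed-ips latest-handshake rx tx keepalive
wg_stale_peers() {
    awk -v max="$1" -v now="$2" -F'\t' '
        NR == 1 { next }                     # first line describes the interface itself
        $5 == 0 { print $1, $3, "never"; next }
        now - $5 > max { print $1, $3, (now - $5) "s" }'
}

# Constructed sample of `uci show network` output (only the relevant lines,
# plus one peer of another interface to show the filtering).
sample_uci_show() {
    cat <<'EOF'
network.wiredns=interface
network.wiredns.proto='wireguard'
network.wiredns_eu_de_ipv6=wireguard_wiredns
network.wiredns_eu_de_ipv6.public_key='w06+NP8TsDkmzSgRq/jNklZ62c5DZ1xQS8sJa+ve5WQ='
network.wiredns_eu_de_ipv6.endpoint_host='sensor0-ipv6.wiredns.org'
network.wiredns_eu_de_ipv6.endpoint_port='51820'
network.wiredns_eu_nl_ipv6=wireguard_wiredns
network.wiredns_eu_nl_ipv6.endpoint_host='sensor1-ipv6.wiredns.org'
network.other_peer=wireguard_othervpn
network.other_peer.endpoint_host='vpn.example.net'
EOF
}

# Constructed sample of `wg show wiredns dump`: one peer with a fresh handshake,
# one whose endpoint never resolved (no endpoint, no handshake), one gone stale.
sample_wg_dump() {
    printf 'IFACE_PRIVKEY\tIFACE_PUBKEY\t51820\toff\n'
    printf 'PEERKEY_DE\t(none)\t[2a03:f80:49:aad3::1]:51820\t(none)\t1746800000\t1480\t2960\t120\n'
    printf 'PEERKEY_NL\t(none)\t(none)\t(none)\t0\t0\t0\t120\n'
    printf 'PEERKEY_CA\t(none)\t[2001:db8::2]:51820\t(none)\t1746798000\t148\t296\t120\n'
}

# On the router: sh wgcheck.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "== peers configured for $IFACE =="
    uci show network | uci_peer_endpoints "$IFACE"
    echo "== peers with no handshake in the last 3 minutes =="
    wg show "$IFACE" dump | wg_stale_peers 180 "$(date +%s)"
fi
```

With `persistent_keepalive='120'` a healthy peer re-handshakes well within three minutes, so a peer listed as "never" with endpoint "(none)" is one whose hostname netifd could not turn into an address, which is exactly the case the tcpdump above points at: an A query for an IPv6-only name.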