I've successfully configured a Wireguard site-to-site link, but now I'm having trouble with local DNS. My idea was that both sides would run their default DNS server and I'd add a custom DNS address for the Wireguard interface. That way I would be able to use local DNS records from the other side.
Configuration
Let's say I have site A and site B. Site A has IPs 10.0.0.0/16 and Wireguard interface 10.0.5.1/24. Site B has IPs 10.1.0.0/16 and Wireguard interface 10.1.5.1/24.
Then I open LuCI -> Network -> Interfaces -> Wireguard interface -> Add peer ->
add the other site public key,
add the other site IP subnet to allowed IPs,
select Route Allowed IPs, and
add the other site endpoint (public IP address).
This will create a VPN link that allows a device in site A's LAN (let's say 10.0.0.111) to contact a device in site B's LAN (let's say 10.1.0.112).
Now I'll add in LuCI -> Network -> DHCP and DNS -> Static Leases a new record for 10.1.0.112. Let's name it device.lan and select the Forward/reverse DNS option. Now other devices in site B's LAN can ping device.lan.
Problem
When I open LuCI -> Interfaces -> Wireguard interface -> Advanced Settings and set Use custom DNS servers to 10.1.0.1 (site B's DNS server), I'm not able to find the device.lan record.
When I use nslookup on site A's router I can't communicate with site B's DNS server.
nslookup device.lan 10.1.0.1
;; connection timed out; no servers could be reached
I'm not sure where to look next. There is probably some security setting that I'm missing. Is there a way to configure this correctly? I could also add DNS records manually for both sites, but it would be nice to have this happen automatically.
If you want to resolve local DNS from both sides, then see my notes about this. They are not very well redacted, but maybe they are helpful.
For a proper setup, if both sides are OpenWRT routers, four things are important.
The first is to make sure that the DNS server from the other side can actually process your queries.
DNSmasq has to listen on all interfaces, so also on the WG interface. By default this is the case, but if you changed that, then you have to add the WG interface as a listen interface.
The second is that the DNSMasq of the other side has to answer non-local requests.
For this, disable Local Service only (DNSMasq: --local-service):
Luci DNS-DHCP > Filter > Local service only: untick/disable,
or in /etc/config/dhcp:
config dnsmasq
	option localservice '0'
The third is that the client side is now using a DNS server with a local RFC1918 address.
DNSmasq has rebind protection, which shields you from using local addresses, as those can be used to spoof DNS. So on the client side you have to disable Rebind Protection:
Luci DNS-DHCP > Filter > Rebind protection: untick/disable
/etc/config/dhcp:
config dnsmasq
	option rebind_protection '0'
Instead of disabling Rebind protection, you can also whitelist the domain of the other side:
Luci DNS-DHCP > Filter > Domain Whitelist: "set name of domain of other side"
/etc/config/dhcp:
config dnsmasq
	list rebind_domain 'set name of domain of other side'
The fourth is that you have to instruct DNSMasq which server it has to use to resolve the domain of the other side. This assumes you have set a different domain name for each side, e.g. home1 (router is 192.168.1.1) and home2 (router is 192.168.2.1).
On home1 you add: server=/home2/192.168.2.1
For openwrt, /etc/config/dhcp > config dnsmasq:
	list server '/home2/192.168.2.1'
On home2: server=/home1/192.168.1.1
For openwrt, /etc/config/dhcp > config dnsmasq:
	list server '/home1/192.168.1.1'
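As an added example (not code from this thread), here is a small Python check that reads an OpenWrt /etc/config/dhcp and reports which of the four points above still block resolving the other side's domain. The two sample configs and the WireGuard interface name wg0 are constructed for illustration.

```python
import re

def parse_dnsmasq(text):
    """Return (options, lists) of the first 'config dnsmasq' section in UCI text."""
    opts, lists, in_section = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            in_section = line.split()[1] == "dnsmasq"
        elif in_section:
            m = re.match(r"(option|list)\s+(\S+)\s+'([^']*)'", line)
            if m and m.group(1) == "option":
                opts[m.group(2)] = m.group(3)
            elif m:
                lists.setdefault(m.group(2), []).append(m.group(3))
    return opts, lists

def check_site_to_site_dns(text, peer_domain, peer_dns, wg_iface):
    """Report which of the four settings still block resolving peer_domain."""
    opts, lists = parse_dnsmasq(text)
    problems = []
    # 1) if dnsmasq is pinned to specific interfaces, the WG one must be among them
    if "interface" in lists and wg_iface not in lists["interface"]:
        problems.append("interface list omits %s: dnsmasq will not hear tunnel queries" % wg_iface)
    # 2) answer queries arriving from the other site's subnet (OpenWrt default is '1')
    if opts.get("localservice", "1") != "0":
        problems.append("localservice is on: queries from the other site are refused")
    # 3) RFC1918 answers are dropped unless protection is off or the domain is whitelisted
    if opts.get("rebind_protection", "1") != "0" and peer_domain not in lists.get("rebind_domain", []):
        problems.append("rebind_protection on and %s not in rebind_domain" % peer_domain)
    # 4) forward the other side's domain to its router
    if "/%s/%s" % (peer_domain, peer_dns) not in lists.get("server", []):
        problems.append("missing: list server '/%s/%s'" % (peer_domain, peer_dns))
    return problems

# Constructed sample: a home1 router with stock defaults plus only step 4 applied.
BEFORE = """config dnsmasq
\toption localservice '1'
\toption rebind_protection '1'
\tlist server '/home2/192.168.2.1'
"""
# Same router after the thread's advice, whitelisting home2 instead of disabling rebind protection.
AFTER = """config dnsmasq
\toption localservice '0'
\toption rebind_protection '1'
\tlist rebind_domain 'home2'
\tlist server '/home2/192.168.2.1'
"""
```

Run `check_site_to_site_dns(open('/etc/config/dhcp').read(), 'home2', '192.168.2.1', 'wg0')` on the home1 router; an empty list means all four points are satisfied.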
Thank you for the fast response. To be honest, I've seen your notes before (at least the first paragraph), but for some reason I didn't pay much attention to them. That was a mistake. Everything works correctly now.
This solved my first issue. Now the second side gets an answer for nslookup.
Is there a way to have the same domain for both sides (e.g. lan)? I can see some pros and cons.
+ I wouldn't have to remember where the device is located.
- I would need to check for duplicate entries (which isn't a problem for my small network).