I'm trying to use a dns server that belongs to a wireguard peer on Boxpn, and not having much luck. I'm working with openwrt v19.07.2 on a GoFlexNet device. I'm using rule-based routing as described at
https://www.wireguard.com/netns/
This is essentially the same technique that's used by wg-quick that works on my Debian 10 laptop. On the laptop, I use the endpoint address as the DNS server, which works without leaks. I've read that the tunnel IP (startpoint?) address can also be used as a DNS server:
https://wiki.archlinux.org/index.php/WireGuard#DNS
However, that doesn't work when I try it.
I use the /etc/config/network file for the setup, then a hotplug event to add the additional routing and write the nameserver to /tmp/resolv.conf.auto. I also suspend the udhcpc processes to avoid overwriting the configuration.
It's curious that when I change the DNS server to point to my LAN router, it works fine, and 8.8.8.8 also works, but not the peer endpoint. I can't see what the problem is in my setup, and none of the forum questions I can find deal directly with this issue, so I'm at a loss.
By the way, does anyone know how to properly find the peer DNS servers? Is there some way of discovering them? or should the endpoint function as one?
Thanks in advance.
#wg
interface: wg0
public key: =
private key: (hidden)
listening port: 58244
fwmark: 0xca6c
peer: =
endpoint: 31.184.197.6:48020
allowed ips: 0.0.0.0/0
latest handshake: 1 minute, 37 seconds ago
transfer: 34.13 MiB received, 499.68 MiB sent
persistent keepalive: every 25 seconds
#ip route
default dev wg0 proto static scope link
10.0.1.0/24 dev br-lan proto kernel scope link src 10.0.1.9
31.184.197.6 via 10.0.1.1 dev br-lan proto static
#ip rule
0: from all lookup local
32764: from all lookup main suppress_prefixlength 0
32765: not from all fwmark 0xca6c lookup 10
32766: from all lookup main
32767: from all lookup default
#ip route show table 10
default dev wg0 scope link
#/etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config interface 'lan'
option type 'bridge'
option ifname 'eth0'
option proto 'dhcp'
config interface 'wg0'
option proto 'wireguard'
option private_key '='
list addresses '10.120.0.15/32'
config wireguard_wg0 'wgserver'
option public_key '='
option endpoint_host ''
option endpoint_port '48020'
option route_allowed_ips '1'
option persistent_keepalive '25'
list allowed_ips '0.0.0.0/0'
#/etc/config/firewall
config zone 'wan'
option name 'wan'
list network 'wan'
list network 'wan6'
list network 'wg0'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
/etc/hotplug.d/iface/50-vpn
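#!/bin/sh
# https://www.wireguard.com/netns/
#
# OpenWrt hotplug handler (/etc/hotplug.d/iface) for the WireGuard tunnel.
# On ifup it installs fwmark-based policy routing so that everything except
# WireGuard's own encapsulated packets is routed through the tunnel, freezes
# the udhcpc clients so they cannot rewrite resolv.conf.auto, and writes the
# resolver to use while the tunnel is up.  On ifdown it removes the rules,
# thaws udhcpc and asks it to renew its lease.
#
# Environment (set by netifd): INTERFACE - logical interface name
#                              ACTION    - ifup / ifdown / ...
interface=wg0
fwmark=51820             # 0xca6c: the mark WireGuard puts on its own UDP packets
iptable=10               # policy-routing table holding the tunnel default route
serv_resolv=/tmp/resolv.conf.auto
vpn_nameserver=8.8.8.8   # resolver used while the tunnel is up; reached via the tunnel default route

# tunnel_ipv4 IFACE - print the IPv4 address(es) configured on IFACE, one per line
tunnel_ipv4() {
  ip address show dev "$1" | sed -n -E -e 's/^ *inet +([0-9.]*).*$/\1/p'
}

# write_resolv_conf FILE NAMESERVER [TUNNEL_IP]
# Replace FILE with a resolv.conf that points at NAMESERVER.  TUNNEL_IP is
# kept as a comment for reference only; it is not used as a resolver.
write_resolv_conf() {
  {
    printf '# wgvpn\n'
    printf '# nameserver %s\n' "$3"
    printf 'nameserver %s\n' "$2"
  } > "$1"
}

# signal_dhcp_clients SIGNAL... - send each SIGNAL, in order, to every udhcpc
# whose pid file sits in /var/run.  Missing or empty pid files are skipped.
signal_dhcp_clients() {
  for pidfile in /var/run/udhcpc-*.pid; do
    [ -e "$pidfile" ] || continue          # an unmatched glob leaves the literal pattern
    pid=$(cat "$pidfile") || continue
    [ -n "$pid" ] || continue
    for sig in "$@"; do
      kill -"$sig" "$pid"
    done
  done
}

# teardown_routing - remove the policy-routing rules and the table entry.
# Errors are silenced: on a clean system there is nothing to delete, and the
# table route disappears with the device anyway.
teardown_routing() {
  ip -4 rule delete not fwmark "$fwmark" table "$iptable" 2>/dev/null
  ip -4 rule delete table main suppress_prefixlength 0 2>/dev/null
  ip -4 route delete default dev "$interface" table "$iptable" 2>/dev/null
}

# setup_routing - install the "everything but WireGuard's own packets goes
# through the tunnel" policy routing.  Runs teardown_routing first so that a
# repeated ifup does not stack duplicate rules (ip rule add does not de-duplicate,
# and the original ifdown only deleted one rule per selector).
setup_routing() {
  teardown_routing
  wg set "$interface" fwmark "$fwmark"
  ip -4 route add default dev "$interface" table "$iptable"
  ip -4 rule add not fwmark "$fwmark" table "$iptable"
  # Routes in main with a prefix longer than /0 (LAN, the endpoint host route)
  # still win; only main's default route is suppressed in favour of table 10.
  ip -4 rule add table main suppress_prefixlength 0
  # As recommended on the wireguard.com netns page for fwmark-based routing.
  sysctl -q net.ipv4.conf.all.src_valid_mark=1
}

# vpn_up - ifup handler: routing, freeze udhcpc, install our resolver.
vpn_up() {
  setup_routing
  # STOP rather than kill: the lease stays valid and the client can be resumed.
  signal_dhcp_clients STOP
  write_resolv_conf "$serv_resolv" "$vpn_nameserver" "$(tunnel_ipv4 "$interface")"
}

# vpn_down - ifdown handler: drop the rules, thaw udhcpc and ask it to renew
# (USR1).  resolv.conf.auto is not rewritten here; the renew is expected to
# make udhcpc restore the DHCP-provided resolver -- confirm on the device.
vpn_down() {
  teardown_routing
  signal_dhcp_clients CONT USR1
}

if [ "$INTERFACE" = "$interface" ]; then
  case "$ACTION" in
    ifup) vpn_up ;;
    ifdown) vpn_down ;;
  esac
fi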