I have two OpenWrt routers connected via a WireGuard VPN, and I have set up DNS forwarding. The DNS forwarding towards the VPN server works with the 'Local Service Only' option enabled by default, but for the DNS forwarding towards the client to work, I need to disable this option. Why does it work in one direction with this option enabled, but in the other direction only without it? And what are the risks of disabling it?
I am talking about the option localservice '1'. By default, it is enabled. The DNS forwarding from the VPN client to the VPN server works this way. However, in the opposite direction, the DNS forwarding from the VPN server to the VPN client only works with localservice '0'. That's the whole difference in configuration. Why does the VPN server consider the VPN network local and provide DNS responses to it, while the client does not? This is the question.
Traffic between the networks is working correctly; all hosts can see each other by IP. The problem is only with DNS forwarding. It works towards the server with the default settings, but in the opposite direction, the client needs to set the option localservice '0'.
The DNS query forward comes from the server to the client, but the client does not respond to it without this option.
Perhaps it's because the VPN server creates an interface for the entire VPN network, while the client only creates one for its own address. This is where the difference lies. Therefore, the DNS on the server considers the VPN network local, while on the client it does not.
DNS resolution works fine here over WireGuard on 23.05.4 on multiple devices running WireGuard tunnels.
Apologies, if you're unable or unwilling to answer the questions, perhaps we can glean from your config.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
So, the difference is that the VPN server uses the netmask 255.255.255.0 for its interface, while the VPN client uses 255.255.255.255, which allows the server to consider the VPN network local and respond to DNS requests with the localservice '1' option, while the client does not consider the VPN network local and only responds with the localservice '0' option, right?
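The netmask reasoning in the two posts above (the /24 on the server versus the /32 on the client) can be checked against a model of what dnsmasq's --local-service does: when OpenWrt's option localservice '1' is set, dnsmasq answers a query only if its source address lies inside a subnet for which the box has an interface address. The script below is an added example, not code from the thread, from dnsmasq or from OpenWrt; the addresses 10.9.0.1/24 (server wg0), 10.9.0.2/32 (client wg0), 192.168.1.1/24, 192.168.2.1/24 and 203.0.113.5 are assumptions chosen to mirror the setup described, not values from the original posts.

```python
"""Model of dnsmasq's --local-service source check (OpenWrt: option localservice '1').

Added example for the thread above; not dnsmasq's or OpenWrt's own code.
All interface addresses and query sources here are assumptions.
"""
import ipaddress


def local_subnets(interfaces):
    """Return the networks dnsmasq would treat as local.

    `interfaces` is a list of "addr/prefix" strings, one per interface address
    the box holds (what `ip addr` would show).
    """
    return [ipaddress.ip_interface(i).network for i in interfaces]


def answers_query(src, interfaces, localservice=True):
    """True if dnsmasq would answer a DNS query from source address `src`.

    localservice=True  : only sources inside one of the local subnets are answered.
    localservice=False : any source that can reach UDP/TCP 53 is answered, so
                         access control moves entirely to the firewall.
    """
    if not localservice:
        return True
    src_ip = ipaddress.ip_address(src)
    return any(src_ip in net for net in local_subnets(interfaces))


# Assumed addressing mirroring the thread:
#   VPN server: lan 192.168.1.1/24, wg0 10.9.0.1/24  (whole VPN subnet on the interface)
#   VPN client: lan 192.168.2.1/24, wg0 10.9.0.2/32  (only its own address)
SERVER_IFS = ["192.168.1.1/24", "10.9.0.1/24"]
CLIENT_IFS = ["192.168.2.1/24", "10.9.0.2/32"]
# Hypothetical alternative: client wg0 configured with the /24 as well
CLIENT_IFS_SLASH24 = ["192.168.2.1/24", "10.9.0.2/24"]


def thread_scenarios():
    """Evaluate the cases discussed in the thread; keys are scenario names."""
    return {
        # forward from client to server: 10.9.0.2 is inside the server's 10.9.0.0/24
        "client->server, localservice 1": answers_query("10.9.0.2", SERVER_IFS),
        # forward from server to client: 10.9.0.1 is not inside the client's 10.9.0.2/32
        "server->client, localservice 1": answers_query("10.9.0.1", CLIENT_IFS),
        # same forward with localservice disabled on the client
        "server->client, localservice 0": answers_query("10.9.0.1", CLIENT_IFS, False),
        # same forward if the client's wg0 carried the /24 instead of a /32
        "server->client, client wg0 /24": answers_query("10.9.0.1", CLIENT_IFS_SLASH24),
        # the risk side: with localservice 0 an arbitrary source is answered too,
        # unless the firewall blocks it
        "outside host, localservice 0": answers_query("203.0.113.5", CLIENT_IFS, False),
    }


if __name__ == "__main__":
    for name, answered in thread_scenarios().items():
        print(f"{name:38s} -> {'answered' if answered else 'refused'}")
```

The model reproduces the asymmetry: only the /32 on the client's wg0 keeps the server's 10.9.0.1 outside every local subnet, so the client refuses the forwarded query until localservice is turned off. Two caveats from the dnsmasq documentation are worth keeping in mind when reading the result: --local-service only takes effect when dnsmasq is started without --interface, --except-interface, --listen-address or --auth-server options, and its purpose is to keep an otherwise unconfigured instance from being usable as an open resolver. With localservice '0' that protection is gone and the last scenario above is answered; what then stops outside hosts is the firewall, which on OpenWrt rejects input from the wan zone by default, so the exposure is to whatever zones do allow input to the router.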