Wireguard with PBR DNS Leak

I would assume yes, but since it is PBR it could also be the case you have to re-add the routes manually.

I believe, but I'm not sure, that the PBR documentation even states it's better to disable the default-gateway behaviour, though I've tried this on the LAN interface once and I can't recommend it; also, PBR has an ignore target for a reason, to ignore the killswitch.

If PBR is routing, everything else gets blocked by the PBR killswitch, so it could well be that it is somehow blocking it via the killswitch.

If you look at my own PBR image, my gateway is the second row; I also used the ignore rule, otherwise my clients were not able to see these devices even with a traffic forward through zones. It could very well be something like this.

Going through my config, I totally forgot to mention that I'm using AdGuard Home, and to install it I needed to move my dnsmasq to port 54, so my DNS resolver is ADGH. Is there any way of using them together? (I'm sorry, I totally forgot how the installation process of ADGH changed the DNS settings.)

Well, it is possible but difficult; when I had to test it myself I had to disable NextDNS, because NextDNS basically replaced the full DNS. I hope AdGuard does not do this as well.

So as long as AdGuard Home works standalone from dnsmasq and can have a different port, you could forward ports the correct way, or maybe use it as a DHCP forwarder.

My guess is to use the hijack method as demonstrated in this thread; the only thing you have to change is the internal port to reflect AdGuard's.

From what I got from the installation guide (this part explains moving the dnsmasq port), dnsmasq is moved to port 54, and ADGH is bound to 53.
Would this be right?

Only the external port needs to be kept on port 53; all the rest is fine :+1:

But now it makes me confused: do you want ADH on WireGuard? Because I still see Mullvad's tunnel IP and destination zone.

If so, isn't it better to add AdGuard Home as a forwarder in dnsmasq and then use the default gateway as DNS?

If not, the destination zone should be wan and the destination IP empty.

Honestly, at first I totally forgot about ADH when setting up WireGuard yesterday. ADH can come or go; I like it because of the filters, but if they can both be used I would gladly do it.

I'm not sure what you meant, but I think ADH is already set up as the first DNS resolver (not sure about the default-gateway-as-DNS part):
image

I see; however, if you want dnsmasq to forward to port 54,

you need to put it like 127.0.0.1#54 or 0.0.0.0#54. If it doesn't work it's probably the other one; I forgot whether 0.0.0.0 is valid as a forwarder entry, but one of these two must work 100% :yum:

Yeah, still not working :confused:. I'm going to try to tweak some stuff and see what happens; if you have any more advice I would gladly hear it. Thanks for your help so far.


FINALLY, I GOT IT WORKING!
At the end of the day I went looking again for clues as to why this wasn't working.
After reading through some posts thoroughly, I found tag/MAC classification, which at first was not working; but after thinking a while I remembered that I had set up DNS hijacking earlier, and that was making it not work.
So, after disabling the DNS Hijacking port forward on the firewall, it worked.
In the end, this was my configuration, for anyone unfortunate enough to come across this:

cat /etc/config/network

# Loopback; unchanged from the OpenWrt default.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# The ULA prefix is also the source of the IPv6 resolver address advertised
# to LAN clients in /etc/config/dhcp (fd57:ea44:8dd8::1).
config globals 'globals'
        option ula_prefix 'fd57:ea44:8dd8::/48'
        option packet_steering '1'

# LAN bridge over the four copper ports plus sfp2.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'sfp2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
# Hands a /60 out of the delegated wan6 prefix to the LAN, so LAN hosts get
# global IPv6 addresses. pbr below has ipv6_enabled '0', so IPv6 from the
# tagged host is not steered into the tunnel -- a possible leak path unless
# IPv6 is withheld from that host (see the pbr and dhcp notes).
        option ip6assign '60'

# WAN bridge; eth1 and wan share one (redacted-looking) MAC below.
config device
        option name 'br-wan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'wan'

config device
        option name 'eth1'
        option macaddr 'a2:a8:cc:95:fb:2d'

config device
        option name 'wan'
        option macaddr 'a2:a8:cc:95:fb:2d'

# peerdns '0': resolvers offered by the ISP's DHCP are ignored; the two static
# entries are used instead. metric 1024 leaves room for other routes to win.
config interface 'wan'
        option device 'br-wan'
        option proto 'dhcp'
        option peerdns '0'
        option metric '1024'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config interface 'wan6'
        option device 'br-wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '2001:4860:4860::8888'
        list dns '2001:4860:4860::8844'

# WireGuard client interface. 'WGINTERFACE' is the poster's placeholder name;
# the private key and tunnel addresses are redacted as 'x'.
config interface 'WGINTERFACE'
        option proto 'wireguard'
        option private_key 'x'
        list addresses 'x'
        list addresses 'x'
        option force_link '1'
# Tunnel-side resolver. The same address is pushed to the tagged host through
# DHCP option 6 and listed as dnsmasq's first upstream in /etc/config/dhcp;
# presumably it is only reachable while the host's traffic goes via the tunnel.
        list dns '10.64.0.1'

# Peer: every destination is allowed through the tunnel. route_allowed_ips is
# not set here, so whether these allowed_ips also become routes depends on the
# OpenWrt default (0 on current releases -- confirm); the source-based pbr
# policy is what actually sends traffic into the tunnel.
config wireguard_WGINTERFACE
        option public_key 'x'
        option endpoint_host 'x'
        option endpoint_port '51820'
        option description 'WireGuard Peer'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
# Rebind protection is off: upstream answers that resolve to private (RFC 1918)
# addresses are NOT discarded. Sometimes needed when a VPN-side resolver returns
# internal addresses, but it also drops dnsmasq's DNS-rebinding defence for all
# LAN clients; prefer re-enabling it and whitelisting specific names with
# 'list rebind_domain' if nothing actually needs private answers.
        option rebind_protection '0'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
# dnsmasq moved off 53 so AdGuard Home can bind port 53 (see the thread above).
        option port '54'
# Upstreams, tried in the listed order because of strictorder. 10.64.0.1 is the
# tunnel resolver. 192.168.1.1 carries no '#port' suffix, so it means port 53
# on this router -- whatever listens there (AdGuard Home, per the thread). If
# that service forwards back to dnsmasq on 54, the two form a loop; confirm
# AdGuard Home's upstream setting.
        list server '10.64.0.1'
        list server '192.168.1.1'
        option strictorder '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
# IPv6 clients are told to resolve via the router's ULA address. That is port 53
# on the router (AdGuard Home, per the thread), not the tunnel resolver pushed by
# 'tag1' below, so a tagged host that prefers its IPv6 resolver still resolves
# outside the tunnel -- the leak this thread is about. Either do not advertise
# an IPv6 resolver to that host or keep IPv6 off for it.
        list dns 'fd57:ea44:8dd8::1'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# This is where the tag is defined. DHCP option 6 (DNS server) pushes the
# tunnel resolver directly to tagged hosts, so their queries bypass dnsmasq
# and AdGuard Home entirely (no filtering). The host only reaches 10.64.0.1
# while pbr routes it through WGINTERFACE, which is why it has no DNS at all
# when used without the VPN (see the closing note).
config tag 'tag1'
        option dhcp_option '6,10.64.0.1'

# Then you need to set your device static, and add the tag option to it, you can do it on luci then add 
# the tag through the cli
# (MAC redacted by the poster; 192.168.1.118 is the same address named in the
# pbr policy and the disabled Hijack-DNS redirect.)
config host
        option name 'Notebook'
        option mac 'xx:xx:xx:xx:xx:xx'
        option ip '192.168.1.118'
        option tag 'tag1'
cat /etc/config/pbr

config pbr 'config'
        option enabled '1'
        option verbosity '2'
# Strict enforcement: per the pbr documentation, traffic matched by a policy is
# blocked rather than falling back to the default route while the policy's
# interface is down -- the "killswitch" referred to earlier in the thread.
        option strict_enforcement '1'
        option resolver_set 'none'
# IPv4 only: pbr installs no IPv6 steering rules. Because lan has ip6assign
# and an RA/DHCPv6 server (/etc/config/network, /etc/config/dhcp), the tagged
# host still gets global IPv6 and can send IPv6 traffic (including DNS) around
# the tunnel. Either enable IPv6 handling here or withhold IPv6 from that host.
        option ipv6_enabled '0'
# Neither 'vpnserver' nor 'wgserver' appears in the /etc/config/network dump
# above; these may be stale entries or interfaces the poster did not include.
        list ignored_interface 'vpnserver'
        list ignored_interface 'wgserver'
        option boot_timeout '30'
        option rule_create_option 'add'
        option procd_reload_delay '1'
        option webui_show_ignore_target '1'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'

...

# Source-based policy: only the listed LAN addresses go through the tunnel;
# every other client keeps the normal wan default route. The 'x' entries are
# redacted; 192.168.1.118 is the static lease of 'Notebook' in /etc/config/dhcp.
config policy
        option name 'Route to WG'
        option interface 'WGINTERFACE'
        option src_addr '192.168.1.x 192.168.1.x 192.168.1.x 192.168.1.118'
...
 cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

... # Default rules, I'll not show them because I did not mess with them at all

# Tunnel zone: LAN sources are NATed to the tunnel address (masq); nothing is
# accepted inbound from the tunnel (input/forward REJECT).
config zone
        option name 'WGZONE'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'WGINTERFACE'

config forwarding
        option src 'lan'
        option dest 'wan'

# Loads pbr's own firewall rules into fw4.
config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

...
# This was the problem after setting the tag on my device, if you have this and you are not sure on 
# what's it's doing just disable it to see if it solves
# While enabled, this DNAT redirected every port-53 query from 192.168.1.118
# (no proto given, so tcp and udp by fw4's default -- confirm) to the router
# itself (no dest_ip), overriding the option-6 resolver from DHCP and sending the
# host's DNS to port 53 on the router instead of 10.64.0.1. It is now disabled
# (enabled '0'). Note that with it off nothing forces that host's DNS into the
# tunnel: only the pbr route plus the host honouring the pushed resolver do.
config redirect
        option target 'DNAT'
        option name 'Hijack-DNS'
        option src 'lan'
        option src_dport '53'
        option src_ip '192.168.1.118'
        option enabled '0'

# Allows LAN clients to be forwarded into the tunnel zone; pbr decides which
# ones actually take that path.
config forwarding
        option src 'lan'
        option dest 'WGZONE'

And I think that's all. Just keep in mind that when using this type of configuration you'll need to manually change the tags every time you are going to use the device without a VPN; otherwise it'll not connect to anything without the VPN connection.
And I'm not sure if this is a correct configuration, but it works for me.
Thanks, @xize (and @trendy since his answer on this post).

