OPNsense Forum

English Forums => General Discussion => Topic started by: rsbonini on October 28, 2022, 07:08:33 am

Title: Wireguard Tunnel Connects but No Internet/DNS Resolution
Post by: rsbonini on October 28, 2022, 07:08:33 am
I have a Wireguard server up and running and multiple clients are able to connect to it and the rest of the LAN reliably. The clients are not able to reach the internet when connected to the tunnel. I think it's a failure to get DNS resolutions.

I would like connected clients to be forced to use the Unbound DNS service running on OPNsense. I've gone through the OPNsense Wireguard documentation and double checked interface names, NAT rules, IP address formatting, DNS Access Control Lists, etc., and I'm just not seeing where I've gone wrong.

Anyone mind taking a look and letting me know if they have some suggestions?

Here's the Wireguard config as a starting point:

    <wireguard>
      <general version="0.0.1">
        <enabled>1</enabled>
      </general>
      <server version="0.0.2">
        <servers>
          <server uuid="######">
            <enabled>1</enabled>
            <name>WGVPN</name>
            <instance>0</instance>
            <pubkey>######=</pubkey>
            <privkey>######=</privkey>
            <port>######</port>
            <mtu/>
            <dns/>
            <tunneladdress>10.10.2.1/24</tunneladdress>
            <disableroutes>0</disableroutes>
            <gateway/>
            <peers>######</peers>
          </server>
        </servers>
      </server>
      <client version="0.0.6">
        <clients>
          <client uuid="######">
            <enabled>1</enabled>
            <name>C1</name>
            <pubkey>######=</pubkey>
            <psk/>
            <tunneladdress>10.10.2.104/32</tunneladdress>
            <serveraddress/>
            <serverport>######</serverport>
            <keepalive/>
          </client>
          <client uuid="######">
            <enabled>1</enabled>
            <name>C2</name>
            <pubkey>######=</pubkey>
            <psk/>
            <tunneladdress>######</tunneladdress>
            <serveraddress/>
            <serverport>######</serverport>
            <keepalive/>
          </client>
          <client uuid="######">
            <enabled>1</enabled>
            <name>C3</name>
            <pubkey>######=</pubkey>
            <psk/>
            <tunneladdress>10.10.2.105</tunneladdress>
            <serveraddress/>
            <serverport>######</serverport>
            <keepalive/>
          </client>
          <client uuid="######">
            <enabled>1</enabled>
            <name>C4</name>
            <pubkey>######=</pubkey>
            <psk/>
            <tunneladdress>10.10.2.107/32</tunneladdress>
            <serveraddress/>
            <serverport>######</serverport>
            <keepalive/>
          </client>
          <client uuid="######">
            <enabled>1</enabled>
            <name>C5</name>
            <pubkey>######=</pubkey>
            <psk/>
            <tunneladdress>10.10.2.110</tunneladdress>
            <serveraddress/>
            <serverport>######</serverport>
            <keepalive/>
          </client>
        </clients>
      </client>
    </wireguard>
Title: Re: Wireguard Tunnel Connects but No Internet/DNS Resolution
Post by: RamSense on October 28, 2022, 07:32:51 am
Hi rsbonini,

I think you have added wireguard with wg interface added.
In the client wg config have you added dns: ip of wireguard interface? 10.10.2.1?

I used this guide when I set wg up on my opnsense:

https://homenetworkguy.com/how-to/configure-wireguard-opnsense/
Title: Re: Wireguard Tunnel Connects but No Internet/DNS Resolution
Post by: tiermutter on October 28, 2022, 09:18:22 am
Looks like there is nothing configured for DNS...
Title: Re: Wireguard Tunnel Connects but No Internet/DNS Resolution
Post by: rsbonini on October 29, 2022, 02:57:38 am
So I did go through that guide for Wireguard setup, and couldn't find anything missing, everything seems to match.

Looks like there is nothing configured for DNS...

What in the configuration needs to be set for DNS? As far as I can tell I only need to set the DNS address (the server's tunnel address) on the client side. I've got Unbound applied to the Wireguard interface and I have the server's tunnel address on the Unbound Access list. Is there something in the Wireguard config I am missing?

Also, this should clearly be in the VPN sub-forum; if a mod wants to move it over there it'd be greatly appreciated.
Title: Re: Wireguard Tunnel Connects but No Internet/DNS Resolution
Post by: tiermutter on October 29, 2022, 07:32:39 pm
I am not using unbound, so can't say anything about how to configure for this situation.
You told that you're not sure if it is a DNS problem...
Is there a query log in unbound to check whether the requests are reaching unbound or not?
There is an interface assigned to WG and a FW rule allowing WG to any/WAN?
Can you provide screenshots of WG config, FW rules, ...?
Title: Re: Wireguard Tunnel Connects but No Internet/DNS Resolution
Post by: Taunt9930 on October 29, 2022, 09:57:18 pm
@rsbonini - In Services > Unbound > General, Network Interfaces has your wireguard interface been selected, or 'All'? Either needs to be the case.
Title: Re: Wireguard Tunnel Connects but No Internet/DNS Resolution
Post by: tiermutter on October 29, 2022, 10:04:17 pm
As said: I do not use unbound and never used it before...
You should check if it is really a DNS problem or if there is generally no WAN connection for your WG.
Can you ping e.g. 8.8.8.8 from WG?
Title: Re: Wireguard Tunnel Connects but No Internet/DNS Resolution
Post by: rsbonini on October 31, 2022, 01:59:27 am
There is an interface assigned to WG and a FW rule allowing WG to any/WAN?

I think so:
(https://i.ibb.co/TbgnVVz/fw-rules.png)


Can you ping e.g. 8.8.8.8 from WG?

Yes, I can ping 8.8.8.8 as well as other IPs I know on the internet from my machine while connected remotely to the WG server.  This would seem to confirm that it's a DNS issue.

In Services > Unbound > General, Network Interfaces has your wireguard interface been selected, or 'All'? Either needs to be the case.

Yep:
(https://i.ibb.co/tMmjNtL/image.png)
Title: Re: Wireguard Tunnel Connects but No Internet/DNS Resolution
Post by: Greelan on October 31, 2022, 09:38:58 pm
Have you restarted unbound after adding the WG interface?
Title: Re: Wireguard Tunnel Connects but No Internet/DNS Resolution
Post by: rsbonini on November 01, 2022, 12:45:27 am
Have you restarted unbound after adding the WG interface?

Yes, both manually and via multiple reboots of the OPNSense box.
Title: Re: Wireguard Tunnel Connects but No Internet/DNS Resolution
Post by: x2416 on November 10, 2022, 10:56:15 pm
Did you add DNS: <ip address> to the [Interface] of your client tunnels?
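The advice in the replies above comes down to two things: set `DNS = <server tunnel address>` in the client's `[Interface]` section (there is no "push" in WireGuard, so the OPNsense server config cannot hand a resolver to the peer), and make sure each peer's tunnel address is a proper host route. As an added example that is not part of this thread or of OPNsense's own code, the Python below parses an XML snippet shaped like the config rsbonini posted, flags peers whose `<tunneladdress>` has no prefix length or lies outside the server's tunnel network (in the posted config, C3 and C5 are bare addresses without `/32`), and renders the wg-quick style client config with the `DNS` line filled in from the server's tunnel address. The sample XML is constructed from the thread with placeholder keys, port and UUIDs; the endpoint hostname and the client private key are assumed placeholders, and the element paths follow the posted config. The lint goes slightly beyond the thread by also checking that peer addresses fall inside the server's `/24`.

```python
# Added example: lint an OPNsense WireGuard server config and derive the
# client-side [Interface]/[Peer] block with DNS pointed at the tunnel address.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample modelled on the config posted in the thread.
# Keys, port and UUIDs are placeholders, not values from the page.
SAMPLE_XML = """<wireguard>
  <server version="0.0.2"><servers>
    <server uuid="srv-placeholder">
      <enabled>1</enabled><name>WGVPN</name><instance>0</instance>
      <pubkey>SERVER_PUBKEY_PLACEHOLDER=</pubkey>
      <port>51820</port><dns/>
      <tunneladdress>10.10.2.1/24</tunneladdress>
    </server>
  </servers></server>
  <client version="0.0.6"><clients>
    <client uuid="c1"><enabled>1</enabled><name>C1</name>
      <pubkey>C1_PUBKEY_PLACEHOLDER=</pubkey>
      <tunneladdress>10.10.2.104/32</tunneladdress></client>
    <client uuid="c3"><enabled>1</enabled><name>C3</name>
      <pubkey>C3_PUBKEY_PLACEHOLDER=</pubkey>
      <tunneladdress>10.10.2.105</tunneladdress></client>
  </clients></client>
</wireguard>"""


def lint_tunnel_addresses(xml_text):
    """Return (peer name, problem) pairs for peers whose tunnel address has
    no prefix length or does not belong to the server's tunnel network."""
    root = ET.fromstring(xml_text)
    server = root.find("./server/servers/server")
    # 10.10.2.1/24 -> the network 10.10.2.0/24 the peers must live in
    net = ipaddress.ip_network(server.findtext("tunneladdress"), strict=False)
    findings = []
    for peer in root.findall("./client/clients/client"):
        name = peer.findtext("name")
        addr = (peer.findtext("tunneladdress") or "").strip()
        if "/" not in addr:
            findings.append((name, f"tunnel address {addr!r} has no prefix length (expected /32)"))
            continue
        iface = ipaddress.ip_interface(addr)
        if iface.ip not in net:
            findings.append((name, f"{addr} is outside server network {net}"))
    return findings


def client_interface_block(xml_text, peer_name,
                           client_privkey="CLIENT_PRIVKEY_PLACEHOLDER=",
                           endpoint_host="vpn.example.invalid"):
    """Render the wg-quick client config for one peer. DNS is set to the
    server's tunnel address so queries reach Unbound over the tunnel."""
    root = ET.fromstring(xml_text)
    server = root.find("./server/servers/server")
    server_ip = ipaddress.ip_interface(server.findtext("tunneladdress")).ip
    peer = next(p for p in root.findall("./client/clients/client")
                if p.findtext("name") == peer_name)
    addr = peer.findtext("tunneladdress").strip()
    if "/" not in addr:
        addr += "/32"  # normalise a bare address to a single-host route
    lines = [
        "[Interface]",
        f"PrivateKey = {client_privkey}",
        f"Address = {addr}",
        f"DNS = {server_ip}",  # the line the replies ask for
        "",
        "[Peer]",
        f"PublicKey = {server.findtext('pubkey')}",
        f"Endpoint = {endpoint_host}:{server.findtext('port')}",
        "AllowedIPs = 0.0.0.0/0",  # full tunnel: internet traffic goes via the VPN
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for name, problem in lint_tunnel_addresses(SAMPLE_XML):
        print(f"{name}: {problem}")
    print(client_interface_block(SAMPLE_XML, "C3"))
```

Run the lint against the real `config.xml` export to catch bare addresses before touching Unbound; if the rendered client config with `DNS = 10.10.2.1` still resolves nothing while `ping 8.8.8.8` works, the remaining suspects are the Unbound interface binding and access list rather than the WireGuard side.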