Wireguard and local DNS lookup

Started by plattfot, May 19, 2020, 12:21:40 AM

Hi,

I'm trying to set up a Wireguard VPN on my opnsense box. I followed this guide: https://wiki.opnsense.org/manual/how-tos/wireguard-client.html. And it seems to work, I can connect to it with my phone when it's on 4G. Internet works and I can ping any of my local machines using their IP address. The only issue I have is that, when I have the Wireguard VPN active on my phone, I cannot use the hostnames registered in Unbound DNS by the DHCP service. It works fine when I have my phone connected to my local network.

I tried adding 192.168.1.1 (IP of my opnsense box) to the DNS field in the local wireguard configuration as well as the wireguard config on my phone. But then DNS stopped working altogether. It works, except no lookup for local hostnames, when I leave it blank or if it's set to 192.168.1.1, 1.1.1.1, 1.0.0.1.

I'm a bit lost in how to debug this. Does anyone know what I might have missed?

I have attached the wireguard settings (with the private and public key redacted).

Thanks


If you set DNS in WireGuard, the wireguard-tools will touch / rewrite /etc/resolv.conf, which is out of scope for OPNsense. I only added this feature for advanced users. Better to not touch this value and only set it on clients.

Ah, ok.

So it should have worked if I just had left the DNS entry alone? I tried just now, to remove it in opnsense and keep it on the client side. Still same issue. But I assume I need to do a reboot to restore the /etc/resolv.conf. Is that correct?

And you need Unbound to listen on the address and a proper ACL so the client can use it.

Hi,

sorry for the radio silence. Did not have time to test it out as my opnsense install started to behave funny one morning. It was working fine up until that and I hadn't changed anything, so not sure what happened. But some webpages did not resolve correctly whereas others did. So I needed to jump back to my pfsense install to get internet working. Will see when I have time again to try out opnsense. Really liking the interface over pfsense and of course easy wireguard support.

Anyway thanks for all the help!

I'm actually running into the same issue.  I installed Wireguard tonight and got it up and working.  The only way I can get Internet access on the clients is if I specify a DNS value of an external DNS server in the client settings.  That works, but then I don't have local DNS resolution like I have with OpenVPN.  I have Unbound DNS running on OPNsense.  Is there a way to tell the client to use OPNsense as the DNS server?  I've tried the main LAN IP address in the DNS = section, but that didn't work.  Is there something else I can do?

September 02, 2021, 05:28:17 AM #6 Last Edit: September 02, 2021, 05:42:07 AM by axel2078
Update: I found the fix. I had to go in my Unbound DNS settings and add an ACL to allow the Wireguard network to access DNS.  Now, I can point the client to my OPNsense system for DNS and it works.  The one minor drawback is that for querying internal hosts, I have to use the FQDN.  I haven't yet found a client option that would allow me to input something like a SEARCH= parameter like you'd find in resolv.conf.  I can deal with it though.

Update#2: After doing some more googling, I found the answer I was looking for.  To add in the search suffix of your internal DNS domain, just add the domain name after the DNS IP in the client config under [Interface].  See below:

DNS = 192.168.x.x, my.internal.domain

Now, I can do lookups on internal hosts, ping them, and connect to them with just the hostname.
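Added example, not from the thread: a small POSIX shell helper I would use from a WireGuard client to tell the three symptoms discussed in this post apart, by classifying the reply from dig(1) against the OPNsense box. A timeout points at Unbound not listening on (or the firewall not allowing) the tunnel interface, REFUSED is what Unbound returns for a source outside its Access Lists, and NXDOMAIN on a short name means no search domain was appended. The sample replies, the 10.10.10.0/24 tunnel subnet and the 192.168.1.1 / my.internal.domain values in the hints are constructed or taken from the posts above; dig being installed on the client is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies the output of
#   dig +time=2 +tries=1 @<opnsense-ip> <name>
# run from a WireGuard client and maps it to the fix discussed above.

classify_dns_reply() {
    # $1: captured dig output ("" if dig produced nothing at all)
    case "$1" in
        ""|*"connection timed out"*)
            echo "timeout: Unbound not reachable over the tunnel (check Unbound's listening interfaces and a firewall rule allowing udp/53 from the WireGuard interface)" ;;
        *"status: REFUSED"*)
            echo "refused: tunnel subnet is not in Unbound's Access Lists (add e.g. 10.10.10.0/24 with action Allow; the subnet is an assumption)" ;;
        *"status: NXDOMAIN"*)
            echo "nxdomain: name unknown; for short hostnames add the search domain on the client, e.g. DNS = 192.168.1.1, my.internal.domain" ;;
        *"status: NOERROR"*)
            echo "ok: resolved" ;;
        *)
            echo "unknown: inspect the output manually" ;;
    esac
}

# Live check from a client that has dig installed (assumed): $1 server, $2 name.
check_tunnel_dns() {
    out="$(dig +time=2 +tries=1 @"$1" "$2" 2>&1)"
    classify_dns_reply "$out"
}

# Constructed sample replies, trimmed to the header line dig prints.
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 40001'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'
SAMPLE_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40002'
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40003'
```

Usage: `check_tunnel_dns 192.168.1.1 nas` from a phone or laptop with the tunnel up. Query the short name and the FQDN both; if the FQDN answers NOERROR and the short name NXDOMAIN, only the search suffix is missing.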

This issue plagued me for quite some time.  I had advanced settings set within Wireguard to set the DNS without realizing the impact it had on the OPNsense box's own DNS for updates and troubleshooting via the console.  Once I removed this advanced DNS setting and then set it on the DHCP end, my /etc/resolv.conf was back to normal and fixed my DNS issues.

Quote from: axel2078 on September 02, 2021, 05:28:17 AM
Update: I found the fix. I had to go in my Unbound DNS settings and add an ACL to allow the Wireguard network to access DNS.  Now, I can point the client to my OPNsense system for DNS and it works. 
I have the same issue but I do not use Unbound DNS but instead I employed AdGuard to look up internal hosts by their DNS names. I was unable to find anything like DNS in AdGuard so I am not sure how to let the WireGuard clients access the names. Any clue how to achieve that?

I believe you would have to update your AdGuard Home yaml file itself on the host to mimic the same behavior in it as Unbound.

I have this working.  Unbound runs on port 5353 with Adguard Home running natively on port 53.

The trick is to point your DNS at the wireguard tunnel's gateway... So whatever the IP is on your Wireguard interface, DNS should be listening on there.

Mine forwards to there, then adguard looks at unbound port 5353 for all lookups.. including local DNS entries.

When my Wireguard starts, it can't resolve DNS. So it stays offline, with zero further attempts to connect.

Error   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/usr/bin/wg setconf 'wg1' '/usr/local/etc/wireguard/wg1.conf'' returned exit code '1', the output was 'Name does not resolve: `frikkingdomain.tld:51820' Configuration parsing error'

Spent hours to no avail, tons of combinations of settings. Unbound will not even report those DNS requests in the Reporting table, but will show the resolving failures in log. Several seconds later during the boot, Unbound starts resolving. But Wireguard is dead forever. There's no command in /usr/local/opnsense/scripts/Wireguard/wg-service-control.php to even restart it (truly).

I wish AdGuard was running early during the boot. That would fix everything. Be part of "dns" plugins. Instead CryptDNS starts despite being turned off. I couldn't figure out how to make AdGuard on the same level as Dnsmasq/Unbound.
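Added example, not from the thread or from OPNsense: a POSIX shell sketch of how I would work around the boot-order race described in the post above, by waiting until the peer's Endpoint hostname resolves and then handing `wg setconf` a copy of the config with the literal address filled in, so the "Name does not resolve" parse error cannot happen. The timeouts, the config path and the cron/rc hook in the comment are assumptions; frikkingdomain.tld is the name from the log line above.

```shell
#!/bin/sh
# Added example (not OPNsense code): pre-resolve a WireGuard Endpoint hostname
# at boot so `wg setconf` does not fail with "Name does not resolve".
# Uses getent(1); timeout/interval defaults are assumptions.

# Print the first address for a hostname, or nothing if it does not resolve.
resolve_first() {
    getent hosts "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# Retry resolution every $3 seconds for up to $2 seconds.
# Prints the address and returns 0 when resolved, returns 1 on timeout.
wait_for_resolve() {
    name="$1"; timeout="${2:-60}"; interval="${3:-5}"
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        addr="$(resolve_first "$name")"
        if [ -n "$addr" ]; then
            echo "$addr"
            return 0
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    return 1
}

# Rewrite "Endpoint = host:port" lines in config text, substituting a literal
# address. IPv6 addresses are bracketed as WireGuard requires ([::1]:51820).
# $1: config text, $2: hostname to replace, $3: resolved address
rewrite_endpoint() {
    addr="$3"
    case "$addr" in
        *:*) addr="[$addr]" ;;
    esac
    # escape dots in the hostname so sed matches them literally
    esc="$(printf '%s' "$2" | sed 's/\./\\./g')"
    printf '%s\n' "$1" | sed "s/^\([[:space:]]*Endpoint[[:space:]]*=[[:space:]]*\)$esc:/\1$addr:/"
}

# Usage at boot, e.g. from a cron @reboot entry or an rc.d script (assumed paths):
#   addr=$(wait_for_resolve frikkingdomain.tld 120 5) || exit 1
#   rewrite_endpoint "$(cat /usr/local/etc/wireguard/wg1.conf)" frikkingdomain.tld "$addr" \
#       > /tmp/wg1.resolved.conf && wg setconf wg1 /tmp/wg1.resolved.conf
```

Caveat: wg(8) only resolves the Endpoint when the config is loaded and afterwards learns the peer's address from incoming packets, so a literal address written this way is no worse than what setconf would have produced, but a peer whose dynamic DNS name changes while the tunnel is idle still needs the config reloaded.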

Don't use AGH for local name resolution of the firewall itself. Simple solution. The firewall does not need an ad blocker ...

I do this:

- run BIND on 127.0.0.1:53 - this could be Unbound, but I prefer BIND
- run AGH on 127.0.0.1:53530
- have AGH use BIND as upstream (127.0.0.1)
- have 127.0.0.1 as the system name server in System > Settings > General
- have [X] Do not use the local DNS service as a nameserver for this system - because I do not like "magic" and prefer explicit configuration

On the public server VLAN:

NAT port forward: TCP/UDP, interface address, 53 --> 127.0.0.1:53

On the family and clients VLAN:

NAT port forward: TCP/UDP, interface address, 53 --> 127.0.0.1:53530


Everything starting up and working as it should.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote: - have 127.0.0.1 as the system name server in System > Settings > General

Yup I figured this out too. I couldn't change the boot flow, it's way difficult.
I left AdGuard at :53, and use 127.0.0.1 for system, and 192.168.1.1 for LAN etc.

then I redirect 127.0.0.1 to Unbound:853 with a NAT port forward:
Interface: Loopback | Proto: UDP | Source: This Firewall | Source port: * | Destination: Loopback net | Dest. port: 53 (DNS) | NAT IP: 127.0.0.1 | NAT port: 853 | Description: Redirect firewall DNS requests to Unbound

This allows me to see DNS statistics for the firewall in the Reporting UI + use DOT/DOH to hide requests at least a bit. All else is VPN. Which requires special rules on the AdGuard side to avoid locking out when Wireguard is restarted.

Plus I let AdGuard use Dnsmasq:8953 as only this one can resolve local addresses. Unbound can do DOH/DOT but can't do a task as simple as translating single hostnames.


So 3 resolvers and tricky rules and race condition solving for me.

Still hoping AdGuard will move earlier in boot process to become the main DNS.

Late to the party, but I've been working my way through this issue the last few days.. and finally got it working:
- wireguard connection up, routing only hosts I want across this interface
   - no DNS leaks
- all LAN hosts (wireguard routed, and non-wireguard routed) able to resolve local DNS
- DHCP handing out the router's ip as DNS to all hosts

Had to jump through a few hoops here though.. I can go into detail if anyone's interested, but to get this to work:
- Unbound running on router
- two PiHole instances running as hosts (one for wireguard hosts, one for non-wireguard hosts)
- DNS path for wireguard hosts: HOST -> Router(LAN interface) -> Pihole#1 -> Wireguard Interface
- DNS path for NON-wireguard hosts: HOST -> Router(LAN interface) -> Pihole#2 -> Unbound(Router) -> WAN
- I wrote a shell script that I have running on OPNsense as a cron job every minute, it:
   - creates a list of LAN IPs / hostnames from Unbound's conf file: dhcpleases.conf and host_entries.conf
   - takes that list and formats them into a new file called custom.list - <ip address> <hostname>
   - copies custom.list to Pihole#1 - Pihole scrapes custom.list for local dns entries

The result of all this is that local dns gets resolved by Pihole#1 for wireguard routed hosts
Also a bunch of firewall rules to make it all work.
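Added example, not the poster's script: how I would write the conversion step described in this post, turning Unbound `local-data:` entries into the `<ip> <hostname>` lines that Pi-hole's custom.list expects. The input below is a constructed sample modelled on the record shapes Unbound accepts (`name A ip` and `name IN A ip`); the /var/unbound paths, the Pi-hole host name and the reload command in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not the poster's cron script): convert Unbound local-data
# records into Pi-hole custom.list format ("<ip> <hostname>").

# Reads Unbound config on stdin; prints "ip hostname" lines, de-duplicated.
# Keeps only A records (IPv4), accepts an optional class/TTL between name and
# type, strips a trailing dot from FQDNs, and ignores local-data-ptr lines.
unbound_to_hosts() {
    awk '
        /^[[:space:]]*local-data:/ {
            line = $0
            sub(/^[[:space:]]*local-data:[[:space:]]*"/, "", line)   # drop prefix and opening quote
            sub(/"[[:space:]]*$/, "", line)                           # drop closing quote
            n = split(line, f, /[[:space:]]+/)
            name = f[1]; type = f[n-1]; value = f[n]                   # name [TTL] [IN] TYPE value
            if (type != "A") next
            sub(/\.$/, "", name)
            if (value ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print value " " name
        }
    ' | LC_ALL=C sort -u
}

# Constructed sample in the shape of OPNsense-generated Unbound host entries.
SAMPLE_UNBOUND_CONF='local-data-ptr: "192.168.1.10 nas.home.lan"
local-data: "nas.home.lan A 192.168.1.10"
local-data: "nas A 192.168.1.10"
local-data: "laptop.home.lan. IN A 192.168.1.20"
local-data: "nas.home.lan AAAA fd00::10"'

demo_hosts() {
    printf '%s\n' "$SAMPLE_UNBOUND_CONF" | unbound_to_hosts
}

# Cron usage on OPNsense (assumed paths and Pi-hole host; `pihole restartdns reload-lists`
# is Pi-hole's own command to re-read custom.list without a full restart):
#   cat /var/unbound/host_entries.conf /var/unbound/dhcpleases.conf \
#       | unbound_to_hosts > /tmp/custom.list \
#   && scp /tmp/custom.list pihole1:/etc/pihole/custom.list \
#   && ssh pihole1 pihole restartdns reload-lists
```

The poster's approach pushes a file every minute; the conversion itself is the only part that needs care, because Unbound's reverse (`local-data-ptr`) and AAAA records must not end up in custom.list, where Pi-hole would treat the first field as an address.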