Wireguard DNS issues.

Started by swingline, June 08, 2020, 02:57:28 PM

I have WireGuard set up as a client connecting to a remote server. It's working like 95%; I seem to be having an issue with DNS, and I'm not sure if this is an Unbound issue or a WireGuard routing issue. I have tried two different configs.

Config 1:
1. WireGuard connected to VPS
2. Create an interface for WireGuard called "WG"
3. Create outbound NAT rule
          Interface: "WG"
          Source address: 10.0.0.0/24
4. 1.1.1.1 and 1.0.0.1 set as DNS in the General settings.
5. Unbound set to forwarding mode.
6. Create LAN rules to route a few things around the VPN out to WAN.

This config works, but there are a few URLs that don't resolve correctly. I have tested on the server side and everything resolves correctly.

Config 2:
1. Disable Routes under the local config of WireGuard
2. Set Gateway to 10.30.0.1
3. Create an interface for WireGuard called "WG"
4. Create new Gateway
          Name: "VPN"
          Interface: "WG"
          IP: "10.30.0.1"
          Check "Far Gateway"
5. Create LAN rule for just a small test alias called "Desktop"
          Source: "Desktop"
          Gateway: "VPN"
6. 1.1.1.1 and 1.0.0.1 set as DNS in the General settings.
7. Unbound set to forwarding mode.

This results in routing "Desktop" traffic via the "VPN" gateway, all of it except, it seems, DNS, so nothing resolves. I have played with a few variations of each, with either little or no difference.

I have been tearing my hair out over this one for a few months, I have just been living with the 95% solution but I would like to figure out what I have configured incorrectly.

I've found WG to be a (mostly) disagreeable experience but I'm holding out hope so I visit for a keyword search for "wireguard" periodically. However--credit where credit is due--this doesn't read like an issue specific to WG.

You didn't specify what you're actually trying to route; all traffic vs. DNS-only. I assume the former, with the exception of what few hosts you excluded in your LAN rules.

A few things to consider:
What is your "Desktop" client's DNS configuration? Is it specified explicitly or does it adopt DNS delivered via DHCP? If DHCP, do your DHCP settings state the DNS server as being the OPNsense address? What happens when you force 1.1.1.1 on the client side; is this traffic sent over WG? If you specify the WG gateway for the DNS servers under general settings, does the behavior change at all?

I've found that things get a bit counter-intuitive when it comes to traffic egress from services on the OPN machine itself. Try this if you haven't already: set your DNS server under general settings to 127.0.0.1. In Unbound settings, listen port 53, network interfaces = all internal, remove the "forwarding mode" check box in Unbound settings, set outgoing network interfaces to WG (or, WAN + WG if that's appropriate for your use case), and specify the following in "custom options":
tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-ssl-upstream: yes
If you use DHCP, change DNS address to that belonging to OPN.

Edit: I believe you have my stapler.