[Solved] Anyone use Wireguard + NextDNS CLI and have DNS working?

Started by Giant850, April 16, 2021, 05:42:36 AM

I'm in a bit of a pickle, trying to get WireGuard (kernel module) on OPNSense working + NextDNS CLI playing well together. As far as I can tell, WireGuard itself is working perfectly as I can ping LAN/WAN/Internet addresses all day long without issue.

Problem: If I point my wireguard clients to the OPNSense LAN IP (10.13.2.1) for DNS (in the WireGuard client), they are unable to resolve DNS queries. I have NextDNS CLI running on OPNSense, and my DHCP clients use 10.13.2.1 as the DNS resolver without issue.

I have a legacy Raspberry Pi running Pi-hole, and if I point the WireGuard client to that IP (10.13.2.200), then DNS resolution works just fine.

From the WG client I can ping 10.13.2.1, no problem. I also ran a portscan from my WG client (iphone) and the port scan shows port 53 listening on 10.13.2.1. But DNS resolution from the WG network when pointed to the OPNSense LAN IP just won't work and I can't figure out why.

Any ideas?

I'm not really familiar with NextDNS CLI, but if the WireGuard clients can reach your Pi-hole, the firewall rules relevant for DNS are probably OK and not the problem. I would assume, somehow NextDNS CLI maintains an internal access list for allowed clients (as other DNS resolvers, namely Unbound, do) and your WireGuard clients are not part of this list.

If this is so, there would be two options:

- find that list and edit it in NextDNS CLI configuration
  might have something to do with https://github.com/nextdns/nextdns/wiki/Conditional-Configuration

- use Unbound to forward to NextDNS CLI on the OPNsense and edit the access lists under "Services -> Unbound -> Access List" to include the WireGuard Clients

Thanks for the reply, much appreciated! So I found a solution to my problem. I had to disable route mode on the NextDNS client:

setup-router false

Then I configured NextDNS to listen on my LAN IP and loopback:

listen 10.13.2.1:53
listen localhost:53

Restarted the NextDNS service, and now WireGuard clients can resolve via NextDNS.
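As an added example (not from this thread and not part of NextDNS itself), a small POSIX shell check that reads a nextdns.conf and reports whether it matches the working state described above: setup-router disabled and a listen line on the LAN address that the WireGuard clients are pointed at. It assumes the "key value" line format of nextdns.conf; the two sample configs it writes are constructed for the demonstration, and 10.13.2.1 is the LAN IP from the thread.

```shell
#!/bin/sh
# check_nextdns_conf CONF LAN_IP
# Returns 0 when CONF has setup-router disabled (or unset) and a listen line
# covering LAN_IP:53 (or a wildcard :53 / 0.0.0.0:53 / [::]:53 listener).
check_nextdns_conf() {
  conf="$1"
  lan_ip="$2"
  ok=0
  # Escape the dots so the IP is matched literally inside the regex.
  lan_re=$(printf '%s' "$lan_ip" | sed 's/\./\\./g')

  # "setup-router true" is the router-mode setup the thread disabled; with it on,
  # NextDNS does not simply answer on the LAN address the VPN clients use.
  if grep -Eq '^[[:space:]]*setup-router[[:space:]]+true[[:space:]]*$' "$conf"; then
    echo "FAIL: $conf has setup-router true; set 'setup-router false'"
    ok=1
  fi

  # Without a listener on the LAN IP (or a wildcard), WireGuard clients pointed
  # at LAN_IP get no answers even though port 53 shows as open for other hosts.
  if ! grep -Eq "^[[:space:]]*listen[[:space:]]+(${lan_re}|0\.0\.0\.0|\[::\])?:53[[:space:]]*\$" "$conf"; then
    echo "FAIL: $conf has no listen line for ${lan_ip}:53"
    ok=1
  fi

  [ "$ok" -eq 0 ] && echo "OK: $conf listens on ${lan_ip}:53 with setup-router disabled"
  return "$ok"
}

# Constructed sample configs (not the poster's files): the failing state and the fix.
tmpdir=$(mktemp -d)
printf 'setup-router true\nlisten localhost:53\n' > "$tmpdir/before.conf"
printf 'setup-router false\nlisten 10.13.2.1:53\nlisten localhost:53\n' > "$tmpdir/after.conf"

check_nextdns_conf "$tmpdir/before.conf" 10.13.2.1   # reports two FAIL lines, returns 1
check_nextdns_conf "$tmpdir/after.conf"  10.13.2.1   # reports OK, returns 0
```

Run it against the real file (on OPNsense typically /usr/local/etc/nextdns.conf, an assumption) with the LAN IP your WireGuard peers use as their DNS server.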