AX1800 Flint F/W 4.1 stable - Wireguard client DNS option

jdub · 2022-12-05T18:37:42.265Z

Insert a DNS option into your client config:

[Interface]
# client001 #
PrivateKey = <private key of client>
Address = 10.55.0.100/32
DNS = 10.55.0.1

Tr0s · 2022-12-05T18:44:40.096Z

I tried that and also 192.168.8.1. It does not work - the client connects and the connection stays alive (i.e. handshakes take place) but no Internet name resolution.

jdub · 2022-12-05T18:45:57.471Z

Does the DNS setting actually get pushed (irrespective of whether it works)?

Tr0s · 2022-12-05T18:58:38.749Z

Yes, it does - using 192.168.8.1 as DNS I have access to the internal network (open the router interface in a browser works.) But as I said, no name resolution for the Internet.

jdub · 2022-12-05T19:02:36.890Z

Assuming you have some sort of *nix box to test on, what do you get when you run

dig @192.186.8.1 example.com

on a client?

If the DNS setting is getting pushed properly and you’re able to query the lan then it sounds like some sort of dnsmasq problem.

Tr0s · 2022-12-05T19:35:50.732Z

I have an Ubuntu box on the network. The dig command works as expected on Ubuntu on the local network. It also works on a Wireguard smartphone client connected over SSH to the internal Ubuntu box.

Tr0s · 2022-12-05T19:37:42.884Z

Just for clarity - 192.168.8.1 works as DNS on the internal network. It does not work though as DNS for a Wireguard client connected to the server running on Flint.

jdub · 2022-12-05T19:47:08.779Z

Ok, so for clarity:

WG clients get the 192.168.8.1 setting pushed.
WG clients can execute LAN DNS queries but cannot execute other DNS queries OR
WG clients can’t execute any DNS queries, including LAN queries?

If 2), it seems like some sort of dnsmasq problem. If 3, it might be some sort of firewall/interface issue.

Are you able to use dig on a WG client for output?

Tr0s · 2022-12-05T20:09:45.180Z

1 & 2 are correct. I’ll use dig on a WG client and post the result soon.

Tr0s · 2022-12-05T20:28:21.144Z

Here is the output:

g****@L*****:~$ dig @192.186.8.1 example.com
;; communications error to 192.186.8.1#53: connection refused

jdub · 2022-12-05T20:36:19.566Z

Wulp, that’ll do it.

Jump over into Luci, go to Network->DHCP and DNS, find this setting and uncheck it (then hit save and apply):

image1250×150 7.37 KB

Then try again.

Tr0s · 2022-12-05T20:47:56.565Z

I tried that while troubleshooting - it looks like this on my version

image1031×85 3.56 KB

… ?

Tr0s · 2022-12-05T21:10:25.325Z

Actually the the setting you mentioned is available and unchecked…

jdub · 2022-12-05T21:15:14.648Z

Hmm. It’s not actually clear that the dnsmasq.conf file does anything either. Someone from GL.iNet may have to comment… they may be doing something weird with the config/service in a non-standard way.

alzhao · 2022-12-06T10:18:40.765Z

So you use AX1800 as Wireguard server and use another GL router as Wireguard client?

Sergio · 2022-12-06T12:22:49.900Z

Hello good afternoon
For information, I am running a wireguard server on a Flint router with firmware 3.214.
My wireguard clients (Laptop, android smartphone) have a DNS 192.168.8.1 and resolve correctly.

Tr0s · 2022-12-06T16:12:37.635Z

I’m using Flint as the WG server and a laptop and smartphones are the WG clients.

NOTE 1: AdGuard Home is enabled and everything works well on the local network.
The WG clients can use external DNS (i.e. 64.6.64.6, 1.1.1.1 etc) and work well. However, the VPN server IP - 10.55.0.1 or the router 192.168.8.1 do not work as WG DNS on the client side.

Tr0s · 2022-12-06T16:17:29.613Z

Well, the F/W versions are quite different and I’m using AdGuard Home as mentioned in my first post in the thread.
…so there’s not much to compare. However, I’m glad you have it working :).

rhester72 · 2023-04-01T21:08:14.733Z

Having the same issue, unchecking “Local Service Only” and saving and applying has no effect.

Interestingly, the router itself cannot resolve LAN entries behind the tunnel either.

pnguyentoan · 2023-05-02T13:22:19.204Z

jdub:

q pro

How you have fixed this problem? I have this same bug - wireguard client can not have adguard home applied.