Beryl AX not using Wireguard DNS

Hello everyone,

I recently purchased a Beryl AX (MT-3000) and have it connected to ethernet, with a WireGuard client profile to my homelab with DNS settings active. When trying to access my services, it does not work via my domains, only via direct IP.

My setup:
I run two Pi-holes in my homelab handling DNS; they are set in the WireGuard profile, which works on my phone, tablet and laptops. At home I use *.felix.lan domains to access my services.
The Beryl AX is now on beta firmware 4.6.0, and with the active WireGuard client profile traffic gets routed to my home network and I can access IPs in my home network. But DNS is still routed through the ethernet DNS IP I have at the remote location, not through the tunnel to my own DNS.

[Interface]
PrivateKey = xxxxx
Address = 10.8.0.6/24
DNS = 10.23.91.4,10.23.91.5

When I SSH into the router and check the /etc/config/dhcp file, I see that the resolv file of the ethernet interface is selected: option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'.
When setting it to option resolvfile '/tmp/resolv.conf.d/resolv.conf.wg' in the LuCI interface, it still did not work.

Anyone got ideas on how to get this to work? I am confused why my config works everywhere but not in the Beryl AX. I already found a number of posts here and on Reddit with similar problems but no real solution :frowning:

If you read back through here, it seems like a similar issue to the one I had with the Flint 2.

The good thing is that the staff member was able to reproduce it; hopefully there is a fix soon.


New discoveries: the Beryl is indeed (mostly) using my WG DNS, but it's doing so very slowly. Requests take in some parts multiple seconds, and I can see them in the logs of my Pi-hole. It was important to enable Remote Access LAN and IP Masquerading in the VPN client settings.
What is still not working is resolving my local .lan TLD domains. There's something in the LuCI interface about it using lan itself, but I don't fully understand that part yet.

:loudspeaker: GL-INET: it would be awesome to see the time since the last handshake with the WG server in the UI to see if the tunnel is still alive/healthy.
Bonus points for a ping and auto-reconnect with a new resolve of the endpoint URL (when the IP behind the URL changes in a DDNS scenario).

Do you have "DNS Rebinding Attack Protection" disabled?

It should be disabled by default. But your local domain problem should be exactly the problem caused by this option.

Guys told me that the issue you mentioned only exists on op24 firmware, which should not be the case in this thread.

Yes, DNS rebind is turned off.

And I am on regular 6.5.0, not the v24 one.

I can also observe that queries reach my Pi-hole, but not all of them for some reason. When I do a dig on an entry in Pi-hole with a non-lan TLD, it often times out completely or takes around 10 secs.

In the LuCI UI I cleared the search domain and local server entries.

Do you have the custom DNS toggle enabled?

Custom DNS was not enabled, but enabling it did not make a difference. Calling something like http://kirby.felix gets resolved by the Pi-hole. Thus I am sure OpenWrt is somewhere still blocking my *.lan domains.
Why DNS resolution does not work for the entire traffic I do not know :frowning:
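As an added example (not code from the thread, GL.iNet or OpenWrt), here is a small checker for the three dnsmasq settings this thread keeps circling: the resolvfile pointing at the WAN lease file instead of the tunnel's resolv.conf.wg, rebind protection without an exemption for .lan, and the local '/lan/' entry that makes dnsmasq answer *.lan itself rather than forward it to the Pi-holes. The /etc/config/dhcp text is constructed for the demo; the option names are the real OpenWrt dnsmasq ones.

```python
# Added example: parse a UCI-style /etc/config/dhcp and flag the dnsmasq
# settings that keep a WireGuard DNS from being used for *.lan.
# The config below is constructed to mirror the thread's symptoms.
SAMPLE_DHCP = """
config dnsmasq
\toption domainneeded '1'
\toption rebind_protection '1'
\toption local '/lan/'
\toption domain 'lan'
\toption resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
\tlist rebind_domain 'example.org'

config dhcp 'lan'
\toption interface 'lan'
"""

def parse_uci(text):
    """Return [(section_type, {option: [values]})] from UCI config text."""
    sections = []
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if not parts:
            continue
        if parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts[0] in ("option", "list") and sections:
            value = parts[2].strip("'\"") if len(parts) > 2 else ""
            sections[-1][1].setdefault(parts[1], []).append(value)
    return sections

def check_dnsmasq(text, local_tld="lan",
                  tunnel_resolv="/tmp/resolv.conf.d/resolv.conf.wg"):
    """Return human-readable findings for every 'dnsmasq' section."""
    findings = []
    for stype, opts in parse_uci(text):
        if stype != "dnsmasq":
            continue
        resolv = opts.get("resolvfile", [""])[0]
        if resolv and resolv != tunnel_resolv:
            findings.append(f"resolvfile {resolv}: upstream comes from the "
                            "WAN lease, not the tunnel")
        # OpenWrt treats a missing rebind_protection as enabled ('1').
        exempt = {d.strip("/") for d in opts.get("rebind_domain", [])}
        if opts.get("rebind_protection", ["1"])[0] == "1" and local_tld not in exempt:
            findings.append(f"rebind_protection on without .{local_tld} in "
                            "rebind_domain: private-IP answers are dropped")
        # local='/lan/' makes dnsmasq authoritative: *.lan is never forwarded.
        if any(d.strip("/") == local_tld for d in opts.get("local", [])):
            findings.append(f"local /{local_tld}/ set: *.{local_tld} answered "
                            "locally, never sent to the tunnel DNS")
    return findings
```

Running `check_dnsmasq(SAMPLE_DHCP)` returns all three findings for the constructed config; pointing resolvfile at resolv.conf.wg, turning rebind_protection off and removing the lan entry from local makes it return an empty list.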