Can't get access to dns behind private wireguard from client net

On an AXT1800 with the latest firmware (4.8.2) I’m trying to get dns lookups forwarded to the private dns servers through the wireguard client connection, but I can’t get it to work.

Setup:

  • wan connection via usb-tethering
  • wireguard client connection is running and setup using policy routing
  • clients can ping/connect to the remote dns server but get “not found” for hosts known to the dns set in the wireguard client config
  • on the router itself (connected via ssh) I can look up an ip with e.g. `nslookup myhost.private.net 10.0.1.2` (given 10.0.1.2 is the dns in the remote network)
  • in an AdGuard config I set 10.0.1.2 as Upstream-DNS-Server and the AdGuard upstream test reports success, but when doing an `nslookup myhost.private.net` I get “DNS request timed out”.
  • in a setup with AdGuard disabled I added a forward `/private.net/10.0.1.2` via LuCI (Advanced Settings), but this does not resolve from the client computer either. Even stranger: on the router I can do `nslookup myhost.private.net 192.168.8.1`, but when I do the same on the client I get timeouts.
  • When restarting the dnsmasq service via ssh I get a `... not found from console.gl-inet.com ...`

So I guess there is something in the default config which prevents seeing dns responses other than from the default upstream?

Could someone give me a hint / some advice please on how to configure dns to resolve private ips queried from a dns behind a wireguard tunnel?

Update: The issue “feels” like it is related to tunnels having a lower mtu than 1450.
I tested a tunnel against a dns running directly on a fritzbox –> mtu: 1450, no issue
I tested another tunnel requiring mtu 1390 –> dns hangs from LAN clients

I figured it out: one of the wireguard configs had a dns ip which was in the allowed ips but not in the same network as the wireguard ip’s network. dnsmasq seems to have a problem with such a config, although network traffic was possible to/from that ip.
I configured a dns-proxy in the same network as the wireguard’s ip and now all works as expected.

Thanks for reading …
@GBMaryland
BTW: I had the same issue as in “GL-MT3000 USB Tethering Drops Constantly”.

Since I can not answer there I leave a note here: The mobile device was drawing too much power, causing the router to become unstable. The solution was to use a more powerful power adapter.

So if you connect the router to any USB power source while on the go, you need to make sure it provides enough power if you want to connect a phone for USB tethering.

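A small checker for the misconfiguration the poster ended up finding: it parses a WireGuard client config and reports, for each `DNS =` entry, whether the server is routed through the tunnel (inside `AllowedIPs`) and whether it lies inside the subnet of the interface `Address`. This is an added example, not code from the original thread or from GL-iNet; the addresses, the endpoint name and both sample configs are constructed.

```python
import ipaddress
import re

# Constructed sample mirroring the poster's broken case: the DNS server is
# reachable through the tunnel (inside AllowedIPs) but lies outside the
# subnet of the WireGuard interface address itself.
BROKEN_CONFIG = """
[Interface]
PrivateKey = <placeholder>
Address = 10.0.9.2/24
DNS = 10.0.1.2

[Peer]
PublicKey = <placeholder>
AllowedIPs = 10.0.0.0/16, 192.168.50.0/24
Endpoint = vpn.example.net:51820
"""

# Constructed sample of the fix: a DNS proxy inside the interface subnet.
FIXED_CONFIG = BROKEN_CONFIG.replace("DNS = 10.0.1.2", "DNS = 10.0.9.1")


def _values(config, key):
    """Collect every value for `key` in the config, splitting comma lists."""
    out = []
    for m in re.finditer(rf"^\s*{key}\s*=\s*(.+?)\s*$", config, re.M | re.I):
        out.extend(v.strip() for v in m.group(1).split(","))
    return out


def check_dns(config):
    """Return {dns_ip: (in_allowed_ips, in_interface_subnet)}."""
    subnets = [ipaddress.ip_interface(a).network for a in _values(config, "Address")]
    allowed = [ipaddress.ip_network(n, strict=False) for n in _values(config, "AllowedIPs")]
    result = {}
    for dns in _values(config, "DNS"):
        ip = ipaddress.ip_address(dns)
        in_allowed = any(ip in n for n in allowed)   # traffic is routed via the tunnel
        in_subnet = any(ip in n for n in subnets)    # same network as the interface address
        result[dns] = (in_allowed, in_subnet)
    return result


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        for dns, (routed, local) in check_dns(cfg).items():
            print(f"{name}: DNS {dns}: in AllowedIPs={routed}, in interface subnet={local}")
```

A DNS entry that reports `in AllowedIPs=True` but `in interface subnet=False` is the pattern the poster describes; moving to a proxy inside the interface subnet makes both checks true.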