Connecting to home Wireguard server resolves LAN DNS requests but not internet DNS requests

At home, I have a Wireguard server and a Pi-hole server (acting as a DNS) running in docker containers on the same machine. All of my Wireguard clients work just fine except for my router, which is a Flint/AX-1800. When the router is connected to my Wireguard server as a client, pinging local domain names works fine, but pinging internet domain names (like google.com) fails. Pinging internet IPs like 8.8.8.8 works.

Can someone please advise on what I should do?

Does your wireguard config provide a DNS settings inside?

Maybe you can set this DNS server directly in AX1800’s custom dns settings.

My Wireguard config sets the DNS to be the DNS of the Wireguard host device. I tried setting the DNS manually in the AX1800, but that did not work.

Are the Wireguard server and Pi-hole server in docker both configured to use the same IP address of the host machine?

If you run command “nslookup google.com” in SSH on the router connected as Wireguard client, what is displayed as “Server” and “Address” in the output?

I do not work for and I am not directly associated with GL.iNet

Are the Wireguard server and Pi-hole server in docker both configured to use the same IP address of the host machine?

Yes. I have port forwarding set up in docker so that the Pi-hole container forwards to port 53 on my host machine and the Wireguard container forwards to port 51820. The result of nslookup google.com is:

;; connection timed out; no servers could be reached

In fact, when I run nslookup on a local domain, I get the same result. Somewhere in my tinkering, I have also caused DNS resolution for local domains to stop working. I emphasize again that my peer configs work fine on other devices.

As a test, can you set the DNS server to 8.8.8.8 in the Wireguard client config file and try “ping google.com” to see if domain name gets resolved?

If I understand your setup correctly, the Docker containers for Wireguard and Pi-hole have networking configured in bridge mode, because host mode should not require port forwarding. Can you try changing the docker to host mode, so their IP addresses are the same as the host machine's IP address without requiring port forwarding?

I do not work for and I am not directly associated with GL.iNet

Thanks for the help, kind internet stranger. Alrighty, I tried switching the DNS to 8.8.8.8 in the Wireguard config, and doing so does make google.com resolve.

I suspect port forwarding does not work for DNS request packets from Wireguard to reach Pi-hole, which is why I suggested changing the docker network to host mode. I run AdGuardHome in docker in host mode, so the server listens on port 53 on the same IP address as the host machine on subnet 192.168.8.0/24, instead of docker in bridge mode on subnet 172.17.0.0/16 by default.

It may be possible to set the DNS server in the Wireguard client config file to a static 172.17.0.x IP assigned to the Pi-hole container. However, I have not personally tested this configuration.

I do not work for and I am not directly associated with GL.iNet

Ah, I see. I missed the part in your message about trying out host mode. That seems like a good idea, but I am not sure how I would accomplish that with my current setup. If you use docker-compose, would you mind sharing bits of your config so I can see how you set it up? I had to do a lot of wrangling in my config to get split tunneling and DNS to work properly.
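The following docker-compose file is an added example of the host-mode layout suggested in the thread; it is not a reply from either participant and not the original poster's configuration. It assumes the linuxserver/wireguard image (whose PEERDNS, PEERS, INTERNAL_SUBNET and ALLOWEDIPS variables generate the peer configs), the official pihole/pihole image, a host LAN address of 192.168.8.10, a public hostname vpn.example.com, and a tunnel subnet of 10.13.13.0/24; all of those values are assumptions to be replaced with your own.

```yaml
# Added example, not from the thread: both containers on the host network,
# so Pi-hole answers on port 53 of the host's own LAN address
# (192.168.8.10 is an assumed address) rather than a 172.17.0.x bridge
# address that tunnel clients may not be able to reach.
services:
  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    network_mode: host          # no "ports:" section; binds host:53 directly
    cap_add:
      - NET_ADMIN
    environment:
      TZ: "Etc/UTC"
    volumes:
      - ./etc-pihole:/etc/pihole
      - ./etc-dnsmasq.d:/etc/dnsmasq.d
    restart: unless-stopped

  wireguard:
    image: lscr.io/linuxserver/wireguard:latest   # assumed image
    container_name: wireguard
    network_mode: host          # listens on host:51820/udp without a port mapping
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1   # needed so the host routes tunnel traffic
    environment:
      PUID: "1000"
      PGID: "1000"
      TZ: "Etc/UTC"
      SERVERURL: "vpn.example.com"        # assumed public hostname of the home WAN
      SERVERPORT: "51820"
      PEERS: "router,laptop"              # one generated client config per name
      INTERNAL_SUBNET: "10.13.13.0"       # tunnel addresses handed to peers
      PEERDNS: "192.168.8.10"             # Pi-hole on the host LAN IP, not 172.17.0.x
      # Split tunnel: only the LAN and the tunnel subnet go through the VPN.
      # The DNS address above must fall inside this list, or a split-tunnel
      # client sends its queries out of its own WAN instead of the tunnel.
      ALLOWEDIPS: "192.168.8.0/24,10.13.13.0/24"
    volumes:
      - ./wg-config:/config
      - /lib/modules:/lib/modules:ro
    restart: unless-stopped
```

Before bringing this up, confirm nothing on the host already owns port 53 (for example the systemd-resolved stub listener on 127.0.0.53) with `ss -lunp | grep ':53'`; in host mode Pi-hole cannot start if the port is taken, and the same applies to its web UI on port 80. After a peer connects, `nslookup google.com 192.168.8.10` from the client should return an answer from that address, which is the "Server" line the thread was asking about.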