I am trying to configure a WireGuard VPN Client with AllowedIP range = 0.0.0.0/0. I have specified a DNS = 10.0.0.1 record in the WireGuard client setup.
GL-MT3000 IP: 10.0.10.1
It is connecting perfectly, I can access the internet via this WireGuard tunnel, however DNS is unresponsive. If I manually set the DNS server on the client computer to either 10.0.0.1 or 8.8.8.8, the internet works fine. However, when left as default (the DNS is set by DHCP to 10.0.10.1, the IP of my GL-MT3000), there are no DNS responses.
Even if I navigate to Network > DNS, and set Manual DNS to 1.1.1.1 or 8.8.8.8, the client computer is still unable to get any DNS responses. Can anyone tell me where I might be going wrong, and why the GL-MT3000 cannot pass on the DNS requests but when I set it on the client, it works fine?
DNS Rebinding Attack Protection = Off
Override DNS Settings of All Clients = Off
Allow Custom DNS to Override VPN DNS = Off
DNS Server Settings Mode = Automatic
VPN Client Global Options:
Block Non-VPN Traffic = Off
Allow Access WAN = On
Services from GL.iNet Use VPN = Off
Proxy Mode: Auto Detect
WireGuard config:
[Interface]
Address = 10.1.1.3/32
PrivateKey = X
DNS = 10.0.0.1  # or 8.8.8.8 for testing
MTU = 1420
[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = X:65142
PersistentKeepalive = 21
PublicKey = X
PresharedKey = X
Are there any other features in firmware enabled besides VPN?
Is it normal if you change VPN proxy mode to Global?
In Auto Detect mode, since the VPN profile does not seem to specify a route, it probably cannot route the traffic.
Also, are you 100% sure the DNS works and is pingable on a working setup? (I don't mean per se from an app, unless it clearly works with that IP.)
With a different VPN provider (Mullvad) I noticed with pure OpenWrt that their advertised 10.64.0.1 or 10.64.132.1 doesn't work for me, but I also didn't find a suitable solution; it automatically hijacks DNS to a public one when no DNS is specified, which, as previously stated on their blog, was going to be deprecated.
It proves to me that sometimes these providers' documentation is not always up to date or even fails. It could be an issue on my part, but I am still investigating; OpenWrt is complicated.
No other features are enabled at all: a factory reset was done and confirmed that everything is disabled except the WG client.
Unfortunately, changing to Global Proxy did not change the outcome. The devices still cannot request any DNS. I also hard-coded the range of the DNS server, 10.0.0.0/24, 0.0.0.0/0, into the WG config to see if it made a difference. No such luck.
I noticed this port forward firewall rule becomes active when the WG client is active. If I disable it, client DNS begins working, but not via the WireGuard config file's DNS server; it uses the WAN DNS IP instead. It seems something is wrong here and the forwarding via 1653 is not working?
Hi xize11, when I manually set the client's DNS server to 10.0.0.1 (which goes across the WireGuard tunnel), it works perfectly. It is only when clients try to route DNS to the GL.iNet router, which then forwards to the WireGuard-specified DNS server, that it breaks.
Appreciate the support - I am stumped on this one.
Ping, nslookup and traceroute are all successful from SSH on the router (an IP is returned), except they appear not to be going via the WireGuard DNS. I can resolve google.com, but a DNS name internal to the 10.0.0.1 network cannot be resolved:
May I know what the subnet mask of your LAN IP and VPN IP is?
If they are both 255.0.0.0 or /8 (10.0.10.1/8 and 10.0.0.1/8), it seems that the two subnets are in conflict; please try to modify the LAN IP to 192.168.x.x/24 or another range.
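As an added example (not from anyone in this thread), a small Python check of the subnet-conflict hypothesis raised in the last reply: given the router's LAN address with its mask, the DNS address from the WireGuard [Interface] DNS line and the peer's AllowedIPs, it reports whether the DNS server would be treated as on the LAN (a connected route is more specific than the tunnel's 0.0.0.0/0, so the router would never send the query through the tunnel). The /8 LAN mask used in the demo is an assumption for illustration; the actual mask on the GL-MT3000 is not stated in the thread.

```python
import ipaddress


def dns_route_check(lan_ip_cidr: str, vpn_dns_ip: str, allowed_ips: list[str]) -> dict:
    """Check whether the VPN DNS server would be reached through the tunnel.

    lan_ip_cidr: router LAN address with mask, e.g. "10.0.10.1/8" (assumed).
    vpn_dns_ip:  address from the WireGuard [Interface] DNS line.
    allowed_ips: the peer's AllowedIPs entries.
    'ok' is False when the DNS address falls inside the directly connected LAN
    subnet (the LAN route beats the tunnel route) or when no AllowedIPs entry
    covers it (WireGuard would drop the packet).
    """
    lan = ipaddress.ip_interface(lan_ip_cidr).network
    dns = ipaddress.ip_address(vpn_dns_ip)
    dns_in_lan = dns in lan
    covered = any(dns in ipaddress.ip_network(a, strict=False) for a in allowed_ips)
    return {
        "lan_subnet": str(lan),
        "dns_in_lan_subnet": dns_in_lan,
        "dns_in_allowed_ips": covered,
        "ok": covered and not dns_in_lan,
    }


if __name__ == "__main__":
    # Constructed cases: the suspected /8 LAN from the thread, then the
    # suggested fix of moving the LAN to a 192.168.x.x/24 range.
    for lan in ("10.0.10.1/8", "192.168.8.1/24"):
        print(lan, dns_route_check(lan, "10.0.0.1", ["0.0.0.0/0"]))
```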