GL-MV1000 Wireguard can't connect after adding CIDR List in 'Allowed Clients" for AdGuard DNS

Ran into an issue after rebooting my router. Wireguard would not connect. Backed up my current config and restored from a backup and everything was fine. TL;DR - After removing the CIDR list from Allowed Clients and rebooting the router, Wireguard connects successfuly.

Question is - why?

I had made some changes to AdGuard since my last backup and started going through what i could remember. I made update to client entries, custom filters, upstream DNS, and the allowed client list. After some try/reboot/fail, the Allowed Clients list under Settings → DNS Settings was the culprit.

Here is the list I added:

192.168.8.1/32
192.168.8.2/31
192.168.8.4/30
192.168.8.8/29
192.168.8.16/28
192.168.8.32/27
192.168.8.64/26
192.168.8.128/25

<< EDIT - Changed this to 192.168.8.0/24 for simplicity >>

.1 is my GL-MV1000

Nothing out of the ordinary. I tried removing different entries (starting with 192.168.8.1/32) and rebooting each time. Once the list was empty, wireguard connected on reboot.

Any ideas? I’d certainly like to implement this as external IPs are using me for DNS.

So

So this is in the allowed list of wireguard config?

This seems strange.

If you want to add 192.168.8.x, you should just have 192.168.8.1/24 in the list.

If you want to add these IP individually you should use
192.168.8.1
192.168.8.2
etc without netmask or all /32.

So this is in the allowed list of wireguard config?

No. This is the configuration for Allowed Clients list under Settings → DNS Settings

If I have any entries on that list, Wiregard fails to connect. If I reboot the router with Allowed Clients blank, wireguard will connect. I am able to add entries to Allowed Clients after boot and it works as expected. The problem case here is that if I lose power or have to reboot the router I must remove the cofiguration, reboot the router again, then add my settings to Allowed Clients again manually.

Can you try removing the Allow Clients, connect Wireguard, then check the AdGuardHome Query Log to see if there are any DNS requests that are not in the 192.168.8.0/24 subnet?

I do not work for and I do not have formal association with GL.iNet

Quite a few, actually. This was the reason I implemented this in the first place. The Allow Clients configuration was in place for about a week before I had to restart to my router (and subsequently discovered this problem) and all requests were from 192.168.8.x – so it was working well.

Maybe some of those DNS requests from IP’s that are not in the 192.168.8.0/24 subnet are preventing Wireguard from connecting when they cannot be resolved.

I do not work for and I do not have formal association with GL.iNet

To clarify:

  • With CIDR ranges in the Allow Clients list, Wireguard will not connect on boot
  • Without CIDR ranges in the Allow Clients list (empty), Wireguard will connect on boot. External DNS requests show in my log immediately
  • After booting w/o CIDR ranges in the Allow Clients list (empty) and Wireguard connected successfully, I am able to add CIDR ranges to the Allow Clients. This DOES prevent external IPs from using my DNS server

This seems like a bug unless there is something that is happening/not happening that is beyond my scope of knowledge.

Can you show the config of wireguard?

…not too sure about your actual config but have you already tried

  • using CIDR only in WG config? What WG doesn’t allow won’t be forwarded to your local DNS (that was rather a workaround).
  • using the IP address of us5854.[…] in WG-client config (this is just to test, I guess you cannot resolve “us5854.[…]” to an IP address. if so we had to look at your WG-clients DNS config instead the WG-config)

Why do you use 192.168.8.1 as DNS and
Why do you put 192.168.8.0/24 inthe Allowed IPs?

If you are using Nordvpn you should not put your private subnet in allowed IPs.

That why I wanted to see DNS requests in the AdGuardHome Query Log that may be preventing Wireguard from connecting.

You should use the NordVPN DNS servers:

DNS = 103.86.96.100, 103.86.99.100

I do not work for and I do not have formal association with GL.iNe

Maybe to have AdGuardHome filter the Wireguard traffic?

I do not work for and I do not have formal association with GL.iNet

AGH is a plain DNS filter - it cannot filter anything else.

AdGuardHome terminology. DNS requests are still traffic.

image

I do not work for and I do not have formal association with GL.iNet

Yes, they do filter - but only DNS, nothing else (and not by actually filtering DNS-traffic but by providing a DNS resolver that selectively answers - even mandatory DNS is nothing else than forwarding DNS traffic to the DNS resolver which answers it).

Yes. Of course I know since I am running AdGuardHome in Docker on my Synology NAS. My statement was “filter the Wireguard traffic”, which is not incorrect.

I do not understand what you are trying to prove, but I do not think it helps the OP any, so I will not continue this.

I do not work for and I do not have formal association with GL.iNet

It is 100% incorrect.
AGH cannot filter anything else than DNS requests.
So the only possibility, that AGH is the culprit in this threads issue, is that AGH blocks the DNS resolve of us5854.nordvpn.com.

I am not “trying to prove” anything but trying to keep OP from following wrong leads.

BTW, @kuzak : Already tried if the nonworking config suddenly works when you replace us5854.nordvpn.com) by its actual IP (152.89.204.162 RN) in the VPN client config?

Blocked @GLrs forever in Preferences.

WTF?
What kinda guy is that @wcs2228? Talked plain BS, got corrected and cannot stand up for it?
GEEZ!