Router does not handle DNS queries from LAN correctly for Wireguard DNS

Hello,
I am trying to set up a Wireguard tunnel on my Beryl AX to access resources on my home LAN, including my DNS server.

Here is my config
GL-MT3000 running 4.6.4
MT3000 LAN is 192.168.101.0/24
Wireguard subnet on home router is 192.168.100.0/24
Desired DNS server listens on 192.168.100.1

Wireguard config on MT-3000

[Interface]
Address = 192.168.100.15/24
ListenPort = 51840
PrivateKey = xxxxx
DNS = 192.168.100.1
MTU = 1420

[Peer]
AllowedIPs = 192.168.100.1/32, 192.168.100.0/24, 192.168.30.0/24, 192.168.80.0/24, 192.168.101.0/24
Endpoint = home_wan_domain:51840
PersistentKeepalive = 15
PublicKey = xxxx

Routing table is configured manually to be

DNS on router is set to auto and shows VPN from DNS as 192.168.100.1 when WG is enabled

DHCP DNS server settings are left blank, so LAN clients query 192.168.101.1:53 by default.
However, it does not seem like 192.168.101.1 forwards anything to 192.168.100.1.
I can manually set 192.168.100.1 as the DNS server with nslookup on a LAN client for testing, and my home LAN domains resolve just fine, so I know the DNS server at 192.168.100.1 is reachable when the WG tunnel is active.

Non-local domains resolve fine with 192.168.101.1, so it does seem to be forwarding to the upstream WAN DNS.

I did some troubleshooting and it looks like this port forward rule is not enabled when the Wireguard tunnel is activated. If I manually enable the rule, then 192.168.101.0 LAN clients will resolve my home LAN hosts using the WG-configured DNS.

Is this a bug with WG enable script in GL.inet?

I made a typo in the description above
GL.INET LAN and DNS server are 192.168.101.0/24 and 192.168.101.1
Not 192.168.1.101

I modified your post according to your suggestions. Pls check if it is precise.

Hi sarmenator,
Is the VPN Policy in auto detect or customize routing mode? Does this happen when the policy is in global mode?

It is customized routing mode. Autodetect does not seem to function properly as it looks like it only reads the first entry in allowed IPs list in wireguard config.

I did not try global mode because as you can see the tunnel is configured as a split tunnel and in global mode it won’t be able to route the rest of traffic through the tunnel. And that also is not the setup I am interested in. I just want my private DNS for ALL DNS resolutions and access to my home LAN subnets.

Workaround would be to have DHCP pass 192.168.100.1 as DNS but then I’ll have to go disable that every time I turn WG VPN off.

I can’t configure MT3000 DNS to 192.168.100.1 manually either because then wireguard won’t be able to resolve peer IP at startup.

As it stands now, all that needs to be done for this to work is to have the FW enable the port forward rule that was created when the tunnel is up. It does seem to disable it properly when the tunnel goes down.

Either the startup script is buggy or I’m setting something wrong inadvertently

When Policy is in customize routing mode, DNS-related rules are not configured by default. This mode gives all configuration permissions to the user.

You need to manually create firewall rules to forward DNS requests to port 1653.

Or you can enable our preset rule. The method is as follows:

  1. Edit the file /lib/functions/vpn_func.sh.

  2. Modify the code to vpn_dns_enable=1 at the location shown in the figure below.


  3. Then restart the VPN.

This may solve the issue you are encountering.


Hah!
Let me try this and report back. I think this may be it. Thank you for the suggestion.


Dear @teleney

Your suggestion works with some changes to handle Enable/Disable of WG VPN properly

In the vpn_dns_first_set() function:

    2)
        #custom route mode
        if [ "$wgclient_disabled" = 0 ]; then
            vpn_dns_enable=1
        else
            vpn_dns_enable=0
        fi
        ;;

In the vpn_dns_double_set() function:

    2)
        #custom route mode
        if [ "$status" = down ]; then
            vpn_dns_enable=0
            vpn_dns_stop_dnsmasq
        fi
        if [ "$status" = up ]; then
            vpn_dns_enable=1
        fi
        ;;

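Putting teleney's explanation (custom routing mode leaves the DNS rules to the user; the preset redirects LAN DNS queries to port 1653) together with sarmenator's enable/disable patch above, here is an added example script. It is not part of this thread and not GL.iNet's own vpn_func.sh. It models the decision the two patched case branches make and prints the NAT rule that would carry it out. Port 1653 comes from the thread; the LAN interface name br-lan and the use of an iptables REDIRECT rule are assumptions that may differ on the actual firmware.

```shell
#!/bin/sh
# Added example, not from the thread or from GL.iNet's vpn_func.sh.
# Models the vpn_dns_enable decision from the patched
# vpn_dns_first_set()/vpn_dns_double_set() branches and prints the NAT
# rule that redirects LAN DNS (port 53) to the VPN-side dnsmasq on 1653.
# ASSUMPTIONS: LAN bridge is "br-lan"; iptables REDIRECT is available.

# vpn_dns_decide STATUS WGCLIENT_DISABLED
# Prints 1 when LAN DNS should be redirected into the tunnel, 0 otherwise.
# Combined rule from both patched branches: redirect only while the
# WireGuard client is enabled AND the tunnel is up, so no stale redirect
# keeps sending LAN queries to an unreachable 192.168.100.1 after the
# VPN is switched off.
vpn_dns_decide() {
    status="$1"
    disabled="${2:-0}"
    if [ "$disabled" = 0 ] && [ "$status" = up ]; then
        echo 1
    else
        echo 0
    fi
}

# vpn_dns_rules ENABLE [LAN_IF] [PORT]
# Prints the iptables commands (one per protocol) that insert (ENABLE=1)
# or delete (ENABLE=0) the redirect. Output only; pipe to sh to apply.
vpn_dns_rules() {
    enable="$1"
    lan_if="${2:-br-lan}"   # assumed LAN bridge name
    port="${3:-1653}"       # local dnsmasq port from the thread
    if [ "$enable" = 1 ]; then action="-I"; else action="-D"; fi
    for proto in udp tcp; do
        echo "iptables -t nat $action PREROUTING -i $lan_if -p $proto --dport 53 -j REDIRECT --to-ports $port"
    done
}

# vpn_dns_apply STATUS WGCLIENT_DISABLED
# Convenience wrapper: decide, then print the matching rule set.
vpn_dns_apply() {
    vpn_dns_rules "$(vpn_dns_decide "$1" "${2:-0}")"
}
```

`vpn_dns_apply up 0 | sh` would install the redirect on a router where iptables is present (an assumption here), and `vpn_dns_apply down 0` prints the matching `-D` lines for the tunnel-down path. Deleting a rule that is already absent makes iptables return an error, so a real hook should test with `iptables -t nat -C ...` first and delete only when the check succeeds.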