Spitz X3000 - Clients Not Using WG VPN DNS

doczenith1 · 2023-06-07T13:52:47.096Z

When using WireGuard with all traffic routed through the tunnel the DNS used by the clients is the DNS set under Network>DNS. I believe it should be the DNS set in my WireGuard config. Using FW 4.3.1

'# Spitz
[Interface]
PrivateKey =
Address = 10.50.1.7/32
DNS = 192.168.1.1

'# RT-AC86U ‘server’ (wg21)
[Peer]
PublicKey =
AllowedIPs = 0.0.0.0/0
Endpoint = Home IP Address:51820
PresharedKey =
PersistentKeepalive = 25
'# Spitz End

I can post the WG log if needed but after a quick look I didn’t see anything obvious.

When using OpenVPN clients are using the VPN’s DNS.

yuxin.zou · 2023-06-08T02:21:47.460Z

image715×163 6.51 KB

It should use the DNS that you set in DNS page.

hansome · 2023-06-08T03:34:32.574Z

Please print the following command output to check:

ip route get 192.168.1.1
ip route show table 51
cat /tmp/resolv.conf.wg
cat /tmp/etc/dnsmasq.conf.cfg01411c

doczenith1 · 2023-06-08T13:07:55.140Z

That worked but seems like it’s very limiting. For example, say I typically use the VPN for SIM1 but not SIM2. So, when using SIM2 I am forced to use the ISP’s DNS servers vs a DNS server of my choice. Would changing how this works be something you might be able to consider in the future? Thanks.

doczenith1 · 2023-06-08T13:21:43.639Z

root@GL-X3000:~# ip route get 192.168.1.1
192.168.1.1 dev wgclient src 10.50.1.7 uid 0
cache

root@GL-X3000:~# ip route show table 51
default via 100.70.51.141 dev rmnet_mhi0 proto static src 100.70.51.140 metric 40
52.144.113.70 via 100.70.51.141 dev rmnet_mhi0 proto static metric 40
100.70.51.136/29 dev rmnet_mhi0 proto static scope link metric 40
192.168.1.1 dev wgclient scope link
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1

root@GL-X3000:~# cat /tmp/resolv.conf.wg
'# Interface wgclient
nameserver 192.168.1.1

root@GL-X3000:~# cat /tmp/etc/dnsmasq.conf.cfg01411c
'# auto-generated config file from /etc/config/dhcp
conf-file=/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
localise-queries
read-ethers
enable-ubus=dnsmasq
expand-hosts
bind-dynamic
local-service
edns-packet-max=1232
domain=lan
local=/lan/
addn-hosts=/tmp/hosts
dhcp-leasefile=/tmp/dhcp.leases
dhcp-script=/usr/lib/dnsmasq/dhcp-script.sh
script-arp
resolv-file=/tmp/resolv.conf.d/resolv.conf.auto
dhcp-broadcast=tag:needs-broadcast
conf-dir=/tmp/dnsmasq.d
user=dnsmasq
group=dnsmasq

dhcp-ignore-names=tag:dhcp_bogus_hostname
conf-file=/usr/share/dnsmasq/dhcpbogushostname.conf

bogus-priv
conf-file=/usr/share/dnsmasq/rfc6761.conf
dhcp-range=set:lan,192.168.8.100,192.168.8.249,255.255.255.0,12h

root@GL-X3000:~#

Edit: Apostrophes added in front of # symbols to remove formatting code.

yuxin.zou · 2023-06-09T01:27:54.897Z

doczenith1:

So, when using SIM2 I am forced to use the ISP’s DNS servers vs a DNS server of my choice.

It sounds like a bug. are you referring to the DNS server that you chose in the Network → DNS page?

doczenith1 · 2023-06-09T02:41:47.516Z

What I’m saying is that for SIM 1 to use the VPN assigned in the WireGuard config I need to set the system DNS to automatic. If I then switch to SIM 2 where I don’t use a VPN I will be using the ISP DNS servers as the router’s system DNS is set to automatic. But I don’t want to use the ISP’s DNS servers for SIM 2 so now I need to manually switch the system DNS to the DNS server of my choice. Now when I switch back to SIM 1 and use the VPN I need to switch the system DNS back to automatic. This behavior doesn’t seem right to me. The WireGuard VPN should use the DNS specified in the config file regardless of the system setting for DNS.

The OpenVPN client is working “correctly” in that it is using the DNS server specified in the VPN config regardless of the system setting.

hansome · 2023-06-09T03:50:51.534Z

There is no abnormality in the debug information. So I think you don’t need to set Manual DNS. The issue may be that the 192.168.1.1 DNS server is not accessible on the X3000 router.

If you change 192.168.1.1 to 1.1.1.1 for the original WireGuard config file, will it work as expected?
Do you disable IP masquerading?

Please try ping 192.168.1.1 to check if it is reachable.

doczenith1 · 2023-06-09T13:56:29.476Z

But I want to set manual DNS so that when I’m using SIM 2 with no VPN it uses the DNS server of my choice.

With IP Masquerading on:
With Network>DNS set to automatic I AM able to use 192.168.1.1 for my DNS servers. With Network>DNS set to manual I AM NOT able to use 192.168.1.1 for my DNS servers and it uses the server set in Network>DNS>manual. I am able to successfully ping 192.168.1.1 with either Network>DNS setting.

I have set the WireGuard config to use 9.9.9.9 (192.168.1.1 uses 1.1.1.1 so I picked something different).
With Network>DNS set to automatic I AM able to use 9.9.9.9 for my DNS servers. With Network>DNS set to manual I AM NOT able to use 9.9.9.9 for my DNS servers and it uses the server set in Network>DNS>manual.

With IP Masquerading off:
With Network>DNS set to manual I AM NOT able to access the internet. The tunnel is broken.
With Network>DNS set to automatic I AM NOT able to access the internet. The tunnel is broken.

Edit:
I want to reiterate that when using OpenVPN the DNS server in the OpenVPN config is used regardless of the Network>DNS setting. This is my expected behavior when using a VPN.

hansome · 2023-06-11T14:07:44.541Z

Thank you for the detailed tests. I will check the OpenVPN client, as I assume the manually set DNS has the highest priority. We will find a way to make the VPN DNS override the manual DNS, which is more reasonable.

hansome · 2023-06-12T04:35:25.300Z

doczenith1:

when using OpenVPN the DNS server in the OpenVPN config is used regardless of the Network>DNS setting.

I test opevpn client, it will also use manual DNS setting designated server. How do you make sure the DNS traffic is via the server by the OpenVPN config?
I use this command to test

tcpdump -i ovpnclient -s0 -n port 53

doczenith1 · 2023-06-19T22:06:09.784Z

I am using ipleak.net to check which DNS servers are being used.

I am happy to report that the issue appears to be fixed on 4.3.3. When using manual DNS servers under Network>DNS the DNS server specified in the WireGuard config is being used now.

doczenith1 · 2024-01-05T14:46:49.042Z

I believe I’m seeing a regression in 4.0-0404release1. When manually selecting DNS servers under Network>DNS the DNS server specified in the WireGuard config is NOT being used. When I switch DNS back to automatic the DNS server specified in the WireGuard config is used.

hansome · 2024-01-06T12:26:57.860Z

So far, the manual DNS will override wireguard DNS. It’s the same case with older firmware.
Recently I made a new schema for DNS traffic separation, making it possible to use VPN DNS by default even with manual DNS set. I’ve prepared a testing firmware for ax1800.

kennethrc · 2024-01-08T19:31:48.173Z

I’m seeing something similar; with the release 0404release1 when I have my WG tunnel enabled (which specifies a DNS) its DNS is not being used.

Before this release, I would see two entries under “DNS Server Settings” when “Automatic” was selected- “DNS from Cellular” (etc.) and “DNS from Wireguard”, but now it’s just “DNS from Cellular”.

kennethrc · 2024-01-08T19:43:42.755Z

Confirmed version “0403release7” does not suffer this bug; RN I see:

DNS Server Settings
Mode: Automatic
DNS from Cellular
192.0.0.1
DNS from WireGuard
192.168.124.1

… and “DNSLeaktest.com” only shows my VPN’s DNS (not my WAN’s DNS).

hansome · 2024-01-09T16:30:36.055Z

kennethrc:

Before this release, I would see two entries under “DNS Server Settings” when “Automatic” was selected- “DNS from Cellular” (etc.) and “DNS from Wireguard”, but now it’s just “DNS from Cellular”.

Thanks. That’s indeed a bug not showing VPN DNS but actually using VPN DNS when “Automatic” was selected

kennethrc · 2024-01-09T19:20:14.968Z

hansome:

… but actually using VPN DNS when “Automatic” was selected

So it works, it’s just a display bug?

hansome · 2024-01-10T01:26:05.950Z

Yes, correct, correct