Wireguard client not honoring DNS setting [workaround discovered]

edit: see below posts for workaround.

I’m using an AR-750, running testing firmware “openwrt-ar750-3.022-0329”. It is configured as a wireless AP for my devices, and is directly plugged in via ethernet cable to a switch in my AirBnB.

I do have custom DNS settings configured, however I am also using the AR750 as a Wireguard client. My issue is that the device does not configure DNS correctly. My client devices always use the upstream devices DNS server.

When I ssh into the AR750, I can see that /etc/resolv.conf is pointing at /tmp/resolv.conf, however /tmp/resolv.conf is a link to /tmp/resolv.conf.auto. This file has the upstream DNS nameserver. There is also a /tmp/resolv.conf.vpn, which has the DNS server for my Wireguard VPN.

I can manually change the link in /tmp/resolv.conf to point to /tmp/resolv.conf.vpn, and name resolution works correctly on the AR750 only, however even when I restart dnsmasq service, my wireless clients are not using the Wireguard DNS – they all still use the upstream device’s nameserver, via the AR750.

How can I configure the AR750 to correctly use the Wireguard DNS nameserver? As mentioned, I can manually make this change, however it is not propagated to the wireless client devices. If I run nslookup or dig on a wireless client (eg, a linux laptop) it shows that the AR750 is the nameserver, however it cannot resolve names on the Wireguard VPN, even though the AR750 can do so after I change the link in /tmp.

In case this isn’t clear, here is what is happening (192.168.8.1 is the AR750):

Client wireless device cannot do lookup on Wireguard VPN:

[bongo@gally-959E ~]$ nslookup ns1
Server:         192.168.8.1
Address:        192.168.8.1#53

Non-authoritative answer:
*** Can't find ns1: No answer

AR750 gets the same answer, until I change link on /tmp/resolv.conf --> /tmp/resolv.conf.vpn, then:

root@GL-AR750:~# nslookup ns1
Server:         10.7.1.53
Address:        10.7.1.53#53

Name:      ns1
Address 1: 10.7.1.53

However, even when I make this change on the AR750, it never affects client devices.

Any help is appreciated!

The traffic from router itself will always use the upstream DNS even you have set manual DNS.

The client connected to AR750 will use always use AR750 as DNS server, unless you set an assign DNS server for your PC. So it is the normal behavior.

But if you have set the manual DNS on AR750, it will use the DNS server as upstream DNS server. To test DNS, you should use https://dnsleaktest.com/ instead.

Could you please ssh to the router, and execute cat /etc/config/dhcp after you start WireGuard?

Thank you for the reply. I understand that my clients will use the AR750 as DNS server, however I can never resolv names using the Wireguard VPN DNS server.

Here is my /etc/config/dhcp; I can see that resolvfile is set to the correct file /tmp/resolv.conf.vpn, however I can never resolv names on the client only the AR750:

config dnsmasq
option domainneeded ‘1’
option boguspriv ‘1’
option filterwin2k ‘0’
option localise_queries ‘1’
option rebind_localhost ‘1’
option local ‘/lan/’
option domain ‘lan’
option expandhosts ‘1’
option nonegcache ‘0’
option authoritative ‘1’
option readethers ‘1’
option leasefile ‘/tmp/dhcp.leases’
option localservice ‘1’
option rebind_protection ‘0’
list server ‘9.9.9.9’
list server ‘149.112.112.112’
option noresolv ‘1’
option resolvfile ‘/tmp/resolv.conf.vpn’

config dhcp ‘lan’
option interface ‘lan’
option start ‘100’
option limit ‘150’
option leasetime ‘12h’
option force ‘1’
option dhcpv6 ‘server’
option ra ‘server’
option ignore ‘0’

config dhcp ‘wan’
option interface ‘wan’
option ignore ‘1’

config odhcpd ‘odhcpd’
option maindhcp ‘0’
option leasefile ‘/tmp/hosts/odhcpd’
option leasetrigger ‘/usr/sbin/odhcpd-update’

config domain ‘localhost’
option name ‘console.gl-inet.com
option ip ‘192.168.8.1’

config dhcp ‘guest’
option interface ‘guest’
option start ‘100’
option leasetime ‘12h’
option limit ‘150’
option dhcpv6 ‘server’
option ra ‘server’

I have fixed this problem by implementing the fixes described by @PaulS in this post:

AS-750S Slate Rotuer: DNS fix to allow use of internal DNS server with Wireguard Client

In the post he links to a blog wherein he describes the changes in detail:

GL-iNet GL-AR750S-Ext mss clamping mtu_fix for Wireguard VPN

Note: I did not need to implement the mtu_fix, only the two dns fixes.

You can read about how to make this change in @PaulS blog above. Here is a patch for “/etc/init.d/wireguard” file on the AR750:

--- /etc/init.d/wireguard.old	2019-07-11 09:30:43.563687226 +0200
+++ /etc/init.d/wireguard	        2019-07-11 09:30:25.301885360 +0200
@@ -95,6 +95,7 @@
 		#mv /tmp/resolv.conf.auto /tmp/resolv.conf.auto.hold
 		echo -e "nameserver $dns" > /tmp/resolv.conf.vpn
 		uci set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.vpn'
+		uci add_list dhcp.lan.dhcp_option="6,$dns"
 		uci commit dhcp
 		/etc/init.d/dnsmasq restart
 	else
@@ -382,6 +383,7 @@
 	[ -f "/tmp/resolv.conf.vpn" ] && {
 	rm -rf /tmp/resolv.conf.vpn
 	uci set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
+	uci del_list dhcp.lan.dhcp_option="6,$dns"
 	uci commit dhcp
 	/etc/init.d/dnsmasq restart
 	}

I have opened 0000226: GL-AR750 Wireguard does not pass wireguard DNS server to DHCP clients to track this future fix.