WireGuard on GL-A1300 not propagating custom DNS settings / Can't resolve local hostnames over WireGuard via GL-A1300

choque · May 27, 2024, 12:53pm

So my setup (the important parts) looks as follows:

Type	IP	Description
Router	192.168.100.1	My router, a FritzBox
LXC Container	192.168.100.200	AdGuard. Used as my DNS resolver with configured DNS rewrites for local services
LXC Container	192.168.100.210	WireGuard

Now if I create a wireguard config (in the WireGuard LXC container) it looks like this

[Interface]
Address = 10.7.0.3/24
DNS = 192.168.100.200
PrivateKey = zTV...

[Peer]
PublicKey = 5Eo...
PresharedKey = Rgt...
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = mydomain.com:51820
PersistentKeepalive = 25

Using those configs on my computer or android phone works AND the local hostnames resolve without a problem.

Now I got myself a GL.iNet Slate Plus (GL-A1300) which I want to use for traveling. I created a new wireguard config and imported it to the device. When I connect my computer or phone to the WLAN of the GL-A1300 (with WireGuard running on the GL-A1300) then I'm able to access the internet and access my local services via IP (eg. 192.168.100.101) but I'm unable to access them via their hostname configured in AdGuards DNS rewrites.

Since resolving of the local hostnames over WireGuard is working when I'm using it directly on my computer or phone, my guess is that it's a (configuration) problem with the GL-A1300 but I figured asking here won't hurt since someone here might be running a similiar setup.

Oh and I've already tried adding my local suffix to the DNS line of the config and adding the IP of my DNS server to the list of allowed IPs like so

DNS = 192.168.100.200, fritz.box
AllowedIPs = 0.0.0.0/0, ::/0, 192.168.100.200/32

But that brought no change.

Already posted to Reddit but go no reply there either.

admon · May 27, 2024, 12:56pm

Could you please check if DNS Rebinding Attack Protection is enabled on your A1300?

choque · May 27, 2024, 1:01pm

I'll check that and report back, thanks for the reply. In the meantime here's an in-depth analysis by /u/pp6000v2 from reddit.

Summary:

it's changing the file at every boot or WAN change. It got the DNS server from my home DHCP server flags. So either WG's configured DNS server isn't being passed through when the tunnel is brought up, or a change to include it would need to be made inside the Network > Interfaces tab and/or /etc/config/network

Full post from reddit:

pp6000v2:

I do, as my travel router. I pulled it out and have it tethered through my phone here on my desk to test and verify. It also will not resolve hostnames of the home network devices on the other end of the WG tunnel. In my home network, I run a pihole instance at 10.0.0.13 (on a physical pi4b), and my router (10.0.0.1) runs the WG server interface at 10.0.0.32/32.

The Slate WG config is set to use: 10.0.0.39/32, the pihole 10.0.0.13 address set as dns, and it's (server) peer config allowing 0.0.0.0/0.

I do enable adguard home on the Slate, because there are situations where I don't have the WG tunnel up.

That said, ssh'ing into the Slate and running netstat -peanut, there are a whole lotta port 53's listening that are tied to dnsmasq on tcp and udp (and explicitly not adguard- it's listening on 3053 and it's web interface on 3000). Basically dnsmasq is listening on every single interface- lan, wan, tether, wg tunnel...

The GL.iNet interface sort of hides the default luci interface, and there are changes made that luci doesn't like. Logging into the luci interface/advanced settings, and going to Network > Interfaces, I get this warning popup:

Network ifname configuration migration

The existing network configuration needs to be changed for LuCI to function properly.

Upon pressing "Continue", ifname options will get renamed and the network will be restarted to apply the updated configuration.

Rather than mess with something that's working, I don't go into luci very often in the gui except for when I really need to. So going into the br-lan interface and setting all the DNS fields (use custom dns, the dhcp flag options, etc) is a no-go for my usage.

Openwrt's dnsmasq is still listening, but forwarding requests to adguard on 3053. Because the /etc/hosts file doesn't have hostname/mac/ip listings, it can't handle requests for hostnames, even using the FQDN.

One solution may be to add the dns server into /etc/init.d/dnsmasq on line ~1127 (typically it just lists 127.0.0.1, but amend to include your remote dns) to be DNS_SERVERS="$DNS_SERVERS 127.0.0.1 192.168.100.200".

The add is because the /etc/resolv.conf file gets overwritten at each boot (at least on my home openwrt router), so adding it there only survives one boot or service load. Looking at the /etc/resolv.conf file on the Slate right now as it's connecting to the internet via USB tethering through my phone, the file reads:
root@GL-A1300:/etc# cat resolv.conf 
# Interface tethering
nameserver 172.20.10.1
which is the iphone that's connected to it for personal hotspot. I'm guessing it reloads at each boot or change in WAN, hence the possible need to include the desired DNS server in the dnsmasq service's file.

SO! either go add all your hostnames and IP's to the hosts file on the travel router, or do what I'm too scared to and enter Network > Interfaces in the luci interface and force all the dns settings. I don't know what the latter does in terms of changes that would affect the functionality of the gl.inet web admin interface (it is just openwrt 21.02.2 underneath, as of my current 4.2.1 firmware), but I have the functionality I need in my set up, if not everything I would desire.

I think that's all my rambling mind dump here at midnight EDT. Hope something in there helps send you down a path towards success.

ETA: added a line in the Slate's hosts file for one of my home devices, and tried to connect to it after rebooting the Slate (since reloading dnsmasq didn't suffice). I can connect using the the FQDN, but not hostname alone. So in my ssh app, I can use [email protected], but not pi@pi4b2. I do have a big hosts file on my home router since I have everything set to dhcp reservations. I imagine if you did the same sort of thing, you could just copy it over to the Slate and be pretty much good to go.

2nd ETA: had a firmware update to 4.2.3 available, so I plugged in to my ethernet network. /etc/resolv.conf now reads:
root@GL-A1300:~# cat /etc/resolv.conf 
# Interface wan
nameserver 10.0.0.13
search lan
so it's changing the file at every boot or WAN change. It got the DNS server from my home DHCP server flags. So either WG's configured DNS server isn't being passed through when the tunnel is brought up, or a change to include it would need to be made inside the Network > Interfaces tab and/or /etc/config/network, but I'm way past bedtime as a millennial old man.

choque · May 27, 2024, 8:31pm

Ok, I just checked. Network - DNS - DNS Rebinding Attack Protection is turned OFF.