WireGuard VPN quirk on 4.8.3op24

So this is a strange issue to me, but it might make perfect sense to someone else.

  1. I have one WireGuard server running within the firmware of my Flint 2 for local access, and it’s working fine for the most part.
  2. I also have one WireGuard server running on a separate machine within the network (WG port forwarded to that machine from the router interface).
  3. I have various services on my network that are accessed via reverse proxy domain internally and/or externally.

For the most part everything works fine with both VPN tunnels, but in certain instances, attempts to access a service via domain name vs. IP address yield nothing. For example, SSH to a box within my network via domain name while connected to VPN #1 (router service) results in connection refused. If I retry with the local IP address instead, it works fine.

Attempting this same type of connection via VPN #2, the connection works just fine!

For VPN #1, I do have “Allow Remote Access the LAN Subnet” enabled.

Both tunnels are using the same DNS, 1.1.1.1.

Any ideas? It seems like a DNS issue to me, but since they’re using the same server, does it have something to do with the fact that VPN #1 is running on the router firmware layer and VPN #2 is running within the network?

Any other ideas or troubleshooting steps I should take?

Hi,

Please check whether “Override DNS Settings of All Clients” is enabled under Network → DNS on the MT6000.
If so, DNS traffic (e.g., to 1.1.1.1) from a WireGuard tunnel running on an internal server (VPN#2) will be redirected to the router for processing, allowing it to resolve local domain names such as .lan.

You can also try modifying the DNS entry in the WireGuard configuration file (VPN#1) to point to the MT6000’s VPN IP and see if it achieves a similar effect.

If we’ve misunderstood your setup, could you provide more details about the type of domain you’re using and whether it resolves to a public or private IP? This will help us analyze the issue further.

Hello, thank you for your reply. The domain name is one that resolves to my WAN IP.

Thank you. By default the router-based VPN wanted to use router-based DNS resolution, which resulted in the same issue. In troubleshooting I figured I would get both VPNs on the same DNS just to eliminate that as a possible variable.

I will check split DNS and NAT reflection! I didn’t see these settings in the Flint 2 pages, but if you can point me in the right direction, I’ll be happy to test!