
WireGuard bypassing DNS Director settings


anaknipedro

Occasional Visitor
I have an ax86u with 388.1. I'm using DNS Director to force DNS requests through CleanBrowsing.org with "global filter mode" set to "Router". It works amazingly as a content filter for the family. I'm now wanting to add a WireGuard VPN server to my router so the family can have a safe way to connect to our home network. My concern is that the WireGuard iOS app allows for the network DNS settings to be bypassed. Any user can enter another DNS (e.g. Cloudflare's 1.1.1.1) and there is no longer any filtering.

Now, to get the benefits of CleanBrowsing.org when away from home, I also have a DNS configuration profile on each child's phone forcing requests through CleanBrowsing.org via DoH. Unfortunately, the WireGuard VPN app doesn't inherit the DNS from this profile. It either inherits it from the VPN server on the router, or allows you to enter another DNS.

1. Is there a way to force all DNS requests from VPN clients to follow the DNS Director rules?

2. What does the "permit DNS" setting in the WireGuard settings do?
 
I have the same problem. I use the router as a VPN Client (outgoing traffic via VPN) and also as a VPN Server for when I am not at home. I want my traffic to be

myPhone => VPN to my Home (Wireguard/OpenVPN Server) => PiHole as DNS Srv running in my LAN (192.168.1.xxx) => Outgoing via "upstream VPN"

My DNS Settings are ignored, it uses the "upstream VPN" DNSes, not my LAN IP PiHole one.

I have configured the following:

- LAN -> DHCP Server
-> DNS Server 1 = My PiHole IP (192.168.1.xxx)
-> Advertise routers IP in addition to user-specified DNS = false

- LAN -> DNS Director set to "Router"

- WAN -> Internet Connection
-> DNS Server -> Assign -> My PiHole IP (192.168.1.xxx) is set
-> Forward local domain queries to upstream DNS = No
-> Enable DNS Rebind protection = No

- Client-side DNS settings (I tried the Passepartout, WireGuard and OpenVPN apps on iOS, DNS specifically set to my PiHole LAN IP)

- VPN -> VPN Director rules:
- 10.6.0.0/24 => WGC1 (to redirect all OpenVPN Clients to the upstream VPN)
- 10.9.0.0/24 => WGC1 (to redirect all Wireguard Clients to the upstream VPN)

- I have added the following dnsmasq config to /jffs/configs/dnsmasq.conf.add:
Code:
# strict-order: try the upstream servers in the order listed instead of the fastest responder
strict-order
# add-mac / add-subnet: attach the client MAC and source address (/32) as EDNS0 options to forwarded queries, so an upstream such as Pi-hole can tell LAN clients apart
add-mac
add-subnet=32
# answer reverse lookups for this range locally (hosts/DHCP leases) instead of forwarding them upstream
local=/0.100.10.10.in-addr.arpa/

Neither my OpenVPN clients nor my Wireguard clients are using my local PiHole in my LAN (192.168.1.xxx) as their DNS. They use the one from the upstream VPN.

I also want to add, when opening up the VPN tunnel and checking the logs (e.g. the iOS app Passepartout neatly shows VPN logs) I can see that it indeed does receive the correct DNS (OpenVPN stating "DNS: Using Servers ["192.168.1.xxx"]"; WireGuard does not print such a log entry). My assumption is that by mistake, the VPN Director rules redirect DNS queries towards the upstream VPN or something like that?

What am I missing? Any hints are much appreciated.

Edit: I have an RT-AX86U with Firmware 388.2_2
Edit2: Formatting
 
I can answer my own question: The problem was the Wireguard "upstream VPN" config. In VPN -> VPN Client -> Wireguard, I simply removed the DNS (which was the one from the VPN provider).
 
Are you saying you got Pi-hole DNS working with the ASUS WireGuard server? I'm trying to do that. To get my Pi-hole DNS used in the WireGuard client on my iPhone so I can access private domain names in the LAN when I'm away from home. I can access private IP addresses but not domain names like nextcloud.mydomain.com. The A record and CNAME record for the domains are in Pi-hole.
 
For iOS clients I needed to also override and explicitly set the DNS in the client. Not sure if that is a bug or a limitation of iOS clients, but otherwise it wouldn't work.

Passepartout and the WireGuard app itself allow you to override the DNS. Check the app's log, which prints out the DNS it is using.

If the logs show your intended DNS, also check your DNS Director settings under LAN -> DNS Director in case you redirect by accident.
 
I actually got the WireGuard server to use the Pi-Hole for DNS by going to WAN > DNS Server > Assign then adding my Pi-Hole's IP Address (192.169.50.168) then adding 10.6.0.1/32,192.168.50.0/24 to "Tunnel IPv4 and / or IPv6 address" in VPN > VPN Server > WireGuard. I'm able to use the Pi-Hole for ad blocking and reach private domain names, etc. And I'm using an iPhone 14 and WireGuard App.
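The two things the posts above keep circling are (a) which resolver a WireGuard client actually uses, which on iOS comes from the DNS= line of the client's own [Interface] section and can be edited by the user, and (b) whether queries to that resolver traverse the tunnel at all, which depends on the [Peer] AllowedIPs. The following Python script is an added example, not code from this thread or from the Asuswrt-Merlin firmware: it parses a wg-quick style client config and classifies the DNS setting accordingly. The Pi-hole address, the sample configs and the endpoint name are constructed for the example. Whether DNS Director's port-53 redirect applies to traffic arriving over the tunnel interface is exactly the open question in the first post, so "foreign-in-tunnel" only means the query reaches the router, where such a redirect could act; "foreign-bypass" means the query never leaves the phone's own uplink and nothing at home can filter it. A DoH profile on the phone is invisible to this check.

```python
"""Added example: classify where a WireGuard client's DNS queries will go."""
import ipaddress

# Constructed: assumes the Pi-hole address from the thread's last post.
HOME_RESOLVERS = {"192.168.50.168"}


def parse_wg_config(text):
    """Return (dns_addresses, allowed_networks) from a wg-quick style config."""
    dns, allowed, section = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        items = [v.strip() for v in value.split(",") if v.strip()]
        if section == "interface" and key == "dns":
            for item in items:
                try:                                  # DNS= may also carry search domains
                    dns.append(ipaddress.ip_address(item))
                except ValueError:
                    continue
        elif section == "peer" and key == "allowedips":
            allowed.extend(ipaddress.ip_network(i, strict=False) for i in items)
    return dns, allowed


def routed_via_tunnel(addr, allowed):
    """True if packets for addr are sent into the tunnel (addr falls inside AllowedIPs)."""
    return any(addr in net for net in allowed)


def classify(server, allowed, home):
    if server in home:
        return "home" if routed_via_tunnel(server, allowed) else "home-unroutable"
    if routed_via_tunnel(server, allowed):
        return "foreign-in-tunnel"   # reaches the router; a port-53 redirect there could still catch it
    return "foreign-bypass"          # leaves via the phone's own uplink; nothing at home sees it


def audit(text, home_resolvers=HOME_RESOLVERS):
    """Classify each DNS= address in a client config; [("none", "no-dns-line")] if absent."""
    dns, allowed = parse_wg_config(text)
    home = {ipaddress.ip_address(h) for h in home_resolvers}
    if not dns:
        return [("none", "no-dns-line")]
    return [(str(s), classify(s, allowed, home)) for s in dns]


# Constructed sample client configs; keys and endpoint are placeholders.
FULL_TUNNEL_CLOUDFLARE = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.6.0.2/32
DNS = 1.1.1.1
[Peer]
PublicKey = <router-public-key>
Endpoint = home.example.net:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

# Split tunnel like the last post: only the WireGuard gateway and the LAN go through the tunnel.
SPLIT_TUNNEL_CLOUDFLARE = FULL_TUNNEL_CLOUDFLARE.replace(
    "AllowedIPs = 0.0.0.0/0, ::/0", "AllowedIPs = 10.6.0.1/32, 192.168.50.0/24")

SPLIT_TUNNEL_PIHOLE = SPLIT_TUNNEL_CLOUDFLARE.replace("DNS = 1.1.1.1", "DNS = 192.168.50.168")

if __name__ == "__main__":
    for name, cfg in [("full tunnel, 1.1.1.1", FULL_TUNNEL_CLOUDFLARE),
                      ("split tunnel, 1.1.1.1", SPLIT_TUNNEL_CLOUDFLARE),
                      ("split tunnel, Pi-hole", SPLIT_TUNNEL_PIHOLE)]:
        print(f"{name}: {audit(cfg)}")
```

The split-tunnel case is the one to watch: with AllowedIPs limited to 10.6.0.1/32 and the LAN, a user who swaps the DNS line to 1.1.1.1 sends every lookup straight out over cellular, so neither DNS Director nor the Pi-hole ever sees it. With AllowedIPs = 0.0.0.0/0 the same lookup at least transits the router, which is where a port-53 redirect would have to be applied to the tunnel interface.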
 