Wireguard DNS leak

juniorsweet

Occasional Visitor
I've been happily using @Odkrys' implementation of Wireguard on my AC86U for a while now.

Recently I've run into an issue with leaking DNS requests that I haven't been able to figure out. I've followed @Odkrys' tutorial and have modified the S50wireguard code to run in policy mode, and have included my VPN's DNS address.

Code:
Mode=client

export LocalIP=***
Route=policy   #default or policy
export wgdns=***
export Nipset=wgvpn

Here's the weird part...the VPN provider's DNS is correctly used for VPN traffic if I have Route set to default, but not when set to policy. This is a problem because I only have a few clients on my network that I want to route through the VPN tunnel, and right now they are leaking DNS queries by using the standard DNS specified by my router for all other clients.

Does anyone have any suggestions for how to troubleshoot or fix this?
 
What firmware are you using? Specifically?

You may want to test (or at least read) with RMerlin 386.3 Beta 1. See @shabbs journey in that thread.
 
Thanks for the reply @L&LD. As of this afternoon I am running the latest 386.3 Beta 1, but the DNS leak was a problem with the prior full release version 386.2_6 as well.

I did see @shabbs' discussion on the beta thread. My understanding was that his issue was tied to OpenVPN and VPN Director. Is there a similar Accept DNS Configuration setting for Wireguard as is used for OpenVPN?
 
Yeah, my issue was specific to the OpenVPN client and my DNS config but it sounds like a similar issue with the clients not using the VPN DNS via the established tunnel. I'm not familiar with the Wireguard config on Asuswrt. Are you not able to use OpenVPN?
 
I had originally used OpenVPN but found the connection to be pretty unstable. Since switching to wireguard, my connection has been faster and rock solid.

Anyone familiar with wireguard have any ideas?
 
As far as I can see, when you use policy mode in @Odkrys' scripts (wg-policy), the $WGDNS is not used.

I have been using @Martineau's Wireguard Session Manager now for a couple of months and I'm really surprised at how well it works in policy mode. I manage to run 3 subnets (1 lan and 2 guests):
one routed out wan and uses wan dns (through wan),
one routed out wg client 1 and uses wgdns (through wg1),
one routed out wg client 2 and uses dnsmasq/unbound bound to the same wg interface.
No leaks for the clients that use wg client 2, and the other ones could easily be set to the same dns, but this is how I like it.

In policy mode wgm uses DNAT to forward your dns queries according to your source rules to wgdns (as far as I understand).

You find most info you need in the thread, otherwise I'll be happy to help you where I can.

//Zeb
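The DNAT approach Zeb describes, as an added example that is not part of the thread and not code from Odkrys' scripts or from Wireguard Session Manager. It assumes the ipset name from the first post (wgvpn) and uses a placeholder for the tunnel DNS address; both can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not code from the thread or from Odkrys'/Martineau's scripts:
# generates the iptables DNAT rules that steer port-53 traffic from the
# policy-routed clients (the ipset named in the first post) to the tunnel DNS,
# which is what the thread says wgm does in policy mode. The DNS address is a
# placeholder; override WGDNS and NIPSET via the environment.
WGDNS="${WGDNS:-10.2.0.1}"    # placeholder for the VPN provider's DNS address
NIPSET="${NIPSET:-wgvpn}"     # ipset of LAN clients routed through the tunnel

# Print one iptables command per line; $1 is -I (insert) or -D (delete).
# PREROUTING nat runs before the routing decision, so queries aimed at the
# router's own dnsmasq are rewritten too and then follow the ipset's policy
# route into the tunnel instead of being answered over the WAN. Only plain
# port-53 DNS is covered; DoT (853) or DoH (443) from a client is not caught.
dns_dnat_cmds() {
    act="$1"
    for proto in udp tcp; do
        echo "iptables -t nat $act PREROUTING -m set --match-set $NIPSET src" \
             "-p $proto --dport 53 -j DNAT --to-destination $WGDNS"
    done
}

# Run the commands. Inserts are skipped when the rule already exists (-C),
# so calling this from a hook that fires more than once does not stack rules.
dns_dnat_apply() {
    act="$1"
    dns_dnat_cmds "$act" | while IFS= read -r cmd; do
        if [ "$act" = "-I" ]; then
            chk=$(printf '%s' "$cmd" | sed 's/ -I / -C /')
            $chk >/dev/null 2>&1 && continue
        fi
        $cmd
    done
}

# Check: count the PREROUTING DNAT rules present for this ipset (needs root).
# Expect 2 (udp and tcp) while the tunnel is up, 0 after "down".
dns_dnat_present() {
    iptables -t nat -S PREROUTING 2>/dev/null |
        grep -c -- "--match-set $NIPSET src.*--dport 53 -j DNAT"
}

case "${1:-show}" in
    show) dns_dnat_cmds -I ;;
    up)   dns_dnat_apply -I ;;
    down) dns_dnat_apply -D ;;
esac
```

Run it as `sh dns-dnat.sh show` to print the rules, and `up`/`down` to insert or remove them; it relies on the existing policy route for the ipset and on the tunnel interface's MASQUERADE rule to carry the rewritten queries and their replies.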
 
Thanks @ZebMcKayhan, appreciate this suggestion. I had avoided taking the plunge with Wireguard Session Manager since my setup is pretty simple (single client instance, no WG server), but it sounds like this may be the best option to solve my DNS leak issue.

It's too bad there isn't a simple fix that could be applied to @Odkrys code, which works fine otherwise for my needs.
 
Well, you could always take the long way and paste the wg-up way into wg-policy:
Code:
if [ "$wgdns" != "" ] && [ ! -f /tmp/resolv.dnsmasq_backup ]; then {
        # back up dnsmasq's upstream list once, then point it at the tunnel DNS
        cp /tmp/resolv.dnsmasq /tmp/resolv.dnsmasq_backup 2>/dev/null
        echo "server=$wgdns" > /tmp/resolv.dnsmasq
        service restart_dnsmasq
    }
fi

But I have no idea of the implications and how much more work you need to put in. This will make dnsmasq use your wgdns, but probably through wan since it is not bound to any specific interface, and how to do that is beyond me. It will also make your wan device query the same way.
Policy routing and dns is notoriously difficult.

//Zeb
 
Another great suggestion! I had the same thought and was in the middle of testing this out when I saw your response come through.

As you suspected...simply copying and pasting the dns code from wg-up to wg-policy did not produce the desired result. In my case it meant that I was unable to resolve any address when the VPN tunnel was up.

Looks like I'll be setting up Wireguard Session Manager and giving that a try this weekend...
 
I guess your wgdns is not accessible from wan, which is quite common. Trying to bind dnsmasq feels risky, so the other option is to place the dnat rules in netfilter yourself. I think setting up wireguard manager will be a lot faster and require less future maintenance.
Good luck!
//Zeb