Wireguard DNS leak

[juniorsweet]

I've been happily using @Odkrys' implementation of Wireguard on my AC86U for a while now.

[Experimental] WireGuard for HND platform (4.1.x kernels)

1. Install WireGuard You need Entware-aarch64-3.10 to use wireguard without a new firmware build. ㅡ Kernel Module ㅡ RT-AC86U, GT-AC2900 - 4.1.27 https://github.com/odkrys/entware-makefile-for-merlin/raw/main/wireguard-kernel_1.0.20210219-k27_1_aarch64-3.10.ipk opkg install...

www.snbforums.com

Recently I've run into an issue with leaking DNS requests that I haven't been able to figure out. I've followed @Odkrys tutorial and have modified the S50wireguard code to run in policy mode, and have included my VPN's DNS address.

Mode=client

export LocalIP=***
Route=policy   #default or policy
export wgdns=***
export Nipset=wgvpn

Here's the weird part...the VPN provider's DNS is correctly used for VPN traffic if I have Route set to default, but not when set to policy. This is a problem because I only have a few clients on my network that I want to route through the VPN tunnel, and right now they are leaking DNS queries by using the standard DNS specified by my router for all other clients.

Does anyone have any suggestions for how to troubleshoot or fix this?

 

[L&LD]

What firmware are you using? Specifically?

You may want to test (or at least read) with RMerlin 386.3 Beta 1. See @shabbs journey in that thread.

 

[juniorsweet]

What firmware are you using? Specifically?

You may want to test (or at least read) with RMerlin 386.3 Beta 1. See @shabbs journey in that thread.

Thanks for the reply @L&LD. As of this afternoon I am running the latest 386.3 Beta 1, but the DNS leak was a problem with the prior full release version 386.2_6 as well.

I did see @shabbs discussion on the beta thread. My understanding was that his issue was tied to openVPN and VPN Director. Is there a similar Accept DNS Configuration setting for Wireguard as is used for openVPN?

 

[shabbs]

Yeah, my issue was specific to the OpenVPN client and my DNS config but it sounds like a similar issue with the clients not using the VPN DNS via the established tunnel. I'm not familiar with the Wireguard config on Asuswrt. Are you not able to use OpenVPN?

 

[juniorsweet]

Yeah, my issue was specific to the OpenVPN client and my DNS config but it sounds like a similar issue with the clients not using the VPN DNS via the established tunnel. I'm not familiar with the Wireguard config on Asuswrt. Are you not able to use OpenVPN?

I had originally used OpenVPN but found the connection to be pretty unstable. Since switching to wireguard, my connection has been faster and rock solid.

Anyone familiar with wireguard have any ideas?

 

[ZebMcKayhan]

I had originally used OpenVPN but found the connection to be pretty unstable. Since switching to wireguard, my connection has been faster and rock solid.

Anyone familiar with wireguard have any ideas?

As far as I can see, when you use policy mode @Odkrys scripts (wg-policy) the $WGDNS is not used.

I have been using @Martineau Wireguard Session Manager now for acouple of months and I'm really surprised in how well it works in policy mode. I manage to run 3 subnets (1 lan and 2 guests)
one routed out wan and uses wan dns(through wan),
one routed out wg client 1 and uses wgdns (through wg1)
one routed out wg client 2 and uses dnsmasq/unbound bound to the same wg interface.
No leaks for the clients that uses wg client 2 and the other ones could easily be set to the same dns but this is how I like it.

In policy mode wgm uses dnat to forward your dns queries according to your source rules to wgdns (as far as I understand).

You find most info you need in the thread, otherwise I'll be happy to help you were I can.

//Zeb

 

[juniorsweet]

As far as I can see, when you use policy mode @Odkrys scripts (wg-policy) the $WGDNS is not used.

I have been using @Martineau Wireguard Session Manager now for acouple of months and I'm really surprised in how well it works in policy mode. I manage to run 3 subnets (1 lan and 2 guests)
one routed out wan and uses wan dns,
one routed out wg client 1 and uses wgdns one routed out wg client 2 and uses dnsmasq/unbound bound to the same wg interface.
No leaks for the clients that uses wg client 2 and the other ones could easily be set to the same dns but this is how I like it.

In policy mode wgm uses dnat to forward your dns queries according to your source rules to wgdns (as far as I understand).

You find most info you need in the thread, otherwise I'll be happy to help you were I can.

//Zeb

Thanks @ZebMcKayhan, appreciate this suggestion. I had avoided taking the plunge with Wireguard Session Manager since my setup is pretty simple (single client instance, no WG server), but it sounds like this may be the best option to solve my DNS leak issue.

It's too bad there isn't a simple fix that could be applied to @Odkrys code, which works fine otherwise for my needs.

 

[ZebMcKayhan]

Well, you could always take the long way and paste in wg-up way in wg-policy:

if [ "$wgdns" != "" ] && [ ! -f /tmp/resolv.dnsmasq_backup ]; then {
        cp /tmp/resolv.dnsmasq /tmp/resolv.dnsmasq_backup 2>/dev/null
                echo "server=$wgdns" > /tmp/resolv.dnsmasq
                service restart_dnsmasq
        }
fi

But I have no idea of the implication and more work you need to put in. This will make dnsmasq use your wgdns but probably through wan since it is not bound to any specific interface and how to make that is beyond me. It will also make your wan device query the same way.
Policy routing and dns is notoriously difficult.

//Zeb

 

[juniorsweet]

Well, you could always take the long way and paste in wg-up way in wg-policy:

if [ "$wgdns" != "" ] && [ ! -f /tmp/resolv.dnsmasq_backup ]; then {
        cp /tmp/resolv.dnsmasq /tmp/resolv.dnsmasq_backup 2>/dev/null
                echo "server=$wgdns" > /tmp/resolv.dnsmasq
                service restart_dnsmasq
        }
fi

But I have no idea of the implication and more work you need to put in. This will make dnsmasq use your wgdns but probably through wan since it is not bound to any specific interface and how to make that is beyond me. It will also make your wan device query the same way.
Policy routing and dns is notoriously difficult.

//Zeb

Another great suggestion! I had the same thought and was in the middle of testing this out when I saw your response come through.

As you suspected...simply copying and pasting the dns code from wg-up to wg-policy did not produce the desired result. In my case it meant that I was unable to resolve any address when the VPN tunnel was up.

Looks like I'll be setting up Wireguard Session Manager and giving that a try this weekend...

 

[ZebMcKayhan]

As you suspected...simply copying and pasting the dns code from wg-up to wg-policy did not produce the desired result. In my case it meant that I was unable to resolve any address when the VPN tunnel was up.

I guess your wgdns is not accessible from wan which is quite common. Trying to bind dnsmasq feels risky so other option is to place the dnat rules in netfilter yourself. I think setting up wireguard manager will be a lot faster and require less future maintenence.
Good luck!
//Zeb