Wireguard + NextDNS

[junn0]

Hello everyone! I have a RT-AX88u and have the latest Merlin firmware. I am currently using dnscrypt and I use nextdns as my resolver. I am also using mullvad vpn tied to one of the interfaces under vpn director. To make this setup work I had to delete the dns server configuration in the wireguard client so that I force it to use nextdns and I had to create a DDNS to constantly update my WAN IP (otherwise nextdns wouldn't work if it didn't know the IP of my WAN). When using test.nextdns.io to test my config I see the src ip to belong tp my vpn IP (which is good) and the value for client field is my WAN IP. My question is, if I am doing this setup are all my dns queries passing thru my VPN tunnel then to my dnscrypt relay or are my dns queries using a split tunnel (outside my wireguard vpn tunnel) to get my dns queries resolved? Any help would be appreciated!

 

[Zastoff]

Here is a guide for nextdns/controld dns service for dnscrypt-proxy
Also recommend to set DNS-Director to global mode =Router

Not sure but you may need to change in VPN-director so it uses the routers internal address as dns in my case 192.168.1.1 then dns will go thru dnscrypt-proxy

To force/remark DNS traffic to vpn provider tunnel ip (port 53 traffic) i think it can be done with iptables only think i have a example.

Ip tables for VPN and DNSCrypt (in nat-start)

#!/bin/sh

iptables -t nat -D PREROUTING -i tun11 -p udp ! --source $(nvram get lan_ipaddr) ! --destination $(nvram get lan_ipaddr) --dport 53 -j DNAT --to $(nvram get lan_ipaddr) 2>/dev/null
iptables -t nat -D PREROUTING -i tun11 -p tcp ! --source $(nvram get lan_ipaddr) ! --destination $(nvram get lan_ipaddr) --dport 53 -j DNAT --to $(nvram get lan_ipaddr) 2>/dev/null
iptables -t nat -A PREROUTING -i tun11 -p udp ! --source $(nvram get lan_ipaddr) ! --destination $(nvram get lan_ipaddr) --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i tun11 -p tcp ! --source $(nvram get lan_ipaddr) ! --destination $(nvram get lan_ipaddr) --dport 53 -j DNAT --to $(nvram get lan_ipaddr)

tun11 in this case is Openvpn client1 so that needs to be changed to what the wireguard interface is called i think.

Hope this can help!
Best regards Zastoff

 

[junn0]

Hello Zastoff! Your guide in that link was what I followed to make DNSCrypt work with NextDNS. It works great! To edit the IP tables I am not sure how to perform that (really a beginner in this networking). So after I am ssh'ed into the router I would have to type in "in nat-start" and add those entries in and just edit the tun interface to my wireguard client is that correct?

 

[Zastoff]

In JFFS/scripts nat-start : Those iptables should be enterd but as you wrote edited to wireguard inteface

A router reboot so the iptables are applied.

Also do a backup of the JFFS and router setting before you edit/try new stuff that way you can restore if things do not work as you like.
In router gui in administration you have backup options.

Also edited my previous post bit also as you may need to edit in vpn-director also

I have never used wireguard vpn client only done this with Openvpn client

 

[junn0]

Got it. Currently at work but will give that a go later tonight. Thank you so much!

 

[Caesar the Dictator]

@junn0 hi,

If you use the DoT on your router instead of DNSCrypt, there is a very good job to monitor your DNS queries in real time. You can see whether you are using Do53 or DoT, and in both cases whether DNS queries are going through the WAN or through the VPN tunnel. Here is that beautiful work of @eibgrad: https://www.snbforums.com/threads/how-to-monitor-dns-traffic-in-real-time.77151/

I used to add the IP address of a DoT server to VPN Director, which I added to the relevant section in the WAN settings, so that all my devices' DNS queries used the DoT address and went through the VPN client of my choice. If you want to try this, add at least 1 Do53 address to the WAN DNS settings or use your ISP's DNS server (so you should have 2 DNS servers at the same time, 1 Do53 and one DoT. This setup will force your devices to use the DoT server). Since you are forwarding the IP address of the NextDNS DoT server to a VPN, when your router restarts, it will be able to do the name resolution it needs through Do53 and then your VPN clients will be up and running. You'll have to excuse me for not being able to explain this like the expert members because I'm just a regular user.

Whatever, But I stopped doing this because I found that I was diverging from the web traffic pattern of other people using my VPN provider, meaning that other VPN users were using my VPN provider's own DNS servers, unlike I was doing. I chose to use my VPN provider's ad-blocking DNS server, even though it wasn't perfect.

If you're using NextDNS to block ads, you might want to consider using your VPN provider's ad-blocking DNS. You mentioned that you use Mullvad VPN, and I see that Mullvad offers a lot of options for its users. If I counted correctly, they have exactly 31 DNS servers! https://github.com/mullvad/dns-blocklists

Please don't think that I'm sticking my nose in your business or disrespecting your preferences, but if I were you, I'd just put 100.64.0.31 (the DNS that blocks everything) from Mullvad VPN in the DNS address of my Wireguard VPN client and be done with it!

 

[junn0]

Please don't think that I'm sticking my nose in your business or disrespecting your preferences, but if I were you, I'd just put 100.64.0.31 (the DNS that blocks everything) from Mullvad VPN in the DNS address of my Wireguard VPN client and be done with it!

Hey man! No, not at all! I was considering that at the start as well and just use Mullvad's ad blocking service and be done with it! Lol! But I realized DNS queries are encrypted anyway and it egressing from the vpn or my WAN is of no importance at all. And me bothering with it is just a waste of time lol. But thank you guys tho!