DNS Problems with Wireguard and Destination Based Routing.

DD-WRT Forum Index -> Advanced Networking
brrfpm
DD-WRT Novice


Joined: 22 Jul 2020
Posts: 7

PostPosted: Sat Jul 25, 2020 1:52    Post subject: DNS Problems with Wireguard and Destination Based Routing.
Hi all,

I am attempting to route my network's traffic through a Wireguard VPN for a single destination. I've set that up and it's working fine, but my problem is that I have DNS leakage for this routing.

To test the routing I'm currently using dnsleaktest.com as the destination (23.239.16.110). I would like to route DNS queries over the VPN for only this destination to fix the leak, but currently the only solution I've found specific to Wireguard results in DNS queries being sent via the VPN, also affecting all clients which are not using the VPN. (Placing the DNS in the Allowed IPs field as suggested by the DDWRT WireGuard Client Setup guide.)

I've referred to previous posts in this forum, the wiki, egc's guides, reddit, google, etc., and can't seem to find a solution specific to Wireguard; a lot of it is for older versions of DDWRT or aimed at ovpn. I've enabled "Query DNS in strict order", used no-resolv, Forced DNS Redirection, etc., etc.

Thanks for your time and I hope someone can help me achieve this as I feel I'm banging my head against a wall at this stage.
By addressing this issue it should also answer my question of how to do this for PBR. I also have questions relating to routing per port and ipv6 for Wireguard but they're probably best saved for another post. Cheers!

Router Model
Asus RT-AC3200
Firmware Version
DD-WRT v3.0-r43904 std (07/23/20)
Kernel Version
Linux 4.4.231-rc1 #656 SMP Thu Jul 23 08:32:33 +04 2020 armv7l
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5894
Location: Netherlands

PostPosted: Sat Jul 25, 2020 8:26    Post subject:
The client asks the router to query for DNS so the router itself does the querying.

You cannot tell the router (DNSMASQ) to send a DNS query for a specific client to use a specific route.

What you can do is to let DNSMASQ use different DNS servers for different clients.

Let's say you instruct DNSMASQ to let normal clients use 8.8.8.8 and the WG clients use 8.8.4.4 (all Google DNS servers).
Then you set 8.8.4.4 in the allowed IPs and that is routed through WG.

See the "DDWRT DNS Problems with Policy Based Routing v1.04.pdf": https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686 to view how to tweak DNSMASQ to hand out different DNS servers for different clients.

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard server setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Wireguard client setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624
Wireguard Advanced setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
brrfpm
DD-WRT Novice


Joined: 22 Jul 2020
Posts: 7

PostPosted: Sat Jul 25, 2020 18:09    Post subject:
Hi egc,

Thanks for the tips. I think this will help solve my issue for PBR clients, but I'm still stumped when it comes to my original issue with Destination Based Routing, as it's not just a single client running through the tunnel but every client on the network.

The tunnel is set up with no clients in the PBR field and currently the IP for dnsleaktest.com for testing is in the Allowed IPs field (23.239.16.110) and the kill switch off. This means that traffic for any user on the network will travel through the tunnel only if they visit dnsleaktest.com but for every other destination on the web it is as if they're not traveling through a tunnel. This is working fine bar the DNS leak happening at dnsleaktest.com and I'm stumped trying to figure out how to use different DNS servers for this single Destination Based Routing as every client can potentially visit this website. Thanks again.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5894
Location: Netherlands

PostPosted: Sun Jul 26, 2020 8:33    Post subject:
To mitigate a DNS leak you have to route the query to the DNS server via the VPN, as outlined in the document I pointed to :)
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 5695
Location: Akershus, Norway

PostPosted: Sun Jul 26, 2020 9:42    Post subject:
A solution is to add the host to local DNS.

Add in Additional DNSMasq Options:

host-record=dnsleaktest.com,23.239.16.110
brrfpm
DD-WRT Novice


Joined: 22 Jul 2020
Posts: 7

PostPosted: Mon Jul 27, 2020 3:23    Post subject:
Thanks for the replies guys. I feel I'm closer to implementing what I'm looking for.
Hi Per, could you elaborate a bit further for me? I've added the host-record to dnsmasq options, but I'm not quite sure how to do anything with it. What does this solution entail? Do I still need to route the query to the DNS server via Wireguard's Allowed IPs? How exactly should my DNS be configured for this solution you suggest?

I should probably specify my current DNS setup:
Local DNS: 0.0.0.0

Static DNS 1-3: 0.0.0.0

Use DNSMasq for DNS: Enabled

Forced DNS Redirection: Enabled

No DNS Rebind: Enabled

Query DNS in Strict Order: Enabled

DNSmasq Options: no-resolv, server=1.1.1.1, your host record suggestion, will be adding dhcp-host and dhcp-options for PBR.

Thanks.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5894
Location: Netherlands

PostPosted: Mon Jul 27, 2020 10:45    Post subject:
So your DNS server is 1.1.1.1.

If you place that in Allowed IPs (and enable routing of allowed IPs), then all queries to that DNS server are routed through the VPN.

You can use multiple DNS servers for different clients as outlined in my previous post.

brrfpm
DD-WRT Novice


Joined: 22 Jul 2020
Posts: 7

PostPosted: Mon Jul 27, 2020 14:09    Post subject:
Hi egc,

Thanks for your replies. Yeah, I've figured as much: it seems that for the different VPN routes I need to use different DNS servers.
Currently for destination based routing I'm using "server=/dnsleaktest.com/1.0.0.1" in dnsmasq with "23.239.16.110,1.0.0.1" in AllowedIPs and nothing in the PBR field obviously. For policy based routing clients I will be using the dhcp-host / dhcp-options method.

I'm eager to hear more about host-record as mentioned by Per, as my current method for destination based routing feels quite inelegant: it worked fine for dnsleaktest.com as an example, but when I tested it with browserleaks.com (104.236.69.55) it didn't resolve the VPN DNS. Thanks.
brrfpm
DD-WRT Novice


Joined: 22 Jul 2020
Posts: 7

PostPosted: Tue Jul 28, 2020 5:03    Post subject:
In regards to PBR you might be able to help me see something I'm missing. I'm still getting DNS leak for the PBR client and I can't figure out why after following your guide and forums online.

Wireguard Tunnel for PBR Client
In the Policy Based Routing field I have the IP of the client. (Example: 192.168.1.10) In the Allowed IPs field I have: "8.8.8.8,0.0.0.0/1,128.0.0.0/1"

Dnsmasq
no-resolv
server=1.1.1.1
server=/test.com/8.8.4.4 (For my DBR)
dhcp-host=AA:BB:CC:DD:EE:FF,set:altdnsgw,192.168.1.10,Test,infinite
dhcp-option=tag:altdnsgw,option:dns-server,8.8.8.8

I can see the Static Lease set for 192.168.1.10 under the Status page with hostname "Test", etc confirming that worked.

Despite all these settings this client is still using 1.1.1.1 and ignoring the DNS set for "altdnsgw". Removing "server=1.1.1.1" doesn't suddenly cause it to use 8.8.8.8 for example (even though I didn't expect it to), it just results in this client having no DNS. Is there a reason for this I'm missing? Thanks again.


Last edited by brrfpm on Tue Jul 28, 2020 15:38; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5894
Location: Netherlands

PostPosted: Tue Jul 28, 2020 8:18    Post subject:
On first glance I do not see anything obviously wrong.

Make sure you do not set a static IP address in the GUI.

Make sure you set a static IP address outside the DHCP scope!

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5894
Location: Netherlands

PostPosted: Tue Jul 28, 2020 15:09    Post subject:
To add some things,

You can check if the routing is correct from CLI (telnet/putty) with:
ip route show

I am assuming you are using default settings so you have "Forced DNS Redirection" on Setup disabled.

brrfpm
DD-WRT Novice


Joined: 22 Jul 2020
Posts: 7

PostPosted: Tue Jul 28, 2020 15:37    Post subject:
Hi, thanks for these responses, it's all been helpful so far.

I have the client's static IP set on the client itself and have made sure to set it outside the DHCP scope (192.168.1.10). I had "Forced DNS Redirection" enabled and have now disabled it, and the leak seems to have stopped.

I assumed it was desirable to force all clients' DNS requests through DNSMasq as mentioned in the guide, but is this the reason it was resolving to 1.1.1.1 despite the DNS being set for "altdnsgw" by dhcp-option?

Just to be sure I'm not missing anything else these are my current settings:
Router IP
Local IP: 192.168.1.98
Gateway: 0.0.0.0
Local DNS: 0.0.0.0

Network Address Server Settings (DHCP)
Start IP Address: 192.168.1.100
Static DNS 1 to 3: 0.0.0.0
Use DNSMasq for DNS: Enabled
DHCP-Authoritative: Enabled
Recursive DNS Resolving (Unbound): Disabled
Forced DNS Redirection: Disabled (Was enabled when leaking)

Dnsmasq
Dnsmasq: Enabled
No DNS Rebind: Enabled
Query DNS in Strict Order: Enabled
The rest of the radio buttons are disabled here.

My additional Dnsmasq Options are the same as above.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5894
Location: Netherlands

PostPosted: Tue Jul 28, 2020 16:27    Post subject:
Indeed, Forced DNS redirection will intercept any DNS query and force it through the router, hence it will use 1.1.1.1.

So you have to disable it :)

Everything else looks OK (well query DNS in strict order has no use as you are using no-resolv but that does not matter)

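Putting the mechanisms from this thread together (egc's per-client DNS via dhcp-host/dhcp-option tags, Per's host-record, the server=/domain/ upstream, and the effect of Forced DNS Redirection), here is an added Python model, not code from DD-WRT or from anyone in the thread, that parses such dnsmasq options and reports, for a given client and name, who answers the query, which upstream it reaches, and whether that upstream sits inside the relevant tunnel's AllowedIPs. The OPTIONS sample and the two AllowedIPs strings are constructed from the settings posted above, and the function names are my own.

```python
import ipaddress

def parse_dnsmasq(text):
    cfg = {"host": {}, "domain": {}, "default": [], "tagdns": {}, "clienttag": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:                          # e.g. no-resolv
            continue
        key, val = line.split("=", 1)
        parts = val.split(",")
        if key == "host-record":                     # host-record=name,ip: answered locally
            cfg["host"][parts[0]] = parts[1]
        elif key == "server" and val.startswith("/"):  # server=/domain/ip: per-domain upstream
            cfg["domain"][val.split("/")[1]] = val.split("/")[2]
        elif key == "server":                        # plain server=ip: default upstream
            cfg["default"].append(val)
        elif key == "dhcp-host":                     # dhcp-host=MAC,set:tag,ip,name,lease
            cfg["clienttag"][parts[2]] = next((p[4:] for p in parts if p.startswith("set:")), None)
        elif key == "dhcp-option" and len(parts) > 2 and parts[1] == "option:dns-server":
            cfg["tagdns"][parts[0][4:]] = parts[2]   # tag:name,option:dns-server,ip
    return cfg

def in_allowed(ip, allowed_ips):
    """True if ip is covered by any WireGuard AllowedIPs entry (host or CIDR)."""
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(a.strip(), strict=False)
               for a in allowed_ips.split(","))

def dns_path(cfg, client_ip, qname, router_allowed, client_allowed=None, forced=False):
    """Return (who answers, upstream or None, upstream reached via tunnel or None). router_allowed:
    AllowedIPs of the tunnel with an empty PBR field; client_allowed: those of the client's PBR tunnel."""
    tag = cfg["clienttag"].get(client_ip)
    if tag in cfg["tagdns"] and not forced:          # client queries its DHCP-assigned server
        srv = cfg["tagdns"][tag]
        return ("client", srv, bool(client_allowed) and in_allowed(srv, client_allowed))
    if qname in cfg["host"]:                         # otherwise the router does the querying
        return ("router-local", None, None)
    for dom, srv in cfg["domain"].items():
        if qname == dom or qname.endswith("." + dom):
            return ("router", srv, in_allowed(srv, router_allowed))
    return ("router", cfg["default"][0], in_allowed(cfg["default"][0], router_allowed))

OPTIONS = """no-resolv
server=1.1.1.1
server=/test.com/8.8.4.4
host-record=dnsleaktest.com,23.239.16.110
dhcp-host=AA:BB:CC:DD:EE:FF,set:altdnsgw,192.168.1.10,Test,infinite
dhcp-option=tag:altdnsgw,option:dns-server,8.8.8.8"""
DBR_ALLOWED = "23.239.16.110,8.8.4.4"                # constructed: tunnel with empty PBR field
PBR_ALLOWED = "8.8.8.8,0.0.0.0/1,128.0.0.0/1"         # constructed: tunnel whose PBR field is 192.168.1.10
CFG = parse_dnsmasq(OPTIONS)                         # OPTIONS: constructed sample from the thread's posts
```

With forced=True the PBR client's query is answered by the router's default upstream over the WAN, which is the leak observed in the thread; with it off, the client reaches 8.8.8.8 through its own tunnel.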
brrfpm
DD-WRT Novice


Joined: 22 Jul 2020
Posts: 7

PostPosted: Sat Aug 01, 2020 18:02    Post subject:
Thanks for all the responses on this. Helped me to understand it better and I was finally able to implement what I needed. Thanks again!