[RadTunesly]

Hi all,

I'm newish to home networking and I have a problem that has me stumped. My setup is a bit complex which I thought I understood but I'm getting behaviour I don't understand.

I'm running DD-WRT (v3.0-r59369) on a Netgear R7000 and it's been fantastic. I'm using it as a Wireguard server so I can access my server from outside my LAN securely and also a Wireguard client so all my home traffic runs through NordLynx. All of this works well independently, however Windows clients for my Wireguard server cannot access anything outside of the allowed IPs (ie. the rest of the internet, only my LAN network resources which are included in the Allowed IPs).

The Nord tunnel is on a separate listen port to my Wireguard server tunnel.
I have PBR setup on the Nord tunnel as follows:
Source Routing (PBR): Route Selected sources via WAN
Source for PBR: sport <wireguard server listen port>

This works fine. All my home LAN internet traffic is running through NordLynx wireguard (confirmed by ipleak.com).

The Wireguard server PBR is set to "Route all Sources via VPN"

DD-WRT router and the Wireguard server use two pihole instances, hosted locally on my LAN, for DNS which utilise CNAME resolution via a reverse proxy to access resources via DDNS for "MyDomain.net" through cloudflare.

For testing the Wireguard server, I setup my Windows laptop as a client, connected to my phone via hotspot (ensuring wifi on the phone is turned off). The laptop client has Allowed IPs:
1. <wireguard server IP gateway> (ie xx.xx.xx.1/32)
2. <home LAN network> (ie xx.xx.xx.0/24)
It also uses the IPs of the pihole instances as DNS servers.

When the Wireguard tunnel is activated on the laptop, it can connect to network resources via their "xxx.MyDomain.net" address, but not access the internet.

I also setup my android phone as a Wireguard client, with identical settings to my laptop (except the Wireguard network IP address of course). When the Wireguard tunnel is activated on my phone, I can access local network resources AND the wider internet.

Here's the kicker, when I disable the NordVPN tunnel on my router, and have the Wireguard client activated on my laptop (hotspotted via my phone), I can access local network resources AND the wider internet. This is happening when connected to my phone and supposedly not using my router at all (and the Wireguard client on my phone is not activated).

How could this be possible?

I suspect it may have something to do with DNS (it's always DNS, right ) but why it would work on the android phone and not the windows laptop is beyond me.

I realise there is a lot of info here and a million settings I could share but I thought I'd ask the question first, rather than post pages of screenshots, and see if anyone might be able to direct me to things I could check. Happy to share any details or run any tests that could get me closer to an answer.

Many thanks in advance.

[egc]

Start with removing the DNS servers from the windows client or use 1.1.1.1 as DNS server, reboot your windows client and test again so that you know if it is the DNS to your pihole.

[RadTunesly]

Hi egc,

Appreciate the reply, thank you.

You are correct. I changed the DNS on the windows Wireguard client to 1.1.1.1 and can access the network resources (as well as the wider internet), but only the ones on directly on the main network via their IP address and through HTTP. No domain name resolution to resources with unpublished ports via HTTPS on the docker network (of course, due to no reverse proxy/pihole access).

I'm still not clear on why the windows Wireguard client is using the piholes for DNS resolution when it is connected via my android mobile's cellular data but the Wireguard client on my mobile is not when using the same cellular data and also specifies the piholes IPs for DNS.

I could use DNS forwarding with on the piholes put I would rather not have additional DNS traffic to the piholes that I don't need when friends/family connect to my network via Wireguard. I'm trying to achieve split tunnel so that anything not going to the AllowedIPs is using the client's usual DNS provider and only using the piholes for the specified AllowedIPs in the Wireguard config.

Any ideas on the difference between windows/android Wireguard client's and how to achieve the above?

Thanks again for your time.

[RadTunesly]

Interestingly, I checked ipleak.com on my android phone when connected to my home Wireguard server and it gives the DNS IP address of the NordVPN DNS servers. This is not what I would have expected. I thought it should be using the mobile data provider's DNS servers.

[egc]

I am not sure what you are doing exactly but both the WireGuard client for Android and for Windows support setting a DNS server.

For both my Android and my Windows WireGuard client I have set the DNS server to my WireGuard server at home, which is running DNSMasq and I can resolve local clients this way for both my Android and Windows client.

So everything is working.

Note that to properly work all involved subnets need to be different so your Client's subnet, your WireGuard subnet and the Servers subnet need to be different, e.g. if you Client has subnet 192.168.1.0/24 and your Server also then you cannot reach your pihole from the client.

One other thing your PiHole might not allow DNS request from non local subnets, it also has to allow queries from the WG subnet.

Anyway it does not appear a DDWRT or WireGuard problem as far as I can see.

[RadTunesly]

Based on your response and the fact that I can access local network resources via the DD-WRT Wireguard server, it definitely doesn't seem like there is an issue with DD-WRT.

What I was hoping to do was avoid clients using my local LAN piholes as their DNS servers for all their internet traffic, only for traffic to my LAN via the Wireguard network. Is this possible? Probably the wrong forum to be asking in...

Am I correct in understanding that in your setup that you describe above, your client's wireguard configs are set to allow all traffic (AllowedIPs: 0.0.0.0/0, ::/0), then your Wireguard's DNS server has a DNSMasq configuration to point all your local server traffic to that DNS server for resolution and all other internet traffic to an upstream server (eg 1.1.1.1) for resolution?

Currently my Wireguard client's configs have DNS set to both local pihole instances and my DD-WRT Wireguard tunnel has the "DNS Servers via Tunnel" empty.

To mirror what you're doing, would I need to configure the DNSMasq for the piholes to point to my local DNS servers (put a custom config in "/etc/dnsmasq.d/" pointing to the local piholes). Then the rest of the traffic will flow to the defined upstream DNS server?

If this is out of scope here just let me know, but if you've got some resources to read your could point me to that would be great. Clearly I have more to learn.

Thanks for your help!

[egc]

It looks like you are lacking basic understanding about how things work.

The WireGuard server does not play any role in DNS.

In your WireGuard Client you can set a DNS server which is then used by e.g. that Windows client whether it is a PiHole in your servers LAN or DNSMasq on the router or a public DNS server.

If you use the PiHole it is up to the Pihole to deal with the DNS requests

The only time you cannot use a local DNS server is if your client and server are having the same subnet.

[RadTunesly]

I definitely have some knowledge gaps, still trying to learn. I do understand that Wireguard does not play a role in DNS, only that you set the DNS servers clients using the wireguard tunnel will connect to for their DNS resolution.

Is it correct that when a client is connected to the Wireguard tunnel it can only use the DNS servers specified in the wireguard client config for ALL DNS resolution (not just for AllowedIPs) OR is it actually possible to have it use the DNS servers specified in the wireguard client config for AllowedIPs only and any attempts to connect to IPs outside of the AllowedIPs to use whatever DNS servers are usually used by the client when not connected to the wireguard tunnnel?

Also, I really don't understand differing results between Wireguard windows client and Wireguard android client with the identical settings.

Would I be better taking these questions to a pihole or wireguard specific forum?

Thanks for taking the time to answer, even if the questions seem dumb.

[egc]

[RadTunesly]

Apologies for taking so long to get respond. I implemented this as you suggested and it's working as advertised.

There really isn't a problem with this, I just had the idea that there was no need to for my DNS servers to take on the resolution traffic of my wireguard server's client's. This idea was clearly not feasible and came from a lack of understanding about how wireguard server's work.

Thanks for your time and patience in helping me sort this out.

I've also discovered I have DNS leaks all over the place, which I'll make a separate post about as the solution seems complicated.

[egc]

Great to hear it is working

DNS leaks can be complicated indeed but there is a guide about it with some information which can be found in https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397

[sanjonny]

I also use nord and wireguard in a similar fashion to what you are doing. I mostly connect wireguard on my android mobile and a few other devices while I am out and about to do adblocking so i am not stuck on verizon's awful dns resolution...that being said, you can use outside dns and still connect to your network, i do that all the time.

As to the differences with windows and android clients for wireguard...there is some driver stuff that goes on in windows that has things way behind. I have been doing extensive stuff with that and it makes me hate windows as much as always. I will make changes to the windows connections and they will be minutes behind, and 2 revs etc etc. its not router...its windows, but eventually it will come up correct using the gui. you can also do iprelease/renew and similar to correct some of that and there is a few windows/chrome settings you have to change to prevent windows from overriding you dns...if I remember exactly what they are, ill post. I know I have to change them every new laptop and maybe once a year when windows updates decides to reset things.

BUT, you should still be able to use dns client side if you do not want the devices to use your pihole for their dns.

I just responded to another person about how wireguard is different from say nord...scroll down on this page, hopefully that helps too. Once we figured that out, wireguard made much more sense.

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=338676

That being said, my wife's work laptop makes almost a million requests a day to her work network, because the idiots who set it up and the network at her university where they teach computers stuff, dont cache their active directory structure...(It's cached on my end but they request it over and over again..)So I use adguard but used to use pihole and can tell you that it can handle millions of requests from you attached users...and yes, I have tried to get them to fix that for 2 years...but you know...they are cisco certified...govt haha. One guy didnt even know what a static ip set on device was..(not dhcp)

But dns can go inside wireguard or not, inside Nord or not, depends on your settings. You might have to change your firewall if you force all requests thru the router, but you also could open that up by changing your firewall for the wireguard connection

One final thing, since I have been testing recently, I found a gui setting that at the time was not always retaining for me as discussed in another thread, so double check that your wireguard setting is correct after reboot, which pretty much is a good idea all the time anyway.

Hope this helps

[RadTunesly]

Thank you both.

Following your advice and the linked guides, I was able to resolve the DNS leak issues by changing the upstream DNS servers on my piholes to NordVPNs DNS servers so now that is all working as it would expect it to. I can connect remotely from my phone via the wireguard tunnel and have it exit via the Nord client tunnel and use Nord's DNS servers (Wireguard client app on phone has AllowedIPs set to 0.0.0.0/0 / Wireguard server client in DD-WRT has AllowedIPs set to <wireguard client IP>/32).

I was looking to setup failover tunnels for NordVPN, but I'm not sure about the options (Standby/Running/Failed), it wasn't clear to me in the "wireguard client setup" document. If I wanted to setup 3 client tunnels and make them part of the failover group, what should each of the tunnels be set to? "Running" for the first tunnel and "Standby" for the other 2 tunnels? Are the details of how each option works listed anywhere I've missed?

I also wanted to specify specific network services that clients can access. Some services are on the same host IP at different ports. I would like to be able to access all resources myself but some clients should only be able to access a few (Plex/Piholes/Nginx Reverse Proxy). I expect this needs to be done using iptables and postup/postdown scripts with rules for each client IP, rather than the DD-WRT web interface, is that correct?
If yes, will I need to SSH into the router to save the scripts on the device and specify the paths in the wireguard server settings Route up script/Route down script settings?

I have been learning iptables and expect it will take some testing and trial and error. If there are any good resources that you're aware of that explain implementing this via DD-WRT I'd be grateful if you could point me towards it.

Thanks as always.

[egc]

[RadTunesly]

Thanks once again for your help.