Posted: Thu May 20, 2021 7:36 Post subject: Wireguard + Nextdns + DDNS
I currently use NextDNS, great tool. NextDNS works when I use OpenVPN in combination with DDNS (for NextDNS) as well.
When I activate Wireguard (tunnel is working), however, strange things happen. The IP address that is reported back to NextDNS switches between my WAN IP and the endpoint IP.
Setup currently:
Provider router (Zyxel) is connected to WAN, my own router is running DD-WRT (see signature for versions) and connected to the Zyxel router.
What could be the problem here? I suspect it's because of the DDNS service I'm using on my Linksys router, but I am not sure. I imagine that if I browse to NextDNS through the tunnel, NextDNS will link to my tunnel-ip. Possibly the DDNS service on the router bypasses the tunnel. Could this be the case? _________________ Linksys WRT3200ACM
DD-WRT v3.0-r46069
I have checked 'use external ip'. And it then does use my WAN address. If I uncheck it, it uses a private address.
I would expect that DDNS, when having 'use external ip' checked, also would go through the tunnel and then would report the endpoint ip. Isn't that how it works?
Joined: 18 Mar 2014 Posts: 12837 Location: Netherlands
Posted: Thu May 20, 2021 11:00 Post subject:
djuroutski wrote:
I have checked 'use external ip'. And it then does use my WAN address. If I uncheck it, it uses a private address.
I would expect that DDNS, when having 'use external ip' checked, also would go through the tunnel and then would report the endpoint ip. Isn't that how it works?
Hope this solves it. Will move to firmware version 46069 as well.
UPDATE
Well, policy based routing seemed to do the trick: after specifying the nextdns servers (45.90.28.222/32 and 45.90.30.222/32) in the pbr field I was able to get nextdns working: the website finally showed I was using nextdns. Also, ipset is still working ok, this trick
Code:
iptables -t mangle -A PREROUTING -m set --match-set IPLEAK dst -j MARK --set-mark 40
still is working. Next up: check what happens when I enable DDNS.
UPDATE
Got DDNS working as well: added wan-ip to pbr, et voilà!
If you read all this and think "OMG, what's this dude doing!!!???", please let me know!
Posted: Fri May 21, 2021 11:14 Post subject:
You are using a split tunnel (actually a reverse PBR).
So you probably want all your traffic except the ipset using the tunnel.
But now on the tunnel you enter things in the PBR field which signals to the tunnel to use the default WAN and only for entries in the PBR field to use the tunnel.
This way you are making a mess.
Besides you enter a destination address in the PBR that will not work (you can but not in this way).
WireGuard has a DNS field, if you want to use that specific DNS server *and* have it routed via the tunnel then enter the DNS servers there.
In your earlier posts you were using an OpenVPN tunnel. If you are running an OpenVPN and WireGuard tunnel side-by-side, things get really complicated; of course one of them has to use PBR.
Have Nextdns report back that I'm using their DNS servers. What I do see on their website is that the endpoint ip is correct. I have tried, after upgrading DD-WRT to 46069, to set the DNS servers via tunnel to 45.90.28.222, but that is not enough to use all functionality provided by Nextdns.
What is missing is the ID so that the configuration I created at Nextdns.
In Additional Dnsmasq Options I have set this: add-cpe-id=XXXXXX (X's being my ID) together with:
Any idea in how to get this working? The tunnel on itself is working great, with pbr disabled ipset rules are working fine (again).
Is there any way to achieve this?
UPDATE
Apparently Nextdns functions as a tunnel. So whatever I was trying, it is useless. Of course, using the Nextdns servers through the tunnel, but as the ID doesn't travel through the tunnel it (adblocking etc. by Nextdns) will never work. So, next option would be to set up ad blocking in DD-Wrt, which would play nicely with the Wireguard tunnel. But I've had enough for now
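For anyone debugging the add-cpe-id step above, here is an added example (not from the thread or from dnsmasq/NextDNS) showing what that option actually puts on the wire: dnsmasq carries the string as an EDNS0 option, code 65074 (the value dnsmasq's source names NOMCPEID), inside the OPT record of each upstream query. The script builds such a query and extracts the ID back, which is the same check you can run against a capture on the WireGuard interface to confirm the ID leaves the router through the tunnel; the query name and the ID value are constructed sample data.

```python
import struct
from typing import Optional

# EDNS0 option code dnsmasq uses for --add-cpe-id (65074, NOMCPEID in its source).
CPE_ID_OPTION_CODE = 65074
OPT_TYPE = 41


def build_query(qname: str, cpe_id: Optional[str], txid: int = 0x1234) -> bytes:
    """Wire-format A/IN query; with cpe_id set, an OPT RR carrying the CPE-ID is appended."""
    arcount = 1 if cpe_id is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question += struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    if cpe_id is None:
        return header + question
    data = cpe_id.encode()
    rdata = struct.pack("!HH", CPE_ID_OPTION_CODE, len(data)) + data
    # OPT RR: root name, TYPE 41, UDP payload size 4096, ext-rcode/version/flags all 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(rdata)) + rdata
    return header + question + opt


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a DNS name (handles a compression pointer)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length


def extract_cpe_id(pkt: bytes) -> Optional[str]:
    """Return the CPE-ID found in the packet's OPT RR, or None if no such option exists."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype != OPT_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):  # walk the option list: code, length, data
            code, olen = struct.unpack_from("!HH", rdata, pos)
            pos += 4
            if code == CPE_ID_OPTION_CODE:
                return rdata[pos:pos + olen].decode()
            pos += olen
    return None
```

To check a real capture, feed the UDP payload of a query seen on the tunnel interface to extract_cpe_id; None means dnsmasq did not attach the ID to that query.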