Wireguard + Nextdns + DDNS

djuroutski
DD-WRT Novice


Joined: 09 May 2021
Posts: 14

Posted: Thu May 20, 2021 7:36    Post subject: Wireguard + Nextdns + DDNS
I currently use NextDNS, great tool. NextDNS works when I use OpenVPN in combination with DDNS (for NextDNS) as well.

When I activate Wireguard (tunnel is working), however, strange thing(s) happen. The IP address that is reported back to NextDNS switches between my WAN IP and the endpoint IP.

Setup currently:
Provider router (Zyxel) is connected to WAN, my own router is running DD-WRT (see signature for versions) and connected to the Zyxel router.

What could be the problem here? I suspect it's because of the DDNS service I'm using on my Linksys router, but I am not sure. I imagine that if I browse to NextDNS through the tunnel, NextDNS will link to my tunnel-ip. Possibly the DDNS service on the router bypasses the tunnel. Could this be the case?

_________________
Linksys WRT3200ACM
DD-WRT v3.0-r46069


Last edited by djuroutski on Thu May 20, 2021 10:02; edited 1 time in total
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14126
Location: Texas, USA

Posted: Thu May 20, 2021 9:40    Post subject:
Router model and build information is not visible in your "signature". Please provide or fix your profile.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
djuroutski
DD-WRT Novice


Joined: 09 May 2021
Posts: 14

Posted: Thu May 20, 2021 10:03    Post subject:
sorry, forgot to check that option Cool

fixed my profile, won't happen again Very Happy
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Thu May 20, 2021 10:18    Post subject:
The DDNS service normally takes your WAN IP address unless you check "Use External IP Check".

However, you should take care of the update frequency, otherwise it will take a while before the IP address is changed from the WAN IP to the tunnel IP.

(I have no experience with NextDNS)

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
djuroutski
DD-WRT Novice


Joined: 09 May 2021
Posts: 14

Posted: Thu May 20, 2021 10:48    Post subject:
I have checked 'use external ip'. And it then does use my WAN address. If I uncheck it, it uses a private address.
I would expect that DDNS, when having 'use external ip' checked, also would go through the tunnel and then would report the endpoint ip. Isn't that how it works?

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Thu May 20, 2021 11:00    Post subject:
djuroutski wrote:
I have checked 'use external ip'. And it then does use my WAN address. If I uncheck it, it uses a private address.
I would expect that DDNS, when having 'use external ip' checked, also would go through the tunnel and then would report the endpoint ip. Isn't that how it works?


Not a DDNS expert, but yes, that is how I think it works. But as said, you have to take care of the update frequency, so depending on that setting it can take a while before it updates.

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Thu May 20, 2021 11:42    Post subject:
Still not a DDNS expert but after the tunnel is up try (from the CLI):
Code:
restart ddns


If that works you can make a script with that instruction and add that script as route-up script in WG


P.S. 44715 is a bit old:
To get the best out of DDWRT and the forum read the forum guidelines with helpful pointers:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

djuroutski
DD-WRT Novice


Joined: 09 May 2021
Posts: 14

Posted: Thu May 20, 2021 12:41    Post subject:
Quote:
P.S. 44715 is a bit old:
To get the best out of DDWRT and the forum read the forum guidelines with helpful pointers:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087


lol, I was using the router database Laughing
What is a good stable version?

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Thu May 20, 2021 13:33    Post subject:
djuroutski wrote:
Quote:
P.S. 44715 is a bit old:
To get the best out of DDWRT and the forum read the forum guidelines with helpful pointers:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087


lol, I was using the router database Laughing
What is a good stable version?



The forum guidelines (https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087) will tell you where to download and how to research what is a good build for you.

djuroutski
DD-WRT Novice


Joined: 09 May 2021
Posts: 14

Posted: Thu May 20, 2021 14:18    Post subject:
egc wrote:
Still not a DDNS expert but after the tunnel is up try (from the CLI):
Code:
restart ddns


If that works you can make a script with that instruction and add that script as route-up script in WG


P.S. 44715 is a bit old:
To get the best out of DDWRT and the forum read the forum guidelines with helpful pointers:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087


...or even as simple as entering the wrong username > apply settings > revert to correct user name

After (again) entering valid credentials ddns is updated.


Later on tonight I will try this:
- disable ddns
- use these settings in additional Dnsmasq options:
Code:
no-resolv
bogus-priv
strict-order
server=45.90.30.0
server=45.90.28.0
add-cpe-id=<nextdnscode>

- no peer tunnel ip, no peer tunnel dns

Hope this solves it. Will move to firmware version 46069 as well.


UPDATE
Well, policy based routing seemed to do the trick: after specifying the nextdns servers (45.90.28.222/32 and 45.90.30.222/32) in the pbr field I was able to get nextdns working: the website finally showed I was using nextdns. Also, ipset is still working ok, this trick

Code:
iptables -t mangle -A PREROUTING -m set --match-set IPLEAK dst -j MARK --set-mark 40


still is working. Next up: check what happens when I enable DDNS. Smile

UPDATE
Got DDNS working as well: added wan-ip to pbr, et voila!


If you read all this and think "OMG, what's this dude doing!!!???", please let me know! Wink

djuroutski
DD-WRT Novice


Joined: 09 May 2021
Posts: 14

Posted: Thu May 20, 2021 18:52    Post subject:
Sigh. Ipset isn't working at all Rolling Eyes

Must have tested this at the wrong time.
Probably will have to change something in the firewall script right? If so, what?

#add default route to alternate table
ip route add default via 192.168.0.1 table 100

#add local routes to alternate table
ip route add 127.0.0.0/8 table 100
ip route add 192.168.0.0/23 table 100
ip route add 192.168.10.0/23 table 100

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Fri May 21, 2021 11:14    Post subject:
You are using a split tunnel (actually a reverse PBR).

So you probably want all your traffic except the ipset using the tunnel.

But now on the tunnel you enter things in the PBR field, which signals to the tunnel to use the default WAN and only for entries in the PBR field to use the tunnel.

This way you are making a mess.

Besides, you enter a destination address in the PBR; that will not work (you can, but not in this way).

WireGuard has a DNS field; if you want to use that specific DNS server *and* have it routed via the tunnel, then enter the DNS servers there.

In your earlier posts you were using an OpenVPN tunnel. If you are running an OpenVPN and WireGuard tunnel side-by-side, things get really complicated; of course one of them has to use PBR.

When doing these kinds of complicated things, making a plan/layout first can be helpful Smile

djuroutski
DD-WRT Novice


Joined: 09 May 2021
Posts: 14

Posted: Tue May 25, 2021 9:51    Post subject:
All clear.

When using pbr, all else ends. So, disabled that.

Only thing I'm trying to achieve is:

Have Nextdns report back that I'm using their DNS servers. What I do see on their website is that the endpoint IP is correct. I have tried, having upgraded DD-WRT to 46069, to set the DNS servers via the tunnel to 45.90.28.222, but that is not enough to use all functionality provided by Nextdns.

What is missing is the ID so that the configuration I created at Nextdns.
In Additional Dnsmasq Options I have set this: add-cpe-id=XXXXXX (X's being my ID) together with:

no-resolv
bogus-priv
strict-order
server=45.90.30.0
server=45.90.28.0

Any idea in how to get this working? The tunnel on itself is working great, with pbr disabled ipset rules are working fine (again).

Is there any way to achieve this?




UPDATE
Apparently Nextdns functions as a tunnel. So whatever I was trying, it is useless. Of course, using the Nextdns servers through the tunnel, but as the ID doesn't travel through the tunnel it (adblocking etc. by Nextdns) will never work. So, next option would be to set up ad blocking in DD-WRT, which would play nicely with the Wireguard tunnel. But I've had enough for now Laughing

_________________
Linksys WRT3200ACM
DD-WRT v3.0-r46069
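
An added illustration, not code from any poster in this thread: it builds and parses a DNS query to show where the `add-cpe-id` value from the Dnsmasq options above is carried, namely in an EDNS0 option inside the DNS payload, separate from the packet's source IP address. The option code 65074 is an assumption taken from dnsmasq's source as commonly published, and `abc123` is a constructed stand-in for a configuration ID.

```python
import struct

# EDNS0 option code used by dnsmasq for add-cpe-id (assumption: the value of
# EDNS0_OPTION_NOMCPEID in dnsmasq's dns-protocol.h; not stated in the thread).
CPE_ID_OPTION = 65074

def build_query(name, cpe_id, txid=0x1234):
    """Build an A query that carries cpe_id in an EDNS0 OPT record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # type A, class IN
    ident = cpe_id.encode()
    option = struct.pack("!HH", CPE_ID_OPTION, len(ident)) + ident
    # OPT RR: root name, type 41, class = UDP payload size, TTL 0, RDLEN, RDATA
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(option)) + option
    return header + question + opt_rr

def skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + length

def extract_cpe_id(pkt):
    """Return the CPE ID found in a DNS message, or None if there is none."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata = pkt[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        pos = 0
        while rtype == 41 and pos + 4 <= len(rdata):  # walk the OPT options
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            if code == CPE_ID_OPTION:
                return rdata[pos + 4:pos + 4 + olen].decode()
            pos += 4 + olen
    return None

# Constructed sample query; "abc123" is a placeholder configuration ID.
SAMPLE = build_query("example.com", "abc123")
```

The ID appears as readable bytes in a plain port-53 query, so `extract_cpe_id` can be run over captured query payloads to confirm whether the option is present on a given path.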