Posted: Mon Nov 08, 2021 4:51 Post subject: WireGuard DNS Leakage
I recently switched from FreshTomato to DD-WRT since their platform hasn't implemented WireGuard yet. However, I cannot for the life of me get the DNS to stop leaking. I have spent 13 straight hours looking through forums here and across the internet, but nothing has worked. It shouldn't be THIS hard just to get something working on DD-WRT. I am running r46836 (June 1st, 2021) on an AC-56U due to the latest versions making it so every time I load a web page, it says failed, then I refresh and it works, so it got annoying. It hasn't helped that every few hours my NTP fails to load (yes I have tried various NTP servers) and the router's time randomly resets to 18:33:00 and then my VPN stops working, and WAN goes to 0.0.0.0 as a result unless I disable the VPN and reboot so the NTP updates.
But to the point, here are my settings:
Ignore WAN DNS: Yes.
Static DNS 1: 1.1.1.1
Use DNSMasq for DNS: Yes.
DHCP-Authoritative Yes.
Recursive DNS Resolving (Unbound): No.
Forced DNS Redirection: No. (Checking this causes my entire connection across all devices to stop working entirely unless I turn it off.)
On DNSMasq's settings:
Dnsmasq: Yes.
Query DNS in Strict Order: Yes.
I am using PBR to route WireGuard to only one single device, so that complicates things from what I have read elsewhere.
Whenever I check for a DNS Leak for the non-VPN devices, sometimes it shows my ISP's DNS (even though 'Ignore WAN DNS' is selected), and other times it will show the public DNS I have set in the Static DNS 1 slot.
Whenever I check for a DNS Leak for the VPN device, it will only show the 1.1.1.1 public DNS option, in which it is entirely ignoring the DNS that I've set in WireGuard under "DNS servers via tunnel".
In WireGuard, I have "Route Allowed IP's via tunnel" set to No. I have AllowedIPs set to 0.0.0.0/0.
I am so confused by what is going on wrong with this thing that I am on the verge of giving up, and going back to FreshTomato and just waiting for the developer to implement a working GUI for WireGuard. I cannot tell whether it is a bug with DD-WRT, something I've set wrong, or something that is missing. I am at my wits' end, and I would greatly appreciate anyone's help.
I want to have my non-VPN clients only using the public DNS, and my VPN client to only use the entered DNS for it. I still am unable to find a solution to this, so it is greatly helpful if anyone has the answer!
Joined: 18 Mar 2014 Posts: 12889 Location: Netherlands
Posted: Mon Nov 08, 2021 7:40 Post subject:
Welcome to the forum.
Unfortunately you are posting in the wrong forum.
No sweat as I will transfer this thread for you.
But please read the forum guidelines with helpful pointers about how to research your router, where and what to download, where and how to post and many other helpful hints:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
A lot of work is going on in the GUI and I think/hope those are resolved in the latest build, but the build you are running should work.
Also, Chrome does not always play nice with DDWRT.
First about the NTP server, just leave the field blank that works best, DDWRT then uses the built in NTP servers.
Some hints:
It is best to set the "Route Allowed IP's via tunnel" to Yes (not related to your problem)
About DNS: if you enabled "Query DNS in Strict Order" on the Services page, then the DNS server you entered in "DNS servers via tunnel" is used, but only if the tunnel can make a connection.
After you have setup be sure to reboot the router.
(It can take several minutes before you have a connection and the DNS server is kicking in )
(Checking used DNS servers is not always easy some browsers even have their own DNS servers or cache DNS queries so make sure you clear browser cache if you test via a web browser)
The DNS server used is used by DNSMasq so not only for the PBR clients but for everybody.
If you want to have split DNS servers then that is possible with the use of DNSMasq or the use of iptables rules.
How to do that is described in the DNS Problems guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
P.S.
DDWRT has wikis for almost anything so if you search for: "DDWRT wiki Wireguard" you eventually end up with that documentation which is also a sticky in the Advanced networking forum
Joined: 16 Nov 2015 Posts: 6439 Location: UK, London, just across the river..
Posted: Mon Nov 08, 2021 8:22 Post subject:
Also bear in mind that if you use browser DNS over HTTPS (layer 7 DNS) it will override your router DNS settings and show up during testing...
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Mon Nov 08, 2021 13:26 Post subject: Re: WireGuard DNS Leakage
kyrix wrote:
I am running r46836 (June 1st, 2021) on an AC-56U due to the latest versions making it so every time I load a web page, it says failed
But to the point, here are my settings:
Ignore WAN DNS: Yes.
Static DNS 1: 1.1.1.1
Hello at kyrix.
Let me add something to what was already said so far.
Try to add a secondary DNS like 1.0.0.1. I had the exact same issue as you with failed loading pages, both Chrome side and Firefox side, without using browser HTTPS over DNS in either.
Adding that secondary DNS fixed the issues for me. Even though Cloudflare engineers did not find any issues with the 1.1.1.1 DNS resolver, adding the second 1.0.0.1 made the issue go away here, so I was/am happy with that.
Regarding WireGuard.
You are using a really old DD-WRT build, r46836; WireGuard fixes have been made by egc and they are available in the current DD-WRT v3.0-r47618 std (11/05/21) build.
So give the new build a try with the added second DNS and see if all the issues go away.
Thank you for the link. I will go over it when I wake up and post here later if any of it helped or if I have questions.
egc wrote:
It is best to set the "Route Allowed IP's via tunnel" to Yes (not related to your problem)
Oddly enough I've found it to not make a difference whatsoever whether it is on or not. I will set it to yes however.
egc wrote:
About DNS if you enabled "Query DNS in Strict Order" on Services page then the DNS server you entered in "DNS servers via tunnel" is used but only if the tunnel can make a connection.
Sadly this doesn't make a difference, the VPN client still uses the public DNS unless I only have the VPN DNS entered.
egc wrote:
If you want to have split DNS servers than that is possible with the use of DNSMasq or the use of IP tables rules.
How to do that is described in the DNS Problems guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
I actually checked this already, but the routing options are for OpenVPN config so I was unsure of what to do at that point.
egc wrote:
P.P.S. FreshTomato is stuck on kernel 2.6 and does not have a native WireGuard implementation, so it is only slightly faster than OpenVPN, while DDWRT has the native kernel implementation which is about 3 times faster than OpenVPN.
That is very unfortunate. Any idea why the developer chooses such an old kernel? I would imagine a smaller codebase to maintain over newer versions.
Posted: Mon Nov 08, 2021 13:53 Post subject: Re: WireGuard DNS Leakage
the-joker wrote:
kyrix wrote:
I am running r46836 (June 1st, 2021) on an AC-56U due to the latest versions making it so every time I load a web page, it says failed
But to the point, here are my settings:
Ignore WAN DNS: Yes.
Static DNS 1: 1.1.1.1
Hello at kyrix.
Let me add something to what was already said so far.
Try to add a secondary DNS like 1.0.0.1. I had the exact same issue as you with failed loading pages, both Chrome side and Firefox side, without using browser HTTPS over DNS in either.
Adding that secondary DNS fixed the issues for me. Even though Cloudflare engineers did not find any issues with the 1.1.1.1 DNS resolver, adding the second 1.0.0.1 made the issue go away here, so I was/am happy with that.
Regarding WireGuard.
You are using a really old DD-WRT build, r46836; WireGuard fixes have been made by egc and they are available in the current DD-WRT v3.0-r47618 std (11/05/21) build.
So give the new build a try with the added second DNS and see if all the issues go away.
Keep us updated and be well.
Hello to you as well! I will update to the latest version again sometime later today, and let you know what happens with the second DNS added.
I can recall that I tried other DNS servers besides 1.1.1.1 and still had the same issue, but I will mix & match and let you know of the results if it helped or not.
Joined: 18 Mar 2014 Posts: 12889 Location: Netherlands
Posted: Mon Nov 08, 2021 15:03 Post subject:
If you have entered the DNS server in the "DNS servers via tunnel" field then it is placed on top of resolv.dnsmasq and so is used first (if that DNS server is responding and query strict order is enabled).
I have in Static DNS 1 and 2:
9.9.9.9
1.1.1.1
and my WG DNS server is 193.138.218.74
So check from CLI (telnet/Putty) with:
cat /tmp/resolv.dnsmasq
egc wrote:
If you have entered the DNS server in the "DNS servers via tunnel" field then it is placed on top of resolv.dnsmasq and so is used first (if that DNS server is responding and query strict order is enabled).
I have tried that, and now whenever I check for a leak, it is showing both my public DNS and my VPN DNS at the same time on non-VPN devices. It shows cloudflares servers, and the VPN at the same time. Is this an issue or would be 'counted as a leak'?
I upgraded to build 47618, and now it seems that my tunnel is only using the VPN DNS. Oddly, that seems to be fixed! I don't know however how that occurred.
One problem that seems to be occurring is the DNS I have set in "DNS servers via tunnel", is not being applied. The VPN DNS that is being pushed is used instead of the one that I specified. Should I set the DNS that is in "Peer Tunnel DNS" to be the same as the DNS in "DNS servers via tunnel" to fix that?
Posted: Tue Nov 09, 2021 0:31 Post subject: Re: WireGuard DNS Leakage
the-joker wrote:
Try to add a secondary DNS like 1.0.0.1. I had the exact same issue as you with failed loading pages, both Chrome side and Firefox side, without using browser HTTPS over DNS in either.
Adding that secondary DNS fixed the issues for me. Even though Cloudflare engineers did not find any issues with the 1.1.1.1 DNS resolver, adding the second 1.0.0.1 made the issue go away here, so I was/am happy with that.
Regarding WireGuard.
You are using a really old DD-WRT build, r46836; WireGuard fixes have been made by egc and they are available in the current DD-WRT v3.0-r47618 std (11/05/21) build.
So give the new build a try with the added second DNS and see if all the issues go away.
Keep us updated and be well.
This seems to have fixed the loading issues! Having two static Public DNS servers set appears to have fixed the problem of it. I upgraded to the version you stated as well. My only worry and wonder is why it is that DD-WRT needs two of these to keep the pages from loading incorrectly.
On other firmware, I've never experienced this issue with just one DNS server set. So DD-WRT doing it boggles my mind. Maybe it is a bug? I recall installing DD-WRT years ago and experiencing the same issue (which caused me to stray from it for a long time).
I do not have DNS over TLS/HTTPS enabled in my browser or system whatsoever so there is no need to worry of that.
Joined: 08 May 2018 Posts: 14222 Location: Texas, USA
Posted: Tue Nov 09, 2021 4:13 Post subject:
Well, if we were to look further into your settings, knowing you don't have forced DNS redirection set and are using the static settings instead of no-resolv and server= lines for dnsmasq, well. I don't see why folks are doing it the way described here, as it tends to break things a lot easier and you don't get to add as many servers as you want. People do realize that dnsmasq hands out the router IP as DNS server, correct? It doesn't matter what you set or not.
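The post above is right that dnsmasq hands out the router's own address as the DNS server by default, but that default can be overridden per client, which is the dnsmasq-side route to split DNS that egc mentioned earlier. The fragment below is an added example for the dnsmasq "Additional Options" field and is not from this thread or from DD-WRT's own configuration; the MAC address, the LAN address 192.168.1.50 and the tunnel resolver 10.64.0.1 are placeholders to be replaced with the PBR client's values and the address from "DNS servers via tunnel".

```conf
# Constructed example for the dnsmasq "Additional Options" field on DD-WRT.
# Give the VPN client a fixed lease and attach a tag to it...
dhcp-host=aa:bb:cc:dd:ee:ff,set:wgclient,192.168.1.50
# ...and hand only that tag the tunnel resolver as DHCP option 6 (dns-server).
dhcp-option=tag:wgclient,option:dns-server,10.64.0.1
# Every other client keeps the default: the router (dnsmasq) as its DNS server,
# which then resolves through the Static DNS entries.
```

The client only picks this up when it renews its lease. From then on it sends its queries straight to 10.64.0.1, which travel through the tunnel with the rest of that client's policy-routed traffic, so the VPN client no longer depends on dnsmasq's strict order at all. A client that ignores DHCP DNS (a statically configured resolver) bypasses this; the iptables DNAT rule egc posts later in the thread catches that case, but neither approach catches DoH or DoT in a browser, as noted above.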
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Tue Nov 09, 2021 6:39 Post subject: Re: WireGuard DNS Leakage
kyrix wrote:
This seems to have fixed the loading issues! Having two static Public DNS servers set appears to have fixed the problem of it. I upgraded to the version you stated as well. My only worry and wonder is why it is that DD-WRT needs two of these to keep the pages from loading incorrectly.
On other firmware, I've never experienced this issue with just one DNS server set. So DD-WRT doing it boggles my mind. Maybe it is a bug? I recall installing DD-WRT years ago and experiencing the same issue (which caused me to stray from it for a long time).
I do not have DNS over TLS/HTTPS enabled in my browser or system whatsoever so there is no need to worry of that.
Result, I was confident it would work; why matters not so much (depends how much time you have to try to get to the bottom of it).
You can even try removing the 1.1.1.1 and using just 1.0.0.1 (idk if it will go back to the issue), I haven't bothered trying, because an extra DNS resolver simply doesn't matter to me and it's nice to have the redundancy. If you do a traceroute to both 1.0.0.1 and 1.1.1.1 I'm willing to bet 1.0.0.1 will be faster by a hair, but don't tell Cloudflare engineers this, their main DNS resolver can't do any wrong.
It's weird why it works, agreed, I had the same reaction as you and quickly put my time to better use.
I don't have any extra dnsmasq configuration besides what it does by default either and I'm not willing to waste time digging into the perceived issue anyway.
Joined: 18 Mar 2014 Posts: 12889 Location: Netherlands
Posted: Tue Nov 09, 2021 8:33 Post subject:
To clarify some matters further, WireGuard is a lightweight protocol so there is no pushing of DNS servers by your VPN provider.
Most providers give you a configuration file which you can use to manually setup your WG client or use the import config utility to do that for you (note: not all providers add a KeepAlive setting in their configs so check that that is set)
One of the settings is a DNS server which you can use but it is up to the client to do something with that information.
In this case you add that DNS server (or servers, you can add more in a comma delimited list) in the "DNS servers via tunnel" field.
DDWRT uses that DNS server to add a static route via the WG tunnel and place it on top of /tmp/resolv.dnsmasq. This file has all the upstream DNS servers which are used by DNSMasq to resolve DNS queries.
The file is made up of the ISP DNS server (unless you tick/enable "Ignore Wan DNS" on setup page (recommended)).
Furthermore the /tmp/resolv.dnsmasq file has the entries of static DNS 1,2,3.
By placing the DNS from the "DNS servers via tunnel" field on top in /tmp/resolv.dnsmasq that is the DNS server which should be used if "strict order" is enabled.
So effectively you should use that DNS server and as there is a static route via the tunnel for that DNS server you should not have a DNS leak.
One problem: DNSMasq is very quick to give up on strict order (especially after recent DNSMasq upgrades), so if you have a slow DNS server DNSMasq will move on to the next one and you can have a DNS leak.
If you experience this you can set the DNS server from the WG provider as only one in Static DNS 1 (and check if Ignore WAN DNS is ticked) as discussed in the WireGuard client setup guide.
In your case as you are using PBR and you want to have split DNS servers there is another solution which kills two birds with one stone.
Assuming you have two public DNS servers in static DNS 1 and 2 and added the WG DNS server in the "DNS servers via tunnel" you add the following rule to Administration/Commands Save firewall:
Code:
iptables -t nat -I PREROUTING -p tcp -s <IP address in PBR field> --dport 53 -j DNAT --to-destination <IP address of DNS server>
iptables -t nat -I PREROUTING -p udp -s <IP address in PBR field> --dport 53 -j DNAT --to-destination <IP address of DNS server>
Depending on what you have in the PBR field and if you have only one tunnel you can even automate this with:
Code:
iptables -t nat -I PREROUTING -p tcp -s $(nvram get oet1_pbr) --dport 53 -j DNAT --to-destination $(nvram get oet1_dns)
iptables -t nat -I PREROUTING -p udp -s $(nvram get oet1_pbr) --dport 53 -j DNAT --to-destination $(nvram get oet1_dns)
This rule catches all DNS queries from the entries in the PBR field and routes them to the specified DNS server.
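Two things from egc's explanation are worth checking from the router's shell rather than from a leak-test site: whether the tunnel DNS really is the first "nameserver" line in /tmp/resolv.dnsmasq (the only entry strict order guarantees is tried first), and what the DNAT rule expands to once the PBR field holds more than one address. The script below is an added example, not code from this thread or from DD-WRT. It assumes the nvram names egc uses (oet1_pbr, oet1_dns), that the PBR field holds one IP or IP/CIDR per line, and that "DNS servers via tunnel" is a comma-separated list; the addresses 192.168.1.50 and 10.64.0.1 in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT.
# Helpers for the split-DNS setup described above:
#   tunnel_dns_first  - is the tunnel DNS the first upstream in /tmp/resolv.dnsmasq?
#   dns_dnat_rules    - expand the PBR field into per-client port-53 DNAT rules
#   install_dns_dnat  - apply them idempotently (Administration/Commands, Save Firewall)
#   remove_dns_dnat   - take them out of the running table again
# Assumptions (not confirmed by the thread): nvram names oet1_pbr / oet1_dns,
# one IP or IP/CIDR per line in the PBR field, and a comma-separated list in
# the "DNS servers via tunnel" field. e.g. PBR "192.168.1.50/32", DNS "10.64.0.1".

# Turn a list separated by commas, spaces, tabs or newlines into one entry per line.
split_list() {
    printf '%s\n' "$1" | tr ', \t\r' '\n\n\n\n' | sed '/^[[:space:]]*$/d'
}

# $1: contents of /tmp/resolv.dnsmasq, $2: tunnel DNS address.
# Returns 0 only if $2 is the first "nameserver" line, i.e. the server dnsmasq
# tries first when "Query DNS in Strict Order" is enabled.
tunnel_dns_first() {
    first=$(printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }')
    [ "$first" = "$2" ]
}

# $1: PBR field contents, $2: "DNS servers via tunnel" contents.
# Prints one iptables command per PBR entry and protocol. DNAT takes a single
# destination, so only the first tunnel DNS is used; later entries are ignored.
dns_dnat_rules() {
    dns=$(split_list "$2" | head -n 1)
    if [ -z "$dns" ]; then
        echo "dns_dnat_rules: no tunnel DNS configured" >&2
        return 1
    fi
    split_list "$1" | while read -r src; do
        for proto in udp tcp; do
            printf 'iptables -t nat -I PREROUTING -p %s -s %s --dport 53 -j DNAT --to-destination %s\n' \
                "$proto" "$src" "$dns"
        done
    done
}

# Rewrite an "-I PREROUTING" command into its "-C" (check) or "-D" (delete) form.
with_action() {
    printf '%s\n' "$2" | sed "s/ -I PREROUTING / -$1 PREROUTING /"
}

# On the router: insert each rule only if it is not already present, so the
# Save Firewall script does not stack duplicates on every firewall restart.
install_dns_dnat() {
    dns_dnat_rules "$(nvram get oet1_pbr)" "$(nvram get oet1_dns)" | while read -r rule; do
        $(with_action C "$rule") 2>/dev/null || $rule
    done
}

# On the router: delete the same rules (repeated until no copy is left).
remove_dns_dnat() {
    dns_dnat_rules "$(nvram get oet1_pbr)" "$(nvram get oet1_dns)" | while read -r rule; do
        while $(with_action D "$rule") 2>/dev/null; do :; done
    done
}
```

The -s match accepts either form the PBR field uses, a bare address or IP/CIDR, so entries pass through unchanged. Because the match is on --dport 53 in PREROUTING, it also catches queries the client addresses to the router itself, and the redirected query leaves through the tunnel like the rest of that client's policy-routed traffic; what it cannot catch is DoH or DoT, which never touches port 53. Rules placed in Save Firewall are re-applied on every firewall restart, so the permanent way to remove them is to delete them from that script; remove_dns_dnat only clears them from the running table.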
egc wrote:
In your case as you are using PBR and you want to have split DNS servers there is another solution which kills two birds with one stone.
Assuming you have two public DNS servers in static DNS 1 and 2 and added the WG DNS server in the "DNS servers via tunnel" you add the following rule to Administration/Commands Save firewall:
Code:
iptables -t nat -I PREROUTING -p tcp -s <IP address in PBR field> --dport 53 -j DNAT --to-destination <IP address of DNS server>
iptables -t nat -I PREROUTING -p udp -s <IP address in PBR field> --dport 53 -j DNAT --to-destination <IP address of DNS server>
Depending on what you have in the PBR field and if you have only one tunnel you can even automate this with:
Code:
iptables -t nat -I PREROUTING -p tcp -s $(nvram get oet1_pbr) --dport 53 -j DNAT --to-destination $(nvram get oet1_dns)
iptables -t nat -I PREROUTING -p udp -s $(nvram get oet1_pbr) --dport 53 -j DNAT --to-destination $(nvram get oet1_dns)
This rule catches all DNS queries from the entries in the PBR field and routes them to the specified DNS server.
When you do this you can disable "strict order"
I have several questions:
1. When I click save firewall, how will I be able to delete them if needed?
2. With the first set of codes you gave, do I delete the < >? Or do I enter the IP/DNS in between them?
3. With the first set of codes as well, do I also add the CIDR that I have entered with the IP in the PBR field?
4. "When you do this you can disable "strict order"" Does this apply to both sets of commands? Or only the second set?
5. My final question is, is it better to use the first set or the second set of commands? If it's automated and I have a static DNS 1/2 set, would the second set of commands still work?
I think if I am right by looking at the commands you've given, the first set manually assigns it to the specific PBR I have set, and the second just assigns the DNS automatically to the PBR so I won't have to change it every single time.
My apologies for so many questions, I am trying to make sure of things, and so if anyone looks through this thread in the future having the same problem they'll know what to do.
Well, if we were to look further into your settings, knowing you don't have forced dns redirection set and are using the static settings instead of no-resolv and server= lines for dnsmasq, well. I don't see why folks are doing it the way as described here as it tends to break things a lot easier and you don't get to add as many servers as you want. People do realize that dnsmasq hands out the router IP as dns server, correct? It doesn't matter what you set or not.
Whenever I enable Forced DNS Redirection, my connection completely breaks. As for no-resolv, if I set it to that, then DNSMasq would assign any DNS in no order, which means the VPN client would be receiving a Public DNS (thereby creating a leak), which is not what we want. That is why we need to use strict-order, otherwise this doesn't ensure that the VPN DNS is on top.