I deleted the "DNS servers from tunnel" entry and rebooted the router and the correct routes still came back without having to manually enter them.
Re-enabling "DNS servers from tunnel" generally hosed things up and required a router reboot with it again disabled to recover.
------------------
Here is the relevant part of the log when it works:
Aug 6 16:33:48 Netgear R9000 user.info root: WireGuard number of non failed tunnels in fail set: 0
Aug 6 16:33:48 Netgear R9000 user.info root: WireGuard: Deleted endpoint route to 104.129.56.68 from 104.129.56.68
Aug 6 16:33:48 Netgear R9000 user.info root: Flush delete PBR interface oet1, table : 21
Aug 6 16:33:48 Netgear R9000 user.info root: Enable WireGuard interface oet1 on port 51820
Aug 6 16:33:48 Netgear R9000 user.info root: Establishing WireGuard tunnel with peer endpoint 104.129.56.68:1194
Aug 6 16:33:48 Netgear R9000 user.info root: WireGuard setting route for oet1 to endpoint 104.129.56.68:1194 via 71.236.228.1 dev vlan2
Aug 6 16:33:48 Netgear R9000 user.info root: WireGuard 100.104.252.39/24 added to oet1
Aug 6 16:33:49 Netgear R9000 user.info root: WireGuard set /tmp/oet.lock
Aug 6 16:33:49 Netgear R9000 user.info root: WireGuard waited 11 seconds to set routes for oet
Aug 6 16:33:49 Netgear R9000 user.info root: WireGuard route 0.0.0.0/1 added via oet1
Aug 6 16:33:49 Netgear R9000 user.info root: WireGuard route 128.0.0.0/1 added via oet1
----------------------
Subsequently disabling and re-enabling the tunnel (without rebooting the router) removes and re-enters routing table entries as desired.
My DNS (which runs on a separate local Linux server and forwards to OpenDNS) still seems to work fine when the tunnel is up even with "DNS servers from tunnel" empty. Is there a downside to just leaving the DNS servers through the tunnel field blank? dnsleaktest.com doesn't show any leaks.
Thanks again for all of your help! I couldn't have figured this out on my own.
Joined: 18 Mar 2014 Posts: 12887 Location: Netherlands
Posted: Sun Aug 07, 2022 6:25
You already answered my next questions:
Quote:
My DNS (which runs on a separate local Linux server and forwards to OpenDNS) still seems to work fine when the tunnel is up even with "DNS servers from tunnel" empty. Is there a downside to just leaving the DNS servers through the tunnel field blank? dnsleaktest.com doesn't show any leaks.
So you likely have DNSMasq disabled on the router.
Setting a DNS server when DNSMasq is not used is not very useful (some would call it a "user error").
From the updated Wireguard Client setup guide:
Quote:
1. Do not set a DNS Server if you do not use DNSMasq e.g. if on Basic Setup page "Use dnsmasq for DNS" or on Services Page " Enable dnsmasq" is disabled.
2. Wireguard uses the built-in DNSMasq, so this is not compatible with other DNS systems like Unbound, Smart DNS, DNScrypt etc.
3. Wireguard relies on the use of resolv.dnsmasq, so do not use the no-resolv directive in DNSMasq.
4. To avoid DNS leaks make sure Ignore WAN DNS on Setup page is enabled/checked.
5. It is good practice to set at least two DNS servers in Static DNS 1 and 2 on Setup page.
Of course a good program/GUI should shield users from errors.
This program also checks for this and if DNSMasq is not working/is disabled it will time out and log an error.
Only it does not work, as there is a typo in the code.
I will patch it of course in the coming builds.
This typo is already present in builds as early as 44980.
I actually had trouble reproducing this problem on my R7800 (I could, but had to do some tricks); after a reboot it was working on my router, so probably the fact that the error surfaced on a very fast router has something to do with it (and of course most people will use DNSMasq in combination with VPN, otherwise you can have a DNS leak).
About the DNS leak: yes, you can have one depending on whether your own Linux DNS server is routed via the tunnel, so it might be better to use DNSMasq on the router in combination with your own DNS server.
We have an excellent tutorial about using a Pihole as DNS server but the same applies to your situation:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=331414
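To make the routing in the log above and the DNS-leak point concrete, here is an added Python example (written for this thread, not DD-WRT's own code) that rebuilds the routing table from the three route lines in the log and does the same longest-prefix lookup the kernel does. The LAN prefix 192.168.1.0/24 on br0 and the upstream resolver address are assumptions, not values from the thread.

```python
import ipaddress
import re

# Constructed sample: the three route lines from the log above, nothing else.
SAMPLE_LOG = """\
Aug 6 16:33:48 Netgear R9000 user.info root: WireGuard setting route for oet1 to endpoint 104.129.56.68:1194 via 71.236.228.1 dev vlan2
Aug 6 16:33:49 Netgear R9000 user.info root: WireGuard route 0.0.0.0/1 added via oet1
Aug 6 16:33:49 Netgear R9000 user.info root: WireGuard route 128.0.0.0/1 added via oet1
"""

ENDPOINT_RE = re.compile(r"setting route for (\S+) to endpoint ([\d.]+):\d+ via ([\d.]+) dev (\S+)")
ROUTE_RE = re.compile(r"WireGuard route (\S+/\d+) added via (\S+)")


def routes_from_log(log, lan="192.168.1.0/24", lan_dev="br0"):
    """Rebuild the routing table the log describes as (network, device) pairs.
    The LAN prefix and bridge name are assumptions (not in the log) so LAN lookups work."""
    routes = [(ipaddress.ip_network(lan), lan_dev)]
    for line in log.splitlines():
        m = ENDPOINT_RE.search(line)
        if m:  # host route to the WireGuard peer, pinned to the WAN device (vlan2)
            routes.append((ipaddress.ip_network(m.group(2) + "/32"), m.group(4)))
            continue
        m = ROUTE_RE.search(line)
        if m:  # the two half-default routes that steer everything else into the tunnel
            routes.append((ipaddress.ip_network(m.group(1)), m.group(2)))
    return routes


def egress_device(routes, ip):
    """Longest-prefix match, as the kernel FIB does: the most specific route wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def tunnel_routing_ok(routes, tunnel_dev="oet1"):
    """True when both half-defaults point at the tunnel and a /32 endpoint route exists
    that does not, so encrypted packets to the peer cannot loop back into the tunnel."""
    halves = {str(n) for n, d in routes if d == tunnel_dev and n.prefixlen == 1}
    host_routes = [d for n, d in routes if n.prefixlen == 32]
    return halves == {"0.0.0.0/1", "128.0.0.0/1"} and bool(host_routes) and tunnel_dev not in host_routes
```

Dropping the endpoint line from the log (the "routes missing" failure discussed earlier in the thread) makes the peer address fall under 0.0.0.0/1 and the check fails; an upstream resolver address such as OpenDNS (assumed here) resolves to the tunnel device, which is what a forwarder on the LAN needs for its queries not to leak out of the WAN.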
dnsmasq *was* disabled on my Basic Setup page. Can't remember why I did that. dnsmasq was still enabled on the Services page.
So I tried enabling dnsmasq on the Basic Setup page and then re-enabled the "DNS Servers via Tunnel" configuration on the Wireguard tunnel, and *voila* all the routes are still correct and the VPN works fine. Also, the WAN status page now shows IPv4 DNS 0 is my VPN's DNS server.
So thanks to your help, everything seems to be working perfectly now.
DHCP seems to be interrelated with this discussion according to some of the reading I did. I do not use the DD-WRT Netgear R9000 router as a DHCP server. It looks like if I had, then dnsmasq would have been automatically enabled. Perhaps that's why I didn't see this issue on my older DD-WRT router, because I was using that as a DHCP server.
In case it's useful, my dnsmasq infrastructure settings are shown in the attached image.
Sorry for the user error. I am a former programmer, but not a networking expert and am not up on the interaction between DNS and dnsmasq. I will try to find some reading about this as I should be informed.