[Solved][Kinda] Server blocking LAN responses over Wireguard VPN
[Solved][Kinda] Server blocking LAN responses over Wireguard VPN
I'm trying to setup Wireguard to use as a VPN on my server using this guide. I currently run Pihole on the same machine.
| LAN | 192.168.1.* |
| WG | 10.14.0.* |
| WG Server Addr | 10.14.0.1 |
| WG Client Addr | 10.14.0.10 |
The handshake succeeds, and I can even ping IP addresses. However, it doesn't receive DNS responses. I checked in Wireshark and see the following:
| WAN Client IP -> | Server IP | [Wireguard] |
| WG Client IP -> | Server IP | [DNS Request] |
| Server IP -> | Server IP | [DNS Request] |
| Server IP -> | Server IP | [DNS Response] |
| WG Server Addr -> | WG Client Addr | [DNS Response] |
| WG Client Addr -> | WG Server Addr | [ICMP Port unreachable] |
I'm admittedly pretty inexperienced when it comes to routing, but I've been at this for days with no success. Any help would be greatly appreciated.
Edit
I now realize that it would have been relevant to mention the my Pihole instance was running inside a rootless podman container.
To test things further, I wrote a small echo server and spun it up on bare metal. Wireguard had no issues with that. My guess is that something between wireguard and specifically rootless podman was going wrong. I still don't know what, unfortunately.
My fix was to put Pihole in a privileged podman container with a network and static IP e.g. --net bridge:ip=10.88.0.230. I also put wireguard into a privileged podman container on the same network --net bridge. Finally, I set the peer DNS to the Pihole's static IP on the podman network (10.88.0.230).
As I said before, I still don't know why podman wasn't replying to the correct IP initially. I'm happy with my fix, but I'd still prefer the containers to be rootless so feel free to message me if you have any suggestions.
Your DNS might be configured to only answer local (from 192 addresses) requests. Did you enable IP masquerading?
Try using the lan address of the dns server instead of the wireguard address.
What are you using for dns? You may need to allow access from all interfaces if your dns server is also a wireguard peer
if you're on pihole: https://docs.pi-hole.net/ftldns/interfaces/
I am. Server IP is 192.168.1.xxx. DNS server is running on that machine. It already allows access from all interfaces. I just don't have port 53 natted from my router to avoid creating an open resolver.
Commenting for visibility. Have had similar issues and not taken the time to dive into them yet. Thanks for the post, I'll be watching with great interest.
Just wanted to let you know I somewhat found a solution and edited my post to reflect that.
Thanks again.
I had dns issues until I got my allowed ips squared away. You could try setting it to 0.0.0.0/0 if it's not already to verify it's not the problem.
Didn't work, unfortunately. Same exact issues
Is it the server telling the server that the client's port is unreachable or is it the client telling the server that the port is unreachable? Do you see the packets traveling over the Wireguard interface? Do you see the response if you use Wireguard from the client?
The request traced out is incorrect. WG Client IP initiates a DNS request to Server IP, and then WG Client Addr receives a response from WG Server Addr. The DNS response should come from the same IP that the request was sent to. The client may be rejecting a response coming from an unexpected source. If you're doing masquerading instead of plain routing, you need to make sure that you're doing NAT in both directions.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
Fewer Letters More Letters DNS Domain Name Service/System IP Internet Protocol LXC Linux Containers NAT Network Address Translation VPN Virtual Private Network
4 acronyms in this thread; the most compressed thread commented on today has 10 acronyms.
[Thread #218 for this sub, first seen 16th Oct 2023, 17:05] [FAQ] [Full list] [Contact] [Source code]
Hey I don't really have a solution for you, but if you are still stuck on this, give tailscale a try.
I used to have a manually-configured WireGuard server too, and had a lot of the same issues you are.
Now I just use tailscale to manage that (it's still a WireGuard backend just like you are looking for) and I actually have my Pihole configured as the DNS host for my local network and my Tailnet so it's used by all of my devices even remotely.
So the same outcome you are looking for but with a slightly different path to get there
I'll check it out. Thanks!