WireGuard blocking dns requests from other machines

mbranchick · April 26, 2019, 10:10pm

Yeah I have it set to listen on all interfaces and permit all origins

mbranchick · April 26, 2019, 10:26pm

I was wondering if the server address should be the address of the pi-hole? Currently my pi-hole is 192.168.1.39 which is the address handed out by my router for the LAN DNS, but wireguard is configured to have the server interface of 192.168.2.1 on a different subnet. Changing this didnt seem to help but wondered if there was some additional configuration needed.

tonymet · April 26, 2019, 10:26pm

I had the same problem, this fixed it

pihole -a -i all

longstory: despite netstat showing FTL listening on 0.0.0.0:53 -- it was not responding on the wg0 interface.

The above command fixed.

mbranchick · April 26, 2019, 10:34pm

I tried this but I still seem to have the issue. If I try to ping the pi-hole from my desktop I still get no response (and DNS requests dont resolve).

tonymet · April 26, 2019, 10:38pm

It helps to first test with ping and listen with tcpdump to make sure wireguard is routing your traffic.

I've had a number of issues so here are some tips for configuration and testing

Common Issues

Make sure ip_forward=1

sudo sysctl -w  net.ipv4.ip_forward=1

Make sure your client (e.g. mac or linux laptop) has the firewall turned off
Make sure your vpn server doesn't have an external firewall (e.g. AWS security group)
Make sure yoru vpn server kernel firewall is wide open for testing
Make sure you've added the peer on the server properly. Adding it to the config and using wg-quick up... does not add the peer . In my experience..

only add using wg set .. peer

sudo wg set wg0 peer XXXXXXXXX  allowed-ips 192.168.4.0/24

Testing

Listen for ICMP (pings) on the server

 tcpdump -ni any icmp

Ping from client to server

# on client
ping -c200 <ip-addr-of-server>

tonymet · April 26, 2019, 10:41pm

I added some steps to test that pihole is listening on both interfaces. make sure these work prior to testing over the vpn network

mbranchick · April 26, 2019, 10:48pm

So I've confirmed that ip_forward=1 is reporting as 1. Ill try some of these client side tests, but I'm confused as to why the client configuration would affect the server when no clients are connected.

Just to make sure it wasn't misunderstood, my issue is that when wireguard is enabled using this command:

sudo wg-quick up wg0

No other PC's on the LAN are able to talk to the raspberry pi. The other computers are not trying to communicate over wireguard because they are already on the LAN and dont need a VPN. Once I disable wireguard with:

sudo wg-quick down wg0

All LAN PC's can again get responses from the pi-hole again. I can basically have all my remote wireguard clients working with no issues, or the local LAN machines working, but not both.

mbranchick · April 26, 2019, 11:00pm

So checked with TCPDUMP and I'm seeing strange behavior. As soon as I enable the wireguard server I see the following over and over again (192.168.1.47 is another PC on the LAN not using wireguard which loses access as soon as wireguard is enabled):

IP 192.168.2.1 > 192.168.1.47 : ICMP host 192.168.1.47 unreachable, length 116

mbranchick · April 26, 2019, 11:05pm

If I observe the ping request from .1.47 to .1.39 it looks the same whether wireguard is on or off, however when wireguard is on the .1.47 never receives the reply that TCP Dump is showing

tonymet · April 26, 2019, 11:11pm

Thanks i think i better understand your issue now.

I would check your routing table before and after wg-quick up & wg-quick down

e.g.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    202    0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0
192.168.4.0     0.0.0.0         255.255.255.0   U     0      0        0 wg0
pi@piholezero:/etc/dnsmasq.d $ netstat -tulnp|grep -i list
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)

tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -

Also tail -f /var/log/pihole.log while you do both tests to see if it shows replies as blocked

tonymet · April 26, 2019, 11:13pm

In this case make sure that allowed-ips is correct -- that is basically establishing the routing table from server back to client .

e.g.

sudo wg show |tail -n 5
peer: xxxxx
  endpoint: xxxx:51820
  allowed ips: 192.168.4.0/24
  latest handshake: 1 hour, 3 minutes, 22 seconds ago
  transfer: 1.32 MiB received, 6.72 MiB sent

here's the cmd I used to set up the peer. I've never had luck configuring the peer within the wg0.conf

sudo wg set wg0 peer xxx allowed-ips 192.168.4.0/24

tonymet · April 26, 2019, 11:15pm

can you post your ...

 cat /etc/dnsmasq.d/01-pihole.conf |tail

log-async

# If a DHCP client claims that its name is "wpad", ignore that.
# This fixes a security hole. see CERT Vulnerability VU#598349
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
server=1.1.1.1
server=1.0.0.1
except-interface=nonexisting

mbranchick · April 26, 2019, 11:24pm

Routing table before:

root@raspberrypi:/etc/wireguard# sudo route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 202 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 202 0 0 eth0

routing table after enabling wireguard:

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 202 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0
192.168.1.0 0.0.0.0 255.255.255.0 U 202 0 0 eth0
192.168.2.2 0.0.0.0 255.255.255.255 UH 0 0 0 wg0
192.168.2.3 0.0.0.0 255.255.255.255 UH 0 0 0 wg0

mbranchick · April 26, 2019, 11:27pm

Server is listed as follows because outgoing DNS requests to the upstream server are handled through dns crypt proxy before being forwarded on to 1.1.1.1. I dont think this would cause any issue because the wireguard clients have no problems with DNS requests when connected to the server.

root@raspberrypi:/etc/wireguard# cat /etc/dnsmasq.d/01-pihole.conf |tail
local-ttl=2

log-async

If a DHCP client claims that its name is "wpad", ignore that.

This fixes a security hole. see CERT Vulnerability VU#598349

dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
server=127.0.0.1#5354
except-interface=nonexisting

tonymet · April 26, 2019, 11:36pm

hmm to tell you the truth i'm stuck i'd have to do a session with you. A couple of thoughts

see if you can simplify the route table with using a /24 address for the peer.
see if you can hit the 127.0.0.1:5354 and/or replace with 1.1.1.1 while testing. you can use netcat e.g.

netcat -z -v -u localhost 53
netcat -z -v -u localhost 5354

mbranchick · April 26, 2019, 11:38pm

Thanks for all the help. Ill give that a try. Yeah I checked the pihole log too and its constantly filling with this when the wireguard server is enabled:

Apr 26 19:36:24 dnsmasq[3567]: failed to send packet: Destination address required

mbranchick · April 27, 2019, 12:01am

I have been able to narrow down what the issue is. If I comment out the Peers in the server configuration file I am able to ping the pi-hole and make dns requests when the wireguard server is "up"

mbranchick · April 27, 2019, 12:14am

Ok I think I have resolved the issue. in the server's allowed IP's I had 192.168.1.1/24. This should have been in the client .conf file in the peers allowed IP's section, not the servers .conf file.

Thanks again for all the help, learned alot!

tonymet · April 27, 2019, 10:11pm

awesome great job debugging

system · May 18, 2019, 10:11pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.