I have a Raspberry Pi 4b 2gb acting as an edge server with the docker engine and docker compose plugin installed:

```
$ docker --version
Docker version 20.10.22, build 3a2c30b
$ docker compose version
Docker Compose version v2.14.1
```
My network router is at 192.168.1.1. The router forwards wireguard traffic to the edge server. The edge server is at 192.168.1.91.
My pihole docker container works well. I am using it for ad blocking and local DNS, but not for DHCP, which is being handled by my Netgear Router. It uses the following docker-compose.yml structure:
```yaml
version: '3'
networks:
  edge:
    name: edge
    external: true
services:
  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    hostname: edge-server
    shm_size: 768mb
    ports:
      - "53:53/tcp" # dns
      - "53:53/udp" # dns
      - "8080:80/tcp" # web
    environment:
      - TZ=${TZ}
      - WEBPASSWORD=${WEBPASSWORD}
      - FTLCONF_LOCAL_IPV4=192.168.1.91
      - PIHOLE_DNS_=208.67.222.222;208.67.220.220
      - DNSMASQ_LISTENING=all
      - FTLCONF_RATE_LIMIT=0/0
    volumes:
      - ${DIRECTORY_PIHOLE}:/etc/pihole/
      - ${DIRECTORY_DNSMASQ}:/etc/dnsmasq.d/
    networks:
      edge:
        ipv4_address: 172.16.0.61
    restart: unless-stopped
```
My pihole configuration includes 32 Local DNS Records for devices on my network. The settings also permit all origins.
On the edge server I have created a bridge network with the following settings:
```
docker network create --driver bridge --ipam-driver default \
  --subnet 172.16.0.0/24 --gateway 172.16.0.1 edge
```
The other docker containers running services on the edge server connect to the same docker network, and I have set the containers to have the following ip addresses:
| Name | Network | Hostname | IP address | Gateway |
|---|---|---|---|---|
| duckdns | edge | edge-server | 172.16.0.11 | 172.16.0.1 |
| npm_app | edge | edge-server | 172.16.0.21 | 172.16.0.1 |
| npm_db | edge | edge-server | 172.16.0.26 | 172.16.0.1 |
| wireguard | edge | edge-server | 172.16.0.31 | 172.16.0.1 |
| uptime-kuma | edge | edge-server | 172.16.0.41 | 172.16.0.1 |
| netdata | edge | edge-server | 172.16.0.51 | 172.16.0.1 |
| pihole | edge | edge-server | 172.16.0.61 | 172.16.0.1 |
The network on the edge server has the following relevant entries in ifconfig:
```
$ ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.91  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::e839:490d:913c:7957  prefixlen 64  scopeid 0x20<link>
        ether e4:5f:01:0c:74:46  txqueuelen 1000  (Ethernet)
        RX packets 26258998  bytes 5743183125 (5.3 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 15522922  bytes 3370294593 (3.1 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

$ ifconfig br-1fea8a449a07
br-1fea8a449a07: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.0.1  netmask 255.255.255.0  broadcast 172.16.0.255
        inet6 fe80::42:11ff:fe3f:1a7  prefixlen 64  scopeid 0x20<link>
        ether 02:42:11:3f:01:a7  txqueuelen 0  (Ethernet)
        RX packets 2898209  bytes 2325655500 (2.1 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3000493  bytes 3571468991 (3.3 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

$ ifconfig lo
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 163469  bytes 10690634 (10.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 163469  bytes 10690634 (10.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```
On a remote device such as a phone or laptop I can connect to my wireguard docker container, which routes me through to the internet, but it does not allow me to access my network via domain names. For example, rather than using http://edge-server:8080/admin to access the pi-hole dashboard, I have to use http://192.168.1.91:8080/admin when connected remotely. The wireguard container uses the following docker-compose.yml structure:
```yaml
version: '2.1'
networks:
  edge:
    name: edge
    external: true
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    hostname: edge-server
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    ports:
      - '51820:51820/udp' # wireguard
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      - SERVERURL=${SERVERURL}
      - SERVERPORT=${SERVERPORT}
      - PEERS=${PEERS}
      - PEERDNS=172.16.0.61
      - INTERNAL_SUBNET=10.13.13.0
      - ALLOWEDIPS=10.13.13.0/24,172.16.0.0/24,192.168.1.0/24,0.0.0.0/0
      - LOG_CONFS=false
    volumes:
      - ${APPDATA}:/config
      - /lib/modules:/lib/modules
    networks:
      edge:
        ipv4_address: 172.16.0.31
    restart: unless-stopped
```
The wireguard container generated the following wg0.conf file:
```ini
[Interface]
Address = 10.13.13.1
ListenPort = [port]
PrivateKey = [key]
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE

[Peer]
# peer_test
PublicKey = [key]
PresharedKey = [key]
AllowedIPs = 10.13.13.2/32
```
Along with the following peer_test.conf file:
```ini
[Interface]
Address = 10.13.13.2
PrivateKey = [key]
ListenPort = [port]
DNS = 172.16.0.61

[Peer]
PublicKey = [key]
PresharedKey = [key]
Endpoint = [serverurl]:[serverport]
AllowedIPs = 10.13.13.0/24,172.16.0.0/24,192.168.1.0/24,0.0.0.0/0
```
I've tried to set the wireguard DNS to 172.16.0.61 and 192.168.1.91 but I feel I've been trying different things and need to take a step back.
If anyone has any insight on this, I'd very much appreciate it!
The pihole debug token has been uploaded.
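As an added example (not part of the post, the linuxserver/wireguard image or Pi-hole), here is a small Python check of a generated peer config against the subnets described above: it parses the .conf, verifies that the DNS resolver address is covered by AllowedIPs (otherwise the client's DNS queries leave the tunnel and local names can never resolve) and reports whether that resolver sits on the Docker bridge or the LAN. The subnet constants are taken from the post; the config text is constructed with placeholder keys.

```python
import ipaddress

INTERNAL_SUBNET = ipaddress.ip_network("10.13.13.0/24")  # WireGuard INTERNAL_SUBNET
DOCKER_SUBNET = ipaddress.ip_network("172.16.0.0/24")    # the "edge" bridge network
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")      # the home LAN

PEER_TEST_CONF = """\
[Interface]
Address = 10.13.13.2
PrivateKey = [key]
ListenPort = [port]
DNS = 172.16.0.61
[Peer]
PublicKey = [key]
PresharedKey = [key]
Endpoint = [serverurl]:[serverport]
AllowedIPs = 10.13.13.0/24,172.16.0.0/24,192.168.1.0/24,0.0.0.0/0
"""

def parse_wg_conf(text):
    """Parse a WireGuard .conf into a list of (section name, {key: value}) pairs."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments such as '# peer_test'
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = value
    return sections

def check_peer_conf(text):
    """Report whether DNS stays inside the tunnel and which subnet the resolver is on."""
    sections = dict(parse_wg_conf(text))  # a client conf has one Interface and one Peer
    iface, peer = sections["Interface"], sections["Peer"]
    dns = ipaddress.ip_address(iface["DNS"])
    address = ipaddress.ip_interface(iface["Address"].split(",")[0]).ip  # first address only
    allowed = [ipaddress.ip_network(n.strip()) for n in peer["AllowedIPs"].split(",")]
    if dns in DOCKER_SUBNET:
        dns_network = "docker bridge"  # reachable from the wireguard container's bridge, not routable from LAN hosts
    else:
        dns_network = "lan" if dns in LAN_SUBNET else "other"  # LAN address reaches Pi-hole via published port 53
    return {
        "dns_in_allowed_ips": any(dns in net for net in allowed),  # False means DNS queries bypass the tunnel
        "address_in_tunnel_subnet": address in INTERNAL_SUBNET,
        "dns_network": dns_network,
    }
```

Running `check_peer_conf(PEER_TEST_CONF)` on the posted config reports the resolver as covered by AllowedIPs and located on the Docker bridge, so the remaining question is whether that bridge address answers queries arriving through the tunnel.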