I’m trying to setup Wireguard to use as a VPN on my server using this guide. I currently run Pihole on the same machine.
LAN | 192.168.1.* |
WG | 10.14.0.* |
WG Server Addr | 10.14.0.1 |
WG Client Addr | 10.14.0.10 |
The handshake succeeds, and I can even ping IP addresses. However, it doesn’t receive DNS responses. I checked in Wireshark and see the following:
WAN Client IP -> | Server IP | [Wireguard] |
WG Client IP -> | Server IP | [DNS Request] |
Server IP -> | Server IP | [DNS Request] |
Server IP -> | Server IP | [DNS Response] |
WG Server Addr -> | WG Client Addr | [DNS Response] |
WG Client Addr -> | WG Server Addr | [ICMP Port unreachable] |
I’m admittedly pretty inexperienced when it comes to routing, but I’ve been at this for days with no success. Any help would be greatly appreciated.
Edit
I now realize that it would have been relevant to mention the my Pihole instance was running inside a rootless podman container.
To test things further, I wrote a small echo server and spun it up on bare metal. Wireguard had no issues with that. My guess is that something between wireguard and specifically rootless podman was going wrong. I still don’t know what, unfortunately.
My fix was to put Pihole in a privileged podman container with a network and static IP e.g. --net bridge:ip=10.88.0.230
. I also put wireguard into a privileged podman container on the same network --net bridge
. Finally, I set the peer DNS to the Pihole’s static IP on the podman network (10.88.0.230).
As I said before, I still don’t know why podman wasn’t replying to the correct IP initially. I’m happy with my fix, but I’d still prefer the containers to be rootless so feel free to message me if you have any suggestions.
Your DNS might be configured to only answer local (from 192 addresses) requests. Did you enable IP masquerading?
Yes. And I set Pi-hole to respond to any interface. Plus, I can see the response being sent in Wireshark. It only gets blocked inside the wireguard interface.
Ok so you see your request in the pihole log? Which address does it show?
I do see the request. I’m running it inside a container so all the clients show up as the container’s hostname.
Can you get to the pihole admin page over wg? Trying to narrow down if it’s just port 53 or everything else too.
Nope. I can’t ssh in either.
Ok what’s your container setup? LXC? Docker? Compose?
Is the WG server also a container?
Rootless podman. The plan is to eventually move WG into a container once I get it working, but it’s running on bare metal at the moment.
Commenting for visibility. Have had similar issues and not taken the time to dive into them yet. Thanks for the post, I’ll be watching with great interest.
Just wanted to let you know I somewhat found a solution and edited my post to reflect that.
Thanks again.
Try using the lan address of the dns server instead of the wireguard address.
What are you using for dns? You may need to allow access from all interfaces if your dns server is also a wireguard peer
if you’re on pihole: https://docs.pi-hole.net/ftldns/interfaces/
I am. Server IP is 192.168.1.xxx. DNS server is running on that machine. It already allows access from all interfaces. I just don’t have port 53 natted from my router to avoid creating an open resolver.
I just don’t have port 53 natted from my router to avoid creating an open resolver.
Do you mean you have all port 53 redirecting to your local DNS on your firewall?
No. I mean that my router doesn’t forward requests for port 53 to my server. My server’s firewall does allow access to port 53, and all my LAN devices are able to use it freely.
So, you’re running two exclusive DNS resolvers, one on your router and one on your pihole box? Or just one on the pihole box and using the local address of it for all LAN dns?
Why have a firewall on the pihole box at all? As long as it isnt in the DMZ you shouldn’t need it. I would try disabling it completely and see if dns on your wg peers starts working.
Just one on the pihole box and using the local address of it for all LAN DNS.
It is in the DMZ. I also use the box for Jellyfin so I want it remotely accessible.
I just tried disabling it for a short while with the same result. It still gets blocked in the 10.14.0.* network.
Hey I don’t really have a solution for you, but if you are still stuck on this, give tailscale a try.
I used to have a manually-configured WireGuard server too, and had a lot of the same issues you are.
Now I just use tailscale to manage that (it’s still a WireGuard backend just like you are looking for) and I actually have my Pihole configured as the DNS host for my local network and my Tailnet so it’s used by all of my devices even remotely.
So the same outcome you are looking for but with a slightly different path to get there
I’ll check it out. Thanks!
I had dns issues until I got my allowed ips squared away. You could try setting it to 0.0.0.0/0 if it’s not already to verify it’s not the problem.
Didn’t work, unfortunately. Same exact issues
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters DNS Domain Name Service/System IP Internet Protocol LXC Linux Containers NAT Network Address Translation VPN Virtual Private Network
4 acronyms in this thread; the most compressed thread commented on today has 10 acronyms.
[Thread #218 for this sub, first seen 16th Oct 2023, 17:05] [FAQ] [Full list] [Contact] [Source code]
Is it the server telling the server that the client’s port is unreachable or is it the client telling the server that the port is unreachable? Do you see the packets traveling over the Wireguard interface? Do you see the response if you use Wireguard from the client?
The request traced out is incorrect. WG Client IP initiates a DNS request to Server IP, and then WG Client Addr receives a response from WG Server Addr. The DNS response should come from the same IP that the request was sent to. The client may be rejecting a response coming from an unexpected source. If you’re doing masquerading instead of plain routing, you need to make sure that you’re doing NAT in both directions.