
Problem: Wireguard obfuscates DNS requests, so all DNS lookups from devices connected via VPN are seen as coming from the Wireguard server. This prevents me from setting up per-device DNS white/black lists.

Entering IP of internal DNS server as DNS in Wireguard profile does not work (nothing resolves) despite access to that IP through VPN.

Do I need to set DNS server as one of Wireguard clients for it to work? How to do it properly if DNS and Wireguard are hosted at same server under same IP?

Setup
  • Client device: some crappy half-obsolete Android
  • Server: Raspberry Pi with Raspbian hosting PiHole and Wireguard inside of Docker.

Full story: I have a Wireguard VPN setup in my home network. Everything works fine and I can access all the goodies with just a single open port, yay for not having to secure all the apps.

One of the goodies is an internal DNS server, PiHole, with direct access (no router acting as intermediate DNS), so the server sees all devices separately, which allows me to tinker around with per-device whitelists. This is an important feature to me as I have to use some badly written applications which crash when some google spy service is not available. Everything works fine inside of the local network, with PiHole nicely distinguishing each device, but once connected through VPN, PiHole sees DNS requests as originating from the Wireguard server.

PTwr
  • Don't configure your wireguard server to do masquerading. Set up subnets and route the subnets. Presto, no more connections coming from the WG server; they will come from the individual IPs assigned to the clients. – vidarlo Mar 26 '22 at 08:22
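vidarlo's comment is the crux: with a MASQUERADE rule on the server, every VPN client's source address is rewritten to the server's address before the packet reaches Pi-hole, so no per-device rule can ever match. The script below is an added example (not from the question or any answer) that renders the two server-side `[Interface]` variants side by side, the fixed per-client `/32` peer entry that routed mode relies on, and the return route the LAN side needs so replies to VPN addresses go back through the WireGuard server. All addresses (10.13.13.0/24 for the VPN, 192.168.1.0/24 for the LAN, 192.168.1.10 for the Pi), interface names and key placeholders are assumptions.

```shell
#!/bin/sh
# Added example: masquerading vs routed WireGuard server config.
# Every address, interface name and key below is an assumed placeholder.

WG_NET="10.13.13.0/24"      # VPN subnet (assumed)
PI_LAN_IP="192.168.1.10"    # WireGuard/Pi-hole host on the LAN (assumed)
WG_IF="wg0"
LAN_IF="eth0"

# Render an [Interface] section. mode=masquerade hides every client behind
# the server's LAN address; mode=routed forwards packets with the client's
# own VPN source address intact.
wg_server_interface() {
  mode="$1"
  cat <<EOF
[Interface]
Address = 10.13.13.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY_PLACEHOLDER>
EOF
  case "$mode" in
    masquerade)
      cat <<EOF
PostUp = iptables -A FORWARD -i $WG_IF -j ACCEPT; iptables -t nat -A POSTROUTING -o $LAN_IF -j MASQUERADE
PostDown = iptables -D FORWARD -i $WG_IF -j ACCEPT; iptables -t nat -D POSTROUTING -o $LAN_IF -j MASQUERADE
EOF
      ;;
    routed)
      cat <<EOF
PostUp = iptables -A FORWARD -i $WG_IF -j ACCEPT; iptables -A FORWARD -o $WG_IF -j ACCEPT
PostDown = iptables -D FORWARD -i $WG_IF -j ACCEPT; iptables -D FORWARD -o $WG_IF -j ACCEPT
EOF
      ;;
    *) echo "unknown mode: $mode" >&2; return 1 ;;
  esac
}

# One peer entry with a fixed /32, so the client's VPN address is stable and
# can be listed in a per-device Pi-hole rule next to its LAN address.
wg_server_peer() {
  name="$1"; ip="$2"; pubkey="$3"
  cat <<EOF

# $name
[Peer]
PublicKey = $pubkey
AllowedIPs = $ip/32
EOF
}

# Routed mode also needs LAN hosts (or the LAN router) to know that the VPN
# subnet sits behind the WireGuard server; without this, LAN->VPN replies
# are sent to the default gateway and the ping from the LAN fails.
lan_return_route_cmd() {
  echo "ip route add $WG_NET via $PI_LAN_IP"
}

# Source address Pi-hole will log for a given client in each mode.
expected_dns_source() {
  mode="$1"; client_ip="$2"
  case "$mode" in
    masquerade) echo "$PI_LAN_IP" ;;   # everyone looks like the server
    routed)     echo "$client_ip" ;;   # each client keeps its own address
    *) return 1 ;;
  esac
}

# Usage: sh wg-routed.sh show   (prints the routed variant and the LAN route)
if [ "${1:-}" = "show" ]; then
  wg_server_interface routed
  wg_server_peer "android" 10.13.13.2 "<CLIENT_PUBLIC_KEY_PLACEHOLDER>"
  lan_return_route_cmd
fi
```

The routed variant keeps the FORWARD accepts but drops the `nat` table entry entirely; the per-device distinction Pi-hole needs is exactly what MASQUERADE destroys, so there is no Pi-hole-side setting that can recover it.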

1 Answer


It's possible I've customised here, so please forgive me if I have, but in my setups at least each device gets an IP that's routable on the local network (to some degree; it's a separate subnet but reachable).

In this case I can ping the WireGuard IP of the connected devices from inside the LAN and those IPs are fixed by their WireGuard configs.

Therefore all you'd need to do is associate both their native IP when on the LAN and their WireGuard IP with the rules in question.

If you aren't getting routable, pingable IPs for them, let me know and I can dig out the WireGuard config that is generating them. If they are behind a NAT on the WireGuard side then it won't ever be possible to filter on a per-device basis.

Sam Foley
  • I'm pretty much running vanilla WG from linuxserver docker image, so docker might be screwing with networking. VPN and LAN got different subnets but VPN->LAN and VPN->VPN works fully. For LAN->VPN ping fails even from WG server. – PTwr Mar 17 '22 at 14:47
  • @PTwr Pi-Hole logs DNS requests, right? If your VPN clients can talk to your LAN, have one of them query a random unique DNS record and see what it says for the source IP on the pi-hole; that will tell you whether they are NATing or routing directly. If they are routing directly then you should be good to go? Also, just a quick sidenote: the docker host cannot reach wireguard clients, you need to try another device; this is because of docker isolation and I never looked into fixing it. – Sam Foley Mar 17 '22 at 15:39
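Sam Foley's check from the comments (query a unique name from a VPN client, then read the source address Pi-hole recorded for it) as an added shell example that is not part of the answer. It reads Pi-hole's dnsmasq-format query log (`query[A] <name> from <ip>`); the log lines, the server address 192.168.1.10 and the VPN prefix 10.13.13. are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from Pi-hole's dnsmasq-style query log whether VPN
# clients reach Pi-hole NATed (all from the server address) or routed
# (each from its own VPN address). The log lines below are constructed.

WG_SERVER_IP="192.168.1.10"   # address the WireGuard host shows under NAT (assumed)
WG_PREFIX="10.13.13."         # VPN subnet prefix (assumed)

# Constructed sample of /var/log/pihole.log content.
SAMPLE_LOG='Mar 17 14:47:01 dnsmasq[123]: query[A] laptop.lan from 192.168.1.42
Mar 17 14:47:05 dnsmasq[123]: query[A] unique-test-7f3a.example.com from 10.13.13.2
Mar 17 14:47:09 dnsmasq[123]: query[A] ads.example.net from 192.168.1.10
Mar 17 14:47:12 dnsmasq[123]: reply unique-test-7f3a.example.com is 93.184.216.34'

# Print "<name> <source-ip>" for every query line for the given name.
# Fields: 1-3 timestamp, 4 dnsmasq[pid]:, 5 query[TYPE], 6 name, 7 from, 8 ip.
query_sources() {
  name="$1"
  printf '%s\n' "$SAMPLE_LOG" | awk -v n="$name" '
    $5 ~ /^query\[/ && $6 == n { print $6, $8 }'
}

# Classify one source address: nat (server address), routed (VPN address)
# or lan (an ordinary LAN host).
classify_source() {
  src="$1"
  case "$src" in
    "$WG_SERVER_IP") echo nat ;;
    "$WG_PREFIX"*)   echo routed ;;
    *)               echo lan ;;
  esac
}

# The check itself: look up who Pi-hole says asked for the unique name.
# Prints "<class> <ip>"; fails if the name was never queried (so either the
# client's DNS is not pointed at Pi-hole or the query never arrived).
check_unique_query() {
  name="$1"
  src=$(query_sources "$name" | awk 'NR==1 {print $2}')
  [ -n "$src" ] || { echo "no query for $name seen" >&2; return 1; }
  echo "$(classify_source "$src") $src"
}

# Usage: prints "routed 10.13.13.2" for the constructed sample.
check_unique_query unique-test-7f3a.example.com
```

If the result is `nat 192.168.1.10`, the clients are masqueraded and no per-device rule will ever match; if it is `routed 10.13.13.x`, the fixed VPN address can be added to the device's Pi-hole rules alongside its LAN address, as the answer suggests.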