I have added ! -d 192.168.0.0/16 and ! -d fc00::/7 to Wireguard's killswitch example (see man wg-quick EXAMPLES):

PostUp = iptables -I OUTPUT ! -d 192.168.0.0/16 ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = ip6tables -I OUTPUT ! -d fc00::/7 ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

This lets me access other hosts on my 192.168.X.X network while the VPN is running. It does however appear to block DNS lookups to domains such as myhost.local. I say this because I can connect to the VPN and still ping myhost.local. After only a few minutes of running the VPN, the ping stops working and reports: ping: myhost.local: Name or service not known. I'm guessing the DNS cache expired.

My understanding is that since I did not specify the protocol in iptables (like -p udp) it should exclude all protocols from the REJECT rule.

I'm able to bring the VPN up without iptables and ip6tables rules and I am always able to resolve myhost.local.

Do you think it is still rejecting UDP DNS lookups on some other criteria? How can I tweak the rule to allow for local DNS lookups?
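The following is an added example, not part of the original post: a small Python model of the two REJECT rules quoted above, used to check which outgoing packets they would reject. The interface name wg0, the fwmark value and the sample packets are constructed placeholders; the assumption that .local names are resolved over mDNS (UDP to 224.0.0.251 / ff02::fb) is mine, not stated in the post.

```python
import ipaddress
from dataclasses import dataclass

# The "! -d" exceptions from the two rules in the post.
LAN_EXCEPTIONS = [ipaddress.ip_network("192.168.0.0/16"),
                  ipaddress.ip_network("fc00::/7")]
WG_IFACE = "wg0"        # stands in for %i in the wg-quick template
WG_FWMARK = 0xCA6C      # placeholder for $(wg show %i fwmark)


@dataclass
class Packet:
    dst: str
    out_iface: str
    mark: int = 0
    dst_is_local: bool = False  # what "-m addrtype --dst-type LOCAL" would see


def killswitch_rejects(pkt: Packet) -> bool:
    """True if the rule's negated matches ALL hold, i.e. the packet is REJECTed."""
    dst = ipaddress.ip_address(pkt.dst)
    # "! -d 192.168.0.0/16" (v4 rule) / "! -d fc00::/7" (v6 rule)
    if any(dst in net for net in LAN_EXCEPTIONS if net.version == dst.version):
        return False
    if pkt.out_iface == WG_IFACE:   # "! -o %i": traffic entering the tunnel
        return False
    if pkt.mark == WG_FWMARK:       # "-m mark ! --mark": encapsulated WG packets
        return False
    if pkt.dst_is_local:            # "-m addrtype ! --dst-type LOCAL"
        return False
    return True


def classify(packets):
    return {p.dst: killswitch_rejects(p) for p in packets}


SAMPLE = [  # constructed sample packets, all leaving on the LAN interface
    Packet("192.168.1.53", "eth0"),            # unicast DNS to a LAN resolver
    Packet("224.0.0.251", "eth0"),             # mDNS query for myhost.local (IPv4)
    Packet("ff02::fb", "eth0"),                # mDNS query (IPv6)
    Packet("203.0.113.9", "eth0", WG_FWMARK),  # WireGuard's own encapsulated UDP
    Packet("198.51.100.7", "eth0"),            # unmarked traffic bypassing the tunnel
]

if __name__ == "__main__":
    for dst, rejected in classify(SAMPLE).items():
        print(f"{dst:15} -> {'REJECT' if rejected else 'pass'}")
```

Multicast mDNS destinations fall outside both exception prefixes, so under this model they are rejected even though unicast LAN traffic passes.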