Score:0

Internal DNS without Wireguard "proxy"


Problem: Wireguard obfuscates DNS requests, so all DNS lookups from devices connected via VPN are seen as coming from the Wireguard server. This prevents me from setting up per-device DNS white/black lists.

Entering the IP of the internal DNS server as DNS in the Wireguard profile does not work (nothing resolves) despite access to that IP through the VPN.

Do I need to set the DNS server as one of the Wireguard clients for it to work? How do I do it properly if DNS and Wireguard are hosted on the same server under the same IP?

Setup
Client device: some crappy half-obsolete Android
Server: Raspberry Pi with Raspbian hosting PiHole and Wireguard inside of Docker.

Full story: I have a Wireguard VPN setup in my home network. Everything works fine and I can access all the goodies with just a single open port, yay for not having to secure all the apps.

One of the goodies is an internal DNS server, PiHole, with direct access (no router acting as an intermediate DNS), so the server sees all devices separately, which allows me to tinker around with a per-device whitelist. This is an important feature to me, as I have to use some badly written applications which crash when some Google spy service is not available. Everything works fine inside the local network, with PiHole nicely distinguishing each device, but once connected through the VPN, PiHole sees DNS requests as originating from the Wireguard server.

vidarlo:
Don't configure your wireguard server to do masquerading. Set up subnets and route the subnets. Presto, no more connections coming from the WG server; they will come from the individual IPs assigned to the clients.
Score:1

It's possible I've customised here, so please forgive me if I have, but in my setups at least each device gets an IP that's routable on the local network (to some degree; it's a separate subnet but reachable).

In this case I can ping the WireGuard IP of the connected devices from inside the LAN and those IPs are fixed by their WireGuard configs.

Therefore all you'd need to do is associate both their native IP when on the LAN and their WireGuard IP with the rules in question.

If you aren't getting routable, pingable IPs for them, let me know and I can dig out the WireGuard config that is generating them. If they are behind a NAT on the WireGuard, then it won't ever be possible to filter on a per-device basis.

PTwr:
I'm pretty much running vanilla WG from the linuxserver docker image, so docker might be screwing with networking. VPN and LAN got different subnets, but VPN->LAN and VPN->VPN work fully. For LAN->VPN, ping fails even from the WG server.
Sam Foley:
@PTwr Pi-Hole logs DNS requests, right? If your VPN clients can talk to your LAN, have one of them query a random unique DNS record and see what it says for the source IP on the pi-hole; that will tell you whether they are natting or routing directly. If they are routing directly, then you should be good to go? Also, just a quick sidenote: the docker host cannot reach wireguard clients, you need to try another device. This is because of docker isolation, and I never looked into fixing it.
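As an added example (not code from the question or the answers above), here is a small Python check that applies the probe Sam Foley describes to Pi-hole's query log: it reads constructed sample lines in the dnsmasq format Pi-hole writes to /var/log/pihole.log and reports whether VPN clients appear under their own tunnel addresses (routed) or collapse onto the WireGuard server's address (masqueraded). The subnets and addresses are assumptions, since the thread gives none.

```python
"""Classify Pi-hole query-log sources: NAT'd VPN clients vs. routed ones."""
import ipaddress
import re
from collections import Counter

# Assumed addressing (the thread names no addresses): LAN, WireGuard tunnel
# subnet, and the address Pi-hole sees for the WireGuard server itself. In a
# Docker deployment that last one may be the docker bridge address instead.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
VPN_NET = ipaddress.ip_network("10.8.0.0/24")
WG_SERVER_IP = ipaddress.ip_address("192.168.1.2")

# dnsmasq "log-queries" line shape used by Pi-hole; other line kinds are skipped.
QUERY_RE = re.compile(r"query\[(?P<qtype>[^\]]+)\] (?P<name>\S+) from (?P<src>\S+)")

# Constructed sample log: one LAN client, one VPN client whose queries arrive
# as the WG server (masqueraded), one VPN client seen under its tunnel address.
SAMPLE_LOG = """\
Mar  1 10:00:01 dnsmasq[612]: query[A] laptop-test-a1b2.example.com from 192.168.1.20
Mar  1 10:00:02 dnsmasq[612]: query[A] phone-test-c3d4.example.com from 192.168.1.2
Mar  1 10:00:03 dnsmasq[612]: query[AAAA] phone-test-c3d4.example.com from 192.168.1.2
Mar  1 10:00:04 dnsmasq[612]: forwarded phone-test-c3d4.example.com to 1.1.1.1
Mar  1 10:00:05 dnsmasq[612]: query[A] tablet-test-e5f6.example.com from 10.8.0.3
"""


def parse_queries(log_text):
    """Yield (queried name, source address) for each query line."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("name"), ipaddress.ip_address(m.group("src"))


def classify_source(src):
    """Label a source address by what it tells us about the VPN path."""
    if src == WG_SERVER_IP:
        return "masqueraded-vpn"  # clients collapse onto the server: NAT in the path
    if src in VPN_NET:
        return "routed-vpn"       # per-client tunnel address visible: no masquerade
    if src in LAN_NET:
        return "lan"
    return "other"


def diagnose(log_text):
    """Count query sources per class; any 'masqueraded-vpn' hits break per-device rules."""
    return dict(Counter(classify_source(src) for _name, src in parse_queries(log_text)))


def source_for(log_text, unique_name):
    """Source addresses seen for one unique probe name (the test Sam Foley suggests)."""
    return sorted({str(src) for name, src in parse_queries(log_text) if name == unique_name})
```

Run the probe from a VPN client with a name nobody else will ask for, then pass that name to source_for: a tunnel address means routing is in place, the server's address means masquerading is still on.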