Netgate Discussion Forum

Sending DNS Resolver queries through Wireguard tunnel

Category: WireGuard
7 Posts, 3 Posters, 3.2k Views
packetpirate (Jul 24, 2021, 8:50 AM)

With pfSense 2.5.2 I decided to switch from OpenVPN to WireGuard for my on-router VPN. In my old setup I had the outgoing interface in the DNS Resolver set to my OpenVPN interface. This ensured no DNS leaks when making requests to authoritative servers.

I have set up the WireGuard tunnel without issue, assigned an interface with a static IP, and a new upstream gateway for the WireGuard interface. My firewall rule routes everything from LAN net to the new WireGuard gateway, and this works perfectly.

My issue is when I set the DNS Resolver outbound interface to the WireGuard interface, I lose DNS resolution.

I believe the issue comes from my NAT configuration. So far I have a NAT rule for the local network to the WireGuard interface. Do I need to add a rule of some sort to allow the WireGuard tunnel to make DNS requests? Maybe something from the static WireGuard IP?

gabacho4 @packetpirate (Jul 24, 2021, 9:43 AM, edited 9:47 AM)

@packetpirate ok, you have a couple of things that need to be changed. First of all, when you log into the other box, what is the IP address that appears as the one accessing pfSense? Your local LAN or your WireGuard IP? Based on what you described it should be your WireGuard IP. This isn't right. Remove the NAT rule; you don't need one. Just make sure that you have a policy-based routing rule on your LAN firewall tab that sends all traffic over your WireGuard gateway. Then make sure that you have static route(s) for your LAN subnet over the WireGuard gateway. This should then make sure that your local LAN IP is the one that shows as accessing the remote pfSense. You then need to make sure you have a NAT rule on the remote side that allows your local LAN subnet to be put through the remote WAN.

Just to be sure, do you have your local pfSense WireGuard allowed IPs set to 0.0.0.0/0? It should be that if you're trying to route DNS. Assuming you're also routing internet traffic as well, of course.

Next question is what are you using for DNS resolution. Your pfSense box or something else like a Pi-hole?

packetpirate @gabacho4 (Jul 24, 2021, 9:54 AM, edited 9:56 AM)

@gabacho4 Sorry if I was unclear, my WireGuard tunnel goes to Mullvad VPN, not a site-to-site that I operate. I am using WireGuard to route all the traffic on my network through Mullvad VPN. As for the DNS Resolver, I am just using the pfSense built-in one.

I do have 0.0.0.0/0 as the allowed IPs on my WireGuard peer.

For routing I have one rule on my LAN tab, which passes all of LAN net to the Mullvad gateway.

For NAT I have one rule on the Mullvad interface which does my LAN net to the Mullvad addresses.

I read the bit about static routing in the Netgate documentation but was not sure if I needed that. I followed more or less the video from Christian McDonald but without the failovers. https://www.youtube.com/watch?v=wYe7FzZ_0X8

Do I need to do the static route? What is that exactly?

gabacho4 @packetpirate (Jul 24, 2021, 10:03 AM)

@packetpirate nah, you don't need static routes for Mullvad. Sorry, I had assumed you were using a site-to-site. Looks like everything is good then. So if you leave the resolver just as it is (all versus just Mullvad for outbound queries) and then go to Mullvad.net and do a leak test, what shows up? My setup is a little different as I'm using a Pi-hole; however, it forwards to OpenDNS servers over my WAN gateway and Mullvad still shows me as not leaking and using their DNS. Are you resolving on your pfSense box or do you have forwarding set to another DNS service like Google or Cloudflare or OpenDNS?

packetpirate @gabacho4 (Jul 24, 2021, 11:49 AM, edited 11:56 AM)

@gabacho4 If I set the resolver to ALL and I check the DNS leak, I get my home IP as a leak. This tells me the ALL is going over WAN. Which is why I had it set to the Mullvad interface; however, when I do that I cannot resolve at all. It is strange because if I set it to my old OpenVPN interface, then it works (if I have OpenVPN running). So the problem seems to be specific to my Mullvad/WireGuard interface.

I also tried setting the DNS Resolver to ALL, and then setting my default gateway to the Mullvad interface. I get the same result as if I set the Mullvad interface directly (does not work).

The DNS Resolver is set to resolve directly on the pfSense box, no forwarding to any services. So the connection in question is from the pfSense box to the authoritative servers; it's like this request is not being correctly NATed or something.

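The post above describes the two outcomes the poster saw: a leak test that reports the home (WAN) address when the Resolver egresses over ALL interfaces, and no resolution at all when it is bound to the Mullvad interface. The following is an added example, not code from the thread or from pfSense, that turns that manual leak test into a repeatable check you can run from a LAN client that uses pfSense as its only DNS server. It relies on whoami.akamai.net, which answers with the address of the recursive resolver that queried Akamai's authoritative servers, i.e. the Resolver's egress IP as the authoritative side sees it. The WAN address is supplied on the command line; the addresses in the comments are constructed stand-ins, not real values from the thread.

```python
# Added example (not from the Netgate thread): check which address the
# pfSense DNS Resolver egresses from when it recurses to authoritative
# servers, and map the result onto the outcomes described in the post.
import ipaddress
import socket
import sys
from typing import Optional

# whoami.akamai.net returns, as an A record, the source address of the
# recursive resolver that contacted Akamai's authoritative servers.
PROBE_NAME = "whoami.akamai.net"


def resolver_egress_ip(name: str = PROBE_NAME) -> Optional[str]:
    """Ask the system resolver (pfSense, via DHCP) for the probe name.

    Returns the egress address the authoritative side saw, or None when the
    resolver cannot resolve at all (SERVFAIL/timeout), which is the failure
    mode reported when the Resolver is bound to the Mullvad interface.
    """
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def classify_egress(egress_ip: Optional[str], wan_ip: str) -> str:
    """Classify the Resolver's egress address relative to the WAN address.

    NO_ANSWER  no resolution at all (resolver bound to a tunnel it cannot
               actually send through)
    LEAK       recursion left via the WAN interface, exactly what the Mullvad
               leak test reports as the home IP
    PRIVATE    the authoritative side is not being reached; a private or
               reserved address answered, so something upstream (or the
               tunnel provider's DNS hijacking) intercepted the query
    TUNNEL     recursion left via some other public address, i.e. the VPN
               exit; this is the desired state
    """
    if egress_ip is None:
        return "NO_ANSWER"
    addr = ipaddress.ip_address(egress_ip)
    # Compare before the private check so a private WAN (e.g. CGNAT) still
    # counts as a leak when the egress matches it.
    if addr == ipaddress.ip_address(wan_ip):
        return "LEAK"
    if addr.is_private:
        return "PRIVATE"
    return "TUNNEL"


def main(argv: list) -> int:
    """Usage: dns_egress_check.py <your-WAN-public-ip>  (hypothetical name)."""
    if len(argv) != 2:
        print(f"usage: {argv[0]} <your-WAN-public-ip>", file=sys.stderr)
        return 2
    verdict = classify_egress(resolver_egress_ip(), argv[1])
    print(verdict)
    # Non-zero exit unless DNS recursion demonstrably leaves via the tunnel,
    # so the script can sit in a cron job or a post-reconnect hook.
    return 0 if verdict == "TUNNEL" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once with the Resolver's outgoing interface set to ALL (expect LEAK, matching the leak test in the post) and once bound to the WireGuard interface (the post's symptom maps to NO_ANSWER); a working configuration returns TUNNEL. Note that ipaddress treats the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as private, so do not use them as a stand-in for a real tunnel exit when reasoning about the PRIVATE verdict.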
packetpirate @packetpirate (Jul 24, 2021, 12:13 PM)

One thing I just remembered: Mullvad does DNS hijacking on the standard OpenVPN ports; you need to use 1400 UDP or 1401 TCP in order to get DNS requests through their OpenVPN tunnels. I wonder if there is something like that going on for the WireGuard side, which would be preventing my requests from going through.

thimplicity (Jun 26, 2022, 8:15 PM)

@packetpirate
It seems like I am facing the same problem:

https://forum.netgate.com/topic/173025/mullvad-gateway-as-dns-resolver-gateway-does-not-work

Did you ever solve yours?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.