Netgate Discussion Forum
    Wireguard SiteToSite VPN DNS problems

    WireGuard

    Hangnail6119

      Hi,
      I was able to configure an S2S connection between 2 sites; my config is based on this video: https://youtu.be/2oe7rTMFmqc

      And everything is good, except DNS. I did not do any NAT, only a basic connection with static routes.
      I have those 2 sites, let's call them SERVERS_SITE and CLIENT_SITE. I want the CLIENT_SITE pfSense to be able to resolve DNS queries sent to the SERVERS_SITE pfSense using the WG tunnel.

      On SERVER_SITE under Services > DNS Resolver > Access Lists I added an entry that allows clients from the CLIENT_SITE subnet, and those clients can access the DNS directly (via the SERVERS_SITE pfSense IP), but the CLIENT_SITE pfSense can't do that. My guess is that pfSense sends requests using the WAN IP that is not in the ACL on SERVERS_SITE, but if that IP is dynamic and I add it then it might work for some time and then break again.

      Under System > General Setup I tried different configs for that endpoint:
      a) I used the WG IP, I used some other VLAN IP, with gateway NONE
      b) I tried using the WG IP with the WG Gateway, but I get the message "A gateway cannot be specified for XX.XX.XX.0 because that IP address is part of a directly connected subnet XX.XX.XX.0/31. To use that nameserver, change its Gateway to none."
      c) I tried using just the VLAN IP with the WG Gateway and then I get the message: "A gateway cannot be specified for YY.YY.YY.1 because that IP address is part of a directly connected subnet YY.YY.YY.0/24. To use that nameserver, change its Gateway to none."

      So the default IP does not work and I can't set the gateway DNS server, so I think I reached a dead end. Is there something that I am missing? Or something else that I need to configure?

      Hangnail6119 @Hangnail6119

        @Hangnail6119 OK, a few updates that I found out after digging a lot more.

        1. In the S2S config pfSense uses the transit network IP address, so if you have a tunnel as in the video, 10.100.90.0/31, that means your sites when sending requests to the other end will use those tunnel IPs: 10.100.90.0 and 10.100.90.1
        2. The firewall that is asked for a DNS record needs to have an Access Lists record for the tunnel. Otherwise it will just refuse those requests.
        3. You don't need to add the other firewall as a DNS server, you just need to define a Domain Override.

        With that knowledge, how would my example work:

        I have 2 sites connected with a tunnel: 10.100.90.0/31
        SITE_1 with IP: 10.100.90.0
        SITE_2 with IP: 10.100.90.1
        SITE_1 has some servers under the domain example.com and SITE_2 wants to access them.
        SITE_1 has host overrides for single services under Services > DNS Resolver > Host Overrides, for example:
        git.example.com points at some internal IP and SITE_2 will want to access that.
        SITE_1 will need to have an Access List added for the tunnel network: Services > DNS Resolver > Access Lists > +Add, and there the tunnel network specified, 10.100.90.0/31.
        SITE_1 will also need a rule that allows it to receive DNS requests from the other end of the tunnel. The simple rule ALLOW src:* dst:This Firewall(53) on the S2S interface should be enough AFAIK (at least it works for me :P)
        Now the only thing that SITE_2 needs to do is add a Domain Override. It's located under Services > DNS Resolver > Domain Overrides and it needs 2 things: the example.com domain and the IP address of SITE_1, that would be 10.100.90.0.
        And that was my problem, now everything works.
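        As an added illustration (constructed data, not the poster's actual configuration), a small Python preflight check that models the three points above: the answering site's Access Lists evaluated the way unbound evaluates access-control (longest matching prefix wins, anything unmatched is refused), the port-53 rule on the S2S interface, and the Domain Override's forwarder address. The site dictionaries, subnets and the `dns_rule_on_s2s` flag are assumptions for the example.

```python
import ipaddress

# Constructed data modelling the two sites in the post (not a real config dump).
# Access Lists are (network, action) pairs as entered under
# Services > DNS Resolver > Access Lists; pfSense allows local subnets by default.
TUNNEL_NET = "10.100.90.0/31"
SITE_1 = {
    "tunnel_ip": "10.100.90.0",
    "access_lists": [("192.168.1.0/24", "allow")],  # tunnel /31 not yet added
    "dns_rule_on_s2s": True,                         # ALLOW dst:This Firewall(53)
}
SITE_2 = {
    "tunnel_ip": "10.100.90.1",
    "access_lists": [("192.168.2.0/24", "allow")],
    "dns_rule_on_s2s": False,
    # Domain Overrides: domain -> forwarder address, here SITE_1's tunnel IP.
    "domain_overrides": {"example.com": "10.100.90.0"},
}

def acl_decision(access_lists, src_ip):
    """Emulate unbound's access-control: the longest matching prefix wins,
    and a source address matching no entry is refused."""
    src = ipaddress.ip_address(src_ip)
    best = None
    for net, action in access_lists:
        n = ipaddress.ip_network(net, strict=False)
        if src in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, action)
    return best[1] if best else "refuse"

def check_override(querier, answerer, name):
    """List what would stop `querier` resolving `name` via its Domain Override
    on `answerer`; an empty list means the lookup should work."""
    problems = []
    zone = next((z for z in querier["domain_overrides"]
                 if name == z or name.endswith("." + z)), None)
    if zone is None:
        return [f"no domain override covers {name}"]
    fwd = querier["domain_overrides"][zone]
    if fwd != answerer["tunnel_ip"]:
        problems.append(f"override for {zone} forwards to {fwd}, "
                        f"not the peer tunnel IP {answerer['tunnel_ip']}")
    if not answerer["dns_rule_on_s2s"]:
        problems.append("answering firewall has no rule passing port 53 on the S2S interface")
    # The forwarded query leaves with the transit (tunnel) IP as its source address.
    decision = acl_decision(answerer["access_lists"], querier["tunnel_ip"])
    if decision != "allow":
        problems.append(f"answering resolver would '{decision}' queries from "
                        f"{querier['tunnel_ip']}; add {TUNNEL_NET} to its Access Lists")
    return problems
```

        Running `check_override(SITE_2, SITE_1, "git.example.com")` with the data as given reports the missing tunnel ACL; adding `(TUNNEL_NET, "allow")` to SITE_1's list clears it.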

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.