Wireguard gateway connection issues when using domain names for peer endpoints
-
Hey everyone,
I wanted to add Mullvad's WireGuard domain names (as seen here: https://mullvad.net/en/servers?type=wireguard when you click on a WireGuard hostname) to the WireGuard peer endpoint fields (instead of Mullvad's IP addresses) in pfSense to add some better reliability (if Mullvad changes their WireGuard IP address, it gets picked up automatically).
My issue is: pfSense accepts Mullvad's domain names fine and everything seems to be working normally afterwards. But the issues occur later. Most notably, if I reboot pfSense or restart WireGuard on pfSense, all or some of the WireGuard gateways will be down (red with packet loss).
If all WireGuard gateways are down (after a reboot, for example) and I change the WireGuard peer's endpoint from Mullvad's domain name to Mullvad's IP address, all the WireGuard gateways go up shortly after. Even the WireGuard gateways that still have Mullvad's domain name set in the peer endpoint setting.
If I change, for example, this peer's endpoint to Mullvad's domain name instead of the IP, as seen below:
The WireGuard peers outlined in red will connect fine. But the top two will not connect at all unless I change the endpoint back to an IP address.
Anyone have experience on this?
Thanks
My DNS Resolver settings:
My System -> General Setup DNS Settings:
Example of interface firewall rules (my workstations subnet):
WAN Interface firewall rules:
Example of wireguard interface (all are the same):
-
Ping a mullvad domain endpoint that causes wireguard gateway to have 100% packet loss:
-
@pfsenseuser10293 I have similar problems too and no solution. But in your case you have to make sure you don't have a DNS problem. I would use WAN instead of none in General Setup DNS Settings, and in the resolver only select WAN as outgoing interface. You will have DNS leaks, but this is another topic.
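The dependency Bob-Dig is pointing at, as an added pre-flight check (my own example, not pfSense or WireGuard code): it parses a WireGuard config, flags every peer whose Endpoint is a hostname (such a peer cannot come up until Unbound can resolve it over a path that does not need the tunnel), and tries to resolve those names. The config, peer keys and hostname are constructed placeholders.

```python
import ipaddress
import socket

# Constructed sample (placeholder keys, reserved .invalid hostname, not real Mullvad values).
SAMPLE_WG_CONF = """
[Peer]
PublicKey = PEER_A_KEY
Endpoint = wg-example.invalid:51820   # needs DNS before the tunnel exists
[Peer]
PublicKey = PEER_B_KEY
Endpoint = 198.51.100.10:51820        # IP literal, no DNS dependency
"""

def parse_endpoints(conf: str) -> dict:
    """Map each [Peer] PublicKey to its Endpoint value (INI-style WireGuard config)."""
    sections, current = [], {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if line.startswith("["):
            current = {"_name": line.strip("[]")}
            sections.append(current)
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            current[key] = val
    return {s.get("PublicKey", "?"): s["Endpoint"]
            for s in sections if s["_name"] == "Peer" and "Endpoint" in s}

def endpoint_host(endpoint: str) -> str:
    """Strip the port from host:port or [IPv6]:port."""
    return endpoint[1:endpoint.index("]")] if endpoint.startswith("[") else endpoint.rsplit(":", 1)[0]

def system_resolver(host: str) -> list:
    """Default resolver: the OS stub resolver, i.e. whatever Unbound can reach at this moment."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

def preflight(conf: str, resolve=system_resolver) -> dict:
    """Per peer: does the endpoint need DNS before the tunnel exists, and does it resolve now?"""
    report = {}
    for pubkey, endpoint in parse_endpoints(conf).items():
        host = endpoint_host(endpoint)
        try:
            addrs, needs_dns = [str(ipaddress.ip_address(host))], False
        except ValueError:  # hostname: this peer cannot come up until DNS works
            addrs, needs_dns = resolve(host), True
        report[pubkey] = {"host": host, "needs_dns": needs_dns, "resolves": bool(addrs)}
    return report
```

Run `preflight()` on the real config after a reboot with the tunnels still down: a peer reported as `needs_dns` but not `resolves` is exactly the gateway that stays red until the resolver has a working outgoing interface.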
-
@Bob-Dig Thank you Bob! I'm glad to know it's not just me with that issue. I will give that a try and see what it does, but if I remember, I didn't do it because, like you said, I get DNS leaks and I don't like DNS leaks.
-
@Bob-Dig Hi again Bob,
Interestingly, I changed the General Setup DNS dropdown menus to WAN and changed the DNS Resolver outgoing network interfaces to only WAN.
The outcome:
-
Now using domains in all WireGuard endpoints works every time I restart the WireGuard service on pfSense, whereas before the OP issue would occur every time.
-
DNS leak test shows I'm still using Quad9 for DNS but also shows Calgary Unix User Group. Before, it would show a DNS location of USA (same as my WireGuard). The new location it shows is now in my country but not close to me.
Do you know what's going on there? Why isn't it showing a location close to me? Quad9 definitely has DNS servers way closer to me. And that Unix group doesn't seem to be affiliated with Quad9. And Woodyneed is only showing IPv6 addresses.
Sorry to pick your brain, but do you know of any workarounds to not use WAN as DNS to make this work? I guess you already said you don't have a solution :(
Thanks!
-
@pfsenseuser10293 The easiest solution is to live with some DNS leak, although it will go to Quad9 anyway, so you can ask yourself if this makes any difference to you.
And for some hosts, where you don't want any DNS leak, you give those hosts or networks a DNS server of your liking via DHCP and not Unbound in pfSense, done.
-
@Bob-Dig Thank you. So in this context of having selected WAN for DNS in the pfSense settings, does this mean my ISP is getting all my DNS traffic and can see websites I visit (on top of Quad9 public DNS)?
I'm using DNS over TLS, so maybe they can't..
Meh, maybe I'll just keep using IP for the WireGuard endpoint... it's not the end of the world I guess. Having more privacy is more important to me I think.. Everything else seems to work fine..
-
@pfsenseuser10293 said in Wireguard gateway connection issues when using domain names for peer endpoints:
Does this mean my ISP is getting all my DNS traffic and can see websites I visit
With your config, your ISP never sees anything because it is encrypted towards Quad9. In your case the only DNS leak happens to Quad9. They know your WAN IP if it goes through your WAN. Again, I think in your case you're good anyway.
-
@Bob-Dig Thanks!! I'll have a long think about it.