[HELP] Server blocking LAN responses over Wireguard VPN

Submitted ⁨⁨1⁩ ⁨year⁩ ago⁩ by ⁨ShitpostCentral@lemmy.world⁩ to ⁨selfhosted@lemmy.world⁩

I’m trying to setup Wireguard to use as a VPN on my server using this guide. I currently run Pihole on the same machine.


LAN	192.168.1.*
WG	10.14.0.*
WG Server Addr	10.14.0.1
WG Client Addr	10.14.0.10

The handshake succeeds, and I can even ping IP addresses. However, it doesn’t receive DNS responses. I checked in Wireshark and see the following:


WAN Client IP ->	Server IP	[Wireguard]
WG Client IP ->	Server IP	[DNS Request]
Server IP ->	Server IP	[DNS Request]
Server IP ->	Server IP	[DNS Response]
WG Server Addr ->	WG Client Addr	[DNS Response]
WG Client Addr ->	WG Server Addr	[ICMP Port unreachable]

I’m admittedly pretty inexperienced when it comes to routing, but I’ve been at this for days with no success. Any help would be greatly appreciated.

source

Comments

Sort:hotnew top

lemming741@lemmy.world ⁨1⁩ ⁨year⁩ ago
Your DNS might be configured to only answer local (from 192 addresses) requests. Did you enable IP masquerading?

source
- ShitpostCentral@lemmy.world ⁨1⁩ ⁨year⁩ ago
  Yes. And I set Pi-hole to respond to any interface. Plus, I can see the response being sent in Wireshark. It only gets blocked inside the wireguard interface.
  
  source
  - lemming741@lemmy.world ⁨1⁩ ⁨year⁩ ago
    Ok so you see your request in the pihole log? Which address does it show?
    
    source
    -> View More Comments
Hominine@lemmy.world ⁨1⁩ ⁨year⁩ ago
Commenting for visibility. Have had similar issues and not taken the time to dive into them yet. Thanks for the post, I’ll be watching with great interest.

source
- ShitpostCentral@lemmy.world ⁨1⁩ ⁨year⁩ ago
  Just wanted to let you know I somewhat found a solution and edited my post to reflect that.
  
  source
  - Hominine@lemmy.world ⁨1⁩ ⁨year⁩ ago
    Thanks again.
    
    source
Rootiest@lemmy.world ⁨1⁩ ⁨year⁩ ago
Hey I don’t really have a solution for you, but if you are still stuck on this, give tailscale a try.

I used to have a manually-configured WireGuard server too, and have a lot of the same issues you are.

Now I just use tailscale to manage that (it’s still a WireGuard backend just like you are looking for) and I actually have my Pihole configured as the DNS host for my local network and my Tailnet so it’s used by all of my devices even remotely.

source
- ShitpostCentral@lemmy.world ⁨1⁩ ⁨year⁩ ago
  I’ll check it out. Thanks!
  
  source
i_am_not_a_robot@discuss.tchncs.de ⁨1⁩ ⁨year⁩ ago
Is it the server telling the server that the client’s port is unreachable or is it the client telling the server that the port is unreachable? Do you see the packets traveling over the Wireguard interface? Do you see the response if you use Wireguard from the client?

The request traced out is incorrect. WG Client IP initiates a DNS request to Server IP, and then WG Client Addr receives a response from WG Server Addr. The DNS response should come from the same IP that the request was sent to. The client may be rejecting a response coming from an unexpected source. If you’re doing masquerading instead of plain routing, you need to make sure that you’re doing NAT in both directions.

source
Stubborn9867@lemmy.jnks.xyz ⁨1⁩ ⁨year⁩ ago
I had dns issues until I got my allowed ips squared away. You could try setting it to 0.0.0.0/0 if it’s not already to verify it’s not the problem.

source
- ShitpostCentral@lemmy.world ⁨1⁩ ⁨year⁩ ago
  Didn’t work, unfortunately. Same exact issues
  
  source
Decronym@lemmy.decronym.xyz ⁨1⁩ ⁨year⁩ ago
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters More Letters

DNS Domain Name Service/System

IP Internet Protocol

VPN Virtual Private Network

[Thread #218 for this sub, first seen 16th Oct 2023, 17:05] [FAQ] [Full list] [Contact] [Source code]

source

Fewer Letters	More Letters
DNS	Domain Name Service/System
IP	Internet Protocol
VPN	Virtual Private Network