ShitpostCentral

[HELP] Server blocking LAN responses over Wireguard VPN

https://lemmy.world/post/6885923

[HELP] Server blocking LAN responses over Wireguard VPN - Lemmy.World

I’m trying to setup Wireguard to use as a VPN on my server using this guide [https://mikkel.hoegh.org/2019/11/01/home-vpn-server-wireguard/]. I currently run Pihole on the same machine. | | | |-|-| | LAN | 192.168.1.* | | WG | 10.14.0.* | | WG Server Addr | 10.14.0.1 | | WG Client Addr | 10.14.0.10 | The handshake succeeds, and I can even ping IP addresses. However, it doesn’t receive DNS responses. I checked in Wireshark and see the following: | | | | |-:|-|-| | WAN Client IP -> | Server IP | [Wireguard] | | WG Client IP -> | Server IP | [DNS Request] | | Server IP -> | Server IP | [DNS Request] | | Server IP -> | Server IP | [DNS Response] | | WG Server Addr -> | WG Client Addr | [DNS Response] | | WG Client Addr -> | WG Server Addr | [ICMP Port unreachable] | I’m admittedly pretty inexperienced when it comes to routing, but I’ve been at this for days with no success. Any help would be greatly appreciated.

Oct 16, 2023 at 3:31pmWeb
Show threadHominineOct 16, 2023
Commenting for visibility. Have had similar issues and not taken the time to dive into them yet. Thanks for the post, I’ll be watching with great interest.
Show threadkroldenOct 16, 2023

Try using the lan address of the dns server instead of the wireguard address.

What are you using for dns? You may need to allow access from all interfaces if your dns server is also a wireguard peer

Show threadDecronymOct 16, 2023

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters More Letters DNS Domain Name Service/System IP Internet Protocol VPN Virtual Private Network

[Thread #218 for this sub, first seen 16th Oct 2023, 17:05] [FAQ] [Full list] [Contact] [Source code]

Decronym

Show threadi_am_not_a_robotOct 16, 2023

Is it the server telling the server that the client’s port is unreachable or is it the client telling the server that the port is unreachable? Do you see the packets traveling over the Wireguard interface? Do you see the response if you use Wireguard from the client?

The request traced out is incorrect. WG Client IP initiates a DNS request to Server IP, and then WG Client Addr receives a response from WG Server Addr. The DNS response should come from the same IP that the request was sent to. The client may be rejecting a response coming from an unexpected source. If you’re doing masquerading instead of plain routing, you need to make sure that you’re doing NAT in both directions.