this post was submitted on 16 Oct 2023
21 points (92.0% liked)

Selfhosted

40133 readers
519 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I'm trying to setup Wireguard to use as a VPN on my server using this guide. I currently run Pihole on the same machine.

LAN 192.168.1.*
WG 10.14.0.*
WG Server Addr 10.14.0.1
WG Client Addr 10.14.0.10

The handshake succeeds, and I can even ping IP addresses. However, it doesn't receive DNS responses. I checked in Wireshark and see the following:

WAN Client IP -> Server IP [Wireguard]
WG Client IP -> Server IP [DNS Request]
Server IP -> Server IP [DNS Request]
Server IP -> Server IP [DNS Response]
WG Server Addr -> WG Client Addr [DNS Response]
WG Client Addr -> WG Server Addr [ICMP Port unreachable]

I'm admittedly pretty inexperienced when it comes to routing, but I've been at this for days with no success. Any help would be greatly appreciated.

Edit

I now realize that it would have been relevant to mention the my Pihole instance was running inside a rootless podman container.

To test things further, I wrote a small echo server and spun it up on bare metal. Wireguard had no issues with that. My guess is that something between wireguard and specifically rootless podman was going wrong. I still don't know what, unfortunately.

My fix was to put Pihole in a privileged podman container with a network and static IP e.g. --net bridge:ip=10.88.0.230. I also put wireguard into a privileged podman container on the same network --net bridge. Finally, I set the peer DNS to the Pihole's static IP on the podman network (10.88.0.230).

As I said before, I still don't know why podman wasn't replying to the correct IP initially. I'm happy with my fix, but I'd still prefer the containers to be rootless so feel free to message me if you have any suggestions.

top 23 comments
sorted by: hot top controversial new old
[–] [email protected] 3 points 1 year ago (1 children)

Your DNS might be configured to only answer local (from 192 addresses) requests. Did you enable IP masquerading?

[–] [email protected] 1 points 1 year ago (1 children)

Yes. And I set Pi-hole to respond to any interface. Plus, I can see the response being sent in Wireshark. It only gets blocked inside the wireguard interface.

[–] [email protected] 2 points 1 year ago (1 children)

Ok so you see your request in the pihole log? Which address does it show?

[–] [email protected] 2 points 1 year ago (1 children)

I do see the request. I'm running it inside a container so all the clients show up as the container's hostname.

[–] [email protected] 1 points 1 year ago (1 children)

Can you get to the pihole admin page over wg? Trying to narrow down if it's just port 53 or everything else too.

[–] [email protected] 2 points 1 year ago (1 children)

Nope. I can't ssh in either.

[–] [email protected] 1 points 1 year ago (1 children)

Ok what's your container setup? LXC? Docker? Compose?

Is the WG server also a container?

[–] [email protected] 2 points 1 year ago

Rootless podman. The plan is to eventually move WG into a container once I get it working, but it's running on bare metal at the moment.

[–] [email protected] 1 points 1 year ago (1 children)

I had dns issues until I got my allowed ips squared away. You could try setting it to 0.0.0.0/0 if it's not already to verify it's not the problem.

[–] [email protected] 1 points 1 year ago

Didn't work, unfortunately. Same exact issues

[–] [email protected] 1 points 1 year ago

Is it the server telling the server that the client's port is unreachable or is it the client telling the server that the port is unreachable? Do you see the packets traveling over the Wireguard interface? Do you see the response if you use Wireguard from the client?

The request traced out is incorrect. WG Client IP initiates a DNS request to Server IP, and then WG Client Addr receives a response from WG Server Addr. The DNS response should come from the same IP that the request was sent to. The client may be rejecting a response coming from an unexpected source. If you're doing masquerading instead of plain routing, you need to make sure that you're doing NAT in both directions.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

Hey I don't really have a solution for you, but if you are still stuck on this, give tailscale a try.

I used to have a manually-configured WireGuard server too, and had a lot of the same issues you are.

Now I just use tailscale to manage that (it's still a WireGuard backend just like you are looking for) and I actually have my Pihole configured as the DNS host for my local network and my Tailnet so it's used by all of my devices even remotely.

So the same outcome you are looking for but with a slightly different path to get there

[–] [email protected] 1 points 1 year ago

I'll check it out. Thanks!

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
DNS Domain Name Service/System
IP Internet Protocol
LXC Linux Containers
NAT Network Address Translation
VPN Virtual Private Network

4 acronyms in this thread; the most compressed thread commented on today has 10 acronyms.

[Thread #218 for this sub, first seen 16th Oct 2023, 17:05] [FAQ] [Full list] [Contact] [Source code]

[–] [email protected] 1 points 1 year ago (1 children)

Commenting for visibility. Have had similar issues and not taken the time to dive into them yet. Thanks for the post, I'll be watching with great interest.

[–] [email protected] 2 points 1 year ago (1 children)

Just wanted to let you know I somewhat found a solution and edited my post to reflect that.

[–] [email protected] 1 points 1 year ago

Thanks again.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

Try using the lan address of the dns server instead of the wireguard address.

What are you using for dns? You may need to allow access from all interfaces if your dns server is also a wireguard peer

if you're on pihole: https://docs.pi-hole.net/ftldns/interfaces/

[–] [email protected] 1 points 1 year ago (1 children)

I am. Server IP is 192.168.1.xxx. DNS server is running on that machine. It already allows access from all interfaces. I just don't have port 53 natted from my router to avoid creating an open resolver.

[–] [email protected] 1 points 1 year ago (1 children)

I just don’t have port 53 natted from my router to avoid creating an open resolver.

Do you mean you have all port 53 redirecting to your local DNS on your firewall?

[–] [email protected] 1 points 1 year ago (1 children)

No. I mean that my router doesn't forward requests for port 53 to my server. My server's firewall does allow access to port 53, and all my LAN devices are able to use it freely.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

So, you're running two exclusive DNS resolvers, one on your router and one on your pihole box? Or just one on the pihole box and using the local address of it for all LAN dns?

Why have a firewall on the pihole box at all? As long as it isnt in the DMZ you shouldn't need it. I would try disabling it completely and see if dns on your wg peers starts working.

[–] [email protected] 1 points 1 year ago

Just one on the pihole box and using the local address of it for all LAN DNS.

It is in the DMZ. I also use the box for Jellyfin so I want it remotely accessible.

I just tried disabling it for a short while with the same result. It still gets blocked in the 10.14.0.* network.