Closed ovizii closed 3 years ago
Your config looks correct here. I actually run a similar setup for my own home network using a pihole container.
I've networked both wg-access-server and pihole within a shared docker-network. I expose the containers using standard port binding, i.e. `--port 53:53`.
When I change my configuration to use the pihole's LAN IP rather than its docker network hostname (i.e. to match your config) I get the same error.
I'll do some digging and see what I can find.
From running a tcpdump (`sudo tcpdump -i any -n udp port 53`) on my docker host I can see a difference in routing between the two approaches.
When attaching wg-access-server and pihole to a shared docker network (i.e. `docker network create`) and using their docker-network IPs (or hostnames):
# wg-access-server is `172.18.0.2`
# pihole is `172.18.0.4`
14:53:07.442081 IP 172.18.0.2.49694 > 172.18.0.4.53: 5217+ A? www.msftconnecttest.com. (41)
14:53:07.442180 IP 172.18.0.2.49694 > 172.18.0.4.53: 5217+ A? www.msftconnecttest.com. (41)
# ...
14:53:07.462756 IP 172.18.0.4.53 > 172.18.0.2.49694: 5217 4/0/0 CNAME v4ncsi.msedge.net., CNAME ncsi.4-c-0003.c-msedge.net., CNAME 4-c-0003.c-msedge.net., A 13.107.4.52 (139)
14:53:07.462801 IP 172.18.0.4.53 > 172.18.0.2.49694: 5217 4/0/0 CNAME v4ncsi.msedge.net., CNAME ncsi.4-c-0003.c-msedge.net., CNAME 4-c-0003.c-msedge.net., A 13.107.4.52 (139)
When using pihole's LAN IP address from wg-access-server:
# wg-access-server is 172.17.0.3
# pihole is 192.168.0.50
14:48:31.943458 IP 172.17.0.3.46070 > 192.168.0.50.53: 21285+ A? www.msftconnecttest.com. (41)
14:48:31.943913 IP 172.17.0.1.34227 > 172.17.0.8.53: 21285+ A? www.msftconnecttest.com. (41)
# ...
14:48:31.964630 IP 172.17.0.8.53 > 172.17.0.1.34227: 21285 4/0/0 CNAME v4ncsi.msedge.net., CNAME ncsi.4-c-0003.c-msedge.net., CNAME 4-c-0003.c-msedge.net., A 13.107.4.52 (139)
14:48:31.964989 IP 172.17.0.1.53 > 172.17.0.3.46070: 21285 4/0/0 CNAME v4ncsi.msedge.net., CNAME ncsi.4-c-0003.c-msedge.net., CNAME 4-c-0003.c-msedge.net., A 13.107.4.52 (139)
I think this shows the issue. When using the LAN IP, docker's networking breaks DNS responses coming back to wg-access-server. The DNS response is expected from 192.168.0.50:53 but wg-access-server sees a response from 172.17.0.1:53.
wg-access-server logs an i/o timeout because, as far as it's concerned, it never received a reply from 192.168.0.50:53.
I believe this is the root cause; I'll need to skill up a bit on the fundamentals at play here in regards to docker's networking to figure out a solution.
Given I don't have a solution for you yet, I recommend placing your vpn + dns containers in the same docker network and then using the dns server's hostname rather than its LAN IP to connect (so that wg-access-server connects to it via the shared docker-network).
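Scripting the comparison made in the comment above, as an added example that is not part of the comment or of wg-access-server: it pairs each tcpdump DNS query with its reply by (client address, client port, transaction id) and flags any reply whose source is not the server the query was sent to, which is exactly the condition that makes the client report an i/o timeout. The sample lines are constructed from the two captures above (answer records shortened).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the two tcpdump captures in the comment above:
# first the LAN-IP case (reply comes back from the bridge gateway 172.17.0.1),
# then the shared-docker-network case (reply comes back from the server asked).
SAMPLE = """\
14:48:31.943458 IP 172.17.0.3.46070 > 192.168.0.50.53: 21285+ A? www.msftconnecttest.com. (41)
14:48:31.943913 IP 172.17.0.1.34227 > 172.17.0.8.53: 21285+ A? www.msftconnecttest.com. (41)
14:48:31.964630 IP 172.17.0.8.53 > 172.17.0.1.34227: 21285 4/0/0 CNAME v4ncsi.msedge.net., A 13.107.4.52 (139)
14:48:31.964989 IP 172.17.0.1.53 > 172.17.0.3.46070: 21285 4/0/0 CNAME v4ncsi.msedge.net., A 13.107.4.52 (139)
14:53:07.442081 IP 172.18.0.2.49694 > 172.18.0.4.53: 5217+ A? www.msftconnecttest.com. (41)
14:53:07.462756 IP 172.18.0.4.53 > 172.18.0.2.49694: 5217 4/0/0 CNAME v4ncsi.msedge.net., A 13.107.4.52 (139)
"""

# tcpdump -n DNS line: "<ts> IP <src>.<sport> > <dst>.<dport>: <txid><flags> <body>"
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<flags>[+*$|-]*) (?P<body>.*)$"
)
# A reply body starts with the answer/authority/additional counts, e.g. "4/0/0"
REPLY_RE = re.compile(r"^\d+/\d+/\d+")


def find_mismatched_replies(dump: str) -> List[Tuple[str, str, str]]:
    """Return (client, server_asked, reply_source) for every DNS reply whose
    source address differs from the server the client sent the query to."""
    queries: Dict[Tuple[str, str, str], str] = {}  # (client, port, txid) -> server
    mismatches: List[Tuple[str, str, str]] = []
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, txid = m["src"], m["sport"], m["dst"], m["dport"], m["txid"]
        if REPLY_RE.match(m["body"]) is None:
            queries[(src, sport, txid)] = dst  # remember whom the client asked
        else:
            expected = queries.get((dst, dport, txid))  # reply's dst is the client
            if expected is not None and expected != src:
                mismatches.append((dst, expected, src))
    return mismatches


if __name__ == "__main__":
    for client, asked, got in find_mismatched_replies(SAMPLE):
        print(f"{client} asked {asked}:53 but the reply came from {got}:53")
```

Feed it real output from `tcpdump -i any -n udp port 53` to confirm which DNS path is being rewritten on your host.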
Sounds like good advice, I'll give it a try asap. Thanks for digging that deep into the issue. I'll close the issue for now.
> I recommend placing your vpn + dns containers in the same docker network
Sorry to jump in and reopen the issue, but I attempted to follow this advice. When I did so in a single docker compose, I found that wg-access-server would use port 53, preventing pi-hole from launching, so I couldn't run both in the same container. Sometimes it would be the opposite way around, with pi-hole launching but wg-access-server not, but either way the only way I saw to fix it was to place them in separate docker-composes and therefore in separate docker networks. Any updates on the underlying issue of not receiving a reply from the correct ip? I also tried setting the upstream ip to that of the dns filter's docker network as it appears to the host (instead of that of the host itself), but no dice.
Let me try and explain my question:
I run wg-access-server and connect with my android phone. inside config.yaml I defined:
192.168.178.140 is the local IP of the docker host running both adguard home and wg-access-server
I run adguard home as a local filtering DNS and on the first connect from my phone I see this error once. Then never again. Everything works but I think it's not using my adguard home, as I have checked its query log.
time="2020-09-11T19:01:12+02:00" level=error msg="failed lookup record with error: read udp 172.29.0.8:52540->192.168.178.140:53: i/o timeout\n;; opcode: QUERY, status: NOERROR, id: 40518\n;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0\n\n;; QUESTION SECTION:\n;dns.adguard.com.\tIN\t AAAA\n" file="server.go:89"
wg-access-server is inside
as I use traefik for reverse proxy while adguard home runs as
network_mode: bridge
but I am 99% sure that should work. Can anyone spot a problem here?