Place1 / wg-access-server

An all-in-one WireGuard VPN solution with a web ui for connecting devices
MIT License

How to use local DNS server? #71

Closed ovizii closed 3 years ago

ovizii commented 4 years ago

Let me try and explain my question:

I run wg-access-server and connect with my Android phone. Inside config.yaml I defined:

dns:
  upstream:
    - "192.168.178.140"

192.168.178.140 is the local IP of the docker host running both adguard home and wg-access-server

I run adguard home as a local filtering DNS and on the first connect from my phone I see this error once. Then never again. Everything works but I think it's not using my adguard home as I have checked its query filter.

time="2020-09-11T19:01:12+02:00" level=error msg="failed lookup record with error: read udp 172.29.0.8:52540->192.168.178.140:53: i/o timeout\n;; opcode: QUERY, status: NOERROR, id: 40518\n;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0\n\n;; QUESTION SECTION:\n;dns.adguard.com.\tIN\t AAAA\n" file="server.go:89"

wg-access-server is inside

    networks:
      - traefik

as I use traefik as a reverse proxy while adguard home runs as network_mode: bridge but I am 99% sure that should work. Can anyone spot a problem here?

Place1 commented 3 years ago

Your config looks correct here. I actually run a similar setup for my own home network using a pihole container.

I've networked both wg-access-server and pihole within a shared docker-network. I expose the containers using standard port binding i.e. --port 53:53.

When I change my configuration to use the pihole's LAN IP rather than its docker network hostname (i.e. to match your config) I get the same error.

I'll do some digging and see what I can find.

Place1 commented 3 years ago

From running a tcpdump (`sudo tcpdump -i any -n udp port 53`) on my docker host I can see a difference in routing between the two approaches.

When attaching wg-access-server and pihole to a shared docker network (i.e. docker network create) and using their docker-network IPs (or hostnames):

# wg-access-server is `172.18.0.2`
# pihole is `172.18.0.4`
14:53:07.442081 IP 172.18.0.2.49694 > 172.18.0.4.53: 5217+ A? www.msftconnecttest.com. (41)
14:53:07.442180 IP 172.18.0.2.49694 > 172.18.0.4.53: 5217+ A? www.msftconnecttest.com. (41)
# ...
14:53:07.462756 IP 172.18.0.4.53 > 172.18.0.2.49694: 5217 4/0/0 CNAME v4ncsi.msedge.net., CNAME ncsi.4-c-0003.c-msedge.net., CNAME 4-c-0003.c-msedge.net., A 13.107.4.52 (139)
14:53:07.462801 IP 172.18.0.4.53 > 172.18.0.2.49694: 5217 4/0/0 CNAME v4ncsi.msedge.net., CNAME ncsi.4-c-0003.c-msedge.net., CNAME 4-c-0003.c-msedge.net., A 13.107.4.52 (139)

When using pihole's LAN ip address from wg-access-server

# wg-access-server is 172.17.0.3
# pihole is 192.168.0.50
14:48:31.943458 IP 172.17.0.3.46070 > 192.168.0.50.53: 21285+ A? www.msftconnecttest.com. (41)
14:48:31.943913 IP 172.17.0.1.34227 > 172.17.0.8.53: 21285+ A? www.msftconnecttest.com. (41)
# ...
14:48:31.964630 IP 172.17.0.8.53 > 172.17.0.1.34227: 21285 4/0/0 CNAME v4ncsi.msedge.net., CNAME ncsi.4-c-0003.c-msedge.net., CNAME 4-c-0003.c-msedge.net., A 13.107.4.52 (139)
14:48:31.964989 IP 172.17.0.1.53 > 172.17.0.3.46070: 21285 4/0/0 CNAME v4ncsi.msedge.net., CNAME ncsi.4-c-0003.c-msedge.net., CNAME 4-c-0003.c-msedge.net., A 13.107.4.52 (139)

I think this shows the issue. When using the LAN IP docker's networking breaks DNS responses coming back to wg-access-server. The DNS response is expected from 192.168.0.50:53 but wg-access-server sees a response from 172.17.0.1:53.

wg-access-server logs an i/o timeout because as far as it's concerned it never received a reply from 192.168.0.50:53.

I believe this is the root cause; I'll need to skill up a bit on the fundamentals at play here in regards to docker's networking to figure out a solution.
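A small Go reproduction of the mismatch described above (an added example, not wg-access-server's or pihole's code; the loopback fake upstream and the function names are assumptions). The fake upstream answers from a second socket, so the reply's source address:port differs from the one queried, like the 172.17.0.1:53 reply standing in for 192.168.0.50:53 in the tcpdump. A connected UDP socket never sees that reply and reports `i/o timeout`; an unconnected socket shows who actually answered, which is the check worth adding when diagnosing this.

```go
package main

import (
	"net"
	"time"
)

// fakeUpstream answers queries received on `in` from a second socket `out`, so
// the reply's source address:port differs from the address that was queried.
func fakeUpstream() (upstream *net.UDPAddr, stop func()) {
	lo := &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1)} // port 0: kernel picks one
	in, _ := net.ListenUDP("udp", lo)               // loopback listen on port 0 cannot realistically fail
	out, _ := net.ListenUDP("udp", lo)
	go func() {
		buf := make([]byte, 512)
		for {
			n, from, err := in.ReadFromUDP(buf)
			if err != nil {
				return // socket closed by stop()
			}
			out.WriteToUDP(buf[:n], from) // reply leaves via out, not in
		}
	}()
	return in.LocalAddr().(*net.UDPAddr), func() { in.Close(); out.Close() }
}

// queryConnected is a connected-socket client (net.DialUDP): the kernel delivers
// only datagrams from the dialed peer, so the reply is dropped and the read times out.
func queryConnected(upstream *net.UDPAddr, timeout time.Duration) error {
	c, err := net.DialUDP("udp", nil, upstream)
	if err != nil {
		return err
	}
	defer c.Close()
	c.Write([]byte("query"))
	c.SetReadDeadline(time.Now().Add(timeout))
	_, err = c.Read(make([]byte, 512))
	return err
}

// queryUnconnected sends from an unbound socket and reports which address
// answered, the check that makes the source mismatch visible.
func queryUnconnected(upstream *net.UDPAddr, timeout time.Duration) (*net.UDPAddr, error) {
	c, _ := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1)})
	defer c.Close()
	c.WriteToUDP([]byte("query"), upstream)
	c.SetReadDeadline(time.Now().Add(timeout))
	_, from, err := c.ReadFromUDP(make([]byte, 512))
	return from, err
}
```

The timeout error string from the connected client has the same `read udp A->B: i/o timeout` shape as the log line in the first post.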

Place1 commented 3 years ago

Given I don't have a solution for you yet I recommend placing your vpn + dns containers in the same docker network and then using the dns server's hostname rather than its LAN IP to connect (so that wg-access-server connects to it via the shared docker-network).

ovizii commented 3 years ago

Sounds like good advice, I'll give it a try asap. Thanks for digging that deep into the issue. I'll close the issue for now.

ghost commented 3 years ago

> I recommend placing your vpn + dns containers in the same docker network

Sorry to jump in and reopen the issue, but I attempted to follow this advice. When I did so in a single docker compose, I found that wg-access-server would use port 53, preventing pi-hole from launching, so I couldn't run both in the same container. Sometimes it would be the opposite way around, with pi-hole launching but wg-access-server not, but either way the only way I saw to fix it was to place them in separate docker-composes and therefore in separate docker networks. Any updates on the underlying issue of not receiving a reply from the correct ip? I also tried setting the upstream ip to that of the dns filter's docker network as it appears to the host (instead of that of the host itself), but no dice.