StreisandEffect / streisand

Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.

Wireguard leaks DNS through iOS mobile hotspot #1560

Open TennesseePete opened 5 years ago

TennesseePete commented 5 years ago

I set up my own DNS using unbound on the VPS host, and direct all my wireguard peers to the gateway IP as the DNS server. I have tethered my laptop to my iOS mobile hotspot. Both devices have wireguard up and running. DNSleaktest shows my laptop is leaking (ISP = Mobile phone provider). However, running the leaktest through my iPhone browser (correctly) shows my VPS IP as the ISP--no leaks on the phone itself.

Expected behavior:

Laptop would also show my VPS IP as the DNS server.

Actual Behavior:

Laptop shows my mobile phone provider as the DNS.

Steps to Reproduce:

  1. run DNSleaktest.com on laptop;
  2. run DNSleaktest.com on iPhone.

[ contents of streisand-diagnostics.md here ]

Additional Details:

Log output from Ansible or other relevant services (link to Gist for longer output):

I spun up these wireguard peers manually w/o using Ansible

Target Cloud Provider:

Digital Ocean

Operating System of target host:

18.04

Operating System of client:

1) 18.04 2) iOS

Version of Ansible, using ansible --version:

N/A

Output from git rev-parse HEAD in your Streisand directory:

ghost commented 5 years ago

If I remember right wireguard does something like this when the allowed ips field doesn’t include ipv6, for example:

AllowedIPs = 0.0.0.0/0 would leak
AllowedIPs = 0.0.0.0/0, ::/0 wouldn’t leak

So try setting allowed ips to the above in your client and see if it helps
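
A way to check a client config for the difference ghost describes, as an added example that is not part of the thread or of Streisand: it parses wg-quick style text and reports which address families are not fully covered by AllowedIPs, and whether a DNS entry is set. The function names and the sample config are constructed for illustration; the check also recognises a default route split into halves (for example 0.0.0.0/1 plus 128.0.0.0/1).

```python
import ipaddress

def parse_conf(text):
    """Return (dns_entries, allowed_ips) from wg-quick style config text."""
    section, dns, allowed = None, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        key, sep, value = line.partition("=")
        items = [v.strip() for v in value.split(",") if v.strip()]
        key = key.strip().lower()
        if section == "interface" and key == "dns":
            dns += items
        elif section == "peer" and key == "allowedips":
            allowed += items
    return dns, allowed

def full_tunnel_families(allowed):
    """IP versions (4, 6) whose entire address space is routed into the tunnel."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    covered = set()
    for version, default in ((4, "0.0.0.0/0"), (6, "::/0")):
        same = [n for n in nets if n.version == version]
        # collapse_addresses merges split defaults such as 0.0.0.0/1 + 128.0.0.0/1
        if ipaddress.ip_network(default) in ipaddress.collapse_addresses(same):
            covered.add(version)
    return covered

def audit(text):
    """List the gaps found in one client config; an empty list means none."""
    dns, allowed = parse_conf(text)
    covered = full_tunnel_families(allowed)
    findings = [f"IPv{v} traffic is not fully routed through the tunnel"
                for v in (4, 6) if v not in covered]
    if not dns:
        findings.append("no DNS= entry in [Interface]")
    return findings

# Constructed sample client config; addresses are placeholders, keys omitted.
BASE = """[Interface]
Address = 10.0.0.2/32
DNS = 10.0.0.1
[Peer]
Endpoint = 203.0.113.10:51820
AllowedIPs = {allowed}
"""
V4_ONLY = BASE.format(allowed="0.0.0.0/0")
DUAL = BASE.format(allowed="0.0.0.0/0, ::/0")
```

Running `audit()` on both the laptop's and the phone's client config shows whether they differ in the way the comment suggests.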