StreisandEffect / streisand

Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
https://twitter.com/streisandvpn

Update on Wireguard: Can't browse while activating client service #486

Closed aanwark closed 7 years ago

aanwark commented 7 years ago

Hi Joshua, just out of curiosity, I spun up a new instance and tried to see WireGuard's performance. Everything went fine with the installation and configuration; however, I am unable to tunnel my packets through it. By that I mean that upon activating the service on my client side, I am unable to browse. Perhaps the default DNS servers are unreachable from China. Any suggestions on that? Thanks!

jlund commented 7 years ago

The DNS server that it should use is located on the encrypted WireGuard interface, but the PostUp resolvconf command might not be working on your distribution. As a test after you run the wg-quick up wg0-client command, you can try running echo nameserver 10.192.122.1 > /etc/resolv.conf (to route all queries) or dig @10.192.122.1 google.com (to try just a single query via dnsmasq sent through WireGuard).

What Linux distribution are you using?

aanwark commented 7 years ago

I will spin up a new server and try out this solution. I am on Linux Mint 18.1, which means that the core is Ubuntu 16.04.

nickolasclarke commented 7 years ago

@jlund this also fails for me on a standard DO installation, client installed on Ubuntu server 16.04. echo nameserver 10.192.122.1 > /etc/resolv.conf fails, even with sudo, because the > redirection is not run with the elevated permissions. Instead, using echo 'nameserver 10.192.122.1' | sudo tee --append /etc/resolv.conf seems to resolve this, though I don't know off the top of my head the consequences of appending the entry to the end of resolv.conf instead of placing it at the head.

A quick search didn't turn up an answer, but I would imagine that you'd want to weight 10.192.122.1 more heavily than an ISP DNS or otherwise to prevent DNS poisoning as seen here in China. However, overwriting the file would break local DNS lookups. Someone who is more familiar with resolvconf than I can probably answer this quickly, and I may be able to research this properly tonight and submit a PR.

see here for where I got the tee command
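The ordering question raised above matters because the glibc resolver queries the nameserver entries in the order they appear in resolv.conf(5), so an entry appended with tee --append sits behind the ISP resolvers and is only consulted when they fail to answer, which leaves ordinary lookups outside the tunnel. The following script is an added example, not code from the Streisand project or from anyone in this thread. It checks a resolv.conf-style file for whether the tunnel resolver (10.192.122.1, the address used in this thread) is listed first and reports any other resolvers that could still receive queries. The two sample files are constructed here; the ISP addresses in them are documentation placeholders, not real servers.

```shell
#!/bin/sh
# Added example: verify which resolver a resolv.conf file will query first.
# glibc tries "nameserver" entries in listed order, so the tunnel resolver
# must be the first entry (or the only one) for lookups to stay in the tunnel.

TUNNEL_DNS="10.192.122.1"   # address from the thread; adjust for your server

# first_nameserver FILE -> prints the address of the first nameserver line
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# tunnel_dns_is_primary FILE [ADDR] -> exit 0 if ADDR is the first nameserver
tunnel_dns_is_primary() {
    [ "$(first_nameserver "$1")" = "${2:-$TUNNEL_DNS}" ]
}

# leaking_resolvers FILE [ADDR] -> prints every nameserver other than ADDR;
# any output means some queries can be answered outside the tunnel
leaking_resolvers() {
    awk -v t="${2:-$TUNNEL_DNS}" '$1 == "nameserver" && $2 != t { print $2 }' "$1"
}

# Constructed sample 1: what `tee --append` produces (tunnel resolver last).
APPENDED=$(mktemp)
cat > "$APPENDED" <<'EOF'
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
nameserver 203.0.113.1
nameserver 203.0.113.2
nameserver 127.0.0.53
nameserver 10.192.122.1
EOF

# Constructed sample 2: tunnel resolver placed first and alone, which is the
# intent of the thread's `resolvconf -a wg0-client -m 0 -x` under openresolv.
EXCLUSIVE=$(mktemp)
cat > "$EXCLUSIVE" <<'EOF'
nameserver 10.192.122.1
EOF

for f in "$APPENDED" "$EXCLUSIVE"; do
    if tunnel_dns_is_primary "$f"; then
        echo "$f: tunnel DNS is primary"
    else
        echo "$f: tunnel DNS is NOT primary; other resolvers:" \
             "$(leaking_resolvers "$f" | tr '\n' ' ')"
    fi
done
```

Run it against the live file with `tunnel_dns_is_primary /etc/resolv.conf` after `wg-quick up`; a non-empty result from `leaking_resolvers /etc/resolv.conf` is the condition that an online leak test may still report as clean, since such tests only see which resolver happened to answer, not which ones are eligible.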

nickolasclarke commented 7 years ago

changing POSTUP= to echo 'nameserver 10.192.122.1' | sudo tee --append /etc/resolv.conf | resolvconf -a wg0-client -m 0 -x fails to properly append, as does the version without the single quotes around nameserver 10.192.122.1. However, running either version straight in bash succeeds. Here is my output:

//start WG
user@server:~$ sudo wg-quick up wg0-client
[#] ip link add wg0-client type wireguard
[#] wg setconf wg0-client /dev/fd/63
[#] ip address add 10.192.122.2/32 dev wg0-client
[#] ip link set wg0-client up
[#] ip route add 0.0.0.0/0 dev wg0-client table 51820
[#] ip rule add not to $streisand-ip table 51820
[#] ip rule add table main suppress_prefixlength 0
[#] echo nameserver 10.192.122.1 | sudo tee --append /etc/resolv.conf | resolvconf -a wg0-client -m 0 -x

//the POSTUP fails so I run it manually
user@server:~$ echo nameserver 10.192.122.1 | sudo tee --append /etc/resolv.conf | resolvconf -a wg0-client -m 0 -x

//check to see the entry is there. It is.
user@server:~$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver xxx.xxx.xxx.xxx <-ISP DNS
nameserver xxx.xxx.xxx.xxx <-ISP DNS
nameserver 127.0.0.53
nameserver 10.192.122.1

//check if external IP is Streisand's. It is.
user@server:~$ curl ipinfo.io/ip
xxx.xxx.xxx.xxx <- Streisand External 

//shut down WG connection and revert resolv.conf
user@server:~$ sudo wg-quick down wg0-client
[#] ip link delete dev wg0-client
[#] resolvconf -d wg0-client

//check if external IP is chinese ISP's. It is.
user@server:~$ curl ipinfo.io/ip
180.xxx.xxx.xxx <- chinese IP

//check that revert was successful. It was.
user@server::~$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver xxx.xxx.xxx.xxx <-ISP DNS
nameserver xxx.xxx.xxx.xxx <-ISP DNS
nameserver 127.0.0.53

aanwark commented 7 years ago

@nickolasclarke I tried the solution that you have mentioned. A quick check on DNS Leak Test shows the IP belonging to the Streisand host. Both the standard and extended checks show no signs of a DNS leak; however, I can't access Google sites, nytimes, etc. Seems like all the sites blocked behind the wall are inaccessible. Although DNS Leak Test doesn't show DNS leaks, I think that DNS is being leaked.

nickolasclarke commented 7 years ago

Hmm, I was able to do a curl facebook.com and get a valid page. Are you sure you ran sudo wg-quick up wg0-client first?

nickolasclarke commented 7 years ago

also @denoza use a tool such as https://www.whatsmydns.net/#A/facebook.com to check if your dig facebook is being poisoned.

aanwark commented 7 years ago

@nickolasclarke Yes, I ran sudo wg-quick up wg0-client first as per the instructions. curl ipinfo.io/ip returned the Streisand host IP as well. But while opening google.com or nytimes.com the browser gave the same response as it gives while behind the wall. It gets stuck on loading and finally spits out the message that "This site can't be reached". Were you able to browse using WireGuard? I am curious as to how efficient/fast it is compared to SS? P.S. Accidentally closed the issue. I have reopened it. Sorry!

nickolasclarke commented 7 years ago

@denoza I run win10 mostly and was using a VM without an X server running, so only a terminal. That said, I did do a curl facebook.com and got what appeared to be a valid HTML page returned from the Facebook servers. If I get some more time I'll dig in again, but I think that things were working fine for me. I've not done any speed test yet.

aanwark commented 7 years ago

I have resolved this issue by installing dnsmasq. With this installed, I followed the usual instructions generated by Streisand and was able to browse the internet. DNS Leak Test shows the correct IP and speed is really fast.

randy2134 commented 7 years ago

I'm having the same issue on Ubuntu 16.04. dnsmasq didn't work for me, but the following did:

sudo apt install nscd
sudo apt install unbound

All the errors went away, worked like a charm. :+1:

ORARiccardo commented 7 years ago

Hi @jlund

I'm having a similar issue: can't browse after activating client service.

Server is using Ubuntu 16.04, and on my device I'm running Ubuntu 16.04 as well. The POSTUP works fine if I don't have dnsmasq installed: the resolv.conf includes 10.192.122.1, but I can't browse.

If I install dnsmasq, POSTUP fails; I need to manually add 10.192.122.1 to resolv.conf, but I can't browse either.

What could be causing this issue here? How can I fix it? Thanks.

cpu commented 7 years ago

Hi @ORARiccardo, please open a new issue with the information requested in the issue template.