cmulk / wireguard-docker

Wireguard setup in Docker meant for a simple personal VPN

DNS requests not being forwarded #9

Closed sedago closed 3 years ago

sedago commented 4 years ago

Hello, everything works as expected if you leave the DNS entry on the client.config blank.

However, if you add a custom DNS server, the DNS requests do not get forwarded. I suspect it has to do with the iptables forward rules. Any help would be appreciated. Thanks.

cmulk commented 4 years ago

I have been using custom DNS on the client side without issues. Maybe make sure the DNS address is included in the AllowedIPs? (unless of course you are already using AllowedIPs=0.0.0.0/0)

Also, just to confirm, there are no iptables rules to block traffic in this image by default. The only iptables rule that is created is for doing the outbound NAT.

sedago commented 4 years ago

Thank you for your reply. I am using it on a stock Debian buster installation. The only thing I could think of would be that I have UFW installed, but as far as I know that only blocks incoming connections.

If I check iptables on the host, I can not see anything specific about DNS. The strange thing is that WireGuard works flawlessly, but only if I do not set a DNS in the config file (tested on Linux and Android clients). I can ping the DNS server over the VPN but nothing is resolved.

Here are my configs:

docker-compose:

services:
  wg:
    container_name: wireguard
    image: cmulk/wireguard-docker:buster
    volumes:
      - ${DOCKERCONFDIR}/wireguard:/etc/wireguard   # server config (wg0.conf) lives here
    networks:
      - wgnet
    ports:
      - 24532:24532/udp   # must match ListenPort in the server config
    restart: unless-stopped
    cap_add:
      - NET_ADMIN    # create the wg0 interface and the NAT rule
      - SYS_MODULE   # load the wireguard kernel module from inside the container

networks:
  wgnet:
Server config:

[Interface]
PrivateKey = REMOVED
ListenPort = 24532 # UDP
Address = 10.8.2.1/32

#PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
#PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eno1 -j MASQUERADE
#SaveConfig = true

[Peer]
## Android or other device
PublicKey = REMOVED
AllowedIPs = 10.8.2.2/32

Client config:

[Interface]
Address = 10.8.2.2/32
DNS = 64.6.64.6
PrivateKey = REMOVED

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = REMOVED:24532
PersistentKeepalive = 25
PublicKey = REMOVED

Here are my automatically created iptables on the host: https://pastebin.com/5rNZMawr

I will have to keep trying to figure the iptables out.
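cmulk's first suggestion in this thread, checking that the client's DNS server address actually falls inside a peer's AllowedIPs, is easy to get wrong by eye once a config has several peers or a split tunnel. The script below is an added example, not code from the thread or from the wireguard-docker project: it parses a wg-quick style client config (stripping `#` comments and lowercasing keys the way wg(8) does) and reports, for each DNS entry, whether resolver traffic will be routed into the tunnel. The embedded input is a constructed copy of the client config posted above plus a split-tunnel variant; both are assumptions for illustration.

```python
"""Check whether a WireGuard client's DNS servers are routed through the tunnel.

Added example for the wireguard-docker issue thread; not part of the project.
A DNS server that is not covered by any peer's AllowedIPs is queried over the
normal default route, not over wg0, which looks like "DNS not forwarded".
"""
import ipaddress

# Constructed copy of the client config posted in the thread (secrets redacted there too).
CLIENT_CONFIG = """\
[Interface]
Address = 10.8.2.2/32
DNS = 64.6.64.6
PrivateKey = REMOVED

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = REMOVED:24532
PersistentKeepalive = 25
PublicKey = REMOVED
"""

# Hypothetical split-tunnel variant: only the VPN subnet is routed into wg0.
SPLIT_TUNNEL_CONFIG = CLIENT_CONFIG.replace("AllowedIPs = 0.0.0.0/0",
                                            "AllowedIPs = 10.8.2.0/24")


def parse_wg_config(text):
    """Parse a wg-quick style config into (interface_dict, [peer_dict, ...]).

    Keys are lowercased (wg(8) matches them case-insensitively), '#' comments are
    stripped, and a repeated key is joined with commas so that several AllowedIPs
    lines accumulate instead of overwriting each other.
    """
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section [{name}]")
            continue
        if current is None:
            raise ValueError(f"key outside of a section: {line!r}")
        key, sep, value = line.partition("=")  # first '=' only: base64 keys end in '='
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip().lower(), value.strip()
        current[key] = f"{current[key]},{value}" if key in current else value
    return interface, peers


def _split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def dns_route_check(text):
    """Map each DNS entry to True (inside some peer's AllowedIPs), False (not
    routed via the tunnel) or None (not an IP address; wg-quick treats such
    entries as DNS search domains rather than servers)."""
    interface, peers = parse_wg_config(text)
    allowed = [ipaddress.ip_network(net, strict=False)
               for peer in peers for net in _split_list(peer.get("allowedips", ""))]
    result = {}
    for entry in _split_list(interface.get("dns", "")):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            result[entry] = None
            continue
        # ip_network.__contains__ returns False across IPv4/IPv6, so mixing is safe.
        result[entry] = any(addr in net for net in allowed)
    return result


if __name__ == "__main__":
    labels = {True: "routed via tunnel", False: "NOT in AllowedIPs", None: "search domain"}
    for name, cfg in (("posted client config", CLIENT_CONFIG),
                      ("split-tunnel variant", SPLIT_TUNNEL_CONFIG)):
        for server, covered in dns_route_check(cfg).items():
            print(f"{name}: DNS {server}: {labels[covered]}")
```

With the config as posted (AllowedIPs = 0.0.0.0/0) the check passes for 64.6.64.6, which is consistent with cmulk's reply that AllowedIPs was not the cause here; the split-tunnel variant shows the failure mode the suggestion is aimed at.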

cmulk commented 4 years ago

Please try the latest version, I think your DNS issue was probably being caused by the WireGuard script not being able to properly set the DNS settings in the client container. Should be resolved now.