tusc / wireguard-kmod

WireGuard for UDM series routers
https://www.wireguard.com/

Unable to use USG DNS with WG client? #28

Closed htilly closed 2 years ago

htilly commented 2 years ago

Everything works perfectly, apart from the fact that I can't get local DNS to work.

Client config:

[Interface]
PrivateKey = KEY
Address = 172.16.201.6/24
DNS = 172.16.200.1  # USG DNS server. Works over LAN

[Peer]
PublicKey = KEY
AllowedIPs = 0.0.0.0/0
Endpoint = EXTERNAL_IP:51820

Server config:

[Interface]
Address = 172.16.201.1/24
ListenPort = 51820
PrivateKey = KEY

[Peer]
PublicKey = KEY
AllowedIPs = 172.16.201.6/32

All other internal traffic to the LAN, 172.16.200.0/24, works just fine.

I have not created a network, static routes or FW rules in the USG. Since the DNS is hosted on the USG itself, do I need to create the WG network in order for the USG firewall to accept / route the traffic? And if so, will this mess up the WG traffic?

austin12block commented 2 years ago

I am having the same issue on my UDMP. I have, however, tried creating a network within the Unifi settings, with no change.

peacey commented 2 years ago

Hi @austin12block and @htilly,

The problem is that dnsmasq is configured to only listen for requests from certain interfaces. You need to add wg0 (or your WireGuard interface name) to the dnsmasq config. You just need to run these commands after you run wg-quick up:

echo "interface=wg0" > /run/dnsmasq.conf.d/custom_listen.conf
killall -9 dnsmasq

Alternatively, you can add those commands to PostUp in your wireguard config's Interface section, e.g.:

PostUp = sh -c 'echo "interface=wg0" > /run/dnsmasq.conf.d/custom_listen.conf; killall -9 dnsmasq'
PreDown = sh -c 'rm -f /run/dnsmasq.conf.d/custom_listen.conf; killall -9 dnsmasq'

Please try the following solution and see if it works for you guys.

Also @htilly, do you mean UDM, not USG right?

@austin12block, you should NOT create a network with the same subnet as the wireguard interface in your Unifi settings. It will confuse the routing and packets will not make it to the wireguard interface (instead going to the other network half the time).
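As an added example, not code from this thread or from the wireguard-kmod project, a small POSIX sh helper that renders and applies the dnsmasq listen drop-in described above, rejects interface names that would be unsafe inside the `sh -c` PostUp, and checks that dnsmasq is answering on the tunnel address. The `/run/dnsmasq.conf.d` path comes from the thread; the `ss` availability and the exact drop-in behaviour on the UDM are assumptions.

```shell
#!/bin/sh
# Added example: manage the dnsmasq listen drop-in for a WireGuard interface.
# Assumed usage from wg-quick (path is hypothetical):
#   PostUp  = sh -c '. /data/wg-dns.sh; apply_dropin wg0'
#   PreDown = sh -c '. /data/wg-dns.sh; remove_dropin'
DROPIN_DIR="${DROPIN_DIR:-/run/dnsmasq.conf.d}"   # path used in the thread
DROPIN="$DROPIN_DIR/custom_listen.conf"

# Accept only a plain Linux interface name (<= 15 chars, [A-Za-z0-9_.-]).
# The name ends up inside a shell one-liner, so anything else is refused.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Render the drop-in body: one "interface=" line per interface given.
# Fails (no partial apply) if any name is invalid.
render_dropin() {
    for ifname in "$@"; do
        valid_ifname "$ifname" || return 1
        printf 'interface=%s\n' "$ifname"
    done
}

# Write the drop-in atomically, then restart dnsmasq the same way the
# thread does so it re-reads its configuration.
apply_dropin() {
    tmp="$DROPIN.tmp.$$"
    render_dropin "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$DROPIN" && killall -9 dnsmasq
}

# Undo step for PreDown: drop the file and restart dnsmasq again.
remove_dropin() {
    rm -f "$DROPIN" && killall -9 dnsmasq
}

# Check that dnsmasq now listens on UDP/53 at the tunnel address given
# as $1 (e.g. 172.16.201.1). Assumes iproute2's ss is present.
verify_listen() {
    ss -lun 2>/dev/null | grep -q "$1:53 "
}
```

Run `verify_listen 172.16.201.1` on the UDM after bringing the tunnel up; a non-zero exit means dnsmasq did not pick up the drop-in.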

austin12block commented 2 years ago

Hi @peacey I have added the commands you gave to my wg0.conf and it is working wonderfully. Thank you for the assistance!

htilly commented 2 years ago

Thanks @peacey!

Works perfectly, and yes, I meant the USG. Might be worth mentioning the DNS in https://github.com/tusc/wireguard-kmod#configuration ?

Thanks again.

peacey commented 2 years ago

@htilly glad it worked. But sorry, you said USG again. This project is for the UDM, not USG, so I'm surprised it's working on the USG.

Can you tell us your USG firmware version, and also your kernel version by running uname -a? This is the first time I've seen someone use this on the USG, so very curious.

htilly commented 2 years ago

@peacey must be autocorrection :-) Let's try it again: UDM

:-)