Wireguard can't access DNS server on host

So I just configured the wireguard image and I got it running. I can access all my local IPs and stuff but there is one thing I can’t figure out.
The DNS won’t work if I set it to my host’s internal IP.
I have pretty much everything running in containers, from nginx, mariadb, pi-hole etc.
I use pi-hole as my internal DNS but if I make my wireguard client use my internal IP as DNS it won’t work.
The thing is that I can access all nginx on the same IP and all other services that are running inside containers.

I can even specify it to use my router’s DNS and it will work. But when I try to use the host IP (which looks up DNS just fine internally) it stops working. I just get a timeout.

I can’t figure out why the DNS won’t work if I use the host IP (192.168.9.2) but it will work if I use any other DNS server, including my router’s (192.168.9.2).

It would make more sense if I could access 192.168.9.2 at all, but all other services work except DNS.

Does anyone have any clues to what could be wrong here?

My compose file below:

version: "2.1"
services:
  wireguard:
    image: linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Stockholm
      - SERVERURL=wg.domain.com #optional
      - SERVERPORT=51820 #optional
      - PEERS=1 #optional
      - PEERDNS=auto #optional
      - INTERNAL_SUBNET=10.13.13.0 #optional
    volumes:
      - /etc/wireguard:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

Client config below:

[Interface]
PrivateKey = <private key here>
ListenPort = 51820
Address = 10.13.13.2/32
DNS = 10.13.13.1

[Peer]
PublicKey = <public key here>
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1
Endpoint = wg.domain.com:51820

Server config below:

[Interface]
Address = 10.13.13.1
ListenPort = 51820
PrivateKey = <private key here>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <public key here>
AllowedIPs = 10.13.13.2/32

The reason I want to use pi-hole as DNS over wireguard is because I have local DNS entries in pi-hole which point to my local IPs.

I’m confused about this part. What does the host IP have to do with this?

Is pihole running as a container on the host?

Is the wireguard host set up to use pihole as its DNS? Because when you set DNS to auto, it uses whatever DNS the wireguard container and its host is set up to use.

Yes, pi-hole is running as a container on the host, as are the other containers I mentioned.
Let’s start with the wireguard container. If I set it to use for example 1.1.1.1 the DNS will work (from inside the container).
If I set it to use 192.168.9.2 (the host) DNS won’t work. If I do a DNS query I just get a timeout.

Let’s say I have the wireguard container use 1.1.1.1, as it works, and I set the wireguard client (my computer) to the same, all DNS queries will work. If I change the client to 192.168.9.2 I will get a timeout on every DNS query.

From the client when connected to wireguard I can ping 192.168.9.2, I can reach it over http and https, mariadb, influxdb, mqtt etc. but not DNS for some reason. I can even access pi-hole over the web UI but not anything that is going to port 53 for some weird reason.

I can’t really figure out why only DNS queries won’t work and everything else will.

Ah, I just installed dnsutils on the container so I could try out dig for troubleshooting.
This is what I got:

root@a520d6f73159:/# dig internal.domain.com @192.168.9.2
;; reply from unexpected source: 172.17.0.1#53, expected 192.168.9.2#53
;; reply from unexpected source: 127.0.0.11#53, expected 192.168.9.2#53

If I set the wireguard container to use pi-hole’s container IP (172.17.0.1) I get a correct DNS response.
I will look into this tonight.

I found someone with the same problem regarding the DNS on Stack Overflow:

The issue is iptables UDP nat for DNS server. You’re querying the host IP while it’s the docker bridge network’s response.

To fix it is to either run the container with --net=host or use the container IP of the DNS container in resolv.conf

Is there another way to do this, since using --net=host breaks access to the internet (might be able to fix with iptables, I don’t know?) and the IP of the DNS container might change when I run up/down etc.?
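
The "reply from unexpected source" check that dig reports in this thread can be reproduced with a small probe. This is an added example, not code from the thread or from any of the projects mentioned: it sends one DNS query over an unconnected UDP socket and records where each reply actually comes from. The loopback responder, the function names and the use of a different source port (rather than a different IP, as in the dig output above) are constructed so the script runs offline.

```python
import socket
import struct
import threading

def build_query(name, qid=0x1234):
    """Minimal DNS A/IN query in RFC 1035 wire format."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack(">HH", 1, 1)

def probe(server, name, timeout=2.0, max_datagrams=3):
    """Query `server` (ip, port) and return [(source, accepted)] for each datagram received.

    Like dig, a datagram is accepted only if it comes from the exact address
    and port that was queried and carries the query's transaction ID.
    """
    query = build_query(name)
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, server)  # unconnected socket, so stray replies stay visible
        for _ in range(max_datagrams):
            try:
                data, source = sock.recvfrom(4096)
            except socket.timeout:
                break
            accepted = source == server and data[:2] == query[:2]
            seen.append((source, accepted))
            if accepted:
                break
    return seen

def start_responder(mismatch):
    """Constructed loopback server; with mismatch=True it answers from a second socket."""
    listen = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listen.bind(("127.0.0.1", 0))
    reply = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) if mismatch else listen
    if mismatch:
        reply.bind(("127.0.0.1", 0))
    queried, answering = listen.getsockname(), reply.getsockname()

    def serve():
        data, client = listen.recvfrom(4096)
        reply.sendto(data[:2] + b"\x81\x80" + data[4:], client)  # same ID, QR bit set

    threading.Thread(target=serve, daemon=True).start()
    return queried, answering

if __name__ == "__main__":
    queried, _ = start_responder(mismatch=True)
    for source, accepted in probe(queried, "internal.domain.com", timeout=1.0):
        print(f"reply from {source[0]}#{source[1]}:", "accepted" if accepted else "unexpected source")
```

To test a real resolver from inside the container, call `probe(("192.168.9.2", 53), "internal.domain.com")` and compare the reported source with the address that was queried.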