Trying to install wireguard - Checking DNS resolver failed

You need to ensure Pihole is configured to LISTEN on all local interfaces

I can confirm that is setup on my pihole.

Your settings look similar to mine.
I seem to be missing the 192.168.0.0/24, assuming this is the IP of the modem in bridge mode.
Your PI has 192.168.2.x as IP? Trying to understand which is which in your wireguard setting.

I guess I will start over by resetting modem and Fritzbox to start fresh with default settings.

My understanding is, the only required adjustments after reset are to set up port forwarding of 51820 on both (modem → Fritzbox IP and Fritzbox → PI hole IP) and disable ipv6 on the Fritzbox.

Or is there anything else to take into consideration like setting the PI IP as the fritzbox’ DNS?
Or setting a static IP of the Fritzbox to match the PI IP address range (my PI has a static IP of 192.168.200.2 so should the Fritzbox be set to 192.168.200.x), my modem has 192.168.0.1?
Or should the Fritzbox get its IP via DHCP from the modem, leading to 192.168.0.2 and therefore not matching the address range of the PI?

In the meantime, and to be sure I stop messing/guessing around, could you post all (your) relevant modem (in bridge mode) and Fritzbox settings to be sure I am not misconfiguring them? I have a tendency to do so as you rightly noticed :wink:

Hope this isn’t too much to ask for as you probably have other things to do as well.

I just want to solve this once and for all and promise to be quiet afterwards :wink:

Ok, let me explain my setup

  1. Internet Hybrid router
  • responsible for WAN access
  • local IP 192.168.2.1 of the router
  • local network IP range 192.168.2.0/24
  2. FritzBox
  • connected in bridge mode to the Hybrid router
  • inside the FritzBox it’s called “available connection via WAN” within the internet connection details
  • external IP to the hybrid router 192.168.2.100 (assigned via DHCP) from the Hybrid router. But it could be a static IP as well, doesn’t matter
  • internal IP 192.168.0.1
  • network IP range 192.168.0.0/24
  • Inside the FritzBox, DNS is pointing to DietPi/PiHole (FritzBox > Access Data > DNS-Server)
  • DHCP Server disabled on my FritzBox
  3. DietPi system
  • internal IP 192.168.0.11 static
  • WireGuard VPN server IP 10.9.0.1
  4. PiHole
  • Acting as DNS as well as DHCP Server
  • PiHole connects to global upstream DNS server for DNS resolution
  • enabled to listen on all local interfaces
  5. local clients
  • all local clients receive their IP address from PiHole
  • all local clients use PiHole as DNS server directly
  • There is no involvement of the FritzBox for DNS resolution
  6. Port Forwarding
  • Internet > Hybrid router > FritzBox > DietPi
  • Port 51820 UDP
  7. WireGuard Client
  • DNS set to PiHole / VPN server IP 10.9.0.1
  • allowed IPs are
    • 192.168.0.0/24 - to be able to reach the local network
    • 192.168.2.0/24 - to be able to reach the hybrid router
    • 10.9.0.0/24 - to be able to pass DNS requests into the tunnel

Ok this is just a brief overview. Hope it’s understandable :slight_smile:
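The point of the last bullet group above is that the DNS server address given to the WireGuard client must itself be covered by AllowedIPs, otherwise the phone resolves names over the mobile network and Pi-hole never sees the queries. The following added script (not from the thread or from DietPi) parses a wg-quick style client config and checks exactly that; the config text, key placeholders and endpoint name are constructed for the example.

```python
# Added example: verify that every DNS server in a WireGuard client config is
# routed through the tunnel, i.e. lies inside one of the AllowedIPs prefixes.
import ipaddress

# Constructed client config mirroring the addresses used in the thread.
# Keys and endpoint are placeholders, not real values.
CLIENT_CONFIG = """
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.9.0.2/24
DNS = 10.9.0.1

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 192.168.0.0/24, 192.168.2.0/24, 10.9.0.0/24
"""

def parse_wg_client(config: str) -> dict:
    """Return the DNS servers and AllowedIPs prefixes from a wg-quick style config."""
    dns, allowed = [], []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        values = [v.strip() for v in value.split(",") if v.strip()]
        if key.lower() == "dns":
            dns += [ipaddress.ip_address(v) for v in values]
        elif key.lower() == "allowedips":
            allowed += [ipaddress.ip_network(v, strict=False) for v in values]
    return {"dns": dns, "allowed": allowed}

def dns_routed_via_tunnel(config: str) -> dict:
    """Map each DNS server to True when some AllowedIPs prefix covers it, else False."""
    parsed = parse_wg_client(config)
    return {str(d): any(d in net for net in parsed["allowed"]) for d in parsed["dns"]}

if __name__ == "__main__":
    for server, ok in dns_routed_via_tunnel(CLIENT_CONFIG).items():
        state = "inside tunnel" if ok else "NOT routed via tunnel (queries leak)"
        print(f"DNS {server}: {state}")
```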

Many thanks for this.

At first glance, the Fritzbox not being the DHCP server is different to my setup as well as the PI address range.

I will (try to) replicate your setup 1:1 and will report back how it goes.

Have you changed the IP address of the hybrid router to 192.168.2.1? Mine has 192.168.0.1 as factory default.

There is no need to replicate the setup. Just replace the IP range with yours. As well the FritzBox could stay DHCP. That’s not a problem. I have chosen PiHole DHCP as I have more options to configure it. Like I distribute local NTP time server settings via DHCP.

At the end, all this has no impact on your VPN connection and how DNS is used on the VPN client side.

Have you changed the IP address of the hybrid router to 192.168.2.1? Mine has 192.168.0.1 as factory default.

This depends on the router manufacturers I guess. I’m using a Speedport from German Telekom.

So, I went through the setup once again, point by point and think I have set it up as it should be following your great overview.

VPN and adblocking works when I am at home (yeah), VPN works when I am away (on mobile data, yeah) but:
ad blocking does not work when outside of my home network.


If you could have a look at my settings below and check if you notice anything wrong.

Internet router in bridge mode (ISP: pyur)
IPv4 address: 192.168.2.1
DHCP is deactivated (fritzbox behind gets a static IP assigned)

Port forwarding from internet router to fritzbox:
51820 via UDP forwarded to 192.168.2.2 (fritzbox)

Fritzbox
Internet → account information → Internet Connection
Static IP: 192.168.2.2
Subnet: 255.255.255.0
Default gateway: 192.168.2.1
Primary DNS server: 1.1.1.1
Secondary DNS server: 1.1.1.1

Internet → account information → DNS Server
selected Use other DNSv4 servers
DNSv4 servers (preferred and alternative): 192.168.200.2

Internet → account information → IPv6
IPv6 support disabled

Internet → permit access → port sharing from fritzbox to dietpi
IP address: 192.168.200.2 (the dietpi)
Port assigned externally IPv4: 51820

Home Network->IPv4 addresses
(local) IPv4 address: 192.168.200.1
Subnet mask: 255.255.255.0

DHCP active: 192.168.200.100-200
local DNS server: 192.168.200.2


Dietpi
Static IP: 192.168.200.2/24
Gateway: 192.168.200.1
IPv6 disabled
Pihole listens on all interfaces
Unbound installed and working, upstream DNS servers: 127.0.0.1#5335

Wireguard client for my smartphone (android)
DNS servers: 10.9.0.1
Allowed IPs: 192.168.2.0/24, 192.168.200.0/24, 10.9.0.0/24

I am out of ideas why I still don’t have ad blocking when I am connecting via mobile data (VPN works though, i.e. I can access the PI, pihole, nextcloud etc. from the outside). Everything (incl. ad blocking) works when I am at home connected via WiFi.

Many thanks in advance
-T

The issue seems to be the client side, as the client did not use PiHole as DNS server. Do you see any DNS requests inside the PiHole Query Log from the WireGuard client? What happens if you set Allowed IPs to 0.0.0.0/0 to pass the entire traffic into the tunnel? (even if it is slow). As well, let’s switch PiHole to Listen on all interfaces, permit all origins by running pihole -a -i all.

As well, we could try to trace DNS traffic using tcpdump once you pass the entire traffic into the tunnel. This way we should see where the DNS requests are going.

If I set Allowed IPs to 0.0.0.0/0 to pass the entire traffic through the tunnel, then I see my requests in the Pihole query log. I don’t see them if I set the allowed IPs to 192.168.2.0/24, 192.168.200.0/24, 10.9.0.0/24

I also activated Listen on all interfaces, permit all origins, but that didn’t help.

How would tracking the DNS traffic work with tcpdump once the allowed IPs are set to 0.0.0.0/0?

Looks like a setting on the client side is preventing the adblock once you set allowed IPs to 192.168.2.0/24, 192.168.200.0/24, 10.9.0.0/24.
I don’t think you need to change anything on your home network or server settings.

Let’s try to set following on the client

  • allowed IPs = 192.168.0.0/16
  • DNS = 192.168.200.2

On DietPi we could perform some DNS tracing

  • dietpi-software install 15
  • once installed, DNS traffic can be traced as follows:
    tcpdump -i any -c500 -nn port 53 and src <WG Client IP 10.9.0.x>
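Reading a long tcpdump capture by eye is error-prone, so here is an added helper (not from the thread or from DietPi) that parses the `tcpdump -nn port 53` line format shown in this thread and reports, per expected tunnel client, which names it resolved through Pi-hole. A client that stays silent in the capture is resolving elsewhere (OS private DNS, browser DNS over HTTPS, or a DNS address outside AllowedIPs). The sample capture, the 192.168.200.50 LAN host and the 10.9.0.3 client are constructed for the example.

```python
# Added example: summarise which WireGuard clients' DNS queries reached the
# Pi-hole host, from the output of `tcpdump -i any -c500 -nn port 53`.
import ipaddress
import re
from collections import defaultdict

# One query line: "<time> IP <src>.<sport> > <dst>.<dport>: <id>[flags] <type>? <name>. (<len>)"
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<id>\d+)\S* (?P<qtype>[A-Z]+)\? (?P<name>\S+?)\.? \(\d+\)$"
)

# Constructed sample capture in the thread's format (not real traffic).
SAMPLE_CAPTURE = """\
09:21:02.322465 IP 10.9.0.2.7760 > 192.168.200.2.53: 4360+ A? play.googleapis.com. (37)
09:21:02.340001 IP 192.168.200.2.53 > 10.9.0.2.7760: 4360 1/0/0 A 142.250.74.138 (53)
09:21:08.639165 IP 10.9.0.2.10098 > 192.168.200.2.53: 31099+ A? www.youtube.com. (33)
09:21:09.100000 IP 192.168.200.50.51234 > 192.168.200.2.53: 1234+ AAAA? dietpi.com. (28)
"""

def parse_queries(capture: str) -> dict:
    """Group (qtype, name) pairs by source IP, keeping only queries sent to port 53."""
    by_src = defaultdict(list)
    for line in capture.splitlines():
        m = QUERY_RE.match(line.strip())
        if m and m.group("dport") == "53":       # responses do not match the query regex
            by_src[m.group("src")].append((m.group("qtype"), m.group("name")))
    return dict(by_src)

def tunnel_client_report(capture: str, expected_clients, tunnel_net="10.9.0.0/24") -> dict:
    """For each expected tunnel client, list what it resolved via Pi-hole ([] = silent)."""
    net = ipaddress.ip_network(tunnel_net)
    seen = parse_queries(capture)
    report = {}
    for client in expected_clients:
        if ipaddress.ip_address(client) not in net:
            raise ValueError(f"{client} is not inside the tunnel network {tunnel_net}")
        report[client] = seen.get(client, [])
    return report

if __name__ == "__main__":
    for client, queries in tunnel_client_report(SAMPLE_CAPTURE, ["10.9.0.2", "10.9.0.3"]).items():
        names = ", ".join(n for _, n in queries) or "SILENT: DNS is bypassing the tunnel"
        print(f"{client}: {names}")
```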

I changed allowed IPs to: 192.168.0.0/16
I changed the DNS to 192.168.200.2
(both in the wireguard client config on my smartphone)

and then I opened a session on my PI to check tcpdump with

tcpdump -i any -c500 -nn port 53 and src <WG Client IP 10.9.0.x>

Result: No output in the terminal, no matter which webpage I opened on my smartphone (while being on mobile data).
But there were some logs appearing when I opened the youtube app, e.g.

09:21:02.322465 IP 10.9.0.2.7760 > 192.168.200.2.53: 4360+ A? play.googleapis.com. (37)
09:21:08.639165 IP 10.9.0.2.10098 > 192.168.200.2.53: 31099+ A? www.youtube.com. (33)

Did you set any specific DNS server on your mobile device? Or in the browser? Did you try to use a different browser or a different app (like a newspaper app)?

I haven’t set any specific DNS in my phone (stats certainly show that my PI is being used as the only DNS when I am on WiFi, I cannot check that when I am on mobile data though).

Turns out, google chrome and vivaldi show two DNS servers checking with https://www.perfect-privacy.com/de/tests/dns-leaktest

Firefox only shows my public IP and therefore blocks ads as expected when I am on mobile data.

So, Chrome and chrome-based phone browsers are bad as they use hard-coded DNS servers it seems.

Can you confirm your end? Which browser are you using?

Not sure if this is really a good test. Anyway, on my mobile it doesn’t matter if I use Chrome, Edge or Firefox. Ads are blocked on all my Apps and browser.

Maybe some setting in Chrome. Probably you could try to reset the app like delete data, delete temp data, try to uninstall updates as much as possible. Once done install it from play store again.

Not sure if this is really a good test

What is a good test then?

I set chrome to factory default (and reinstalled) and still the same result. Ads are not being blocked, tcpdump doesn’t show any output.

I am on Android 9 (fwiw)

And must permit all origins, because the android client is more than a hop away.
Also make sure that the browsers are not using hardcoded DNS or DNS over HTTPS

And must permit all origins, because the android client is more than a hop away.

I did, but that didn’t change anything unfortunately.

Also make sure that the browsers are not using hardcoded DNS or DNS over HTTPS

How would I do that?
I only know that firefox ‘seems’ different to chrome, as on firefox ads are being blocked. I didn’t find a setting on chrome to disable any predefined DNS (if google would even present that to the user).

It would help to troubleshoot a bit. Install tcpdump and verify that you can see packets in and out.
Run tcpdump -evn udp port 53, try to resolve something from the android, then hit Ctrl-C, copy the output and paste it here.
Firefox also has an option to use DNS over HTTPS, and it is visible under proxy settings.

I resolved https://dietpi.com
There was NO terminal output using google chrome on my Android (on mobile data).

Using Firefox gave me this:

12:04:18.210314 b8:27:eb:cd:43:a1 > 2c:3a:fd:25:52:bf, ethertype IPv4 (0x0800), length 81: (tos 0x0, ttl 64, id 51864, offset 0, flags [none], proto UDP (17), length 67)
    192.168.200.2.10697 > 173.245.59.176.53: 57555% [1au] A? dieTpi.cOm. (39)
12:04:18.228748 2c:3a:fd:25:52:bf > b8:27:eb:cd:43:a1, ethertype IPv4 (0x0800), length 219: (tos 0x0, ttl 58, id 43469, offset 0, flags [DF], proto UDP (17), length 205)
    173.245.59.176.53 > 192.168.200.2.10697: 57555*- 3/0/1 dieTpi.cOm. A 172.67.173.4, dieTpi.cOm. A 104.21.96.47, dieTpi.cOm. RRSIG (177)
12:04:19.312236 b8:27:eb:cd:43:a1 > 2c:3a:fd:25:52:bf, ethertype IPv4 (0x0800), length 81: (tos 0x0, ttl 64, id 47404, offset 0, flags [none], proto UDP (17), length 67)
    192.168.200.2.33236 > 173.245.58.167.53: 10152% [1au] A? DiEtpi.CoM. (39)
12:04:19.324875 2c:3a:fd:25:52:bf > b8:27:eb:cd:43:a1, ethertype IPv4 (0x0800), length 219: (tos 0x0, ttl 58, id 37310, offset 0, flags [DF], proto UDP (17), length 205)
    173.245.58.167.53 > 192.168.200.2.33236: 10152*- 3/0/1 DiEtpi.CoM. A 104.21.96.47, DiEtpi.CoM. A 172.67.173.4, DiEtpi.CoM. RRSIG (177)

I couldn’t find any proxy settings on the android firefox.

Well, we are running in circles. I guess we already know that some apps seem to use a different DNS than other apps. But this is something special on the client/mobile device. And honestly, I don’t know how this is possible. On my Android mobile device this is not the case.

In fact, Wireguard is working as server, PiHole is accepting the requests, but due to whatever reason the Chrome mobile app is using a different DNS than the one specified in the Wireguard client.

Then let’s leave it here.

Many thanks for your efforts. Much appreciated. At least the home setup is working flawlessly.

Some things will remain a mystery.

Thanks again.

T

Probably you have another mobile device you can test on.