Trying to install wireguard - Checking DNS resolver failed (Topic is solved)

Totila
Posts: 56
Joined: Sun Aug 04, 2019 8:29 am

Re: Trying to install wireguard - Checking DNS resolver failed

Post by Totila »

> You need to ensure for Pihole to be configured to LISTEN on all local interfaces

I can confirm that is setup on my pihole.

Your settings look similar to mine.
I seem to be missing the 192.168.0.0/24 assuming this is the IP of the modem in bridgemode.
Your PI has 192.168.2.x as IP? Trying to understand which is which in your wireguard setting.

I guess I will start over by resetting modem and Fritzbox to start fresh with default settings.

My understanding is, the only required adjustments after reset are to set up port forwarding of 51820 on both (modem -> Fritzbox IP and Fritzbox -> PI hole IP) and disable ipv6 on the Fritzbox.

Or is there anything else to take into consideration like setting the PI IP as the fritzbox' DNS?
Or setting a static IP of the Fritzbox to match the PI IP address range (my PI has a static IP of 192.168.200.2 so should the Fritzbox be set to 192.168.200.x), my modem has 192.168.0.1?
Or should the Fritzbox get its IP via DHCP from the modem leading to 192.168.0.2 and therefore not matching the address range of the PI.

In the meantime and to be sure I stop messing/guessing around, could you post all (your) relevant modem (in bridge mode) and Fritzbox settings to be sure I am not misconfiguring them. I have a tendency to do so as you rightly noticed ;)

Hope this isn't too much to ask for as you probably have other things to do as well.

I just want to solve this once and for all and promise to be quiet afterwards ;)
Joulinar
Posts: 4783
Joined: Sat Nov 16, 2019 12:49 am

Re: Trying to install wireguard - Checking DNS resolver failed

Post by Joulinar »

ok let me explain my setup

1) Internet Hybrid router
- responsible for WAN access
- local IP 192.168.2.1 of the router
- local network IP range 192.168.2.0/24

2) FritzBox
- connected in bridge mode to the Hybrid router
- inside the FritzBox it's called "available connection via WAN" within the internet connection details
- external IP to the hybrid router 192.168.2.100 (assigned via DHCP) from the Hybrid router. But it could be static IP as well, doesn't matter
- internal IP 192.168.0.1
- network IP range 192.168.0.0/24
- Inside the FritzBox, DNS is pointing to DietPi/PiHole (FritzBox > Access Data > DNS-Server)
- DHCP Server disabled on my FritzBox

3) DietPi system
- internal IP 192.168.0.11 static
- WireGuard VPN server IP 10.9.0.1

4) PiHole
- Acting as DNS as well as DHCP Server
- PiHole connects to global upstream DNS server for DNS resolution
- enabled to listen on all local interfaces

5) local clients
- all local clients receive their IP address from PiHole
- all local clients use PiHole as DNS server directly
- There is no involvement of the FritzBox for DNS resolution

6) Port Forwarding
- Internet > Hybrid router > FritzBox > DietPi
- Port 51820 UDP

7) WireGuard Client
- DNS set to PiHole / VPN server IP 10.9.0.1
- allowed IP are
> 192.168.0.0/24 - to be able to reach the local network
> 192.168.2.0/24 - to be able to reach the hybrid router
> 10.9.0.0/24 - to be able to pass DNS request to the tunnel


Ok this is just a brief overlook. Hope it's understandable :)
Pls let us know if a solution is working. This could help others if they hit by similar situation. Your DietPi Team
Totila
Posts: 56
Joined: Sun Aug 04, 2019 8:29 am

Re: Trying to install wireguard - Checking DNS resolver failed

Post by Totila »

Many thanks for this.

At first glance, the Fritzbox not being the DHCP server is different to my setup as well as the PI address range.

I will (try to) replicate your setup 1:1 and will report back how it goes.

Have you changed the IP address of the hybrid router to 192.168.2.1? Mine has 192.168.0.1 as factory default.
Joulinar
Posts: 4783
Joined: Sat Nov 16, 2019 12:49 am

Re: Trying to install wireguard - Checking DNS resolver failed

Post by Joulinar »

There is no need to replicate the setup. Just replace the IP range with yours. As well the FritzBox could stay DHCP. That's not a problem. I have chosen PiHole DHCP as I have more options to configure it. Like I distribute local NTP time server settings via DHCP.

At the end all this has no impact in your VPN connection and how DNS is used on the VPN client side.
> Have you changed the IP address of the hybrid router to 192.168.2.1? Mine has 192.168.0.1 as factory default.

This depends on the router manufacturers I guess. I'm using a Speedport from German Telekom.
Totila
Posts: 56
Joined: Sun Aug 04, 2019 8:29 am

Re: Trying to install wireguard - Checking DNS resolver failed

Post by Totila »

So, I went through the setup once again, point by point and think I have set it up as it should be following your great overview.

VPN and adblocking works when I am at home (yeah), VPN works when I am away (on mobile data, yeah) but:
ad blocking does not work when outside of my home network.


If you could have a look at my settings below and check if you notice anything wrong.

Internet router in bridge mode (ISP: pyur)
IPv4 address: 192.168.2.1
DHCP is deactivated (fritzbox behind gets a static IP assigned)

Port forwarding from internet router to fritzbox:
51820 via UDP forwarded to 192.168.2.2 (fritzbox)

Fritzbox
Internet -> account information -> Internet Connection
Static IP: 192.168.2.2
Subnet: 255.255.255.0
Default gateway: 192.168.2.1
Primary DNS server: 1.1.1.1
Secondary DNS server: 1.1.1.1

Internet -> account information -> DNS Server
selected Use other DNSv4 servers
DNSv4 servers (preferred and alternative): 192.168.200.2

Internet -> account information -> IPv6
IPv6 support disabled

Internet -> permit access -> port sharing from fritzbox to dietpi
IP address: 192.168.200.2 (the dietpi)
Port assigned externally IPv4: 51820

Home Network->IPv4 addresses
(local) IPv4 address: 192.168.200.1
Subnet mask: 255.255.255.0

DHCP active: 192.168.200.100-200
local DNS server: 192.168.200.2


Dietpi
Static IP: 192.168.200.2/24
Gateway: 192.168.200.1
IPv6 disabled
Pihole listens on all interfaces
Unbound installed and working, upstream DNS servers: 127.0.0.1#5335

Wireguard client for my smartphone (android)
DNS servers: 10.9.0.1
Allowed IPs: 192.168.2.0/24, 192.168.200.0/24, 10.9.0.0/24

I am out of ideas why I still don't have ad blocking when I am connecting via mobile data (VPN works though, i.e. I can access the PI, pihole, nextcloud etc. from the outside). Everything (incl. ad blocking) works when I am at home connected via WiFi.

Many thanks in advance
-T
Joulinar
Posts: 4783
Joined: Sat Nov 16, 2019 12:49 am

Re: Trying to install wireguard - Checking DNS resolver failed

Post by Joulinar »

The issue seems to be the client side as the client did not use PiHole as DNS server. Do you see any DNS requests inside the PiHole Query Log from the WireGuard client? What happens if you set Allowed IPs to 0.0.0.0/0 to pass the entire traffic into the tunnel? (even if it is slow). As well, let's switch PiHole to Listen on all interfaces, permit all origins by running pihole -a -i all.

As well, we could try to trace DNS traffic using tcpdump, once you pass the entire traffic into the tunnel. This way we should see where the DNS requests are going to.
Totila
Posts: 56
Joined: Sun Aug 04, 2019 8:29 am

Re: Trying to install wireguard - Checking DNS resolver failed

Post by Totila »

If I set Allowed IPs to 0.0.0.0/0 to pass the entire traffic through the tunnel then I see my requests in the Pihole query log. I don't see them if I set the allowed IPs to 192.168.2.0/24, 192.168.200.0/24, 10.9.0.0/24

I also activated Listen on all interfaces, permit all origins, but that didn't help.

How would tracking the DNS traffic work with tcpdump once the allowed ips is set to 0.0.0.0/0?
Joulinar
Posts: 4783
Joined: Sat Nov 16, 2019 12:49 am

Re: Trying to install wireguard - Checking DNS resolver failed

Post by Joulinar »

Looks like a setting on the client side is preventing the adblock once you set allowed IPs to 192.168.2.0/24, 192.168.200.0/24, 10.9.0.0/24.
I don't think you need to change anything on your home network or server settings.

Let's try to set the following on the client
  • allowed IPs = 192.168.0.0/16
  • DNS = 192.168.200.2
On DietPi we could perform some DNS tracing
  • dietpi-software install 15
  • once installed, DNS traffic can be traced as follows

    tcpdump -i any -c500 -nn port 53 and src <WG Client IP 10.9.0.x>
Totila
Posts: 56
Joined: Sun Aug 04, 2019 8:29 am

Re: Trying to install wireguard - Checking DNS resolver failed

Post by Totila »

I changed allowed IPs to: 192.168.0.0/16
I changed the DNS to 192.168.200.2
(both in the wireguard client config on my smartphone)

and then I opened a session on my PI to check tcpdump with

    tcpdump -i any -c500 -nn port 53 and src <WG Client IP 10.9.0.x>

Result: No output in the terminal, no matter which webpage I opened on my smartphone (while being on mobile data).
But there were some logs appearing when I opened the youtube app, e.g.

    09:21:02.322465 IP 10.9.0.2.7760 > 192.168.200.2.53: 4360+ A? play.googleapis.com. (37)
    09:21:08.639165 IP 10.9.0.2.10098 > 192.168.200.2.53: 31099+ A? www.youtube.com. (33)
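
An added example, not part of any post in this thread: a small Python check that (1) tests whether the client's DNS address falls inside its Allowed IPs for the split-tunnel settings quoted above and (2) lists which names a given WireGuard client actually asked Pi-hole for in tcpdump output. The third config row and the last two capture lines are constructed for illustration, and the tolerance for an interface column before "IP" is an assumption about newer tcpdump output with -i any.

```python
import ipaddress
import re

# tcpdump -nn DNS query, e.g. "... IP 10.9.0.2.7760 > 192.168.200.2.53: 4360+ A? name. (37)".
# search() rather than match(): assumes tcpdump may print an interface column before "IP".
QUERY_RE = re.compile(
    r"\bIP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.53: "
    r"\d+\S*(?: \[[^\]]*\])? (?P<qtype>[A-Za-z0-9]+)\? (?P<name>\S+)"
)

def dns_routed_via_tunnel(allowed_ips, dns_server):
    """True if the DNS server address is covered by one of the client's AllowedIPs."""
    addr = ipaddress.ip_address(dns_server)
    return any(addr in ipaddress.ip_network(net.strip())
               for net in allowed_ips.split(","))

def queries_from(lines, client_ip):
    """Count (qtype, name) DNS queries that client_ip sent to port 53."""
    counts = {}
    for line in lines:
        m = QUERY_RE.search(line)
        if m and m["src"] == client_ip:
            key = (m["qtype"], m["name"].rstrip("."))
            counts[key] = counts.get(key, 0) + 1
    return counts

CONFIGS = [
    ("192.168.2.0/24, 192.168.200.0/24, 10.9.0.0/24", "10.9.0.1"),  # from the thread
    ("192.168.0.0/16", "192.168.200.2"),                            # from the thread
    ("10.9.0.0/24", "192.168.200.2"),                               # constructed: DNS outside the tunnel
]

CAPTURE = [
    "09:21:02.322465 IP 10.9.0.2.7760 > 192.168.200.2.53: 4360+ A? play.googleapis.com. (37)",
    "09:21:08.639165 IP 10.9.0.2.10098 > 192.168.200.2.53: 31099+ A? www.youtube.com. (33)",
    # constructed: a response (source port 53) and a query from a LAN client, both ignored
    "09:21:02.340112 IP 192.168.200.2.53 > 10.9.0.2.7760: 4360 1/0/0 A 203.0.113.10 (53)",
    "09:21:09.100000 IP 192.168.200.101.5353 > 192.168.200.2.53: 77+ A? example.org. (29)",
]

if __name__ == "__main__":
    for allowed, dns in CONFIGS:
        state = "inside" if dns_routed_via_tunnel(allowed, dns) else "OUTSIDE"
        print(f"DNS {dns} is {state} AllowedIPs = {allowed}")
    for (qtype, name), n in sorted(queries_from(CAPTURE, "10.9.0.2").items()):
        print(f"10.9.0.2 asked {n}x {qtype} {name}")
```

A name that is opened on the phone but never shows up in this list did not reach Pi-hole through the tunnel, even when the DNS address itself is covered by Allowed IPs.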
Joulinar
Posts: 4783
Joined: Sat Nov 16, 2019 12:49 am

Re: Trying to install wireguard - Checking DNS resolver failed

Post by Joulinar »

Did you set any specific DNS server on your mobile device? Or in the browser? Did you try to use a different browser or a different app (like a newspaper app)?