* WireGuard macOS App doesn't set system default DNS @ 2020-08-03 9:15 Alexander Skwar [not found] ` <AM0PR07MB614721A4B6B17011C3DFF7C0964D0@AM0PR07MB6147.eurprd07.prod.outlook.com> 0 siblings, 1 reply; 4+ messages in thread From: Alexander Skwar @ 2020-08-03 9:15 UTC (permalink / raw) To: wireguard Hello I'm having issues with the macOS App. tl;dr: It doesn't set the system DNS to the IP of my resolver which is only reachable once the tunnel is up. Here's my "clients" (macOS) configuration: ##################################################################### [Interface] PrivateKey = ...= Address = 172.31.0.3/24 DNS = 10.136.16.2 [Peer] PublicKey = ...= AllowedIPs = 10.136.16.0/22, 169.254.169.253/32 Endpoint = wg.....ch:51820 ##################################################################### Matching "server" configuration (Debian 10): ##################################################################### [Interface] Address = 172.31.0.1/24 Listenport = 51820 PrivateKey = ...= PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens5 -j MASQUERADE [Peer] # alexander-mac-1 PublicKey = kw6A7iN/sF0k2bePr15M10e6Ufhp7sJVWhZcZvGcrT8= AllowedIPs = 172.31.0.3/32 ##################################################################### When I activate this tunnel on my mac and do a "dig" or "host" query for some name which only the private resolver 10.136.16.2 knows, I get an NXDOMAIN (query failed). When I do "dig @10.136.16.2 $sameName", the name gets resolved (ie. when I manually s). This shows that the routing is working fine. As some extra tests, I set "DNS = 208.67.222.222" (OpenDNS) and tried to resolve their test site www.internetbadguys.com. It resolves to 146.112.61.108, which means that OpenDNS is used (I'm normally not using it). It also shows on https://welcome.opendns.com/. Same result with setting "DNS = 1.1.1.1" and then going to https://1.1.1.1/help - DNS is set. This means that the macOS App *IS* able to set the system default DNS, but for some reason doesn't set it to my private DNS IP of 10.136.16.2. There is ONE (bad) work around: When I set "AllowedIPs = 0.0.0.0/0", then the App DOES set the system default DNS to 10.136.16.2. The log of the application doesn't show anything regarding DNS. Pasted at https://paste.ee/p/ziqrg. Well… Why does the macOS App refuse to set the DNS to 10.136.16.2? Versions used: App version: 0.0.20191105 (16) Go backend version: 0.0.20191013 macOS: Catalina 10.15.5 (19F101) Cheers, Alexander ^ permalink raw reply [flat|nested] 4+ messages in thread
[parent not found: <AM0PR07MB614721A4B6B17011C3DFF7C0964D0@AM0PR07MB6147.eurprd07.prod.outlook.com>]
* Re: WireGuard macOS App doesn't set system default DNS [not found] ` <AM0PR07MB614721A4B6B17011C3DFF7C0964D0@AM0PR07MB6147.eurprd07.prod.outlook.com> @ 2020-08-03 12:14 ` Alexander Skwar 2020-08-06 13:18 ` Shulhan 0 siblings, 1 reply; 4+ messages in thread From: Alexander Skwar @ 2020-08-03 12:14 UTC (permalink / raw) To: Gijs Conijn; +Cc: wireguard Hello Erik, yes, I know that the DNS is private. This is why I have that on my macOS configuration: # … AllowedIPs = 10.136.16.0/22, 169.254.169.253/32 # … Cheers, Alexander Am Mo., 3. Aug. 2020 um 14:02 Uhr schrieb Gijs Conijn <egc112@msn.com>: > > The DNS you are using is private and only works if routed through the tunnel. > > You have to add the DNS address to the allowed IP's so that it is routed via the tunnel. > > Regards, Erik DDWRT user > > Alexander Skwar <alexanders.mailinglists+nospam@gmail.com> schreef op 3 augustus 2020 11:15:21 CEST: >> >> Hello >> >> I'm having issues with the macOS App. tl;dr: It doesn't set the system >> DNS to the IP of my resolver which is only reachable once the tunnel >> is up. >> >> Here's my "clients" (macOS) configuration: >> >> ##################################################################### >> [Interface] >> PrivateKey = ...= >> Address = 172.31.0.3/24 >> DNS = 10.136.16.2 >> >> [Peer] >> PublicKey = ...= >> AllowedIPs = 10.136.16.0/22, 169.254.169.253/32 >> Endpoint = wg.....ch:51820 >> ##################################################################### >> >> Matching "server" configuration (Debian 10): >> >> ##################################################################### >> [Interface] >> Address = 172.31.0.1/24 >> Listenport = 51820 >> PrivateKey = ...= >> PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o >> wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE >> PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD >> -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens5 -j MASQUERADE >> >> [Peer] # alexander-mac-1 >> PublicKey = kw6A7iN/sF0k2bePr15M10e6Ufhp7sJVWhZcZvGcrT8= >> AllowedIPs = 172.31.0.3/32 >> ##################################################################### >> >> When I activate this tunnel on my mac and do a "dig" or "host" query >> for some name which only the private resolver 10.136.16.2 knows, I get >> an NXDOMAIN (query failed). >> When I do "dig @10.136.16.2 $sameName", the name gets resolved (ie. >> when I manually s). This shows that the routing is working fine. >> >> As some extra tests, I set "DNS = 208.67.222.222" (OpenDNS) and tried >> to resolve their test site www.internetbadguys.com. It resolves to >> 146.112.61.108, which means that OpenDNS is used (I'm normally not >> using it). It also shows on https://welcome.opendns.com/. >> Same result with setting "DNS = 1.1.1.1" and then going to >> https://1.1.1.1/help - DNS is set. >> >> This means that the macOS App *IS* able to set the system default >> DNS, but for some reason doesn't set it to my private DNS IP of >> 10.136.16.2. >> There is ONE (bad) work around: When I set "AllowedIPs = 0.0.0.0/0", >> then the App DOES set the system default DNS to 10.136.16.2. >> >> The log of the application doesn't show anything regarding DNS. >> Pasted at https://paste.ee/p/ziqrg. >> >> Well… Why does the macOS App refuse to set the DNS to 10.136.16.2? >> >> Versions used: >> App version: 0.0.20191105 (16) >> Go backend version: 0.0.20191013 >> macOS: Catalina 10.15.5 (19F101) >> >> >> Cheers, >> Alexander -- Alexander -- => Google+ => http://plus.skwar.me <== => Chat (Jabber/Google Talk) => a.skwar@gmail.com <== ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: WireGuard macOS App doesn't set system default DNS 2020-08-03 12:14 ` Alexander Skwar @ 2020-08-06 13:18 ` Shulhan 2020-08-06 13:47 ` Alexander Skwar 0 siblings, 1 reply; 4+ messages in thread From: Shulhan @ 2020-08-06 13:18 UTC (permalink / raw) To: Alexander Skwar; +Cc: Gijs Conijn, wireguard > On 3 Aug 2020, at 19.14, Alexander Skwar <alexanders.mailinglists+nospam@gmail.com> wrote: > > Hello Erik, > > yes, I know that the DNS is private. This is why I have that on my macOS > configuration: > > # … > AllowedIPs = 10.136.16.0/22, 169.254.169.253/32 > # … > Did you set DNS servers manually in "Advanced" section? If yes, try to clear it. I use macOS too and everything works fine. Did the DNS server 10.136.16.2 is the same VM as WireGuard server? If it's in the same VM, maybe you can try the IP address of server peer instead of IP internal of VM. I hope that give some hints. Regards, Shulhan ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: WireGuard macOS App doesn't set system default DNS 2020-08-06 13:18 ` Shulhan @ 2020-08-06 13:47 ` Alexander Skwar 0 siblings, 0 replies; 4+ messages in thread From: Alexander Skwar @ 2020-08-06 13:47 UTC (permalink / raw) To: Shulhan; +Cc: Gijs Conijn, wireguard Hello Shulhan Am Do., 6. Aug. 2020 um 15:18 Uhr schrieb Shulhan <ms@kilabit.info>: > > > On 3 Aug 2020, at 19.14, Alexander Skwar <alexanders.mailinglists+nospam@gmail.com> wrote: > > > > Hello Erik, > > > > yes, I know that the DNS is private. This is why I have that on my macOS > > configuration: > > > > # … > > AllowedIPs = 10.136.16.0/22, 169.254.169.253/32 > > # … > > > > Did you set DNS servers manually in "Advanced" section? If yes, try to clear it. No, I haven't set DNS servers in the Advanced section. > I use macOS too and everything works fine. Hm. Using the script from https://github.com/myspaghetti/macos-virtualbox/ I created a macOS running in a VirtualBox as a VM. In this VM, I installed WireGuard and imported my config. The issue could be reproduced. To make it clear: nothing else, besides WireGuard and the bloat ware from Apple was installed and the issue exists. This rules out that there is any conflicting software installed or any bad configuration on my side. It just leaves macOS and WireGuard. On my normal (non-VM) system (where I have the same issues), I also have OpenVPN and the system built-in VPN (IPsec) installed and configured to use (not so on the VM). These tools are able to set the DNS. So this also rules out that there's an issue with macOS. FWIW, "wg-quick" (wireguard-tools) is able to set DNS (but fails to properly revert, if multiple tunnels had been brought up at the same time - but that's a different issue). > Did the DNS server 10.136.16.2 is the same VM as WireGuard server? No, it's not. And it's not limited to 10.136.16.2 as DNS server, WireGuard also doesn't set it to e.g. 1.1.1.1 or 5.132.191.104 (OpenNIC). It only sets it, when AllowedIPs=0.0.0.0/0. My configuration (where WireGuard does NOT set DNS): [Interface] PrivateKey = ...= Address = 172.31.0.3/24 DNS = 5.132.191.104 [Peer] PublicKey = ...= AllowedIPs = 10.136.16.0/22 Endpoint = wg.....ch:51820 That WireGuard does NOT set the DNS is also visible in the output of the "dig" command. Eg.: alex@Alexanders-MacBook-Pro ~ % dig ct.de ; <<>> DiG 9.10.6 <<>> ct.de ... ;; SERVER: 192.168.43.2#53(192.168.43.2) ... (192.168.43.2 is the IP of my router; it shows that the default wasn't changed.) When I use AllowedIPs=0.0.0.0/0, the dig output has this line: ;; SERVER: 1.1.1.1#53(1.1.1.1) Ie. 1.1.1.1 was used as the IP of system DNS. Thanks again, Alexander ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-08-06 14:18 UTC | newest] Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2020-08-03 9:15 WireGuard macOS App doesn't set system default DNS Alexander Skwar [not found] ` <AM0PR07MB614721A4B6B17011C3DFF7C0964D0@AM0PR07MB6147.eurprd07.prod.outlook.com> 2020-08-03 12:14 ` Alexander Skwar 2020-08-06 13:18 ` Shulhan 2020-08-06 13:47 ` Alexander Skwar
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).