Development discussion of WireGuard
From: Andrew Burkett <burkett.andrew@gmail.com>
To: Simon Rozman <simon@rozman.si>
Cc: "wireguard@lists.zx2c4.com" <wireguard@lists.zx2c4.com>
Subject: Re: DNS Issues with Wireguard for Windows
Date: Thu, 23 Jul 2020 11:03:00 -0700
Message-ID: <CAONL4-J5tyHvt-yzFMhUW+oa6OtdBEhKxiH+ipbm_z+L+CCtuQ@mail.gmail.com>
In-Reply-To: <99D61A626FDA8A4B90A270669121BE10D0DE259A@PLANJAVA.amebis.doma>

Thanks Simon, I didn't realize it always does that. I mistakenly
thought that was only when 0.0.0.0/0 was in allowed ips. Still a bit
odd that windows networking seems to break only when I put a
particular unrelated address in allowedips, but looking through the
wireguard-windows code now, I don't see how it can be wireguard's
fault.

Andrew

On Thu, Jul 23, 2020 at 5:01 AM Simon Rozman <simon@rozman.si> wrote:
>
> WireGuard for Windows adds firewall rules to block all DNS traffic except to the DNS servers listed in the WireGuard config. This is by design (preventing data leakage).
>
> Regards,
> Simon
>
> > -----Original Message-----
> > From: WireGuard <wireguard-bounces@lists.zx2c4.com> On Behalf Of Andrew
> > Burkett
> > Sent: Saturday, July 11, 2020 1:31 AM
> > To: wireguard@lists.zx2c4.com
> > Subject: DNS Issues with Wireguard for Windows
> >
> > I was running into dns issues with wireguard on windows using the
> > released gui app. It seems like a bug with wireguard, but not sure if it
> > was actually something about my networking configs that messed it up. I
> > was able to work around the issue by changing the wireguard config (in a
> > way that seemed odd to me), but I thought it might be useful to share
> > what I was seeing in case it's helpful to others or if it is in fact a
> > bug in wireguard. I'll share the configs at the bottom of the email, but
> > I'm just going to describe what I'm seeing first.
> >
> > My basic setup is I have wireguard running on a linux box functioning as
> > a server/router to a remote network. I've got a windows desktop
> > connecting to the linux box via wireguard. There are dns servers on the
> > remote network that I would like to use from the desktop. I added the
> > dns servers from the remote network to my desktop wireguard config.
> > Everything was working fine for a while. At some point, my windows box
> > started complaining about not being connected to the internet. I was
> > able to pinpoint it with some confidence to dns requests failing when
> > wireguard was connected. Even though windows was complaining about not
> > having a network connection, my browser still worked though it seemed
> > slow so I assumed it was trying a dns server and then falling back to a
> > different one after a timeout (at least that was my guess). The "cause"
> > of the problem was adding
> > 192.168.7.12/32 to the AllowedIPs on the peer (the wireguard network in
> > my case is 10.98.1.0/24 and the rest of the network is under
> > 10.0.X.X) After adding it and waiting for a couple hours windows will
> > inevitably claim that there is no internet access from my network
> > adapter. Sometimes nslookup and ping still work fine, sometimes they
> > start to report errors. My solution that reliably fixes it is to add my
> > local dns server (which is my local router in this case
> > 192.168.86.1) to the dns section of the wireguard config, which seems
> > like an odd fix since I'm not actually sending local dns traffic to
> > wireguard.
> >
> > I couldn't figure out how to use wireshark to view wireguard traffic on
> > windows to see what's happening to the dns requests, nor do I know of
> > another way to view traffic (If someone wants to point me at how to do
> > that, or some other way to view network traffic on windows, I'm happy to
> > look at it).
> >
> > Anyway, thanks for the software. It's the best vpn software I've used by
> > a mile.
> >
> > Andrew
> >
> > My Local Gateway/DNS is 192.168.86.1
> > My Local IP is in 192.168.86.0/24 subnet
> >
> > Working Config 1
> >
> > [Interface]
> > PrivateKey = XXXXX
> > Address = 10.98.1.103/32
> > DNS = 10.0.X.X, 10.0.Y.Y
> >
> > [Peer]
> > PublicKey = XXXXXX
> > AllowedIPs = 10.0.0.0/16, 10.98.1.0/24
> > Endpoint = XXXXXXX
> >
> > Working Config 2
> >
> > [Interface]
> > PrivateKey = XXXXX
> > Address = 10.98.1.103/32
> > DNS = 10.0.X.X, 10.0.Y.Y , 192.168.86.1
> >
> > [Peer]
> > PublicKey = XXXXXX
> > AllowedIPs = 10.0.0.0/16, 10.98.1.0/24, 198.168.7.12/32
> > Endpoint = XXXXXXX
> >
> > NonWorking Config
> >
> > [Interface]
> > PrivateKey = XXXXX
> > Address = 10.98.1.103/32
> > DNS = 10.0.X.X, 10.0.Y.Y
> >
> > [Peer]
> > PublicKey = XXXXXX
> > AllowedIPs = 10.0.0.0/16, 10.98.1.0/24, 198.168.7.12/32
> > Endpoint = XXXXXXX
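The rule Simon describes above (port-53 traffic is permitted only to the servers listed under `DNS =`) explains why the "NonWorking Config" leaves Windows unable to reach its local resolver 192.168.86.1 while "Working Config 2" does not. The following script is an added example, not code from the thread or from the wireguard-windows project: it parses a WireGuard config, applies that rule to a list of the host's current resolvers, and reports which would be blocked. The concrete DNS addresses, the endpoint and the key strings are constructed placeholders standing in for the `10.0.X.X` / `XXXXX` values in the post; the rule itself is modelled exactly as stated in the thread, nothing more.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample configs mirroring the shapes posted in the thread.
# Placeholder values (keys, 10.0.X.X resolvers, endpoint) are invented here.
NONWORKING_CONFIG = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.98.1.103/32
DNS = 10.0.0.53, 10.0.0.54

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 10.0.0.0/16, 10.98.1.0/24, 198.168.7.12/32
Endpoint = vpn.example.invalid:51820
"""

WORKING_CONFIG_2 = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.98.1.103/32
DNS = 10.0.0.53, 10.0.0.54, 192.168.86.1

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 10.0.0.0/16, 10.98.1.0/24, 198.168.7.12/32
Endpoint = vpn.example.invalid:51820
"""

# Constructed: resolvers the Windows host already uses on its physical adapter
# (the local router, as in the post).
HOST_RESOLVERS = ["192.168.86.1"]


@dataclass
class WgConfig:
    dns: list = field(default_factory=list)          # ip_address objects
    allowed_ips: list = field(default_factory=list)  # ip_network objects


def parse_wg_config(text: str) -> WgConfig:
    """Minimal parser for the INI-like WireGuard format: collects Interface.DNS
    and every Peer.AllowedIPs entry. Non-address tokens in DNS= (wg-quick
    allows search domains there) are skipped."""
    cfg = WgConfig()
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        tokens = [t.strip() for t in value.split(",") if t.strip()]
        if section == "interface" and key == "dns":
            for tok in tokens:
                try:
                    cfg.dns.append(ipaddress.ip_address(tok))
                except ValueError:
                    pass  # search domain, not a server address
        elif section == "peer" and key == "allowedips":
            cfg.allowed_ips.extend(ipaddress.ip_network(t, strict=False) for t in tokens)
    return cfg


def routed_through_tunnel(addr, cfg: WgConfig) -> bool:
    """True when the address falls inside some peer's AllowedIPs."""
    return any(addr in net for net in cfg.allowed_ips)


def audit_dns(cfg: WgConfig, host_resolvers) -> dict:
    """Apply the rule described in the thread: DNS traffic is allowed only to
    the servers listed in DNS=. Returns {resolver: status}."""
    report = {}
    for ip in cfg.dns:
        via = "tunnel" if routed_through_tunnel(ip, cfg) else "local route"
        report[str(ip)] = f"permitted via {via}"
    for r in host_resolvers:
        ip = ipaddress.ip_address(r)
        if str(ip) not in report:
            report[str(ip)] = "BLOCKED (not listed in DNS=)"
    return report


if __name__ == "__main__":
    for name, text in (("NonWorking", NONWORKING_CONFIG), ("Working 2", WORKING_CONFIG_2)):
        print(f"== {name} ==")
        for resolver, status in audit_dns(parse_wg_config(text), HOST_RESOLVERS).items():
            print(f"  {resolver:<16} {status}")
```

Run against the two constructed configs, the script marks 192.168.86.1 as blocked under the first and as "permitted via local route" under the second, which is the behaviour the thread reports; the tunnel-side resolvers are permitted in both. Nothing here inspects the actual Windows Filtering Platform rules, so treat the output as a config-level sanity check, not as proof of what the running firewall does.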


Thread overview: 5+ messages
2020-07-10 23:31 Andrew Burkett
2020-07-14 17:00 ` Matthew Nichols
2020-07-23 12:02 ` Simon Rozman
2020-07-23 16:21   ` Brian Gregory
2020-07-23 18:03   ` Andrew Burkett [this message]
