Development discussion of WireGuard
* DNS Issues with Wireguard for Windows
@ 2020-07-10 23:31 Andrew Burkett
  2020-07-14 17:00 ` Matthew Nichols
  2020-07-23 12:02 ` Simon Rozman
  0 siblings, 2 replies; 5+ messages in thread
From: Andrew Burkett @ 2020-07-10 23:31 UTC (permalink / raw)
  To: wireguard

I was running into DNS issues with WireGuard on Windows using the
released GUI app. It seems like a bug with WireGuard, but I'm not sure
if it was actually something about my networking configs that messed
it up. I was able to work around the issue by changing the WireGuard
config (in a way that seemed odd to me), but I thought it might be
useful to share what I was seeing in case it's helpful to others or if
it is in fact a bug in WireGuard. I'll share the configs at the bottom
of the email, but I'm just going to describe what I'm seeing first.

My basic setup is I have WireGuard running on a Linux box functioning
as a server/router to a remote network. I've got a Windows desktop
connecting to the Linux box via WireGuard. There are DNS servers on
the remote network that I would like to use from the desktop. I added
the DNS servers from the remote network to my desktop WireGuard
config. Everything was working fine for a while. At some point, my
Windows box started complaining about not being connected to the
internet. I was able to pinpoint it with some confidence to DNS
requests failing when WireGuard was connected. Even though Windows was
complaining about not having a network connection, my browser still
worked, though it seemed slow, so I assumed it was trying a DNS server
and then falling back to a different one after a timeout (at least
that was my guess). The "cause" of the problem was adding
192.168.7.12/32 to the AllowedIPs on the peer (the WireGuard network
in my case is 10.98.1.0/24 and the rest of the network is under
10.0.X.X). After adding it and waiting for a couple of hours, Windows
will inevitably claim that there is no internet access from my network
adapter. Sometimes nslookup and ping still work fine; sometimes they
start to report errors. My solution that reliably fixes it is to add
my local DNS server (which is my local router in this case,
192.168.86.1) to the DNS section of the WireGuard config, which seems
like an odd fix since I'm not actually sending local DNS traffic to
WireGuard.

I couldn't figure out how to use Wireshark to view WireGuard traffic
on Windows to see what's happening to the DNS requests, nor do I know
of another way to view traffic (if someone wants to point me at how to
do that, or some other way to view network traffic on Windows, I'm
happy to look at it).

Anyway, thanks for the software. It's the best VPN software I've used by a mile.

Andrew

My Local Gateway/DNS is 192.168.86.1
My Local IP is in 192.168.86.0/24 subnet

Working Config 1

[Interface]
PrivateKey = XXXXX
Address = 10.98.1.103/32
DNS = 10.0.X.X, 10.0.Y.Y

[Peer]
PublicKey = XXXXXX
AllowedIPs = 10.0.0.0/16, 10.98.1.0/24
Endpoint = XXXXXXX

Working Config 2

[Interface]
PrivateKey = XXXXX
Address = 10.98.1.103/32
DNS = 10.0.X.X, 10.0.Y.Y, 192.168.86.1

[Peer]
PublicKey = XXXXXX
AllowedIPs = 10.0.0.0/16, 10.98.1.0/24, 198.168.7.12/32
Endpoint = XXXXXXX

NonWorking Config

[Interface]
PrivateKey = XXXXX
Address = 10.98.1.103/32
DNS = 10.0.X.X, 10.0.Y.Y

[Peer]
PublicKey = XXXXXX
AllowedIPs = 10.0.0.0/16, 10.98.1.0/24, 198.168.7.12/32
Endpoint = XXXXXXX


* RE: DNS Issues with Wireguard for Windows
  2020-07-10 23:31 DNS Issues with Wireguard for Windows Andrew Burkett
@ 2020-07-14 17:00 ` Matthew Nichols
  2020-07-23 12:02 ` Simon Rozman
  1 sibling, 0 replies; 5+ messages in thread
From: Matthew Nichols @ 2020-07-14 17:00 UTC (permalink / raw)
  To: wireguard

I was just looking into a similar issue recently, and it looks like WireGuard on Windows adds firewall rules blocking all DNS servers except for its configured DNS servers, with no option to disable it.

I know for us it would be very helpful to at least have an option to disable this behavior, as it is very surprising behavior that makes more complicated setups difficult or impossible to do correctly.


* RE: DNS Issues with Wireguard for Windows
  2020-07-10 23:31 DNS Issues with Wireguard for Windows Andrew Burkett
  2020-07-14 17:00 ` Matthew Nichols
@ 2020-07-23 12:02 ` Simon Rozman
  2020-07-23 16:21   ` Brian Gregory
  2020-07-23 18:03   ` Andrew Burkett
  1 sibling, 2 replies; 5+ messages in thread
From: Simon Rozman @ 2020-07-23 12:02 UTC (permalink / raw)
  To: Andrew Burkett, wireguard

WireGuard for Windows adds firewall rules to block all DNS traffic except to the DNS servers listed in the WireGuard config. This is by design (preventing data leakage).

Regards,
Simon


* Re: DNS Issues with Wireguard for Windows
  2020-07-23 12:02 ` Simon Rozman
@ 2020-07-23 16:21   ` Brian Gregory
  2020-07-23 18:03   ` Andrew Burkett
  1 sibling, 0 replies; 5+ messages in thread
From: Brian Gregory @ 2020-07-23 16:21 UTC (permalink / raw)
  To: wireguard

I wish, or I think I wish anyway, that it would redirect all DNS traffic
to the DNS servers listed in the configuration.

That's normally the way I run my local gateway: it redirects all DNS
traffic to its DNS cache, which does not resolve various undesirable
sites (malware etc.).

Brian Gregory.
bdgregory@gmail.com
www.Brian-Gregory.me.uk
(Home)

On 23/07/2020 13:02, Simon Rozman wrote:
> WireGuard for Windows adds firewall rules to block all DNS traffic except to the DNS servers listed in the WireGuard config. This is by design (preventing data leakage).
>
> Regards,
> Simon

* Re: DNS Issues with Wireguard for Windows
  2020-07-23 12:02 ` Simon Rozman
  2020-07-23 16:21   ` Brian Gregory
@ 2020-07-23 18:03   ` Andrew Burkett
  1 sibling, 0 replies; 5+ messages in thread
From: Andrew Burkett @ 2020-07-23 18:03 UTC (permalink / raw)
  To: Simon Rozman; +Cc: wireguard

Thanks Simon, I didn't realize it always does that. I mistakenly
thought that was only when 0.0.0.0/0 was in AllowedIPs. Still a bit
odd that Windows networking seems to break only when I put a
particular unrelated address in AllowedIPs, but looking through the
wireguard-windows code now, I don't see how it can be WireGuard's
fault.

Andrew

On Thu, Jul 23, 2020 at 5:01 AM Simon Rozman <simon@rozman.si> wrote:
>
> WireGuard for Windows adds firewall rules to block all DNS traffic except to the DNS servers listed in the WireGuard config. This is by design (preventing data leakage).
>
> Regards,
> Simon
>

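The following is an added example written for this page; it is not code from wireguard-windows and was not posted by anyone in the thread. It models the two decisions that together explain Andrew's symptom, Simon's explanation, and Andrew's follow-up about 0.0.0.0/0: (1) the DNS rule Simon describes, which permits DNS only to the servers listed under [Interface] DNS= while the tunnel is up, and (2) ordinary AllowedIPs routing, which decides whether a permitted server is reached through the tunnel or over the physical adapter. The sample configs use constructed addresses (10.0.0.53 and 10.0.1.53 stand in for the thread's 10.0.X.X placeholders; the endpoint and keys are dummies); the rule is modelled by destination address only, ignoring port, protocol and IPv6 specifics, and does not claim to reproduce the exact filter set wireguard-windows installs.

```python
"""Added example, not wireguard-windows code: predict which resolvers a
WireGuard-for-Windows config leaves usable.

Model (as described in the thread, simplified to destination address only):
  - DNS to a server listed in [Interface] DNS= is permitted; all other DNS
    is blocked while the tunnel is up.
  - A permitted server is reached through the tunnel only if some peer's
    AllowedIPs covers it; otherwise it is reached over the physical NIC.
"""
import ipaddress


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_wg_config(text):
    """Parse the INI-like WireGuard format into DNS servers and AllowedIPs.

    configparser is deliberately avoided: a config may hold several [Peer]
    sections with repeated keys.  DNS= may also carry search domains, which
    are not addresses and are skipped.
    """
    dns, allowed, section = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        items = [v.strip() for v in value.split(",") if v.strip()]
        if section == "interface" and key == "dns":
            dns.extend(ipaddress.ip_address(v) for v in items if _is_ip(v))
        elif section == "peer" and key == "allowedips":
            allowed.extend(ipaddress.ip_network(v, strict=False) for v in items)
    return {"dns": dns, "allowed_ips": allowed}


def dns_query_allowed(cfg, dst):
    """Model of the DNS rule: a query passes only to a server listed in DNS=."""
    return ipaddress.ip_address(dst) in cfg["dns"]


def routed_via_tunnel(cfg, dst):
    """True if some peer's AllowedIPs covers dst, i.e. WireGuard routes to it."""
    dst = ipaddress.ip_address(dst)
    return any(dst in net for net in cfg["allowed_ips"])


def classify_resolvers(cfg, resolvers):
    """Return {resolver: 'blocked' | 'tunnel' | 'direct'}.

    'blocked': not in DNS=, so the rule drops the query whatever the routing
    'tunnel' : permitted and covered by AllowedIPs
    'direct' : permitted but outside AllowedIPs (sent over the physical NIC)
    """
    result = {}
    for r in resolvers:
        if not dns_query_allowed(cfg, r):
            result[r] = "blocked"
        elif routed_via_tunnel(cfg, r):
            result[r] = "tunnel"
        else:
            result[r] = "direct"
    return result


# Constructed sample configs: 10.0.0.53/10.0.1.53 stand in for the thread's
# 10.0.X.X resolvers; 192.168.86.1 is the LAN router the thread mentions.
REMOTE_ONLY = """
[Interface]
PrivateKey = <redacted>
Address = 10.98.1.103/32
DNS = 10.0.0.53, 10.0.1.53

[Peer]
PublicKey = <redacted>
AllowedIPs = 10.0.0.0/16, 10.98.1.0/24
Endpoint = vpn.example.net:51820
"""
WITH_LAN_RESOLVER = REMOTE_ONLY.replace(
    "DNS = 10.0.0.53, 10.0.1.53", "DNS = 10.0.0.53, 10.0.1.53, 192.168.86.1")
FULL_TUNNEL = REMOTE_ONLY.replace(
    "AllowedIPs = 10.0.0.0/16, 10.98.1.0/24", "AllowedIPs = 0.0.0.0/0")

# Resolvers the host might try: the two pushed by the tunnel config plus the
# DHCP-assigned LAN router.
CANDIDATES = ["10.0.0.53", "10.0.1.53", "192.168.86.1"]


def report(name, text):
    verdicts = classify_resolvers(parse_wg_config(text), CANDIDATES)
    print(name)
    for r, v in verdicts.items():
        print(f"  {r:<14} {v}")
    return verdicts


if __name__ == "__main__":
    report("remote resolvers only: LAN router is blocked", REMOTE_ONLY)
    report("LAN router added to DNS=: permitted, reached directly", WITH_LAN_RESOLVER)
    report("AllowedIPs 0.0.0.0/0: the rule applies exactly the same", FULL_TUNNEL)
```

Run it as-is to see the three verdicts, or paste your own config into one of the strings. The second case is the workaround from the thread: listing 192.168.86.1 under DNS= makes the rule permit it, even though nothing routes it through the tunnel. The third case shows why the 0.0.0.0/0 assumption was wrong: the LAN router is still blocked because the permit list, not AllowedIPs, decides. To confirm what a real host has installed, dump the Windows Filtering Platform state with `netsh wfp show filters` while the tunnel is up and look for the port 53 permit and block filters it writes to filters.xml.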