Development discussion of WireGuard
* Add local DNS forwarder to Windows client
@ 2020-11-03 10:31 Yves Goergen
  2020-11-10  8:14 ` Tomcsanyi, Domonkos
  0 siblings, 1 reply; 13+ messages in thread
From: Yves Goergen @ 2020-11-03 10:31 UTC (permalink / raw)
  To: wireguard

Hello,

I've already used WireGuard to connect to private networks and it's
quite easy once you figure out how to set it up. (Most tutorials are
outdated and haven't been updated, new ones haven't been written.) One
thing that's really missing however is DNS support. All I can do now
is connect to IP addresses. Names are not resolvable on the other
side. If I add the "DNS" directive to my client configuration, it
replaces the local DNS resolver and *all* lookups go to that server
instead. This isn't working either because I'm on two local networks
and each has its own local DNS server that can only resolve its own
local names (and forward the rest to the internet).

Specifying both networks' DNS servers also fails because when
resolving a name, one of them is chosen at random (and the other one
isn't regarded) and then you won't be able to resolve some of the
names some of the time. This is also very frustrating. And it wouldn't
scale to multiple active tunnels.

The solution I've read about is to set up a local DNS forwarder that
can be configured so that it uses multiple servers and queries each of
them and returns only a positive response. This way it could query
both local LAN DNS servers and for local names, only one of them would
resolve the name. This is a bit complicated to do if you're not
permanently connected to a VPN, or if you move from one local DHCP
network to another (like with a laptop). And it requires additional
software, setup and configuration, and probably intensive maintenance
and care. All of this makes WireGuard a pretty ugly alternative to
OpenVPN where all of this already works. Despite all the disadvantages
of OpenVPN.

I'm asking if it's possible to integrate such a local DNS forwarder
into the Windows client application. I imagine it would start up
automatically once the first tunnel is activated. And it would replace
the local system's DNS server setting for as long as it's active (like
the tunnel-configured DNS server already does). And it would query the
original locally configured DNS server and all configured DNS servers
for the active tunnels. It would then be able to resolve local names
and tunnel-remote names without any additional work on the user end.
The user wouldn't have to perform many complex tasks upon activating
or deactivating a tunnel. This would make WireGuard as simple and
productive as I believe it was intended to be (but isn't yet).

This probably stops working as soon as other VPN software is used in
parallel, but the current "DNS" setting has the same limitation, it's
better than nothing and most of the time, you only run a single VPN
software.

Please let me know what you think of it.

-Yves

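The forwarder behaviour proposed above (query every configured DNS server in parallel and hand back only a positive response), as an added Python sketch that is not part of WireGuard or of the original post. It assumes upstream servers are passed in by IP address and speak plain UDP DNS; only the 16-bit transaction id is checked against replies.

```python
import random
import socket
import struct
from concurrent.futures import ThreadPoolExecutor, as_completed

def build_query(name, txid, qtype=1):
    """Build a recursion-desired DNS query for `name` (qtype 1 = A)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lbl.encode() for lbl in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Return transaction id, rcode and answer count from a DNS header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "rcode": flags & 0xF, "ancount": an}

def build_reply(query, rcode, ancount=0):
    """Header-only reply echoing the query's id and question section;
    the forwarder uses it to synthesize SERVFAIL (rcode 2)."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, ancount, 0, 0) + query[12:]

def ask_udp(server, query, timeout=2.0):
    # Plain UDP exchange with one upstream; raises OSError on timeout.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return s.recv(4096)

def resolve_split(name, upstreams, ask=ask_udp):
    """Query all upstreams in parallel; return (server, reply) of the first
    positive answer, else the first negative reply, else (None, SERVFAIL)."""
    txid = random.randrange(1, 0xFFFF)
    query = build_query(name, txid)
    negative = None
    with ThreadPoolExecutor(max_workers=max(1, len(upstreams))) as pool:
        futures = {pool.submit(ask, s, query): s for s in upstreams}
        for fut in as_completed(futures):
            try:
                reply = fut.result()
            except OSError:          # timeout or unreachable upstream
                continue
            h = parse_header(reply)
            if h["id"] != txid:      # id mismatch: not a reply to our query
                continue
            if h["rcode"] == 0 and h["ancount"] > 0:   # positive answer wins
                return futures[fut], reply
            negative = negative or (futures[fut], reply)
    return negative or (None, build_reply(query, 2))
```

Because the first positive answer wins, every upstream can answer for every name; a production forwarder would route by domain suffix (the tunnel's server only for the tunnel's search domains) instead of racing all of them.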
* Re: Add local DNS forwarder to Windows client
@ 2020-11-11 11:31 Stefan Puch
  0 siblings, 0 replies; 13+ messages in thread
From: Stefan Puch @ 2020-11-11 11:31 UTC (permalink / raw)
  To: wireguard

Hi Yves,

I can reassure you, the problem is not exotic. I had exactly the same question in
mind when thinking about whether I should move from OpenVPN to WireGuard (I'd like to).

For all people working from home these days who are using some kind of SOHO
router (e.g. Speedport, Fritz!Box, whatever), I'd like to "push" them the
company's DNS server for the time they are connected, without forcing them to
install additional software / Python scripts or to modify the hosts file with
static IPs. Although OpenVPN has many disadvantages, the way it is possible to
just push a search list or name server is very comfortable.

My experiences with tutorials are exactly the same as yours, and I (as a
non-expert) would like to ask what the intended solution on Windows systems is
to include a company's remote DNS server for the (limited) time period connected
to a VPN while leaving the local DNS (mostly handled by the SOHO router) untouched?

Maybe I missed something, but adding the "DNS" directive to the client
configuration has exactly the behavior Yves elaborated on, and so far I haven't
found an alternative solution.

Kind regards
Stefan


Thread overview: 13+ messages
2020-11-03 10:31 Add local DNS forwarder to Windows client Yves Goergen
2020-11-10  8:14 ` Tomcsanyi, Domonkos
2020-11-10  8:44   ` Der PCFreak
2020-11-10 15:38     ` Yves Goergen
2020-11-10 16:04       ` Matthias Urlichs
2020-11-10 18:08       ` Lech Perczak
2020-11-15 18:42         ` Yves Goergen
2020-11-15 21:10           ` Matthias Urlichs
2020-11-15 21:43           ` "Tomcsányi, Domonkos"
2020-11-11  7:36       ` Der PCFreak
2020-11-10 10:47     ` Fwd: " Yves Goergen
2020-11-10 22:24     ` Tomcsanyi, Domonkos
2020-11-11 11:31 Stefan Puch