I am using an Ubuntu 22.04.1 LTS server to run wg-easy. I use portainer to manage my docker containers. When my Windows 11 client connects to the Wireguard server, I am able to access both the internet and my local network over the VPN. On this local network, I am running another Ubuntu 22.04.1 LTS server on a separate machine as an AdGuard Home DNS provider, also via a docker container.
I am having the following problematic experience when connected to the VPN from a remote network:
When I try to use the hostnames I have configured in the AdGuard DNS rewrite page over SSH, HTTP/HTTPS, or ICMP (when pinging), the DNS fails to resolve the hostname. In a browser, I am given an ERR_NAME_NOT_RESOLVED. Over SSH or ICMP, the processes inform me that they could not resolve hostname/find host <hostname>. If I use nslookup, however, the process reports that it is using the DNS IP I have specified (that of the AdGuard machine) and the hostnames are resolved without issue (which is why this SuperUser post doesn't answer this question, despite its similarity).
There is an exception to this experience that may point to a fault with AdGuard rather than with Wireguard: Only the device that hosts the AdGuard server is accessible via HTTP/HTTPS, SSH, and ICMP when using its hostname. The other server, despite having its hostname specified in the same place in my AdGuard settings, is not.
Something else that may be of interest or perhaps unrelated is that while a forward DNS lookup will run without issue, the reverse is not true, and nslookup is unable to resolve the IP addresses it produces back to hostnames.
In effect, this means that I can freely access the internet and I am also able to access devices on the same local network via their IP addresses, but I am not able to access these devices by their hostnames.
My Wireguard client-side configuration follows:
[Interface]
PrivateKey = <my private key>
Address = 10.8.0.3/24
DNS = 192.168.68.105 # this is the local IP of the AdGuard machine
[Peer]
PublicKey = <my public key>
PresharedKey = <my pre-shared key>
AllowedIPs = 0.0.0.0/0, ::/0, 192.168.68.105/32
Endpoint = <my home router's public domain name>:51820
I took the advice of an old Reddit post I came across and added 192.168.68.105/32 to my AllowedIPs list to ensure that DNS traffic was also being routed as advised here, but this did not fix the issue. I understand that I am pursuing a form of split tunnelling here, and so I have checked that the default wg-easy IP address range (10.8.0.x), which I am using, doesn't conflict with my local subnet (192.168.68.0/24) so far as I understand.
I have attached terminals to both the wg-easy container on the one machine and the AdGuard container on the other, and I have determined that the wg-easy container is able to reach the AdGuard machine over the network, but the reverse is not true. This is not necessarily a problem however, since docker containers are set up this way by default in terms of incoming and outgoing traffic rules. I have confirmed that manually mapping the IP addresses and host names via the .../etc/hosts file on the client does fix this issue, but this firstly seems like a symptomatic treatment rather than a way to address the root cause of the issue, and secondly is not a convenient solution to apply to every device that would make use of the VPN. One last thing to note is that the Wireguard container is using the portainer-configured network of its stack, while the AdGuard container is running in network: host mode, so it shares the IP of the device it is running on.
Please help me reconfigure this network so that I can use my Wireguard VPN from a remote network and still use the hostnames of the local devices to connect to them.
info edit: I attached an arbitrary network device and gave it a DNS mapping in AdGuard, and it too was only pingable via IP address over the VPN, meaning that the hostname of the AdGuard machine itself is definitely the only one being resolved successfully (quite narcissistic really)
2nd info edit: ipconfig /all reports that my 'Connection-specific DNS Suffix' is blank for both my default WiFi adapter and the Wireguard adapter
nslookup home01? If not, try nslookup home01 192.168.68.105 to force it to use the dns server. To resolve IPs to hostnames, you need to have reverse lookup records (rDNS) on your DNS server.
home01.local? You may need to add that domain suffix to the vpn network on the windows client (or add it to the vpn server's client settings). This might get done automatically when internal (via dhcp usually), but needs to be added when remote. You can see these as Connection-specific DNS Suffix when you run ipconfig /all
nslookup or not)?
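To check a client config for the two points raised in the question and the comments (is the DNS server address actually inside AllowedIPs, and does the DNS line carry a search domain so that a bare name like home01 can be qualified the way nslookup sidesteps), here is an added example; it is not code from the question, wg-easy or AdGuard. The sample config is constructed from the one above with placeholder keys and endpoint, the "lan" suffix used in the checks is an assumed search domain, and the parsing follows wg-quick's rule that non-IP entries on the DNS= line are search domains.

```python
import ipaddress

# Constructed sample mirroring the question's client config: a '//' comment on the
# DNS line (wg-quick only understands '#') and no search domain after the server IP.
SAMPLE_CONF = """[Interface]
PrivateKey = <my private key>
Address = 10.8.0.3/24
DNS = 192.168.68.105 // this is the local IP of the AdGuard machine
[Peer]
PublicKey = <server public key>
AllowedIPs = 0.0.0.0/0, ::/0, 192.168.68.105/32
Endpoint = vpn.example.invalid:51820
"""

def parse_conf(text):
    """Return {section: {key: value}} for a single-peer config, dropping '#' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def candidate_names(name, search):
    """Names a suffix-searching stub resolver sends for `name`: a dotted name goes as
    typed, a bare label gets each search domain appended (nothing if none is set)."""
    if "." in name.rstrip("."):
        return [name]
    return [f"{name}.{suffix}" for suffix in search]

def lint(text):
    """Findings for the DNS-over-tunnel problems discussed above (empty list = none)."""
    conf, findings = parse_conf(text), []
    dns_field = conf.get("Interface", {}).get("DNS", "")
    if "//" in dns_field:
        findings.append("DNS line uses '//' as a comment; wg-quick only strips '#'")
        dns_field = dns_field.split("//", 1)[0]
    servers, search = [], []
    for item in (s.strip() for s in dns_field.split(",") if s.strip()):
        try:  # wg-quick treats non-IP entries on the DNS line as search domains
            servers.append(ipaddress.ip_address(item))
        except ValueError:
            search.append(item)
    if not search:
        findings.append("no search domain on DNS=, so a bare name like 'home01' is never qualified (nslookup sends it as typed)")
    allowed = [ipaddress.ip_network(n.strip()) for n in conf.get("Peer", {}).get("AllowedIPs", "").split(",") if n.strip()]
    for server in servers:
        if not any(server in net for net in allowed):
            findings.append(f"DNS server {server} is not covered by AllowedIPs, so its queries leave the tunnel")
    return findings
```

Running lint(SAMPLE_CONF) reports the comment syntax and the missing search domain but not AllowedIPs, since 0.0.0.0/0 already covers 192.168.68.105; replacing the DNS line with "DNS = 192.168.68.105, lan" clears both findings.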