1

I am using an Ubuntu 22.04.1 LTS server to run wg-easy. I use portainer to manage my docker containers. When my Windows 11 client connects to the Wireguard server, I am able to access both the internet and my local network over the VPN. On this local network, I am running another Ubuntu 22.04.1 LTS server on a separate machine as an AdGuard Home DNS provider, also via a docker container.

I am having the following problematic experience when connected to the VPN from a remote network:

When I try to use the hostnames I have configured in the AdGuard DNS rewrite page over SSH, HTTP/HTTPS, or ICMP (when pinging), the DNS fails to resolve the hostname. In a browser, I am given an ERR_NAME_NOT_RESOLVED. Over SSH or ICMP, the processes inform me that they could not resolve hostname/find host <hostname>. If I use nslookup, however, the process reports that it is using the DNS IP I have specified (that of the AdGuard machine) and the hostnames are resolved without issue (which is why this SuperUser post doesn't answer this question, despite its similarity).

There is an exception to this experience that may point to a fault with AdGuard rather than with Wireguard: Only the device that hosts the AdGuard server is accessible via HTTP/HTTPS, SSH, and ICMP when using its hostname. The other server, despite having its hostname specified in the same place in my AdGuard settings, is not.

Something else that may be of interest or perhaps unrelated is that while a forward DNS lookup will run without issue, the reverse is not true, and nslookup is unable to resolve the IP addresses it produces back to hostnames. In effect, this means that I can freely access the internet and I am also able to access devices on the same local network via their IP addresses, but I am not able to access these devices by their hostnames.

My Wireguard client-side configuration follows:

[Interface]
PrivateKey = <my private key>
Address = 10.8.0.3/24
DNS = 192.168.68.105  # this is the local IP of the AdGuard machine

[Peer]
PublicKey = <my public key>
PresharedKey = <my pre-shared key>
AllowedIPs = 0.0.0.0/0, ::/0, 192.168.68.105/32
Endpoint = <my home router's public domain name>:51820

I took the advice of an old Reddit post I came across and added 192.168.68.105/32 to my AllowedIPs list to ensure that DNS traffic was also being routed as advised here, but this did not fix the issue. I understand that I am pursuing a form of split tunnelling here, and so I have checked that the default wg-easy IP address range (10.8.0.x), which I am using, doesn't conflict with my local subnet (192.168.68.0/24) so far as I understand.

I have attached terminals to both the wg-easy container on the one machine and the AdGuard container on the other, and I have determined that the wg-easy container is able to reach the AdGuard machine over the network, but the reverse is not true. This is not necessarily a problem however, since docker containers are set up this way by default in terms of incoming and outgoing traffic rules. I have confirmed that manually mapping the IP addresses and host names via the .../etc/hosts file on the client does fix this issue, but this firstly seems like a symptomatic treatment rather than a way to address the root cause of the issue, and secondly is not a convenient solution to apply to every device that would make use of the VPN. One last thing to note is that the Wireguard container is using the portainer-configured network of its stack, while the AdGuard container is running in network: host mode, so it shares the IP of the device it is running on.

Please help me reconfigure this network so that I can use my Wireguard VPN from a remote network and still use the hostnames of the local devices to connect to them.

info edit: I attached an arbitrary network device and gave it a DNS mapping in AdGuard, and it too was only pingable via IP address over the VPN, meaning that the hostname of the AdGuard machine itself is definitely the only one being resolved successfully (quite narcissistic really)

2nd info edit: ipconfig /all reports that my 'Connection-specific DNS Suffix' is blank for both my default WiFi adapter and the Wireguard adapter
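Added example (not from the question or any answer): a small Python check of the client configuration quoted above, assuming the LAN is 192.168.68.0/24 as stated in the question. It shows that the DNS server is already covered by 0.0.0.0/0 (so the extra 192.168.68.105/32 entry is redundant) and that the 10.8.0.0/24 tunnel range does not overlap the LAN, which is what the question set out to verify by hand.

```python
import ipaddress

# Constructed sample: the client config from the question, placeholders kept as posted.
CLIENT_CONF = """\
[Interface]
PrivateKey = <my private key>
Address = 10.8.0.3/24
DNS = 192.168.68.105  # local IP of the AdGuard machine

[Peer]
PublicKey = <my public key>
PresharedKey = <my pre-shared key>
AllowedIPs = 0.0.0.0/0, ::/0, 192.168.68.105/32
Endpoint = <my home router's public domain name>:51820
"""


def parse_wg_conf(text):
    """Minimal parser for a single-peer WireGuard config: {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop '#' comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def check_dns_routing(conf_text, lan_subnet):
    """Is the DNS server routed through the tunnel, which AllowedIPs entries are
    redundant, and does the tunnel address range collide with the LAN?"""
    conf = parse_wg_conf(conf_text)
    dns = ipaddress.ip_address(conf["Interface"]["DNS"])
    tunnel = ipaddress.ip_interface(conf["Interface"]["Address"]).network
    allowed = [ipaddress.ip_network(a.strip()) for a in conf["Peer"]["AllowedIPs"].split(",")]
    covering = [n for n in allowed if n.version == dns.version and dns in n]
    # An entry is redundant when a broader entry of the same address family contains it.
    redundant = [n for n in allowed
                 if any(o != n and o.version == n.version and o.supernet_of(n) for o in allowed)]
    lan = ipaddress.ip_network(lan_subnet)
    return {
        "dns_in_tunnel": bool(covering),
        "redundant_allowed_ips": [str(n) for n in redundant],
        "tunnel_lan_overlap": tunnel.version == lan.version and tunnel.overlaps(lan),
    }
```

Running `check_dns_routing(CLIENT_CONF, "192.168.68.0/24")` reports the DNS server as tunnelled, lists only the /32 as redundant, and reports no overlap between 10.8.0.0/24 and the LAN.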

7
  • Can you add some specific examples of what is and isn't working? When on a remote network, can you nslookup home01? If not, try nslookup home01 192.168.68.105 to force it to use the dns server. To resolve IPs to hostnames, you need to have reverse lookup records (rDNS) on your DNS server.
    – Cpt.Whale
    Commented Dec 20, 2022 at 17:25
  • Are your DNS records in a named zone like home01.local? You may need to add that domain suffix to the vpn network on the windows client (or add it to the vpn server's client settings). This might get done automatically when internal (via dhcp usually), but needs to be added when remote. You can see these as Connection-specific DNS Suffix when you run ipconfig /all
    – Cpt.Whale
    Commented Dec 20, 2022 at 17:26
  • How does the query log page look in the different cases (itself or not and/or nslookup or not)?
    – Tom Yan
    Commented Dec 20, 2022 at 17:55
  • @Cpt.Whale in my question, I did mention that I was able to use nslookup over the VPN connection and that it was using 192.168.68.105 as configured. The problem is that the browser uses a different DNS resolve method to nslookup, so far as I understand, so even though nslookup works, the browser does not. AdGuard lets me set up DNS rewrites, are those the same as rDNS records? Commented Dec 20, 2022 at 18:21
  • @TomYan could you elaborate a bit more on your question please? Which query log page are you interested in, and how can I access it? Do you mean in AdGuard? Commented Dec 20, 2022 at 18:26

2 Answers

3

It seems that the problem with this setup was on the Wireguard side of things. Following the advice of a Reddit post that I have since unfortunately lost, deactivating the "kill-switch" that was blocking untunneled traffic in my Wireguard configuration has apparently solved the issue and allowed the DNS to behave as expected over VPN:

A screenshot of the kill-switch option in a Wireguard configuration

1
  • Do you know the setting for this on the configuration files? Commented Jan 15 at 14:37
0

Either

  1. Set up a local caching DNS (like pi-hole) as your DHCP+DNS to transparently redirect non-local lookup queries to any DNS you configure.

  2. Create hosts-file entries to resolve local hostnames to their local IP addresses.


Note: For use with many local devices, option number 1 is less effort. However... If you require the local lookups on a single computer only, then option 1 is overkill compared to just editing a text file.

2
  • Thanks for this answer, but AdGuard is already fulfilling the role of DHCP/DNS in my network as my preferred alternative to pi-hole and yet I am experiencing the aforementioned issues Commented Dec 23, 2022 at 21:13
  • @A.P.Roblem Either AdGuard has no idea which devices are on your network OR their local hostname resolution is disabled to harden your security.
    – svin83
    Commented Dec 27, 2022 at 23:34
