I’m trying to setup Wireguard to use as a VPN on my server using this guide. I currently run Pihole on the same machine.

LAN 192.168.1.*
WG 10.14.0.*
WG Server Addr 10.14.0.1
WG Client Addr 10.14.0.10

The handshake succeeds, and I can even ping IP addresses. However, it doesn’t receive DNS responses. I checked in Wireshark and see the following:

WAN Client IP -> Server IP [Wireguard]
WG Client IP -> Server IP [DNS Request]
Server IP -> Server IP [DNS Request]
Server IP -> Server IP [DNS Response]
WG Server Addr -> WG Client Addr [DNS Response]
WG Client Addr -> WG Server Addr [ICMP Port unreachable]

I’m admittedly pretty inexperienced when it comes to routing, but I’ve been at this for days with no success. Any help would be greatly appreciated.

Edit

I now realize that it would have been relevant to mention the my Pihole instance was running inside a rootless podman container.

To test things further, I wrote a small echo server and spun it up on bare metal. Wireguard had no issues with that. My guess is that something between wireguard and specifically rootless podman was going wrong. I still don’t know what, unfortunately.

My fix was to put Pihole in a privileged podman container with a network and static IP e.g. --net bridge:ip=10.88.0.230. I also put wireguard into a privileged podman container on the same network --net bridge. Finally, I set the peer DNS to the Pihole’s static IP on the podman network (10.88.0.230).

As I said before, I still don’t know why podman wasn’t replying to the correct IP initially. I’m happy with my fix, but I’d still prefer the containers to be rootless so feel free to message me if you have any suggestions.

  • krolden
    link
    fedilink
    English
    1
    edit-2
    1 year ago

    So, you’re running two exclusive DNS resolvers, one on your router and one on your pihole box? Or just one on the pihole box and using the local address of it for all LAN dns?

    Why have a firewall on the pihole box at all? As long as it isnt in the DMZ you shouldn’t need it. I would try disabling it completely and see if dns on your wg peers starts working.

    • @ShitpostCentralOP
      link
      English
      11 year ago

      Just one on the pihole box and using the local address of it for all LAN DNS.

      It is in the DMZ. I also use the box for Jellyfin so I want it remotely accessible.

      I just tried disabling it for a short while with the same result. It still gets blocked in the 10.14.0.* network.