Wireguard issues with HTTPS/HTTP/websites internally

Follow

Hoby Brenner

• November 25, 2022 14:26

Something weird here... I am using Wireguard Server and I have a multi vlan setup, and using my own private internal DNS.  If I disable DNS Boost on my Wireguard client object I can resolve internally, and ping/ssh internal no issue across vlans, etc.  However oddly I can't visit my internal websites, apps via the web on alternate ports, it just hangs   Is FW intercepting these?  Even with emergency access, I seem to have issues.  Internet sites are just fine though.  I see this on my phone or computer.

FWG on multiple vlans, unifi network

0

• 

  Firewalla

  • November 25, 2022 16:33

  Firewalla does intercept DNS, and when you turn off DNS booster (which we do not recommend), all the DNS-related functions (including security blocks that requires DNS) will NOT be functional. 

  How is your private DNS server hooked up? 

  Have you tried to use the firewalla local domain or search domain?

   

   

  0

  Comment actions Permalink
• 

  Hoby Brenner

  • November 25, 2022 16:41

  Yeah, I understand how the "booster" works, DNS resolution using my server is fine, and I can do lookups local or to the internet without issue, its accessing via the browser that seems to hang.

  The local dns server is DNSMASQ based and multihomed based on which network is hitting it so I can utilize it on all my VLANs reguardless of inter vlan blocking if that segment is setup that way.   There are no issues getting to the server from the FWG, and lookups work fine, its the actually web that just hangs for some reason.

  Like I said... weird.

  If I run my own internal instance of Wireguard there are no issues.

  0

  Comment actions Permalink
• 

  Hoby Brenner

  • November 25, 2022 20:20

  After being bored, and bothered... I decided to play around with this some more and it turns out to be MTU related.

  I dropped MTU all the way back to 1280 on the WG client, and its all working now.

  Apparently its the Tmobile connection I am tethering on that requires this.

   

  0

  Comment actions Permalink
• 

  James Willhoite

  • November 28, 2022 16:50

  I had issues with my WireGuard. Suddenly I could no longer access the outside world when my WireGuard was connected.... This is WG Client on iOS connected to the WG Server on FWG. I could ping all local devices just fine, but nothing was going out. Something with my internal DNS in the WG Network was messed up. All I did was go into the Network tab, edit the WireGuard Network, adjust the WG DNS from my internal DNS back to the WG default router ip (the .1 ip address). Hit save, then edit and change back to my internal DNS, hit save and all has worked fine since then.

  0

  Comment actions Permalink
• 

  Firewalla

  • December 17, 2022 19:38

  Did you check the IP address you are trying to connect? If it changes, may take some time for the DDNS to reflect the change.

  Also, WG is connectionless, it may appear it is connected (even if there is no VPN running) 

  0

  Comment actions Permalink
• 

  James Willhoite

  • December 19, 2022 14:59

  It's connected, able to ping internal ip address, but could not access the outside world. This just happened to me yesterday again. Had restarted the Firewalla, this time, the WG Network tab had adjusted the DNS to be the WG Gateway instead of my internal DNS server. The WG client was set to the internal DNS IP Address. As soon as I re-adjusted the WG Network tab to be the same, all is good.

  0

  Comment actions Permalink
• 

  Support Team

  • December 20, 2022 02:46

  @James,

  If it happens again, please let us know, we can take a look.

  Ideally setting DNS to WG Gateway should not cause issue. This is the default setup when setting up WireGuard server. So it could be something else caused the issue.

   

  0

  Comment actions Permalink

Please sign in to leave a comment.