Local DNS when connected via the Wireguard VPN server
I have a Gold SE firewall with the Wireguard VPN server enabled.
When I connect to my local network via the VPN (I'm on Linux), it doesn't look like the local DNS entries are shared with my client.
I'm just trying to ping `<device name>.lan` but get `ping: <device name>.lan: Name or service not known` in return. This, of course, works fine when I'm on my local network behind the firewalla.
-
Sorry I should have been more precise.
Yes. Pinging the device's address directly does work and the device is otherwise totally accessible using it's IP address.
In Unix if the pinging itself was the issue I would see something like:
`PING <device name>.lan (192.168.x.x) 56(84) bytes of data.`
and no more data after this. The fact that I don't see this indicates that something is going wrong with the name resolving BEFORE the ping is even attempted.
For completion-sake, this issue is for any device on my local network but as I said only when I connected to the network via the VPN. When I'm physically on the local network at home the local DNS works fine.
-
Can you try an nslookup to see if your host is overriding the DNS server? And when you're on WireGuard, do you have any privacy-related DNS settings enabled? (Some settings can be SSID-specific)
If you're using a modified WireGuard config file, you could also try to create a new client with a fresh config file.
Let me know if any of these tips help. We can also open a case for you so our engineers can take a closer look.
-
On my laptop DNS is set to automatic both for IPv4 and IPv6.
On the firewalla DNS is set to 1.1.1.1 and 1.0.0.1. DNS over HTTPS is enabled.
When I'm on my local network (not via VPN access), nslookup looks like this:
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: wilier.lan
Address: 192.168.xx.xx
Name: wilier.lan
Address: 2600:8802:3000:xxx:xxx:xxx:xxx:xxx -
Have you tried to create a new WG profile and use it on your phone or other devices then see if the local DNS gets to resolve correctly? If it works on other devices, then likely your laptop has some DNS setting or the WG profile used is modified causing the issue.
On your laptop, try to dig local domains with WG network's DNS server IP and see if it returns a result:
nslookup wilier.lan [WG network DNS server IP, e.g.10.x.x.1]
-
Thanks. Trying with the WG DNS IP was a great idea. This indeed works fine and returns the correct result.
Looking further into this, it looks like 127.0.0.53 used as the DNS server address in my case (both when I'm on my local network and when I'm connected via the VPN) is because Fedora is running
systemd-resolvedas a service.Now I just have to figure out why it's not forwarding the requests to the WG DNS correctly.
-
I think I may have figured it out. Just sanity checking this with you here. If I do resolvectl status when on the VPN, I get:
Link 2 (xxxxxx)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Protocols: -DefaultRoute LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.xx.xx.1
DNS Servers: 192.xx.xx.1
DNS Domain: lan
Default Route: no
Link 3 (xxxxx)
Current Scopes: DNS
Protocols: +DefaultRoute LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.xx.xx.1
DNS Servers: 10.xx.xx.1
DNS Domain: ~.
Default Route: yesSo if I'm understanding correctly, somehow the 'lan' domain is affected to my current local network and not the VPN connection, right?
That would explain it.
-
So that was indeed the symptom but not the cause :)
I dug around some more and found the issue. Maybe this can help others in the future:
I was accessing my Firewall/Wireguard VPN from another location which also used a Firewalla router (this issue may happen with other routers though). Both networks at both locations were set to the default for the search domain which is 'lan'. So when I was on my home network, DNS queries for '.lan' where handled by my home Firewalla. When I VPN'd from the other location, because the network I was on at that location also had a search domain set to 'lan', search queries for '.lan' were routes to the local network's firewalla and not my home firewalla.
The solution is to use a search domain that is unique to one location and make sure your devices at that location use that domain for their local DNS name. That way the DNS search when connected via VPN is routed to the correct Firewalla.
Please sign in to leave a comment.
Comments
13 comments