[FS#4062] wireguard fails to route to non-VPN addresses at far-end

OpenWrt Bugs openwrt-bugs at lists.openwrt.org
Mon Oct 4 01:25:33 PDT 2021


A new Flyspray task has been opened.  Details are below. 

User who did this - IOPEN Devel Team (iopen) 

Attached to Project - OpenWrt/LEDE Project
Summary - wireguard fails to route to non-VPN addresses at far-end
Task Type - Bug Report
Category - Base system
Status - Unconfirmed
Assigned To - 
Operating System - All
Severity - High
Priority - Very Low
Reported Version - openwrt-19.07
Due in Version - Undecided
Due Date - Undecided
Details - Hardware : Ubiquiti Routerstation Pro
Software : OpenWrt 19.07.6, r11278-8055e38794
Updated  : 2021-10-03

Problem does not occur with an OpenVPN tunnel providing the same functionality.

Problem occurs with the following combination :

1 : Wireguard tunnel from RSPro gateway (device wgc21) to a CentOS 7 server (device wg21) which uses the 2 non-public DNS servers in the data centre that it's located in.

2 : RSPro networking DNS settings are the 2 data centre server addresses.

3 : The RSPro has routes to those DNS servers via dev wgc21.

4 : RSPro iptables MASQUERADEs packets going out interface wgc21

On the RSPro's local network, doing "$ host foo.com" gets a REFUSED reply.  Browsers report failure to resolve.

On a local machine, a Wireshark remote capture on the RSPro's wgc21 interface shows the DNS request packets (with DST=data_centre_dns_server), and a remote capture on the server's wg21 interface doesn't show them.

ssh sessions from local machines via the RSPro to the server's wg21 address succeed.

How to reproduce : As above.

Workaround :

RSPro networking DNS addresses changed to 2 addresses on the wg21 network, and on the remote server two iptables PREROUTING rules added that DNAT those 2 addresses to the data centre DNS addresses.
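The combination in items 1 to 4 and the workaround both turn on one WireGuard rule that is easy to overlook when the kernel routing table says "send it via wgc21": a WireGuard interface only encrypts a packet to a peer whose AllowedIPs covers the destination, and only delivers a received packet whose source lies inside the sending peer's AllowedIPs; anything else is dropped silently after the interface has already seen it (so a capture on the sending wg interface shows the packet, a capture on the far end does not). The model below is an added illustration written for this report, not code from OpenWrt or the reporter, and all addresses and AllowedIPs values in it are constructed assumptions, since the report does not list the real configuration; it shows why a destination covered by a route but not by AllowedIPs never reaches wg21, why ssh to the wg21 address and the DNAT workaround both work, and what an AllowedIPs entry for the data-centre resolvers would change.

```python
"""Model of WireGuard's cryptokey routing (AllowedIPs) check.

Added illustration for FS#4062; not OpenWrt or reporter code.  Every
address below is a constructed placeholder (TEST-NET / RFC 1918 space).
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Peer:
    name: str
    allowed_ips: list  # ipaddress networks from the peer's AllowedIPs


@dataclass
class WgInterface:
    name: str
    peers: list

    def egress_peer(self, dst):
        """Sending side: pick the peer whose AllowedIPs contains dst (longest
        prefix wins).  No match means WireGuard drops the packet, no matter
        which route pointed it at this interface."""
        dst = ipaddress.ip_address(dst)
        best = None
        for peer in self.peers:
            for net in peer.allowed_ips:
                if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (peer, net)
        return best[0] if best else None

    def accepts_ingress(self, peer_name, src):
        """Receiving side: a decrypted packet is delivered only if its source
        address is inside the sending peer's AllowedIPs."""
        src = ipaddress.ip_address(src)
        for peer in self.peers:
            if peer.name == peer_name:
                return any(src in net for net in peer.allowed_ips)
        return False


def trace_packet(sender, receiver, receiver_peer, src, dst):
    """Follow one packet from the RSPro tunnel interface to the server's
    wg21 and report where (if anywhere) it is dropped."""
    if sender.egress_peer(dst) is None:
        return "dropped_no_allowedips"      # visible on wgc21, never on wg21
    if not receiver.accepts_ingress(receiver_peer, src):
        return "dropped_by_receiver"        # e.g. LAN source not MASQUERADEd
    return "delivered"


# Constructed topology (assumptions, not the real addresses from the report).
DC_DNS = ["192.0.2.53", "192.0.2.54"]   # data-centre resolvers, outside the tunnel net
TUNNEL_NET = "10.21.0.0/24"             # wg21 / wgc21 network
SERVER_WG21_IP = "10.21.0.1"
RSPRO_WGC21_IP = "10.21.0.2"            # source after MASQUERADE on wgc21


def build_rspro(extra_allowed=()):
    """wgc21 on the RSPro: peer 'server' with AllowedIPs = tunnel net (+ extras)."""
    allowed = [ipaddress.ip_network(TUNNEL_NET)]
    allowed += [ipaddress.ip_network(n) for n in extra_allowed]
    return WgInterface("wgc21", [Peer("server", allowed)])


# wg21 on the server: the RSPro peer is allowed to source only its tunnel address.
SERVER = WgInterface("wg21", [Peer("rspro", [ipaddress.ip_network(RSPRO_WGC21_IP + "/32")])])


def scenario_as_reported():
    """DNS pointed at the data-centre resolvers, routed via wgc21, not in AllowedIPs."""
    rspro = build_rspro()
    return {dst: trace_packet(rspro, SERVER, "rspro", RSPRO_WGC21_IP, dst) for dst in DC_DNS}


def scenario_workaround(dnat_targets=("10.21.0.53", "10.21.0.54")):
    """DNS pointed at addresses on the wg21 network; the server DNATs them onward."""
    rspro = build_rspro()
    return {dst: trace_packet(rspro, SERVER, "rspro", RSPRO_WGC21_IP, dst) for dst in dnat_targets}


def scenario_allowedips_fix():
    """Same as reported, but the resolvers are added to the peer's AllowedIPs."""
    rspro = build_rspro(extra_allowed=[ip + "/32" for ip in DC_DNS])
    return {dst: trace_packet(rspro, SERVER, "rspro", RSPRO_WGC21_IP, dst) for dst in DC_DNS}


if __name__ == "__main__":
    print("as reported :", scenario_as_reported())
    print("ssh to wg21 :", trace_packet(build_rspro(), SERVER, "rspro", RSPRO_WGC21_IP, SERVER_WG21_IP))
    print("workaround  :", scenario_workaround())
    print("allowedips  :", scenario_allowedips_fix())
```

On a real host the same check is visible with `wg show wgc21 allowed-ips` against `ip route get <resolver>`: when the route leaves via the WireGuard interface but no peer's AllowedIPs covers the destination, the behaviour matches the "seen on wgc21, absent on wg21" capture described above. The model also shows why the workaround succeeds without touching AllowedIPs: the rewritten resolver addresses sit inside the tunnel network that the peer already covers.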
