OpenWrt/LEDE Project

  • Status Unconfirmed
  • Percent Complete
  • Task Type Bug Report
  • Category Base system
  • Assigned To No-one
  • Operating System All
  • Severity High
  • Priority Very Low
  • Reported Version openwrt-19.07
  • Due in Version Undecided
  • Due Date Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by IOPEN Devel Team - 04.10.2021

FS#4062 - wireguard fails to route to non-VPN addresses at far-end

Hardware : Ubiquiti Routerstation Pro
Software : OpenWrt 19.07.6, r11278-8055e38794
Updated : 2021-10-03

Problem does not occur with an OpenVPN tunnel providing the same functionality.

Problem occurs with the following combination :

1 : Wireguard tunnel from RSPro gateway (device wgc21) to a CentOS 7 server (device wg21) which uses the 2 non-public DNS servers in the data centre that it’s located in.

2 : RSPro networking DNS settings are the 2 data centre server addresses.

3 : The RSPro has routes to those DNS servers via dev wgc21

4 : RSPro iptables MASQUERADEs packets going out interface wgc21

On the RSPro’s local network, doing “$ host” gets a REFUSED reply. Browsers report failure to resolve.

On a local machine, a Wireshark remote capture on the RSPro’s wgc21 interface shows the DNS request packets (with DST=data_centre_dns_server), and a remote capture on the server’s wg21 interface doesn’t show them.

ssh sessions from local machines via the RSPro to the server’s wg21 address succeed.

How to reproduce : As above.

Workaround :

RSPro networking DNS addresses changed to 2 addresses on the wg21 network, and on the remote server two iptables PREROUTING rules added that DNAT those 2 addresses to the data centre DNS addresses.
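A check worth running on both ends of a setup like the one described above, added here as an example and not part of the original report: WireGuard's cryptokey routing silently discards any packet whose destination (on the way out) or source (on the way in) does not fall inside the AllowedIPs of the matching peer, and a route pointing at the wg interface does not by itself put that destination into AllowedIPs. The snippet below parses `ip route show` and `wg show <iface> allowed-ips` output and lists routes via the tunnel interface that no AllowedIPs prefix covers. The addresses, interface routes and peer key are constructed placeholders, not values from the report.

```python
import ipaddress

# Constructed sample of `ip route show` output on a gateway (placeholder addresses).
ROUTES = """\
default via 192.0.2.1 dev eth0
10.21.0.0/24 dev wgc21 scope link src 10.21.0.2
198.51.100.53 via 10.21.0.1 dev wgc21
198.51.100.54 via 10.21.0.1 dev wgc21
"""

# Constructed sample of `wg show wgc21 allowed-ips` output: one tab-separated
# line per peer, "<public key>\t<cidr> <cidr> ...". The key is a placeholder.
ALLOWED_IPS = "PEER_PUBLIC_KEY_PLACEHOLDER=\t10.21.0.0/24\n"


def parse_routes(text, iface):
    """Return the destination networks of all routes that leave via `iface`."""
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if "dev" not in parts:
            continue
        if parts[parts.index("dev") + 1] != iface:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        # A bare host address like 198.51.100.53 becomes a /32 network.
        nets.append(ipaddress.ip_network(dst, strict=False))
    return nets


def parse_allowed_ips(text):
    """Return every AllowedIPs prefix across all peers of the interface."""
    nets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _key, _tab, cidrs = line.partition("\t")
        for cidr in cidrs.split():
            if cidr != "(none)":  # wg prints "(none)" for a peer with no AllowedIPs
                nets.append(ipaddress.ip_network(cidr, strict=False))
    return nets


def uncovered_routes(routes, allowed):
    """Routes via the tunnel whose destination is outside every AllowedIPs prefix.

    Traffic to these destinations is routed into the interface but dropped by
    WireGuard's cryptokey routing, with nothing logged.
    """
    return [
        r
        for r in routes
        if not any(r.subnet_of(a) for a in allowed if a.version == r.version)
    ]


def check(route_text, allowed_text, iface):
    """Convenience wrapper returning the uncovered routes as CIDR strings."""
    routes = parse_routes(route_text, iface)
    allowed = parse_allowed_ips(allowed_text)
    return [str(r) for r in uncovered_routes(routes, allowed)]


if __name__ == "__main__":
    for cidr in check(ROUTES, ALLOWED_IPS, "wgc21"):
        print(f"route to {cidr} via wgc21 is not covered by any AllowedIPs prefix")
```

On a live OpenWrt box the same check is `ip route show` and `wg show wgc21 allowed-ips` piped into `check()`; run it on the far end as well, where the relevant question is whether the masqueraded source address (the gateway's tunnel address) is inside that peer's AllowedIPs.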
