Posted: Sat Dec 16, 2023 18:31 Post subject: WG config question
I have a question about WG config also. What is this "Ignore WAN DNS" that's mentioned in the v37 client setup manual. I can't find it anywhere on my router. Firmware 54248.
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Sat Dec 16, 2023 18:47 Post subject: Re: WG config question
johnnyNobody999 wrote:
I have a question about WG config also. What is this "Ignore WAN DNS" that's mentioned in the v37 client setup manual. I can't find it anywhere on my router. Firmware 54248.
Basic Setup page > WAN interface --- it's only visible if you use Dynamic IP or PPPoE
now we know you are using static IP ...
with the same success you can use commands in DNSmasq advanced config --
no-resolv --- this command tells DNSmasq to ignore any other DNS server set anywhere
server=9.9.9.9 -- this command tells DNSmasq the server you want to use; pick any you'd like, add as many as you need...
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Last edited by Alozaros on Sat Dec 16, 2023 18:50; edited 1 time in total
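Added example, not part of the original post: a small shell check that reads a dnsmasq config on stdin and reports whether the two directives described above are both present. The function name `audit_dnsmasq`, the verdict labels and the sample config are this example's own, constructed for illustration.

```shell
#!/bin/sh
# Constructed sample config. 9.9.9.9 is the resolver from the post;
# 192.0.2.1 is a documentation-range placeholder, not a real resolver.
SAMPLE_CONF='# Additional DNSmasq options
no-resolv
server=9.9.9.9
server=192.0.2.1'

# Reads a dnsmasq config on stdin, prints every upstream it finds and
# ends with one verdict line:
#   locked       no-resolv is set and at least one server= line exists
#   no-upstream  no-resolv is set but there is no server= line to forward to
#   open         no-resolv is missing, so resolvers from resolv.conf
#                (for example the WAN-assigned ones) can still be used
audit_dnsmasq() {
    awk '
        /^[ \t]*#/ { next }                     # skip whole-line comments
        { gsub(/^[ \t]+|[ \t]+$/, "") }         # trim surrounding whitespace
        $0 == "no-resolv" { noresolv = 1 }
        /^server=/ { n++; print "upstream " substr($0, 8) }
        END {
            if (noresolv && n)  print "locked"
            else if (noresolv)  print "no-upstream"
            else                print "open"
        }'
}

printf '%s\n' "$SAMPLE_CONF" | audit_dnsmasq
```

On a router, feed it the dnsmasq config that is actually in use instead of the sample, for example `audit_dnsmasq < your-dnsmasq.conf`.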
If you configure the WAN interface via DHCP or use PPPoE, the WAN interface is assigned a DNS server by the upstream router or ISP.
The option "ignore WAN DNS" ignores this assigned DNS server.
However, if you configure the WAN interface manually, you must also enter the DNS servers yourself.
Therefore, the option "ignore WAN DNS" makes little sense if you configure the WAN interface manually as you have to enter the servers manually yourself as already mentioned.
Joined: 18 Mar 2014 Posts: 12923 Location: Netherlands
Posted: Sun Dec 17, 2023 7:25 Post subject: Re: WG config question
johnnyNobody999 wrote:
I have a question about WG config also. What is this "Ignore WAN DNS" that's mentioned in the v37 client setup manual. I can't find it anywhere on my router. Firmware 54248.
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Sun Dec 17, 2023 8:31 Post subject:
johnnyNobody999 wrote:
I take it that dnscrypt-proxy can't be used with WG to avoid DNS leak? I don't know how this can be avoided since there has to be DNS queries.
DNScrypt-proxy, SmartDNS, Stubby, etc...all those work in conjunction with DNSmasq...(preferred way)...so, to prevent DNS leaks...whatever you use, it will be forwarded through DNSmasq and in general all DNSmasq requests are parsed inside the WG or VPN channel..so, yes those are encrypted...however in very rare setup cases...also with some odd DNS providers, you can experience DNS leaks...but, those are very very rare occasions...so follow the guide...egc recommended!
As it was explained, the ignore option is to force the use of your DNS selection...so, add DNS either in the x3 boxes or specify at DNSmasq advanced box...or just use SmartDNS...leave anything else blank and when you add your preferred servers at SmartDNS config...tick the Use Additional Servers Only option..
For SmartDNS https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=323896&start=240 don't forget that SmartDNS encryption will work only if you have OpenSSL support on your router...so, low grade routers will not encrypt the DNS requests...
Posted: Sun Dec 17, 2023 23:53 Post subject: Re: WG config question
egc wrote:
johnnyNobody999 wrote:
I have a question about WG config also. What is this "Ignore WAN DNS" that's mentioned in the v37 client setup manual. I can't find it anywhere on my router. Firmware 54248.
I guess I don't understand DNS leak. I followed the instructions in that DNS guide but when I go to dnsleak.com it always identifies all of the DNS servers that dnscrypt-proxy provides. I don't see how one can prevent a "leak". The "DNS Servers via Tunnel" is set to the IP of the router with dnscrypt-proxy (which is the same router where WG server is running).
Anyway, I have some weird stuff going on with WG where the server shows no handshaking but the client on the other end shows handshaking and data transfer happening. And some corruption must be happening because some of the client public keys don't match the client public key on the server. And exporting some of the client configurations to a file is incorrect (interface address is wrong, allowed IPs are wrong). For example, when I go to export the 12th client config it turns out to be the 11th client config while the 13th config comes out as the 13th config. I don't believe that I made any mistakes.
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Mon Dec 18, 2023 7:48 Post subject:
54248 is old and doesn't contain the last WG fixes...moreover "I guess I don't understand DNS leak. I followed the instructions in that DNS guide but when I go to dnsleak.com it always identifies all of the DNS servers that dnscrypt-proxy provides." yes, this is what was explained...it will all be parsed inside the WG channel..so it will report the dns-proxy or whatever settings you had...
To find out more about DNS leaks you need to specialize in tcpdump or wireshark for testing your network...if you dig in the forum there would be some advice on how to probe your network...here and there..
If you have 11-13 configs in your WG then how full is your NVRAM..as routers have some limits, especially regarding NVRAM and complex configs...
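Added example, not part of the original posts: one way to do the tcpdump check mentioned above, by summarising plaintext DNS queries (destination port 53) in a text capture. It assumes the capture was taken on the WAN interface with numeric output (`tcpdump -nn`), where DNS that really travels inside the tunnel or through an encrypting proxy should not show up as port 53 at all. The function name `dns_on_wan` and the sample lines (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in tcpdump -nn text format: one WireGuard packet,
# two plaintext DNS queries to 192.0.2.53, and one DNS reply coming back.
SAMPLE_CAPTURE='12:00:01.100000 IP 203.0.113.7.51820 > 198.51.100.20.51820: UDP, length 148
12:00:01.200000 IP 203.0.113.7.41234 > 192.0.2.53.53: 4242+ A? example.com. (29)
12:00:01.300000 IP 203.0.113.7.41235 > 192.0.2.53.53: 4243+ AAAA? example.com. (29)
12:00:01.400000 IP 192.0.2.53.53 > 203.0.113.7.41234: 4242 1/0/0 A 198.51.100.99 (45)'

# Reads tcpdump -nn text output on stdin. For every packet whose destination
# port is 53 it counts the destination address, then prints one line
# "LEAK <resolver> <packets>" per resolver, or "clean" if none were seen.
dns_on_wan() {
    awk '
        ($2 == "IP" || $2 == "IP6") && $4 == ">" {
            dst = $5
            sub(/:$/, "", dst)              # drop the trailing colon
            n = split(dst, part, ".")       # last dot-separated part is the port
            if (part[n] != "53") next       # replies and tunnel traffic are skipped
            sub(/\.53$/, "", dst)           # keep only the resolver address
            seen[dst]++
            total++
        }
        END {
            for (ip in seen) print "LEAK " ip " " seen[ip]
            if (!total) print "clean"
        }'
}

printf '%s\n' "$SAMPLE_CAPTURE" | dns_on_wan
```

On the sample it reports `LEAK 192.0.2.53 2`; the WireGuard packet and the reply are ignored because their destination port is not 53.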