On 4 Feb 2020, at 17:39, Ryan Quinn
<jollyrogue(a)dangertoaster.com> wrote:
I have a Fedora 31 box acting as a Wireguard VPN server. Everything with Wireguard is
working great. Traffic is flowing in both directions, and my packets are protected. DNS is
getting resolved by Quad9.
As an enhancement, I've installed PowerDNS Recursor on the server to respond to DNS
queries. The recursor is working fine for the server, but I can't get the Wireguard
clients access to the recursor. I'm assuming this is a problem with my firewalld
rules, but I don't have a lot of experience building Linux based routers, which means
it could be anything.
The DNS for your clients I would expect to be:
DNS = 192.168.13.1
and not include the 9.9.9.9 because your 192.168.13.1 DNS server will
deal with using 9.9.9.9 if it's not a locally defined name, I'm guessing?
Can you use "dig" on the client to test dns lookups?
When I got stuck I found the IRC #wireguard channel on freenode
had people that are knowledgeable and helped me.
Barry
Thoughts on what I'm missing here?
Firewalld Default Zone:
firewall-cmd --list-all
FedoraServer (active)
target: default
icmp-block-inversion: no
interfaces: ens3 ens7
sources:
services: dhcpv6-client ssh wireguard
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv6" source ipset="sshguard6" drop
rule family="ipv4" source ipset="sshguard4" drop
----------
Internal Zone with the Wireguard interface and network added to it:
firewall-cmd --list-all --zone=internal
internal (active)
target: default
icmp-block-inversion: no
interfaces: wg0
sources: 192.168.13.0/24
services: dhcpv6-client dns ssh wireguard
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
------------
If it helps...
Wireguard Client Config:
[Interface]
PrivateKey = <private key>
Address = 192.168.13.10/32
DNS = 192.168.13.1, 9.9.9.9
[Peer]
PublicKey = <server public key>
PresharedKey = <psk>
AllowedIPs = ::/0, 0.0.0.0/0
Endpoint = wgg.domain.tld:2350
PersistentKeepalive = 25
----------
Wireguard server config:
[Interface]
PrivateKey = <private key>
Address = 192.168.13.1/24
ListenPort = 2350
[Peer]
PublicKey = <client public key>
AllowedIPs = 192.168.13.10/32
PreSharedKey = <psk>
_______________________________________________
users mailing list -- users(a)lists.fedoraproject.org
List Archives:
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
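One way to confirm that firewalld itself admits the clients' DNS queries, added here as an example and not part of the thread: parse the `firewall-cmd --list-all` dumps above and check that the zone binding wg0 offers the dns service (or an explicit port 53 entry). The sample below is a shortened copy of the two zone listings in the post; if this check passes, firewalld is not what drops the queries and the problem lies elsewhere.

```python
import re

# Shortened copy of the two zone listings from the post (key fields only;
# real `firewall-cmd --list-all` output indents fields with two spaces).
SAMPLE = """\
FedoraServer (active)
  interfaces: ens3 ens7
  sources:
  services: dhcpv6-client ssh wireguard
  ports:
  rich rules:
	rule family="ipv6" source ipset="sshguard6" drop
	rule family="ipv4" source ipset="sshguard4" drop
internal (active)
  interfaces: wg0
  sources: 192.168.13.0/24
  services: dhcpv6-client dns ssh wireguard
  ports:
"""

def parse_zones(text):
    """Parse one or more zone dumps into {zone: {field: [values], ...}}."""
    zones, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = re.fullmatch(r"([\w-]+)(?: \((active)\))?", line)
        if head:  # e.g. "internal (active)" starts a new zone
            cur = zones.setdefault(head.group(1), {"active": bool(head.group(2)), "rich rules": []})
        elif cur is not None and line.startswith("rule "):  # entries under "rich rules:"
            cur["rich rules"].append(line)
        elif cur is not None:  # "key: v1 v2 ..." field line
            key, _, val = line.partition(":")
            cur[key.strip()] = val.split()
    return zones

def zone_for_interface(zones, ifname):
    """Name of the zone that binds ifname, or None if no zone lists it."""
    return next((n for n, z in zones.items() if ifname in z.get("interfaces", [])), None)

def dns_allowed_for_tunnel(zones, ifname="wg0"):
    """(zone, allowed): does the zone holding the tunnel interface admit DNS?"""
    name = zone_for_interface(zones, ifname)
    if name is None:
        return None, False
    z = zones[name]
    ok = "dns" in z.get("services", []) or any(p.startswith("53/") for p in z.get("ports", []))
    return name, ok
```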