I have a Fedora 31 box acting as a Wireguard VPN server. Everything with Wireguard is working great. Traffic is flowing in both directions, and my packets are protected. DNS is getting resolved by Quad9.
As an enhancement, I've installed PowerDNS Recursor on the server to respond to DNS queries. The recursor is working fine for the server, but I can't get the Wireguard clients access to the recursor. I'm assuming this is a problem with my firewalld rules, but I don't have a lot of experience building Linux-based routers, which means it could be anything.
Thoughts on what I'm missing here?
Firewalld Default Zone:
firewall-cmd --list-all
FedoraServer (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens3 ens7
  sources:
  services: dhcpv6-client ssh wireguard
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv6" source ipset="sshguard6" drop
        rule family="ipv4" source ipset="sshguard4" drop
----------
Internal Zone with the Wireguard interface and network added to it:
firewall-cmd --list-all --zone=internal
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: wg0
  sources: 192.168.13.0/24
  services: dhcpv6-client dns ssh wireguard
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
------------

If it helps...
Wireguard Client Config:
[Interface]
PrivateKey = <private key>
Address = 192.168.13.10/32
DNS = 192.168.13.1, 9.9.9.9

[Peer]
PublicKey = <server public key>
PresharedKey = <psk>
AllowedIPs = ::/0, 0.0.0.0/0
Endpoint = wgg.domain.tld:2350
PersistentKeepalive = 25
----------
Wireguard server config:
[Interface]
PrivateKey = <private key>
Address = 192.168.13.1/24
ListenPort = 2350

[Peer]
PublicKey = <client public key>
AllowedIPs = 192.168.13.10/32
PreSharedKey = <psk>
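Two things worth checking against the configuration above, as an added example that is not part of the original post or of firewalld, WireGuard or PowerDNS: whether the firewalld zone that covers wg0 (or the 192.168.13.0/24 source, which firewalld matches before the interface) actually allows the dns service, and whether the recursor is listening on an address reachable over wg0 rather than only on 127.0.0.1, which is the documented default for PowerDNS Recursor's local-address setting. The script works on constructed copies of the zone listing and of `ss -H -ulnp 'sport = :53'` output so it runs offline; on the server you would feed it the live output instead. Function names and the sample ss lines are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Two offline checks for "clients can't
# reach the resolver on the WireGuard server":
#   1. does the firewalld zone that covers wg0 / 192.168.13.0/24 allow dns?
#   2. is the resolver bound to an address reachable over wg0, or only to
#      127.0.0.1 (the default for PowerDNS Recursor's local-address)?
# Inputs are constructed copies of `firewall-cmd --list-all --zone=internal`
# and `ss -H -ulnp 'sport = :53'` output; swap in the live output on the box.

# Constructed: the "internal" zone listing from the thread.
ZONE_INTERNAL='internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: wg0
  sources: 192.168.13.0/24
  services: dhcpv6-client dns ssh wireguard
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Constructed: a zone that binds wg0 but never opened the dns service.
ZONE_NO_DNS='FedoraServer (active)
  target: default
  interfaces: ens3 wg0
  sources:
  services: dhcpv6-client ssh wireguard
  masquerade: yes
  rich rules:'

# Constructed ss lines: resolver bound to loopback only vs. to all addresses.
SS_LOOPBACK_ONLY='UNCONN 0 0 127.0.0.1:53 0.0.0.0:* users:(("pdns_recursor",pid=1234,fd=5))'
SS_ALL_ADDRS='UNCONN 0 0 0.0.0.0:53 0.0.0.0:* users:(("pdns_recursor",pid=1234,fd=5))'

# zone_field LISTING NAME: print the value of the "  NAME: ..." line.
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^  $2: *//p"
}

# has_word "a b c" b: succeed if the word is in the list.
has_word() {
    for w in $1; do [ "$w" = "$2" ] && return 0; done
    return 1
}

# dns_allowed_for_wg LISTING IFACE CLIENTNET: succeed when the zone covers
# the WireGuard interface or the client network AND permits the dns service.
dns_allowed_for_wg() {
    listing=$1 iface=$2 net=$3
    if ! has_word "$(zone_field "$listing" interfaces)" "$iface" &&
       ! has_word "$(zone_field "$listing" sources)" "$net"; then
        echo "zone covers neither $iface nor $net"; return 1
    fi
    if ! has_word "$(zone_field "$listing" services)" dns; then
        echo "dns service not allowed in this zone"; return 1
    fi
    echo "dns allowed for $net via $iface"
}

# resolver_bind_scope SS_LINES: print "loopback-only" when every UDP/53
# socket is bound to 127.0.0.1 or ::1 (invisible to wg0), else "reachable".
resolver_bind_scope() {
    printf '%s\n' "$1" | awk '
        NF >= 4 { addr = $4; sub(/:[0-9]+$/, "", addr)
                  if (addr != "127.0.0.1" && addr != "[::1]") reachable = 1 }
        END { print (reachable ? "reachable" : "loopback-only") }'
}

# Stand-alone run over the constructed samples.
dns_allowed_for_wg "$ZONE_INTERNAL" wg0 192.168.13.0/24 || :
dns_allowed_for_wg "$ZONE_NO_DNS" wg0 192.168.13.0/24 || :
echo "loopback sample: $(resolver_bind_scope "$SS_LOOPBACK_ONLY")"
echo "all-addresses sample: $(resolver_bind_scope "$SS_ALL_ADDRS")"
```

If the zone check passes but the bind check reports loopback-only, the firewall is not the blocker: the recursor itself has to be told to listen on 192.168.13.1 (or on all addresses) and its allow-from list has to admit the client network, after which `dig @192.168.13.1` from a client is the quickest confirmation.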
On 4 Feb 2020, at 17:39, Ryan Quinn <jollyrogue@dangertoaster.com> wrote:
I have a Fedora 31 box acting as a Wireguard VPN server. Everything with Wireguard is working great. Traffic is flowing in both directions, and my packets are protected. DNS is getting resolved by Quad9.
As an enhancement, I've installed PowerDNS Recursor on the server to respond to DNS queries. The recursor is working fine for the server, but I can't get the Wireguard clients access to the recursor. I'm assuming this is a problem with my firewalld rules, but I don't have a lot of experience building Linux-based routers, which means it could be anything.
The DNS for your clients I would expect to be:
DNS = 192.168.13.1
and not include the 9.9.9.9, because your 192.168.13.1 DNS server will deal with using 9.9.9.9 if it's not a locally defined name, I'm guessing?
Can you use "dig" on the client to test dns lookups?
When I got stuck I found the IRC #wireguard channel on freenode had people that are knowledgeable and helped me.
Barry
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org