I have finally figured out how to add local routes to another VLAN subnet in WireGuard without leaking DNS, and figured that I would share. In this case, I am running an Unbound DNS server on the gateway.

In a WireGuard config file you can add “PreUp” and “PostDown” system commands to run stuff before and after the tunnel connects. Unfortunately, with some Linux networking (NetworkManager in this case), it will keep using the DHCP-assigned DNS server, and if a local route to the DNS server is available it will use it for some things and therefore leak.

To prevent this, you can use the Pre/Post commands to force the LAN DNS server to match the Wireguard tunnel’s DNS server, and simply return it to normal after the tunnel is closed.

This only works with wg-quick, not the NetworkManager WireGuard plugin, since that does not overwrite the resolv.conf or run the PreUp/PostDown commands as far as I can tell.

Example:

# Route the other VLAN over the LAN NIC so it is reached directly, not through the tunnel
PreUp = ip route add 192.168.3.0/24 via 192.168.1.1 dev enp4s0
# Stop NetworkManager from using the DHCP-assigned resolver and pin the LAN
# connection to the tunnel's DNS server instead
PreUp = nmcli conn modify enp4s0 ipv4.ignore-auto-dns yes
PreUp = nmcli conn modify enp4s0 ipv4.dns "10.2.0.1"
PreUp = systemctl restart NetworkManager
# Undo all of the above when the tunnel comes down
PostDown = ip route del 192.168.3.0/24 via 192.168.1.1 dev enp4s0
PostDown = nmcli conn modify enp4s0 ipv4.ignore-auto-dns no
PostDown = nmcli conn modify enp4s0 ipv4.dns "192.168.1.1"
PostDown = systemctl restart NetworkManager
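
As an added example (not part of the original post), here is a POSIX shell script that verifies the two things the hooks above are meant to achieve once the tunnel is up: the other VLAN is routed out the LAN NIC rather than the tunnel, and every resolver NetworkManager reports for the LAN NIC is the tunnel resolver, which the kernel in turn routes through the WireGuard interface. The interface names (enp4s0, wg0) and addresses (10.2.0.1, 192.168.1.1, 192.168.3.0/24) are assumptions that mirror the post's example; the sample nmcli and ip outputs are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks that a WireGuard
# client configured like the post's hooks actually has (1) the other VLAN
# reachable over the LAN NIC and (2) DNS pinned to the tunnel resolver.
# Interface names and addresses are assumptions mirroring the post's example.
set -eu

LAN_IF="enp4s0"            # LAN NIC (the post also uses it as the nmcli connection name)
WG_IF="wg0"                # WireGuard interface brought up by wg-quick
TUNNEL_DNS="10.2.0.1"      # resolver that must only be reached through the tunnel
REMOTE_VLAN_HOST="192.168.3.10"   # any host in the 192.168.3.0/24 VLAN, used as a probe

# Device name from the first line of `ip route get <addr>` output,
# e.g. "10.2.0.1 dev wg0 src 10.2.0.5 uid 1000" -> "wg0".
route_dev() {
    printf '%s\n' "$1" | awk 'NR == 1 { for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1) }'
}

# Succeeds only if every resolver NetworkManager reports for the LAN NIC is the
# tunnel resolver. $1 is the output of `nmcli -t -f IP4.DNS dev show "$LAN_IF"`,
# one "IP4.DNS[n]:<addr>" per line. An empty list fails too: with no resolver on
# this NIC, queries fall through to whatever another interface offers.
lan_dns_pinned() {
    servers=$(printf '%s\n' "$1" | sed -n 's/^IP4\.DNS\[[0-9]*]://p')
    [ -n "$servers" ] || return 1
    for s in $servers; do
        [ "$s" = "$TUNNEL_DNS" ] || return 1
    done
}

# Prints "ok" when the LAN NIC's resolvers are pinned to the tunnel resolver AND
# the kernel routes that resolver via the WireGuard interface; otherwise "leak".
# $1 = nmcli output as above, $2 = `ip route get "$TUNNEL_DNS"` output.
dns_leak_check() {
    if lan_dns_pinned "$1" && [ "$(route_dev "$2")" = "$WG_IF" ]; then
        echo ok
    else
        echo leak
    fi
}

# Succeeds if a host in the other VLAN is routed out the LAN NIC, i.e. the
# PreUp route did its job. $1 = `ip route get "$REMOTE_VLAN_HOST"` output.
vlan_route_local() {
    [ "$(route_dev "$1")" = "$LAN_IF" ]
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_NMCLI_PINNED='IP4.DNS[1]:10.2.0.1'
SAMPLE_NMCLI_LEAK='IP4.DNS[1]:192.168.1.1'     # DHCP resolver still in use
SAMPLE_NMCLI_BOTH="$(printf 'IP4.DNS[1]:10.2.0.1\nIP4.DNS[2]:192.168.1.1')"
SAMPLE_ROUTE_TUNNEL='10.2.0.1 dev wg0 src 10.2.0.5 uid 1000'
SAMPLE_ROUTE_LAN='10.2.0.1 via 192.168.1.1 dev enp4s0 src 192.168.1.20 uid 1000'
SAMPLE_ROUTE_VLAN='192.168.3.10 via 192.168.1.1 dev enp4s0 src 192.168.1.20 uid 1000'

# Live check on this host after `wg-quick up`; needs nmcli and ip.
live_check() {
    echo "dns: $(dns_leak_check "$(nmcli -t -f IP4.DNS dev show "$LAN_IF")" "$(ip route get "$TUNNEL_DNS")")"
    if vlan_route_local "$(ip route get "$REMOTE_VLAN_HOST")"; then
        echo "vlan route: local ($LAN_IF)"
    else
        echo "vlan route: NOT local"
    fi
}

if [ "${1:-}" = "--live" ]; then
    live_check
else
    echo "pinned, routed via wg0:   $(dns_leak_check "$SAMPLE_NMCLI_PINNED" "$SAMPLE_ROUTE_TUNNEL")"
    echo "DHCP resolver kept:       $(dns_leak_check "$SAMPLE_NMCLI_LEAK" "$SAMPLE_ROUTE_TUNNEL")"
    echo "both resolvers listed:    $(dns_leak_check "$SAMPLE_NMCLI_BOTH" "$SAMPLE_ROUTE_TUNNEL")"
    echo "resolver routed via LAN:  $(dns_leak_check "$SAMPLE_NMCLI_PINNED" "$SAMPLE_ROUTE_LAN")"
    if vlan_route_local "$SAMPLE_ROUTE_VLAN"; then
        echo "VLAN route via enp4s0:    yes"
    fi
fi
```

Run it with no arguments to see the constructed cases, or with --live on the client after `wg-quick up`. The "both resolvers listed" case is the one the post describes: NetworkManager keeps the DHCP resolver alongside the tunnel one, and the check treats that as a leak because the two-resolver list is exactly what lets queries escape over the LAN.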