From: Simon Rozman <simon@rozman.si>
To: Andrew Burkett <burkett.andrew@gmail.com>,
	"wireguard@lists.zx2c4.com" <wireguard@lists.zx2c4.com>
Subject: RE: DNS Issues with Wireguard for Windows
Date: Thu, 23 Jul 2020 12:02:00 +0000	[thread overview]
Message-ID: <99D61A626FDA8A4B90A270669121BE10D0DE259A@PLANJAVA.amebis.doma> (raw)
In-Reply-To: <CAONL4-JqcxN9gtjH+3GFOsfqM8AcoYdsL3Jvf4aWGG=aF0q+pQ@mail.gmail.com>

WireGuard for Windows adds firewall rules to block all DNS traffic except to the DNS servers listed in the WireGuard config. This is by design (preventing data leakage).

Regards,
Simon

> -----Original Message-----
> From: WireGuard <wireguard-bounces@lists.zx2c4.com> On Behalf Of Andrew
> Burkett
> Sent: Saturday, July 11, 2020 1:31 AM
> To: wireguard@lists.zx2c4.com
> Subject: DNS Issues with Wireguard for Windows
> 
> I was running into dns issues with wireguard on windows using the
> released gui app. It seems like a bug with wireguard, but not sure if it
> was actually something about my networking configs that messed it up. I
> was able to work around the issue by changing the wireguard config (in a
> way that seemed odd to me), but I thought it might be useful to share
> what I was seeing in case it's helpful to others or if it is in fact a
> bug in wireguard. I'll share the configs at the bottom of the email, but
> I'm just going to describe what I'm seeing first.
> 
> My basic setup is I have wireguard running on a linux box functioning as
> a server/router to a remote network. I've got a windows desktop
> connecting to the linux box via wireguard. There are dns servers on the
> remote network that I would like to use from the desktop. I added the
> dns servers from the remote network to my desktop wireguard config.
> Everything was working fine for a while. At some point, my Windows box
> started complaining about not being connected to the internet. I was
> able to pinpoint it with some confidence to dns requests failing when
> wireguard was connected. Even though windows was complaining about not
> having a network connection, my browser still worked though it seemed
> slow so I assumed it was trying a dns server and then falling back to a
> different one after a timeout (at least that was my guess). The "cause"
> of the problem was adding
> 192.168.7.12/32 to the AllowedIPs on the peer (the wireguard network in
> my case is 10.98.1.0/24 and the rest of the network is under
> 10.0.X.X). After adding it and waiting for a couple of hours, Windows will
> inevitably claim that there is no internet access from my network
> adapter. Sometimes nslookup and ping still work fine, sometimes they
> start to report errors. My solution that reliably fixes it is to add my
> local dns server (which is my local router in this case
> 192.168.86.1) to the dns section of the wireguard config, which seems
> like an odd fix since I'm not actually sending local dns traffic to
> wireguard.
> 
> I couldn't figure out how to use wireshark to view wireguard traffic on
> windows to see what's happening to the dns requests, nor do I know of
> another way to view traffic (If someone wants to point me at how to do
> that, or some other way to view network traffic on windows, I'm happy to
> look at it).
> 
> Anyway, thanks for the software. It's the best vpn software I've used by
> a mile.
> 
> Andrew
> 
> My Local Gateway/DNS is 192.168.86.1
> My Local IP is in 192.168.86.0/24 subnet
> 
> Working Config 1
> 
> [Interface]
> PrivateKey = XXXXX
> Address = 10.98.1.103/32
> DNS = 10.0.X.X, 10.0.Y.Y
> 
> [Peer]
> PublicKey = XXXXXX
> AllowedIPs = 10.0.0.0/16, 10.98.1.0/24
> Endpoint = XXXXXXX
> 
> Working Config 2
> 
> [Interface]
> PrivateKey = XXXXX
> Address = 10.98.1.103/32
> DNS = 10.0.X.X, 10.0.Y.Y , 192.168.86.1
> 
> [Peer]
> PublicKey = XXXXXX
> AllowedIPs = 10.0.0.0/16, 10.98.1.0/24, 198.168.7.12/32
> Endpoint = XXXXXXX
> 
> NonWorking Config
> 
> [Interface]
> PrivateKey = XXXXX
> Address = 10.98.1.103/32
> DNS = 10.0.X.X, 10.0.Y.Y
> 
> [Peer]
> PublicKey = XXXXXX
> AllowedIPs = 10.0.0.0/16, 10.98.1.0/24, 198.168.7.12/32
> Endpoint = XXXXXXX
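The rule Simon describes, modelled over the poster's configs as an added example (this is not WireGuard's own code): a resolver is only reachable while the tunnel is up if its address appears on the DNS= line, which is exactly what Working Config 2 adds for the local router 192.168.86.1. The sample configs are constructed, with 10.0.1.1 and 10.0.2.2 standing in for the poster's 10.0.X.X and 10.0.Y.Y placeholders.

```python
import ipaddress

# Constructed sample standing in for the poster's "NonWorking Config"
# (keys and endpoint left as placeholders, 10.0.X.X/10.0.Y.Y made concrete).
NON_WORKING = """
[Interface]
PrivateKey = XXXXX
Address = 10.98.1.103/32
DNS = 10.0.1.1, 10.0.2.2

[Peer]
PublicKey = XXXXXX
AllowedIPs = 10.0.0.0/16, 10.98.1.0/24, 192.168.7.12/32
Endpoint = XXXXXXX
"""
# "Working Config 2": same peer, local router added to the DNS= line.
WORKING_2 = NON_WORKING.replace("DNS = 10.0.1.1, 10.0.2.2",
                                "DNS = 10.0.1.1, 10.0.2.2, 192.168.86.1")

def parse_wg_config(text):
    """Read DNS= from [Interface] and AllowedIPs= from every [Peer] section."""
    dns, allowed, section = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        items = [v.strip() for v in value.split(",") if v.strip()]
        if section == "interface" and key == "dns":
            for item in items:
                try:                             # DNS= may also carry search domains
                    dns.append(ipaddress.ip_address(item))
                except ValueError:
                    pass
        elif section == "peer" and key == "allowedips":
            allowed.extend(ipaddress.ip_network(v, strict=False) for v in items)
    return dns, allowed

def dns_server_status(text, server):
    """(permission, path) for a resolver Windows might query: 'allowed' only if
    the address is on the DNS= line, otherwise 'blocked' by the leak-protection
    rule; path tells whether AllowedIPs would route it through the tunnel."""
    dns, allowed = parse_wg_config(text)
    ip = ipaddress.ip_address(server)
    permission = "allowed" if ip in dns else "blocked"
    path = "tunnel" if any(ip in net for net in allowed) else "local"
    return permission, path
```

Run `dns_server_status(NON_WORKING, "192.168.86.1")` to see the local router classified as blocked, and the same call against `WORKING_2` to see it become allowed.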
