
VPN mode (one WireGuard) #1049

Closed
ignoramous opened this issue Sep 11, 2023 · 12 comments
Labels
P1 Priority: 1 (urgent)

Comments

@ignoramous
Collaborator

ignoramous commented Sep 11, 2023

Rethink supports connecting to multiple WireGuard upstreams, but then DNS resolution couldn't be tunneled to any ONE of them (but could be to ALL of them, which is wasteful: #979).

Some folks would prefer to run just ONE WireGuard, but in true "VPN" style with DNS queries (and possibly ICMP) also tunneled through it. Doing so would also help simplify / partially address:


Apparently, when I was using the official WireGuard app, it would catch DNS queries and route them to my desired resolver from the exit point.

I am now using a weird Pi-Hole setup with a single-board PC at my home running it, Quad9 as the upstream resolver, and I'm routing all of my WireGuard peers' DNS to it, so all DNS queries appear to be coming from my exit point after all.

The problem is, this only works on my home Wi-Fi, because my Pi-Hole is not exposed to the internet and is only accessible over VPN or from home. I rely on WireGuard to access it remotely, but I can't do it with RethinkDNS if I'm not on my home Wi-Fi.
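The property this "one WireGuard" mode relies on is that the profile's own DNS server is actually reachable inside the tunnel, that is, that the [Interface] DNS address falls within some [Peer] AllowedIPs prefix. A DNS server outside AllowedIPs is reached over the clear network, which is exactly the Pi-Hole-only-on-home-Wi-Fi situation described above. The following Python check is an added example, not code from the RethinkDNS project or from anyone in this thread; the two sample profiles, the endpoint name vpn.example.net and the 10.8.0.0/24 addressing are constructed for illustration.

```python
"""
Added example: parse a wg-quick style WireGuard profile and report which of
its DNS servers would be carried inside the tunnel (covered by AllowedIPs)
and which would leak to the underlying network.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class WgProfile:
    dns: list = field(default_factory=list)          # [Interface] DNS entries (IP addresses only)
    allowed_ips: list = field(default_factory=list)  # union of every [Peer] AllowedIPs prefix


def parse_wg_conf(text: str) -> WgProfile:
    """Minimal parser: only the DNS and AllowedIPs keys are extracted."""
    profile = WgProfile()
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (s.strip() for s in line.split("=", 1))
        values = [v.strip() for v in value.split(",") if v.strip()]
        if section == "interface" and key.lower() == "dns":
            for v in values:
                try:
                    profile.dns.append(ipaddress.ip_address(v))
                except ValueError:
                    pass  # wg-quick also accepts search domains in DNS=; ignore them
        elif section == "peer" and key.lower() == "allowedips":
            profile.allowed_ips.extend(
                ipaddress.ip_network(v, strict=False) for v in values
            )
    return profile


def dns_tunneled(profile: WgProfile) -> dict:
    """Map each DNS server (as a string) to True if an AllowedIPs prefix covers it."""
    return {
        str(d): any(d in net for net in profile.allowed_ips if net.version == d.version)
        for d in profile.dns
    }


def leaking_dns(profile: WgProfile) -> list:
    """DNS servers that the tunnel would NOT carry, in profile order."""
    return [ip for ip, covered in dns_tunneled(profile).items() if not covered]


# Constructed sample profiles; keys are placeholders and the endpoint is not real.
FULL_TUNNEL = """
[Interface]
PrivateKey = <redacted>
Address = 10.8.0.2/32
DNS = 10.8.0.1   # resolver (e.g. Pi-hole) on the server's tunnel address

[Peer]
PublicKey = <redacted>
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

SPLIT_TUNNEL = """
[Interface]
PrivateKey = <redacted>
Address = 10.8.0.2/32
DNS = 9.9.9.9, 10.8.0.1

[Peer]
PublicKey = <redacted>
Endpoint = vpn.example.net:51820
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24   # only the tunnel and home LAN are routed
"""

if __name__ == "__main__":
    for name, conf in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        p = parse_wg_conf(conf)
        print(f"{name}: {dns_tunneled(p)} leaking={leaking_dns(p)}")
```

In the split-tunnel profile 9.9.9.9 is not inside any AllowedIPs prefix, so queries to it bypass the tunnel even though the profile names it as the DNS server; 10.8.0.1 is covered and would be tunneled. The same check applies to any DNS address that is only reachable on the far side of the tunnel.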

@supsm

supsm commented Sep 27, 2023

could [tunneled] be to ALL of them

Could you elaborate on this? I only have one WireGuard upstream, but I have not been able to figure out how to use it as a DNS resolver. The other issues don't seem to have any clues either.

@ignoramous
Collaborator Author

Could you elaborate on this? I only have one WireGuard upstream, but I have not been able to figure out how to use it as a DNS resolver.

This feature isn't in v055a. It is ready for v055b, but we are unsure if we'll expose enabling WireGuard DNSes to end users yet. But in "one WireGuard" mode, WireGuard's DNS will override whatever DNS is set with Rethink (DNSCrypt, DoH, DoT, ODoH etc.).

@user1939

user1939 commented Oct 8, 2023

I would anticipate that this feature / option would be highly desirable for many users.

In my situation, I have got my own DNS and WireGuard (WG) server on the same cloud/virtual server.

I use personal and work profiles; in each I have RDNS (v055a), and both of them connect to the WG server, i.e. one WG connection in true VPN style.

I use DoH in RDNS to connect to the DNS server, but because all queries are going over the clearnet, I have to open an external port on the server, and that is accessible to anyone.

Thus, it would be very desirable for RDNS to overwrite any DNS in Android and RDNS and tunnel everything through WG.

In such a case, RDNS does not really have to use DoH/DoT, as all DNS traffic would go through encrypted WG to the DNS server. A simple option of IPv4 DNS on the local network of the WG server would fulfil the need.

Obviously, for those who do not have a DNS server, DNS should use DoH/DoT for all queries to public DNS servers tunnelled through WG.

When may we expect v055b?

@ignoramous
Collaborator Author

ignoramous commented Oct 8, 2023

Thus, it would be very desirable for RDNS to overwrite any DNS in Android and RDNS and tunnel everything through WG.

This is a slightly different feature (tunneling DoH/DNSCrypt/etc over any user-set WireGuard endpoint), which has also been implemented.

One-WireGuard is really just that: one WireGuard profile active. This means there is no way to exclude apps from its tunnel or to use custom DNS (the DNS set in WireGuard's profile will be used instead).

@user1939

user1939 commented Oct 8, 2023

My apologies for any lack of clarity or misunderstanding.

I think the way you have described it is going to address the current inconvenience of reaching an external DNS server, which is on the same server as WireGuard, with DoH/DoT over the clearnet.

I would find it a highly desirable feature if RDNS used only one active WireGuard profile in each RDNS (personal and work profile), with all applications using its tunnel and the DNS set in WireGuard's profile, i.e. overriding any other DNS used by Android. Thus, for this, DoH/DoT would not be necessary.

However, I appreciate that other users may need or want to use external DNS server with DoH/DoT and use WireGuard tunnel for it.

Do you know when v055b may become available?

@ignoramous
Collaborator Author

ignoramous commented Oct 8, 2023

applications using its tunnel and the DNS set in WireGuard's profile, i.e. overriding any other DNS used by Android. Thus, for this, DoH/DoT would not be necessary.

You got it. One-WireGuard will forward DNS as set in the active WireGuard profile.

Tunneling DoH/DNSCrypt/etc. through WireGuard is a different feature and, more importantly, mutually exclusive with this One-WireGuard feature: #543 / #979 etc.

Do you know when v055b may become available?

Maybe this week, if nothing critical comes up in our day-to-day testing (but from experience, there's something severe or other that we stumble upon every single day)...

@YellowRoseCx

I'm looking forward to this change. Sometimes, with enough finagling, I can get DNS to be proxied, but it's completely random.

@LostRuins

I also have another issue with the existing mode this may resolve - currently I have to manually revise the list of Add / Remove Applications for the WireGuard proxy every single time I install any new app.

When I click Select All, it only snapshots the installed applications at that time, and the whitelist doesn't update after the fact, so you can end up in a state where most of the apps on your phone go through the WireGuard VPN but one or two newly added apps do not, and potentially leak privacy-sensitive info. Worse still, this is not obvious to the user, as your other apps will indeed show you are on the VPN.

@GitteGitty

GitteGitty commented Dec 22, 2023

This new feature sounds great, thank you very much, I am looking forward to it.
But I have one question: if all DNS traffic is then routed through WireGuard, is it at the same time still possible to use the DNS settings that RethinkDNS offers, for example blocklists, blocking specific domains, etc.?
Thank you very much!

@ignoramous
Collaborator Author

Local blocklists will be effective, yes. But otherwise, WireGuard will answer all DNS queries.

@GitteGitty

Great, thank you!

7 participants