FS#4062 - wireguard fails to route to non-VPN addresses at far-end

[openwrt-bot]

iopen:

Hardware : Ubiquiti Routerstation Pro
Software : OpenWrt 19.07.6, r11278-8055e38794
Updated : 2021-10-03

Problem does not occur with an OpenVPN tunnel providing the same functionality.

Problem occurs with the following combination :

1 : Wireguard tunnel from RSPro gateway (device wgc21) to a CentOS 7 server (device wg21) which uses the 2 non-public DNS servers in the data centre that it's located in.

2 : RSPro networking DNS settings are the 2 data centre server addresses.

3 : The RSPro has routes to those DNS servers via dev wgc21

4 : RSPro iptables MASQUERADEs packets going out interface wgc21

On the RSPro's local network, doing "$ host foo.com" gets a REFUSED reply. Browsers report failure to resolve.

On a local machine, a Wireshark remote capture on the RSPro's wgc21 interface shows the DNS request packets (with DST=data_centre_dns_server), and a remote capture on the server's wg21 interface doesn't show them.

ssh sessions from local machines via the RSPro to the server's wg21 address succeed.

How to reproduce : As above.

Workaround :

RSPro networking DNS addresses changed to 2 addresses on the wg21 network, and on the remote server two iptables PREROUTING rules added that DNAT those 2 addresses to the data centre DNS addresses.

[ynezz]

OpenWrt 19.07 release is EOL, try to reproduce the issue with latest supported release and feel free to ask for issue reopening if the problem is still present, thanks.