WireGuard for Windows adds firewall rules to block all DNS traffic except to the DNS servers listed in the WireGuard config. This is by design (preventing data leakage).
Regards, Simon

> -----Original Message-----
> From: WireGuard <wireguard-boun...@lists.zx2c4.com> On Behalf Of Andrew Burkett
> Sent: Saturday, July 11, 2020 1:31 AM
> To: wireguard@lists.zx2c4.com
> Subject: DNS Issues with Wireguard for Windows
>
> I was running into DNS issues with WireGuard on Windows using the released GUI app. It seems like a bug with WireGuard, but not sure if it was actually something about my networking configs that messed it up. I was able to work around the issue by changing the WireGuard config (in a way that seemed odd to me), but I thought it might be useful to share what I was seeing in case it's helpful to others or if it is in fact a bug in WireGuard. I'll share the configs at the bottom of the email, but I'm just going to describe what I'm seeing first.
>
> My basic setup is I have WireGuard running on a Linux box functioning as a server/router to a remote network. I've got a Windows desktop connecting to the Linux box via WireGuard. There are DNS servers on the remote network that I would like to use from the desktop. I added the DNS servers from the remote network to my desktop WireGuard config. Everything was working fine for a while. At some point, my Windows box started complaining about not being connected to the internet. I was able to pinpoint it with some confidence to DNS requests failing when WireGuard was connected. Even though Windows was complaining about not having a network connection, my browser still worked, though it seemed slow, so I assumed it was trying a DNS server and then falling back to a different one after a timeout (at least that was my guess). The "cause" of the problem was adding 192.168.7.12/32 to the AllowedIPs on the peer (the WireGuard network in my case is 10.98.1.0/24 and the rest of the network is under 10.0.X.X). After adding it and waiting for a couple hours Windows will inevitably claim that there is no internet access from my network adapter. Sometimes nslookup and ping still work fine, sometimes they start to report errors. My solution that reliably fixes it is to add my local DNS server (which is my local router in this case, 192.168.86.1) to the DNS section of the WireGuard config, which seems like an odd fix since I'm not actually sending local DNS traffic to WireGuard.
>
> I couldn't figure out how to use Wireshark to view WireGuard traffic on Windows to see what's happening to the DNS requests, nor do I know of another way to view traffic (if someone wants to point me at how to do that, or some other way to view network traffic on Windows, I'm happy to look at it).
>
> Anyway, thanks for the software. It's the best VPN software I've used by a mile.
>
> Andrew
>
> My Local Gateway/DNS is 192.168.86.1
> My Local IP is in 192.168.86.0/24 subnet
>
> Working Config 1
>
> [Interface]
> PrivateKey = XXXXX
> Address = 10.98.1.103/32
> DNS = 10.0.X.X, 10.0.Y.Y
>
> [Peer]
> PublicKey = XXXXXX
> AllowedIPs = 10.0.0.0/16, 10.98.1.0/24
> Endpoint = XXXXXXX
>
> Working Config 2
>
> [Interface]
> PrivateKey = XXXXX
> Address = 10.98.1.103/32
> DNS = 10.0.X.X, 10.0.Y.Y, 192.168.86.1
>
> [Peer]
> PublicKey = XXXXXX
> AllowedIPs = 10.0.0.0/16, 10.98.1.0/24, 198.168.7.12/32
> Endpoint = XXXXXXX
>
> NonWorking Config
>
> [Interface]
> PrivateKey = XXXXX
> Address = 10.98.1.103/32
> DNS = 10.0.X.X, 10.0.Y.Y
>
> [Peer]
> PublicKey = XXXXXX
> AllowedIPs = 10.0.0.0/16, 10.98.1.0/24, 198.168.7.12/32
> Endpoint = XXXXXXX
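To make the policy in the reply concrete, here is an added example (not code from the thread and not the wireguard-windows firewall implementation) that models it: given a WireGuard config and the resolvers a Windows host has configured across its adapters, it reports which resolvers the leak-protection rules would still permit and which would be blocked. The configs are the "Working Config 2" and "NonWorking Config" from the e-mail with the placeholder values (XXXXX, 10.0.X.X) swapped for made-up valid ones; the host resolver list is constructed for the example.

```python
import ipaddress
import re

# Constructed sample based on "Working Config 2" from the thread. The
# placeholder values from the e-mail (XXXXX, 10.0.X.X) are replaced with
# made-up but syntactically valid ones so the parser can run; the
# 198.168.7.12/32 entry is copied exactly as it was posted.
WORKING_CONFIG_2 = """
[Interface]
PrivateKey = XXXXX
Address = 10.98.1.103/32
DNS = 10.0.0.53, 10.0.1.53, 192.168.86.1

[Peer]
PublicKey = XXXXXX
AllowedIPs = 10.0.0.0/16, 10.98.1.0/24, 198.168.7.12/32
Endpoint = XXXXXXX
"""

# The "NonWorking Config" differs only in dropping the local router from DNS=.
NONWORKING_CONFIG = WORKING_CONFIG_2.replace(", 192.168.86.1", "")

# Constructed: resolvers the Windows host might have configured across all of
# its adapters (one on the remote network, the local router, a public one).
HOST_RESOLVERS = ["10.0.0.53", "192.168.86.1", "8.8.8.8"]


def parse_wg_config(text):
    """Minimal parser for the two keys this check needs: Interface.DNS and
    Peer.AllowedIPs. Returns {'dns': [ip_address...], 'allowed_ips': [ip_network...]}."""
    dns, allowed = [], []
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1).lower()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip().lower()
        values = [v.strip() for v in value.split(",") if v.strip()]
        if section == "interface" and key == "dns":
            for v in values:
                try:
                    dns.append(ipaddress.ip_address(v))
                except ValueError:
                    pass  # DNS= may also carry search domains; ignore those
        elif section == "peer" and key == "allowedips":
            allowed.extend(ipaddress.ip_network(v, strict=False) for v in values)
    return {"dns": dns, "allowed_ips": allowed}


def classify_resolvers(config_text, resolvers):
    """Model the policy described in the reply: DNS traffic is permitted only
    to servers listed under DNS=, everything else is blocked. For permitted
    servers, also report whether the address falls inside AllowedIPs (query
    goes through the tunnel) or is reached over the local network."""
    cfg = parse_wg_config(config_text)
    result = {}
    for r in resolvers:
        addr = ipaddress.ip_address(r)
        if addr not in cfg["dns"]:
            result[r] = "blocked"
        elif any(addr in net for net in cfg["allowed_ips"]):
            result[r] = "permitted-via-tunnel"
        else:
            result[r] = "permitted-local"
    return result


if __name__ == "__main__":
    for name, text in (("Working Config 2", WORKING_CONFIG_2),
                       ("NonWorking Config", NONWORKING_CONFIG)):
        print(name)
        for resolver, verdict in classify_resolvers(text, HOST_RESOLVERS).items():
            print(f"  {resolver:15} {verdict}")
```

Run against the two configs, the local router 192.168.86.1 comes out as permitted (reached locally, not through the tunnel) only when it is listed under DNS=, and as blocked otherwise, which is the behaviour the reply attributes to the leak-protection rules. The model is only the policy as stated in the reply; it does not reproduce the actual Windows Filtering Platform rules that wireguard-windows installs.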