LinuxQuestions.org
Old 04-06-2019, 04:29 PM   #1
mrrhq
LQ Newbie
WireGuard/DNS setup at home


I really need some help getting WireGuard to work properly from my Debian machine to my server at home.

Here are the goals that I want to achieve:

- Securely connect and tunnel all network connections from my Debian laptop to WireGuard local VPN at home
- Access the DNS of my router ONLY without ANY DNS LEAKS
- Ping all devices and connect/access all devices on the 192.168.1.0/24 subnet/network
- I want to avoid using wg-quick/resolveconf, and would prefer to just use systemd's networkd and resolved ONLY

Here is the current scenario of what's working, what's not working, and problems that I am facing:

- I can successfully establish a WireGuard peer connection from my laptop to my router at home using a properly resolved endpoint URL
- I can successfully connect to the Internet from my laptop (at hostname "lt-main")
- I believe the connection to the Internet is using the public-facing DNS server, but NOT my router's DNS server (at hostname "rt-main")
- I cannot ping or SSH to my router at its IP address (192.168.0.1) or with the name "rt-main" using the DNS domain search name "home" that I have set up on my router
- All of the above limitations (except for testing subnetwork access) are achievable from my phone, but NOT from my laptop

ONE MORE THING to keep in mind is that my router assigns NORMAL IPs in the broadcast range of 192.168.0.0/24 for DHCP, with the router's IP being at 192.168.0.1.
HOWEVER, the SUBNET IPs that I have set WireGuard to use are in the 192.168.1.0/24 broadcast range, with the WireGuard PEER/GATEWAY being at 192.168.1.1 !!!

I would PREFER TO HAVE THE VPN IPs KEPT THIS WAY IN THIS SEPARATED SUBNET, as was recommended by people for some reason.... I guess it has to do with extra security or whatever.

I really want to point out again that MY PHONE WORKS JUST FINE WITH WIREGUARD! But it's just this freaking laptop that's having issues, and I don't know why... It's so frustrating...

Another thing to keep in mind is that I have ZERO, and I mean Z-E-R-O experience with most networking concepts like routing and routing tables. NO idea how they work.
If anyone has any SOLUTIONS for this problem, please let me know. I have been struggling with this stupid problem for about 3 DAYS!

Also, one of the reasons I've been struggling with this problem for so long was that, for some reason, it was never, ever fully explained to me WHY I would need to change the "AllowedIPs" section on my server to NOT be the default gateway at 0.0.0.0/0, but instead, it should be just one IP (with a subnet mask of /32) such as 192.168.1.3/32.

So I have fixed that error myself. Basically, on the server side, before then, "AllowedIPs" for my laptop would be "(none)", and the "AllowedIPs" for my smartphone (hostname "pd-phone") was the default gateway 0.0.0.0/0, so I was like, huh, this is strange, why is AllowedIPs set to none?? That didn't sound right at all. Turns out, it wasn't right. I didn't know before then that I wasn't supposed to have two default gateway destinations on two different peers like that on my WireGuard server. Anyway, I guess I learned my lesson there, and just set the AllowedIPs to be more restrictive now, so now my laptop is 192.168.1.3/24 and my smartphone is 192.168.1.4/24, so hooray, I solved at least one networking problem without anyone's help.

But this one still stumps me. I'm nearly 99% sure it has to do with some networking/routing BS on my laptop that I have no time or willingness to learn or understand at the current time... Can anyone help me out, please?

(With ALL of that out of the way, here is some debugging information below that may be useful...)

----

# Systemd Networkd from lt-main Client
```
# networkctl
IDX LINK TYPE OPERATIONAL SETUP
1 lo loopback carrier configured
2 wg0 wireguard routable configured
3 wlp1s0 wlan routable configured

3 links listed.
```
----

# Systemd Resolve from lt-main Client
```
# resolvectl
Global
LLMNR setting: yes
MulticastDNS setting: yes
DNSOverTLS setting: no
DNSSEC setting: allow-downgrade
DNSSEC supported: no
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
17.172.in-addr.arpa
18.172.in-addr.arpa
19.172.in-addr.arpa
20.172.in-addr.arpa
21.172.in-addr.arpa
22.172.in-addr.arpa
23.172.in-addr.arpa
24.172.in-addr.arpa
25.172.in-addr.arpa
26.172.in-addr.arpa
27.172.in-addr.arpa
28.172.in-addr.arpa
29.172.in-addr.arpa
30.172.in-addr.arpa
31.172.in-addr.arpa
corp
d.f.ip6.arpa
home
internal
intranet
lan
local
private
test

Link 3 (wlp1s0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: allow-downgrade
DNSSEC supported: yes
Current DNS Server: 2001:558:feed::1
DNS Servers: 2001:558:feed::2
2001:558:feed::1

Link 2 (wg0)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: allow-downgrade
DNSSEC supported: no
Current DNS Server: 192.168.0.1
DNS Servers: 192.168.0.1
DNS Domain: home
```
----

# IP Route From lt-main Client
```
# ip route
default via 192.168.0.1 dev wlp1s0 proto dhcp src 192.168.0.14 metric 1024
192.168.0.0/24 dev wlp1s0 proto kernel scope link src 192.168.0.14
192.168.0.1 dev wlp1s0 proto dhcp scope link src 192.168.0.14 metric 1024
```
----

# IP Addr from lt-main Client
```
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 192.168.1.3/32 scope global wg0
valid_lft forever preferred_lft forever
3: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 18:cf:5e:fc:6a:03 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.14/24 brd 192.168.0.255 scope global dynamic wlp1s0
valid_lft 84751sec preferred_lft 84751sec
inet6 2601:1c2:280:200:1acf:5eff:fefc:6a03/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 345600sec preferred_lft 345600sec
inet6 fe80::1acf:5eff:fefc:6a03/64 scope link
valid_lft forever preferred_lft forever
```
----

# WG Show from lt-main Client
```
# wg show
interface: wg0
public key: <REDACTED>
private key: (hidden)
listening port: 42551

peer: <REDACTED>
endpoint: 71.34.102.49:51820
allowed ips: 0.0.0.0/0
latest handshake: 23 seconds ago
transfer: 2.89 KiB received, 15.39 KiB sent
persistent keepalive: every 25 seconds
```
----

# WG Show from rt-main Server
```
# wg show
interface: wg0
public key: <REDACTED>
private key: (hidden)
listening port: 51820

peer: <REDACTED> (wg-lt-main)
endpoint: 67.160.156.8:42551
allowed ips: 192.168.1.3/32
latest handshake: 54 seconds ago
transfer: 17.62 KiB received, 724.62 KiB sent
persistent keepalive: every 25 seconds

peer: <REDACTED> (wg-pd-phone)
endpoint: 67.160.156.8:59302
allowed ips: 192.168.1.4/32
latest handshake: 1 minute, 2 seconds ago
transfer: 863.62 KiB received, 5.65 MiB sent
persistent keepalive: every 25 seconds
```
----

# Client file "/etc/systemd/network/wg0.netdev" from lt-main
```
[NetDev]
Name=wg0
Kind=wireguard
Description=wg-lt-main

[WireGuard]
PrivateKey=<REDACTED>
ListenPort=auto

[WireGuardPeer]
PublicKey=<REDACTED>
AllowedIPs=0.0.0.0/0
Endpoint=tyvm.mooo.com:51820
PersistentKeepalive=25
```
----

# Client file "/etc/systemd/network/wg0.network" from lt-main
```
[Match]
Name=wg0

[Network]
Address=192.168.1.3/32
DNS=192.168.0.1
Domains=home

[Route]
Gateway=192.168.0.1
Destination=0.0.0.0/0
#GatewayOnlink=true # Commented out for now
```
----

# Client file "/etc/systemd/network/wireless.network" from lt-main
```
[Match]
Name=wlp1*

[Network]
DHCP=yes

[DHCP]
UseDNS=no
UseDomains=no
```

Last edited by mrrhq; 04-13-2019 at 03:20 PM.
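
Added example (not from the original post): a small Python model of the kernel's longest-prefix route lookup, run over the `ip route` table quoted above, to show which interface traffic to the DNS server configured on wg0 (192.168.0.1) and to the 192.168.1.0/24 VPN subnet would actually leave through. It models only the kernel routing table, not systemd-resolved's per-link DefaultRoute choice; the `add_route` helper and the extra 192.168.1.0/24 route it adds are assumptions for illustration, not the poster's configuration.

```python
import ipaddress

# Routing table copied from the `ip route` output quoted in the post (lt-main client).
IP_ROUTE_OUTPUT = """\
default via 192.168.0.1 dev wlp1s0 proto dhcp src 192.168.0.14 metric 1024
192.168.0.0/24 dev wlp1s0 proto kernel scope link src 192.168.0.14
192.168.0.1 dev wlp1s0 proto dhcp scope link src 192.168.0.14 metric 1024
"""

def parse_routes(text):
    """Turn `ip route` lines into (network, device, metric) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)   # bare host address -> /32
        dev = fields[fields.index("dev") + 1]
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append((net, dev, metric))
    return routes

def add_route(routes, cidr, dev, metric=0):
    """Copy of the table with one extra route (hypothetical, for illustration only)."""
    return routes + [(ipaddress.ip_network(cidr), dev, metric)]

def egress_dev(routes, dst):
    """Device the kernel would pick: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    net, dev, metric = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return dev

def dns_leaks(routes, dns_server, vpn_dev="wg0"):
    """True when queries to dns_server would leave via a device other than the VPN."""
    return egress_dev(routes, dns_server) != vpn_dev

if __name__ == "__main__":
    table = parse_routes(IP_ROUTE_OUTPUT)
    for target in ("192.168.0.1", "192.168.1.1", "8.8.8.8"):
        print(f"{target:>12} -> {egress_dev(table, target)}")
    print("wg0 DNS server reached outside the tunnel:", dns_leaks(table, "192.168.0.1"))
    fixed = add_route(table, "192.168.1.0/24", "wg0")   # assumed fix route
    print("after adding 192.168.1.0/24 via wg0:", egress_dev(fixed, "192.168.1.1"))
```

With the quoted table every destination, including the DNS server that resolved uses for wg0, is sent out wlp1s0; only after a route covering the VPN subnet points at wg0 does 192.168.1.1 use the tunnel.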
 
Old 04-13-2019, 03:20 PM   #2
mrrhq
LQ Newbie
Original Poster
Bump.

I edited the post to have a lot more details.