
Comments (5)

Place1 commented on August 29, 2024

Your config looks correct here. I actually run a similar setup for my own home network using a pihole container.

I've networked both wg-access-server and pihole within a shared docker-network. I expose the containers using standard port binding i.e. --port 53:53.

When I change my configuration to use the pihole's LAN ip rather than its docker network hostname (i.e. to match your config) I get the same error.

I'll do some digging and see what I can find.

from wg-access-server.

Place1 commented on August 29, 2024

From running a tcpdump (`sudo tcpdump -i any -n udp port 53`) on my docker host I can see a difference in routing between the two approaches.

When attaching wg-access-server and pihole to a shared docker network (i.e. docker network create) and using their docker-network IPs (or hostnames):

```
# wg-access-server is `172.18.0.2`
# pihole is `172.18.0.4`
14:53:07.442081 IP 172.18.0.2.49694 > 172.18.0.4.53: 5217+ A? www.msftconnecttest.com. (41)
14:53:07.442180 IP 172.18.0.2.49694 > 172.18.0.4.53: 5217+ A? www.msftconnecttest.com. (41)
# ...
14:53:07.462756 IP 172.18.0.4.53 > 172.18.0.2.49694: 5217 4/0/0 CNAME v4ncsi.msedge.net., CNAME ncsi.4-c-0003.c-msedge.net., CNAME 4-c-0003.c-msedge.net., A 13.107.4.52 (139)
14:53:07.462801 IP 172.18.0.4.53 > 172.18.0.2.49694: 5217 4/0/0 CNAME v4ncsi.msedge.net., CNAME ncsi.4-c-0003.c-msedge.net., CNAME 4-c-0003.c-msedge.net., A 13.107.4.52 (139)
```

When using pihole's LAN ip address from wg-access-server:

```
# wg-access-server is 172.17.0.3
# pihole is 192.168.0.50
14:48:31.943458 IP 172.17.0.3.46070 > 192.168.0.50.53: 21285+ A? www.msftconnecttest.com. (41)
14:48:31.943913 IP 172.17.0.1.34227 > 172.17.0.8.53: 21285+ A? www.msftconnecttest.com. (41)
# ...
14:48:31.964630 IP 172.17.0.8.53 > 172.17.0.1.34227: 21285 4/0/0 CNAME v4ncsi.msedge.net., CNAME ncsi.4-c-0003.c-msedge.net., CNAME 4-c-0003.c-msedge.net., A 13.107.4.52 (139)
14:48:31.964989 IP 172.17.0.1.53 > 172.17.0.3.46070: 21285 4/0/0 CNAME v4ncsi.msedge.net., CNAME ncsi.4-c-0003.c-msedge.net., CNAME 4-c-0003.c-msedge.net., A 13.107.4.52 (139)
```

I think this shows the issue. When using the LAN IP, docker's networking breaks DNS responses coming back to wg-access-server. The DNS response is expected from 192.168.0.50:53 but wg-access-server sees a response from 172.17.0.1:53.

wg-access-server logs an i/o timeout because as far as it's concerned it never received a reply from 192.168.0.50:53.

I believe this is the root cause; I'll need to skill up a bit on the fundamentals at play here in regards to docker's networking to figure out a solution.

from wg-access-server.
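The mismatch described in the comment above, as an added example (not part of the original thread and not wg-access-server code): a short Python script that pairs each DNS query in `tcpdump -n` output with replies carrying the same transaction ID and reports any reply whose source differs from the address the client queried. The function and variable names are hypothetical; the sample lines are the ones quoted in the comment.

```python
import re

# tcpdump -n line: "<time> IP <src>.<port> > <dst>.<port>: <dns-id><flags> <rest>"
LINE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<id>\d+)\S* (?P<rest>.*)$"
)
# Only responses carry answer/authority/additional counts such as "4/0/0".
COUNTS = re.compile(r"\b\d+/\d+/\d+\b")

# The capture lines quoted in the comment above (elided "# ..." lines omitted).
SHARED_NETWORK = """\
14:53:07.442081 IP 172.18.0.2.49694 > 172.18.0.4.53: 5217+ A? www.msftconnecttest.com. (41)
14:53:07.442180 IP 172.18.0.2.49694 > 172.18.0.4.53: 5217+ A? www.msftconnecttest.com. (41)
14:53:07.462756 IP 172.18.0.4.53 > 172.18.0.2.49694: 5217 4/0/0 CNAME v4ncsi.msedge.net., CNAME ncsi.4-c-0003.c-msedge.net., CNAME 4-c-0003.c-msedge.net., A 13.107.4.52 (139)
14:53:07.462801 IP 172.18.0.4.53 > 172.18.0.2.49694: 5217 4/0/0 CNAME v4ncsi.msedge.net., CNAME ncsi.4-c-0003.c-msedge.net., CNAME 4-c-0003.c-msedge.net., A 13.107.4.52 (139)
"""
LAN_IP = """\
14:48:31.943458 IP 172.17.0.3.46070 > 192.168.0.50.53: 21285+ A? www.msftconnecttest.com. (41)
14:48:31.943913 IP 172.17.0.1.34227 > 172.17.0.8.53: 21285+ A? www.msftconnecttest.com. (41)
14:48:31.964630 IP 172.17.0.8.53 > 172.17.0.1.34227: 21285 4/0/0 CNAME v4ncsi.msedge.net., CNAME ncsi.4-c-0003.c-msedge.net., CNAME 4-c-0003.c-msedge.net., A 13.107.4.52 (139)
14:48:31.964989 IP 172.17.0.1.53 > 172.17.0.3.46070: 21285 4/0/0 CNAME v4ncsi.msedge.net., CNAME ncsi.4-c-0003.c-msedge.net., CNAME 4-c-0003.c-msedge.net., A 13.107.4.52 (139)
"""

def find_mismatched_replies(capture):
    """Return replies whose source differs from the server the client queried."""
    queried = {}   # (client endpoint, DNS id) -> server endpoint the query went to
    findings = []
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # comments and non-DNS lines
        src = (m["src"], int(m["sport"]))
        dst = (m["dst"], int(m["dport"]))
        dns_id = int(m["id"])
        if not COUNTS.search(m["rest"]):
            queried[(src, dns_id)] = dst  # query: remember where it was addressed
            continue
        expected = queried.get((dst, dns_id))
        if expected is not None and expected != src:
            # A client that only accepts replies from `expected` ignores this packet.
            findings.append({"client": dst, "dns_id": dns_id,
                             "queried": expected, "reply_from": src})
    return findings

if __name__ == "__main__":
    for name, capture in (("shared network", SHARED_NETWORK), ("LAN IP", LAN_IP)):
        print(name, find_mismatched_replies(capture))
```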

Place1 commented on August 29, 2024

Given I don't have a solution for you yet I recommend placing your vpn + dns containers in the same docker network and then using the dns server's hostname rather than its LAN ip to connect (so that wg-access-server connects to it via the shared docker-network).


ovizii commented on August 29, 2024

Sounds like good advice, I'll give it a try asap. Thanks for digging that deep into the issue. I'll close the issue for now.


commented on August 29, 2024

> I recommend placing your vpn + dns containers in the same docker network

Sorry to jump in and reopen the issue, but I attempted to follow this advice. When I did so in a single docker compose, I found that wg-access-server would use port 53, preventing pi-hole from launching, so I couldn't run both in the same container. Sometimes it would be the opposite way around, with pi-hole launching but wg-access-server not, but either way the only way I saw to fix it was to place them in separate docker-composes and therefore in separate docker networks. Any updates on the underlying issue of not receiving a reply from the correct ip? I also tried setting the upstream ip to that of the dns filter's docker network as it appears to the host (instead of that of the host itself), but no dice.

