> On 4 Feb 2020, at 17:39, Ryan Quinn <jollyrogue@xxxxxxxxxxxxxxxxx> wrote:
>
> I have a Fedora 31 box acting as a Wireguard VPN server. Everything with Wireguard is working great. Traffic is flowing in both directions, and my packets are protected. DNS is getting resolved by Quad9.
>
> As an enhancement, I've installed PowerDNS Recursor on the server to respond to DNS queries. The recursor is working fine for the server, but I can't get the Wireguard clients access to the recursor. I'm assuming this is a problem with my firewalld rules, but I don't have a lot of experience building Linux based routers, which means it could be anything.

The DNS for your clients I would expect to be:

DNS = 192.168.13.1

and not include the 9.9.9.9, because your 192.168.13.1 DNS server will deal with using 9.9.9.9 if it's not a locally defined name, I'm guessing?

Can you use "dig" on the client to test DNS lookups?

When I got stuck I found the IRC #wireguard channel on freenode had people that are knowledgeable and helped me.

Barry

> Thoughts on what I'm missing here?
>
> Firewalld Default Zone:
>
> firewall-cmd --list-all
> FedoraServer (active)
>   target: default
>   icmp-block-inversion: no
>   interfaces: ens3 ens7
>   sources:
>   services: dhcpv6-client ssh wireguard
>   ports:
>   protocols:
>   masquerade: yes
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:
>     rule family="ipv6" source ipset="sshguard6" drop
>     rule family="ipv4" source ipset="sshguard4" drop
> ----------
>
> Internal Zone with the Wireguard interface and network added to it:
>
> firewall-cmd --list-all --zone=internal
> internal (active)
>   target: default
>   icmp-block-inversion: no
>   interfaces: wg0
>   sources: 192.168.13.0/24
>   services: dhcpv6-client dns ssh wireguard
>   ports:
>   protocols:
>   masquerade: yes
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:
>
> ------------
> If it helps...
>
> Wireguard Client Config:
>
> [Interface]
> PrivateKey = <private key>
> Address = 192.168.13.10/32
> DNS = 192.168.13.1, 9.9.9.9
>
> [Peer]
> PublicKey = <server public key>
> PresharedKey = <psk>
> AllowedIPs = ::/0, 0.0.0.0/0
> Endpoint = wgg.domain.tld:2350
> PersistentKeepalive = 25
>
> ----------
>
> Wireguard server config:
>
> [Interface]
> PrivateKey = <private key>
> Address = 192.168.13.1/24
> ListenPort = 2350
>
> [Peer]
> PublicKey = <client public key>
> AllowedIPs = 192.168.13.10/32
> PreSharedKey = <psk>
> _______________________________________________
> users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
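A small consistency check, added here as an example and not code from either poster: it parses constructed excerpts of the client config and the internal zone listing quoted in the thread and reports, for each resolver in the client's DNS line, whether it sits on the tunnel subnet behind a zone that exposes the dns service on wg0, or is an off-tunnel resolver that is routed through the VPN and so bypasses the recursor (Barry's point about dropping 9.9.9.9). The parsers assume wg-quick INI syntax and the field layout of firewall-cmd --list-all.

```python
import ipaddress
# Constructed excerpt of the client config posted in the thread (keys omitted).
CLIENT_CONF = """\
[Interface]
Address = 192.168.13.10/32
DNS = 192.168.13.1, 9.9.9.9

[Peer]
AllowedIPs = ::/0, 0.0.0.0/0
"""
# Constructed excerpt of `firewall-cmd --list-all --zone=internal` from the thread.
ZONE_LISTING = """\
internal (active)
  interfaces: wg0
  sources: 192.168.13.0/24
  services: dhcpv6-client dns ssh wireguard
"""

def parse_wg(text):
    """Return {section: {key: [values]}} from an INI-style wg-quick config."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("["):
            current = sections.setdefault(line.strip("[]"), {})
        elif line:
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), []).extend(v.strip() for v in value.split(","))
    return sections

def parse_zone(text):
    # First line is the zone name; the rest are "field: tokens" lines.
    fields = {}
    for line in text.splitlines()[1:]:
        key, _, value = line.strip().partition(":")
        fields[key] = value.split()
    return fields

def check_dns_path(client_conf, zone_listing):
    # One finding per resolver that tunnel clients cannot or should not be using.
    client, zone = parse_wg(client_conf), parse_zone(zone_listing)
    tunnel = [ipaddress.ip_network(s) for s in zone.get("sources", [])]
    routed = [ipaddress.ip_network(a) for a in client["Peer"]["AllowedIPs"]]
    zone_serves_dns = "wg0" in zone.get("interfaces", []) and "dns" in zone.get("services", [])
    findings = []
    for dns in client["Interface"]["DNS"]:
        ip = ipaddress.ip_address(dns)
        if any(ip in n for n in tunnel):
            if not zone_serves_dns:  # in-tunnel resolver needs dns opened on wg0's zone
                findings.append(f"{dns}: zone holding wg0 does not allow dns")
        elif any(ip in n for n in routed):  # carried through the tunnel, then masqueraded out
            findings.append(f"{dns}: off-tunnel resolver, bypasses the local recursor")
    return findings
```

Run against the thread's own data it flags only 9.9.9.9; removing dns from the zone's services makes it flag 192.168.13.1 as well.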