Question for those who use WireGuard

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Question for those who use WireGuard

Ge0rge

2055 posts

Uber Geek

Trusted

Lifetime subscriber

#290179 25-Oct-2021 21:40

I've been using WireGuard VPN to be able to connect to my home LAN remotely for quite some time, however I noticed some behaviour today that made me question if I knew just what I thought it was doing, or indeed how private the data in the tunnel is.

Was at a mate's place who's ISP (Spark) has some very strict content filters done at the ISP level, not at his home network level. I have WireGuard configured on my phone to connect back to my unRaid server in "Remote Tunneled Access" mode - access to both my network and internet as if I was at home on my LAN. Connecting to his WiFi and then turning WireGuard on I could access addresses on my home LAN - WireGuard was connected correctly. I then searched for a few terms that would trigger his ISP's content filter, and I was redirected to the "access denied" page from Spark. I thought this wasn't possible? Surely my search should have been directed through the tunnel and out my home ISP? How is his ISP capturing the data in the tunnel between my phone and my server? We both use different ISPs (I'm on Voyager), so it was obvious that it was Spark filtering/restricting my VPN traffic, not Voyager.

Things I tried:

Connect to my home lan via data/WireGuard - no restrictions.
Connect to my home lan via mate's Wifi/WireGuard - content restrictions.
Check "My IP" while connected via mate's WiFi/WireGuard - showed my home static address.

Interestingly, I turned on the bundled VPN in the latest Opera mobile browser while connected to mate's WiFI - "My IP" showed an address in Sweden, and the same searches that would trigger the content filter while connected to my VPN would now work without restriction.

This experience has shaken my faith in using WireGuard on insecure networks, say coffee shops etc, as it seems as if a "man in the middle" is able to read the supposedly-encrypted traffic between my device and my server. I'd really appreciate if someone was able to cast some light on just what is going on here.

Thanks.

Lias

5589 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#2801097 25-Oct-2021 22:16

I'm not familiar with wireguard specifically, but I can think of a couple of scenarios:

A: The Spark content restriction is by DNS, and you're still using their DNS issued via DHCP from his router to your device. Readily testable by disabling DHCP set DNS and using cloudflare, google, or another public resolver.

B: You've managed to end up with some sort of split horizon config going on when you want a full tunnel (but given your 3rd point I'm leaning towards A)

I'm a geek, a gamer, a dad, a Quic user, and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it. If you use my Quic signup you can also use the code R570394EKGIZ8 for free setup.

KiwiSurfer

1453 posts

Uber Geek

ID Verified

Lifetime subscriber

#2801098 25-Oct-2021 22:17

Sounds like your device is using the local LAN DNS servers rather than the one on your own LAN?

siyuan

189 posts

Master Geek

Lifetime subscriber

#2801099 25-Oct-2021 22:19

Are you sure you have set 0.0.0.0/0 or ::/0 in the allowed IPs? These will route your traffic through your WireGuard peer.

networkn

Networkn
32351 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#2801100 25-Oct-2021 22:19

Which default gateway is showing as being used when the VPN is connected ?

michaelmurfy

meow
13252 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#2801101 25-Oct-2021 22:28

This sounds like you've got a bit of a misconfiguration.

I've got Wireguard running on a single board computer personally which is configured to send all traffic over the VPN if I am out - this way, I am using my own internet connection when I connect back to it as everything, including DNS is tunneled. I have full bets this will work with Sparks content filtering.

Taken from: https://forums.unraid.net/topic/84226-wireguard-quickstart/ there are several ways you can configure Wireguard on UnRaid:

Remote Tunneled is the way to go as it'll also tunnel the internet connection. It is important that you specify some local DNS servers on your end network in your Wireguard configuration (and not just leave this blank as it'll automatically use whatever DNS servers are on the end client) and also redeploy the configuration every time you make wireguard configuration changes on the remote (UnRaid) end.

Other than that, assuming you've got everything set up correctly then you'll have no problems with a full tunnel. I personally use my own VPN to tunnel on untrusted networks (or to break past network restrictions where necessary) with success but it just sounds like you're missing DNS from your configuration to me.

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

Ge0rge

2055 posts

Uber Geek

Trusted

Lifetime subscriber

#2801158 26-Oct-2021 09:40

Awesome, thanks very much for the pointers.

I've got 0.0.0.0/0 set in the allowed IPs and it is definitely set to Remote Tunnel. It would appear that I haven't correctly configured the DNS - when I open the client and look at the settings for "Interface", DNS servers is blank.

I'll look into how I set those correctly - I guess I'd like it to use my Pi Hole so I don't get served ads when browsing via the VPN.

Thanks again all.

timmmay

20580 posts

Uber Geek

Trusted

Lifetime subscriber

#2801184 26-Oct-2021 10:32

I can't help as such, but when I use a standard VPN back to my Fritzbox I know DNS is tunneled because Pi Hole ad blocking works. I use Wireguard to get out to a US based server sometimes, not sure what DNS it uses.

Quic Broadband

Move to New Zealand's best fibre broadband service (affiliate link). Free setup code: R587125ERQ6VE. Note that to use Quic Broadband you must be comfortable with configuring your own router.

Ge0rge

2055 posts

Uber Geek

Trusted

Lifetime subscriber

#2801201 26-Oct-2021 10:47

Thanks timmmay. I've been playing with changing the DNS for Wireguard in the client, but so far making changes to that to point at my Pi Hole or my router is just breaking access. It might be something I need to do at the server end to allow access to the Pi Hole - but in saying that, with the VPN on I can point at the local address and access that with no issues.

Someone will have done this before me, just need to find where!

timmmay

20580 posts

Uber Geek

Trusted

Lifetime subscriber

#2801249 26-Oct-2021 11:33

I put a quick tutorial on how to get Android VPN working with Fritzbox somewhere on Geekzone, if that helps. Android 12 is marking the algorithm as insecure, but Android 11 was ok with it.