I have run into the same issue. The best answer of course is not to rely on DNS but rather to provide the endpoint IP address. That of course is not always possible so I had to come up with what is best described as a very ugly hack. Very ugly. I use it to set up a 2nd VPN so it doesn't interfere with how astlinux manages startup/shutdown of VPNs.
In the firewall custom config I created a function that spawns off a background task which waits for DNS to come alive and then does whatever needs to be done (or fails after a timeout). It has been a long time since I wrote this, so I probably forgot some of the details. But this is a copy/paste from my custom firewall script with some very custom stuff removed. If the DNS service is detected as working, then I call another function start_vpn which is also in the same script... I've included a "simplified" version of that below too. I sure wish there was an easier way.

# VPN2IF, VPN2IP, VPN2IPV6, VPN2DNS, INTIF, INTIP and DHCPV6_CLIENT_PREFIX_LEN
# are set elsewhere in the custom firewall script / firewall environment.

wait_for_DNS() {
  local any_host="google.com"
  local RETRY PID IPV4
  local TIMEOUT=6

  echo "[CUSTOM RULE] spawn background to wait for DNS service"
  (
    RETRY=6
    while [ $RETRY -gt 0 ]; do
      RETRY=$((RETRY - 1))
      IPV4="$(host -t A $any_host | sed -n -r -e 's#^.* has address ([0-9.]+)$#\1#p')"
      if [ -n "$IPV4" ]; then
        # =============================================================
        # DNS Service must be up so safe to continue
        start_vpn "$VPN2IF" "$VPN2IP" "$VPN2IPV6" "$VPN2DNS"
        # =============================================================
        exit
      else
        logger -s -t CUSTOM_RULE -p user.info "DNS service not up, sleep for 5 seconds"
        sleep 5
      fi
    done
    logger -s -t CUSTOM_RULE -p user.error "Time out waiting for DNS service, dependent rules not set"
  ) &
  PID=$!

  # give the background task a few seconds, then return so boot is not held up
  while [ $TIMEOUT -gt 0 ] && kill -0 $PID >/dev/null 2>&1; do
    TIMEOUT=$((TIMEOUT - 1))
    sleep 1
  done
}

start_vpn() {
  local if_name="$1"
  local if_ip="$2"
  local if_ipv6="$3"
  local if_dns="$4"
  local INTNETS=""

  if [ -n "$if_name" ]; then
    if ip link show dev $if_name >/dev/null 2>&1; then
      echo "[CUSTOM RULE] VPN interface ($if_name) already exists, delete it"
      ip link delete dev $if_name
    fi

    # the IPv6 address is optional; the braces keep a failure of the earlier
    # commands from being swallowed (a bare "|| true" in the chain would)
    if ip link add dev $if_name type wireguard &&
       ip address add dev $if_name ${if_ip}/32 &&
       { [ -z "$if_ipv6" ] || ip address add dev $if_name ${if_ipv6}/64; } &&
       wg setconf $if_name /mnt/kd/wireguard/${if_name}.conf &&
       ip link set mtu 1340 up dev $if_name; then
      echo "[CUSTOM RULE] VPN interface ($if_name) created"
      # logger -s -t CUSTOM_RULE -p user.info "VPN interface ($if_name) created"
    else
      echo "[CUSTOM RULE] VPN2IF ($if_name) create failed"
      logger -s -t CUSTOM_RULE -p user.error "VPN interface ($if_name) create failed"
    fi

    # route DNS IP address over the VPN in default routing table
    ip route add $if_dns dev $if_name

    # create a new routing table (400) with default route to VPN interface
    # and send all packets marked with 0x8 bit to that table
    ip route add default dev $if_name table 400
    ip rule add from $INTIP/24 fwmark 0x8/0x8 table 400 priority 2000 >/dev/null 2>&1
    ip4tables -t mangle -A PREROUTING -d $INTIP/24 -j ACCEPT

    # make sure traffic from my internal interface is permitted to forward to/from the VPN interface
    ip4tables -A FORWARD_CHAIN -i $INTIF -o $if_name -j ACCEPT
    ip4tables -A FORWARD_CHAIN -i $if_name -o $INTIF -j ACCEPT

    # and NAT traffic over the VPN
    ip4tables -t nat -A NAT_POSTROUTING_CHAIN -s $INTIP/20 ! -d $INTIP/24 -o $if_name -j MASQUERADE

    if [ -n "$if_ipv6" ]; then
      # create a new routing table (400) with default route to VPN interface
      # and send all packets marked with 0x8 bit to that table
      ip -6 route add default dev $if_name table 400
      INTNETS=$(ip -6 -o addr show dev $INTIF scope global | awk '$3 == "inet6" { split($4, field, "/"); print field[1]; next; }')
      for net in $INTNETS; do
        ip -6 rule add from $net/$DHCPV6_CLIENT_PREFIX_LEN fwmark 0x8/0x8 table 400 priority 2000 >/dev/null 2>&1
        ip6tables -t mangle -A PREROUTING -d $net/$DHCPV6_CLIENT_PREFIX_LEN -j ACCEPT
      done

      # make sure traffic from my internal interface is permitted to forward to/from the VPN interface
      ip6tables -A FORWARD_CHAIN -i $INTIF -o $if_name -j ACCEPT
      ip6tables -A FORWARD_CHAIN -i $if_name -o $INTIF -j ACCEPT

      # and NAT traffic over the VPN
      for net in $INTNETS; do
        ip6tables -t nat -A POSTROUTING -s $net/$DHCPV6_CLIENT_PREFIX_LEN -o $if_name -j MASQUERADE
      done
    else
      # the VPN does not support IPv6 so drop all attempts to connect by IPv6
      ip6tables -I FORWARD_CHAIN -i $INTIF -j DROP
    fi
  fi
}

# start_vpn must already be defined when the background subshell is forked,
# so the call goes after both function definitions
wait_for_DNS

On Mon, Oct 31, 2022 at 11:04 PM Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
> Hi Group
>
> When using Wireguard with hostnames, I have noticed that if there is no
> DNS available, Wireguard prevents Astlinux from booting up for a very long
> period of time as it sits and waits for the resolution of the hostname it
> has in the peer configuration.
>
> Is there a way to prevent this from happening as it's very problematic?
>
> Regards
>
> Michael Knill
> Managing Director
>
> D: +61 2 6189 1360
> P: +61 2 6140 4656
> E: michael.kn...@ipcsolutions.com.au
> W: ipcsolutions.com.au
>
> Smarter Business Communications
>
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to
> pay...@krisk.org.
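Added example, not code from either poster: the same bounded DNS wait, but applied to the peer endpoint itself, so the resolution happens in a script with a timeout and wg is handed a literal IP:PORT instead of a hostname that can stall boot. RESOLVER, WG_CMD, dns_up/dns_down and the address 203.0.113.5 are assumptions or constructed stand-ins; the real script would run with the defaults (host and wg).

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes a POSIX shell
# (busybox ash or bash) with `host` and `wg` on PATH; the resolver and
# wg commands are injectable so the logic can run with no network.

# Extract the first IPv4 address from "host -t A" output; empty if none.
parse_host_a() {
    sed -n -E -e 's#^.* has address ([0-9.]+)$#\1#p' | head -n 1
}

# wait_for_dns NAME RETRIES DELAY
# Polls until NAME resolves (prints the address, returns 0) or gives up
# after RETRIES attempts (returns 1). RESOLVER defaults to "host -t A".
wait_for_dns() {
    local name="$1" retries="$2" delay="$3" ip=""
    while [ "$retries" -gt 0 ]; do
        ip="$(${RESOLVER:-host -t A} "$name" 2>/dev/null | parse_host_a)"
        if [ -n "$ip" ]; then
            printf '%s\n' "$ip"
            return 0
        fi
        retries=$((retries - 1))
        [ "$retries" -gt 0 ] && sleep "$delay"
    done
    return 1
}

# set_peer_endpoint IFACE PUBKEY NAME PORT
# Resolves NAME in userspace with a bounded wait and hands wg the literal
# IP:PORT, so the peer config file itself never carries a hostname.
set_peer_endpoint() {
    local iface="$1" pubkey="$2" name="$3" port="$4" ip
    ip="$(wait_for_dns "$name" 6 5)" || {
        logger -s -t CUSTOM_RULE -p user.error "no DNS for $name, endpoint for $iface not set"
        return 1
    }
    ${WG_CMD:-wg} set "$iface" peer "$pubkey" endpoint "$ip:$port"
}

# Constructed resolvers standing in for a DNS that is down / up.
dns_down() { return 1; }
dns_up()   { echo "$1 has address 203.0.113.5"; }
```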