I was just looking into a similar issue recently and it looks like WireGuard on 
Windows adds firewall rules blocking all DNS servers except for its configured 
DNS servers, with no option to disable.

I know for us it would be very helpful to at least have an option to disable 
this behavior, as it is very surprising behavior that makes more complicated 
setups more difficult to impossible to do correctly.

-----Original Message-----
From: WireGuard <[email protected]> On Behalf Of Andrew Burkett
Sent: Friday, July 10, 2020 5:31 PM
To: [email protected]
Subject: DNS Issues with Wireguard for Windows

I was running into DNS issues with WireGuard on Windows using the released GUI 
app. It seems like a bug with WireGuard, but I'm not sure if it was actually 
something about my networking configs that messed it up. I was able to work 
around the issue by changing the WireGuard config (in a way that seemed odd to 
me), but I thought it might be useful to share what I was seeing in case it's 
helpful to others or if it is in fact a bug in WireGuard. I'll share the 
configs at the bottom of the email, but I'm just going to describe what I'm 
seeing first.

My basic setup is I have WireGuard running on a Linux box functioning as a 
server/router to a remote network. I've got a Windows desktop connecting to the 
Linux box via WireGuard. There are DNS servers on the remote network that I 
would like to use from the desktop. I added the DNS servers from the remote 
network to my desktop WireGuard config. Everything was working fine for a while. 
At some point, my Windows box started complaining about not being connected to 
the internet. I was able to pinpoint it with some confidence to DNS requests 
failing when WireGuard was connected. Even though Windows was complaining about 
not having a network connection, my browser still worked, though it seemed slow, 
so I assumed it was trying a DNS server and then falling back to a different 
one after a timeout (at least that was my guess). The "cause" of the problem 
was adding 192.168.7.12/32 to the AllowedIPs on the peer (the WireGuard network 
in my case is 10.98.1.0/24 and the rest of the network is under 10.0.X.X). 
After adding it and waiting for a couple of hours, Windows will inevitably 
claim that there is no internet access from my network adapter. Sometimes 
nslookup and ping still work fine, sometimes they start to report errors. My 
solution that reliably fixes it is to add my local DNS server (which is my 
local router in this case, 192.168.86.1) to the DNS section of the WireGuard 
config, which seems like an odd fix since I'm not actually sending local DNS 
traffic to WireGuard.

I couldn't figure out how to use Wireshark to view WireGuard traffic on Windows 
to see what's happening to the DNS requests, nor do I know of another way to 
view traffic (if someone wants to point me at how to do that, or some other way 
to view network traffic on Windows, I'm happy to look at it).

Anyway, thanks for the software. It's the best VPN software I've used by a mile.

Andrew

My Local Gateway/DNS is 192.168.86.1
My Local IP is in 192.168.86.0/24 subnet

Working Config 1

[Interface]
PrivateKey = XXXXX
Address = 10.98.1.103/32
DNS = 10.0.X.X, 10.0.Y.Y

[Peer]
PublicKey = XXXXXX
AllowedIPs = 10.0.0.0/16, 10.98.1.0/24
Endpoint = XXXXXXX

Working Config 2

[Interface]
PrivateKey = XXXXX
Address = 10.98.1.103/32
DNS = 10.0.X.X, 10.0.Y.Y, 192.168.86.1

[Peer]
PublicKey = XXXXXX
AllowedIPs = 10.0.0.0/16, 10.98.1.0/24, 198.168.7.12/32
Endpoint = XXXXXXX

NonWorking Config

[Interface]
PrivateKey = XXXXX
Address = 10.98.1.103/32
DNS = 10.0.X.X, 10.0.Y.Y

[Peer]
PublicKey = XXXXXX
AllowedIPs = 10.0.0.0/16, 10.98.1.0/24, 198.168.7.12/32
Endpoint = XXXXXXX
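As an added example (not code from the thread), a small Python check of a wg-quick style config for the behaviour described in the reply above: once DNS= is set, WireGuard for Windows only permits the listed resolvers, so a local resolver such as 192.168.86.1 that is missing from DNS= is flagged, and each listed resolver is classified by whether its address falls inside AllowedIPs. The sample config is constructed from the NonWorking Config, with 10.0.0.53 and 10.0.0.54 standing in for the redacted 10.0.X.X and 10.0.Y.Y.

```python
import ipaddress

# Constructed sample modelled on the thread's "NonWorking Config"; the local
# gateway 192.168.86.1 is absent from DNS=, and 10.0.0.53/10.0.0.54 are
# stand-in values for the poster's redacted 10.0.X.X / 10.0.Y.Y.
SAMPLE_CONF = """
[Interface]
PrivateKey = XXXXX
Address = 10.98.1.103/32
DNS = 10.0.0.53, 10.0.0.54

[Peer]
PublicKey = XXXXXX
AllowedIPs = 10.0.0.0/16, 10.98.1.0/24, 198.168.7.12/32
Endpoint = XXXXXXX
"""
# Same config with the fix the poster found (local resolver added to DNS=).
FIXED_CONF = SAMPLE_CONF.replace("DNS = 10.0.0.53, 10.0.0.54",
                                 "DNS = 10.0.0.53, 10.0.0.54, 192.168.86.1")

def parse_wg(text):
    """Return (dns_servers, allowed_networks) from a wg-quick style config."""
    dns, allowed, section = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        key, _, value = line.partition("=")      # keys are before the first '='
        items = [v.strip() for v in value.split(",") if v.strip()]
        if section == "interface" and key.strip() == "DNS":
            for v in items:
                try:
                    dns.append(ipaddress.ip_address(v))
                except ValueError:
                    pass                         # search domains are not IPs
        elif section == "peer" and key.strip() == "AllowedIPs":
            allowed += [ipaddress.ip_network(v, strict=False) for v in items]
    return dns, allowed

def dns_report(text, local_resolvers):
    """Map each resolver to 'tunnel', 'local-adapter' or a BLOCKED warning."""
    dns, allowed = parse_wg(text)
    report = {str(ip): ("tunnel" if any(ip in net for net in allowed)
                        else "local-adapter") for ip in dns}
    for ip in map(ipaddress.ip_address, local_resolvers):
        if ip not in dns:                        # Windows client blocks it
            report[str(ip)] = "BLOCKED: not listed in DNS="
    return report

if __name__ == "__main__":
    for name, conf in (("nonworking", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        print(name, dns_report(conf, ["192.168.86.1"]))
```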
