Looking to replace WireGuard Windows Client

Home Forums Discussions Support Portal Looking to replace WireGuard Windows Client

Viewing 15 posts - 1 through 15 (of 17 total)
  • Author
    Posts
  • #12163
    alanplum
    Participant

    Hi,

    We currently use the official Wireguard Windows Client, but ever since they introduced the new kernel mode driver we have been finding issues. Rolling back to 0.4.7 with the WinTun seems to resolve, which is why I have come across your software.

    I did a test install using an existing config file, and whilst the tunnel is up (running as a service) I can ping the internal network, DNS requests are not working as expected.

    We use DNS=172.16.0.1 in our config that points to *our* DNS inside the tunnel, but it seems that WireSock isnt honouring that.

    I tested it by connecting to a mobile hotspot, which has both IPv6/IPv4.  Our internal network is IPv4 only. It seems that nslookup is insisting on using the IPv6 link local rather than using 172.16.0.1, and therefore not resolving our internal servers, from our internal DNS.

    Any ideas on what is wrong here?  To be clear, the existing config works fine with the office WG client, and does as expected.

    #12165
    Vadim Smirnov
    Keymaster

    Hmm, while standard WireGuard adds a virtual NIC with an assigned IP address along with the appropriate DNS servers, Wiresock implements the same using Network Address Translation (NAT). For example, the outgoing DNS request is NAT translated to the DNS server taken from the configuration file. However, meanwhile, an IPv4 DNS query is only translated to IPv4, and IPv6 is only translated to IPv6. There is no address translation between IPv4 and IPv6 DNS queries.

    I’m not 100% sure, but I suspect your case may be related to these IPv4/IPv6 DNS server differences. If you’re interested, we could analyze this issue in more detail to find a workaround.

    P.S. You can try disabling IPv6 on your mobile hotspot to see if this is the case.

    #12167
    alanplum
    Participant

    Just to be clear….none of our *wireguard client configs* use IPv6, but the *laptops themselves* may on the local network..  If it helps, when I nslookup using the WG client, i get this…(This is dual stack on my LAN at home)

    nslookup someserver

    SERVER: mydnsserver.mydomain.com

    ADDRESS: 172.16.0.1

    SO definitely going to the correct IPv4 server. (I dont have an IPv6 DNS server)

    When using your software it returns some arbitrary link local V6 DNS server.  I mean I could disable IPv6 on the laptop and test again, but wouldn’t want that as a solution.

    Please see below for a sample client config with secrets removed:

    [Interface]
    Address = 10.172.16.10/24
    ListenPort = 51800
    PrivateKey = *MASKED*
    DNS = 172.16.0.1,172.16.0.6

    [Peer]
    PublicKey = *MASKED*
    PresharedKey = *MASKED*
    AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1
    Endpoint = MYIPV4:51800
    PersistentKeepalive = 25

    You can see in the AllowedIPs, I *do* shove IPv6 traffic down the tunnel but there is nothing at the other end to deal with it…It was to future proof.

    Thanks for taking the time…..

    #12168
    Vadim Smirnov
    Keymaster

    Thanks for the details. One question though, how nslookup works without WG (stock or wiresock) activated? Does it try to use the IPv6 DNS servers?

    #12170
    alanplum
    Participant

    So I’ve just tested this using my iPhone hotspot.

    When connecting to my iPhone hotspot using Wifi, it seems the laptop definitely gets both an IPv6 (public)and an IPv4 (albeit private). Its a 172.20.x.x address so they must be doing 464XLAT or something…but anyway….*without* WG connected, it does indeed nslookup to the IPv6 link-local, (like wiresock when it is connected to the tunnel) but as soon as I activate WG, then NSLOOKUP resumes to 172.16.0.1.  This is what I was expecting WireSock to do, but it didn’t appear to be doing it.

    Hope that helps a bit?

    #12171
    Vadim Smirnov
    Keymaster

    Yes, that explains what’s going on. Wiresock does not change your network settings or add another DNS server from the WG configuration. Instead, it translates and forwards DNS requests to the DNS server from WG configuration instead of the original one. But it does not convert IPv4 DNS requests to IPv6 and vice versa. I’ll think about what can be done about it. However, if your laptop is configured with an IPv4 DNS server in addition to an IPv6 server, then all other applications (such as browsers) should work fine. NSLOOKUP should also work fine if you manually set the DNS server to any IPv4 address. For example, using server 8.8.8.8 or any other IPv4 address will force nslookup to use the DNS server from the WG configuration.

    #12172
    alanplum
    Participant

    Yes I see. In which case, it won’t work for us currently…sadly.

    We use WireGuard for Remote Working, but all traffic (except local) is tunnelled, and must use our internal DNS server specified in the config. Unfortunately I can’t control the end users internet, so if they are dual stack, and their router pushes an IPv6 DNS server via SLAAC which will overrule an IPv4 DNS pushed by DHCP, then that’s the issue.

    It seems the WG client somehow changes whatever DNS you have on your LAN, to what is specified in the config.

    I’d be very interested in WireSock if it *could* mimic the official WG client with regards DNS, and then I think we could use it.

    #12173
    Vadim Smirnov
    Keymaster

    It looks a bit unusual that a laptop has an IPv6 DNS server but no IPv4. However, this is quite a possible setup. I think I’ll just add IPv6 to IPv4 and vice versa DNS resolution to close this question.

    #12174
    alanplum
    Participant

    Sorry, but the laptop does have both 4 and 6 DNS servers listed, but it is using the V6 DNS for lookups by default. Maybe I’m misunderstanding.

    When no tunnel is active, the laptop is using the V6 DNS server, I presume because it has a valid IPv6 address.

    When WG client tunnel is active it uses my DNS server (IPv4)

    When WireSock is active, it still uses the default IPv6 DNS, not the IPv4.

    #12175
    alanplum
    Participant

    My internal *work* network is IPv4 only, this is the network on the WireGuard Server end…DNS servers are internal only, but has forwarding enabled for internet resolution. So you can’t query them from the internet.

    Laptop…on hotspot…is on a dual stack network, so has both a public ipv6, and a private IPv4, which ultimately will NAT to WAN IPv4.
    Both IPv6 DNS and IPv4 DNS servers are pushed via SLAAC/DHCP.

    With no tunnel active, the laptop defaults to the lookups via the IPv6 DNS, even to return IPv4 addresses..as IPv6 DNS can still return an A as well as AAAA.

    With WireGuard tunnel active, nslookup always uses *my* IPv4 DNS specified in the WireGuard config file.

    With WireSock tunnel active, nslookup continues to use IPv6 DNS, even though IPv4 is available…

    Hopefully that makes more sense?

    #12176
    Vadim Smirnov
    Keymaster

    Typically, if the system is configured with both IPv4 and IPv6 DNS, DNS queries are sent to both. Thus, most applications should work fine. Please check if browsers are working good via wiresock and the only problem you are having is with using nslookup.

    The latter seems to always default to an IPv6 DNS address if available, and this is where we have some issues.

     

    #12177
    alanplum
    Participant

    I wasn’t aware that DNS requests were sent to both. An IPv4 DNS server can still return AAAA records, and an IPv6 can conversely return an A record, so would seem a bit pointless sending the query to both, but I’ll do research

    I can’t test it until tomorrow, but I’m pretty sure it wasn’t working…as in, we could not connect to any of our internal server websites, but could ping them. What I should have tried was browsing to Google, and checking what IP I was coming from, as that would suggest it was using public DNS rather than my internal DNS.

    Another test I could do is add an internal IP on an A record on our external DNS server just to see if nslookup resolves it then.

    I will try a few more tests tomorrow.

    #12178
    Vadim Smirnov
    Keymaster

    We can check what is going on by analyzing log and PCAP files:

    Troubleshooting
    If you experience any problems, then first try starting the application/service with ‘-log-level all‘ command line parameter. If you run it as an application, then it dumps the debug log directly on the console, while service will save the log into the file located in C:\ProgramData\NT Kernel Resources\WireSock VPN Client. In both cases, all processed network packets will be stored in PCAP files (can be opened and analyzed in Wireshark) in the C:\ProgramData\NT Kernel Resources\WireSock VPN Client.

    Please note that ‘-log-level all‘ exists for debug purposes only and significantly affects the application performance.

    #12179
    alanplum
    Participant

    Thanks….I’ll be sure to do that.

    #12180
    alanplum
    Participant

    Ok, I’ve done some serious testing here on my work laptop and discovered interesting things….

    I have to say…in all the configurations below, the official WG windows client works as expected, just as a base mark.

    So what I have discovered is this….These are all tests solely with WireSock..

    If you disable IPv6 in the NIC, WireSock works perfectly. All traffic tunnelled and verified by checking WAN IP.

    If you have IPv6 enabled, and use *only* an IPv4 DNS on the LAN, then WireSock tunnels all IPv4 traffic as expected, using my internal DNS for lookups.  However…if you browse to an IPv6 site…it is not tunnelled…it escapes the tunnel (proved by what’s my ip)

    If you have IPv6 enabled and use an IPv6 DNS (e.g. iPhone hotspot) then no traffic goes via the tunnel. Disabling IPv6, sends all traffic via the tunnel.

    It looks like WireSock is *leaking* IPv6?

    As you see in my config above, I have allowedIp to cover ::1, 8000::1 but is it being ignored by WireSock because I don’t have an IPv6 in my config?

    Happy to help with any logs…

Viewing 15 posts - 1 through 15 (of 17 total)
  • You must be logged in to reply to this topic.