Dnsmasq provides DNS, DHCP, router advertisement and network boot for small network infrastructures.
The DNS subsystem provides a local DNS server for the network, with forwarding of all query types to upstream recursive DNS servers and caching of common record types (A, AAAA, CNAME, etc).
Why
Because *.one137.dev is mapped to dockerhost, when a Wireguard client or any other Docker container requests :443 on one of these domains, the route is as follows:
1. Client: 10.8.0.2 on utun6
2. wg-easy:
   2.1. 10.8.0.1 on wg0
   2.2. 10.100.0.3 on eth0@if68 (40-wireguard-easy_static)
3. dockerhost:
   3.1. 10.100.0.1 on br-556c30b41c98 (40-wireguard-easy_static)
   3.2. 192.168.1.101 on enp6s18
   3.3. 172.18.0.1 on br-58d3a89e5f29 (30-pihole_default)
4. ct-npm: 172.18.0.3 on eth0 (30-pihole_default)
And 172.18.0.1 appears as the client in NPM’s logs. (TODO: that being said, I don’t understand why traffic coming from, say, 192.168.1.66 doesn’t also show up as 172.18.0.1, as steps 3.2-4 should be the same.)
The problem with that is
- It’s impossible to distinguish traffic coming from Wireguard, because traffic from any Docker container is tagged as coming from 172.18.0.1 (the gateway of the first subnet NPM is on). For security reasons, requests from containers to *.one137.dev (other containers, proxmox, etc.) should be blocked, as there’s no reason they’d talk to each other.
- It’s inelegant. ct-npm is also present on 40-wireguard-easy_static at 10.100.0.4, so the whole round trip through dockerhost’s physical interface (steps 3.x) is not needed: 10.100.0.3 (WG) can talk to 10.100.0.4 (NPM) directly.
That being said, adding DNSMasq makes the WG setup more complex and it’s debatable whether it’s a net positive.
Setup
There is neither an official nor a linuxserver Docker image for dnsmasq. 4km3’s image currently seems well maintained and very minimal (it’s just an alpine-based entrypoint).
Add a dnsmasq service with static IP (10.100.0.2) to Wireguard Server’s stack, as shown here.
Make sure NPM is also on the WG network and with a static IP, for example in 80-npm.yml (full config):
networks:
  40-wireguard-easy_static:
    ipv4_address: 10.100.0.4
For DNSMasq, create /srv/docker/volumes/dnsmasq-wireguard/dnsmasq.conf, using that same NPM IP:
log-facility=- # logs to stderr for docker logs
address=/one137.dev/10.100.0.x # NPM's IP on 40-wireguard-easy_static
Wireguard-easy must itself be given a static IP (10.100.0.3) and its default DNS (WG_DEFAULT_DNS) must be set to DNSMasq’s IP (10.100.0.2).
Finally, NPM’s access control must be updated to explicitly allow connections from the Wireguard server:
- Access lists > LAN & Wireguard > Access > allow 10.100.0.3/32
- Proxy hosts > https://one137.dev > Edit > Advanced > add “allow 10.100.0.3/32” in “location /”
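An added example (not from this page, nor from dnsmasq or NPM) that models the two controls this setup relies on, dnsmasq’s address= override and the nginx-style allow/deny rules NPM generates, so the before/after effect on Wireguard versus container traffic can be checked offline. The LAN range 192.168.1.0/24, the trailing deny-all rule and the per-source addresses NPM sees are assumptions constructed from the figures above.

```python
import ipaddress

# Constructed copy of the dnsmasq.conf described above, with NPM's static IP filled in.
DNSMASQ_CONF = """
log-facility=-                    # logs to stderr for docker logs
address=/one137.dev/10.100.0.4    # NPM's IP on 40-wireguard-easy_static
"""

def parse_address_lines(conf):
    """Return [(domain, ip)] for every 'address=/domain/ip' line in a dnsmasq config."""
    entries = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()        # dnsmasq treats '#' as a comment
        if line.startswith("address=/") and line.count("/") == 2:
            _, domain, ip = line.split("/", 2)
            entries.append((domain.lower(), ip))
    return entries

def resolve(name, entries):
    """dnsmasq semantics: an address= entry answers for the domain and all its subdomains."""
    name = name.lower().rstrip(".")
    for domain, ip in entries:
        if name == domain or name.endswith("." + domain):
            return ip
    return None  # no override: dnsmasq would forward the query upstream

# Assumed nginx rules for 'location /' after the change on this page: the LAN range
# (192.168.1.0/24 is an assumption) and the Wireguard server's static IP are allowed,
# and the NPM access list denies everything else.
RULES_AFTER = [("allow", "192.168.1.0/24"), ("allow", "10.100.0.3/32"), ("deny", "0.0.0.0/0")]

def allowed(client_ip, rules):
    """nginx access-module semantics: first matching rule wins; no match means allow."""
    ip = ipaddress.ip_address(client_ip)
    for action, cidr in rules:
        if ip in ipaddress.ip_network(cidr):
            return action == "allow"
    return True

# Address NPM sees for each source, taken from the routes above: before dnsmasq, a
# Wireguard client and any other container both arrive from the bridge gateway 172.18.0.1;
# after it, the Wireguard server reaches NPM directly from 10.100.0.3.
SEEN_BEFORE = {"wireguard-client": "172.18.0.1", "other-container": "172.18.0.1"}
SEEN_AFTER = {"wireguard-client": "10.100.0.3", "other-container": "172.18.0.1"}

def policy_outcome(seen, rules=RULES_AFTER):
    """Which sources get through NPM under the given rules (True = allowed)."""
    return {source: allowed(ip, rules) for source, ip in seen.items()}
```

Before the change, the only way to admit the Wireguard client is to allow 172.18.0.1, which admits every container too; after it, 10.100.0.3 can be allowed on its own.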