DNS filter list doesn't work while wireguard is turned on #1448

Open
seensoul opened this issue May 18, 2024 · 7 comments

@seensoul

seensoul commented May 18, 2024

First of all, a big thank you for this marvelous software that defends our privacy.
I noticed some kind of bug, if it's a bug.
When I set up RethinkDNS and set up some of the privacy lists to block traffic, it's working fine. But when I turn on WireGuard configured to connect with MullvadVPN, I noticed that RethinkDNS is no longer blocking traffic from the configured lists; all requests to e.g. Google are passing (without WireGuard they were blocked according to my privacy list blocking Google).

So, I want both: first to use RethinkDNS and its lists to block malicious apps, and at the end send traffic over WireGuard to the Mullvad IP.

Is it a bug, or am I doing something wrong?
Thank you and best regards

====== Reproducing this issue ======

  1. Set up some privacy lists like Privacy, Google, Apple, etc.
  2. Check the log if they are blocking traffic properly,
  3. Now add a WireGuard tunnel to a real VPN server, e.g. Mullvad.
  4. Now look at logs. Traffic blocked before is now strangely allowed, just don't know why

@ignoramous
Collaborator

ignoramous commented May 18, 2024

> But when I turn on WireGuard configured to connect with MullvadVPN, I noticed that RethinkDNS is no longer blocking traffic from the configured lists; all requests to e.g. Google are passing (without WireGuard they were blocked according to my privacy list blocking Google).

  1. Are you using WireGuard in "Simple" mode or "Advanced" mode?
    • In "Simple" mode, WireGuard's DNS is used.
    • In "Advanced" mode, user-set DNS (DNS over HTTPS, Oblivious DNS over HTTPS, DNSCrypt, RDNS+ etc) is used.
  2. If you're using On-device blocklists (available only on F-Droid and Website/GitHub flavours), then domain blocking should work regardless of the WireGuard modes ("Simple" / "Advanced").
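
The resolver choice described in the comment above, as an added example that is not part of the thread or of Rethink's own code: it reads the DNS entries from a wg-quick style config and applies the Simple/Advanced rule exactly as stated. The sample config, its addresses, the DoH URL and the function names are constructed for illustration.

```python
import ipaddress

# Constructed wg-quick style config; keys, addresses and endpoint are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <placeholder-private-key>
Address = 10.0.0.2/32
DNS = 10.0.0.1, fd00::1
DNS = corp.example

[Peer]
PublicKey = <placeholder-public-key>
Endpoint = 192.0.2.10:51820
"""


def tunnel_dns(conf_text):
    """Return (resolver_ips, search_domains) from the [Interface] DNS lines."""
    section, ips, domains = None, [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section != "interface" or not sep or key.strip().lower() != "dns":
            continue
        for item in filter(None, (v.strip() for v in value.split(","))):
            try:
                ips.append(str(ipaddress.ip_address(item)))
            except ValueError:
                domains.append(item)  # wg-quick treats non-IP entries as search domains
    return ips, domains


def effective_resolver(conf_text, mode, user_dns):
    """Apply the rule from the comment: Simple -> tunnel DNS, Advanced -> user-set DNS."""
    ips, _ = tunnel_dns(conf_text)
    if mode == "simple":
        return {"resolvers": ips, "user_dns_in_use": False}
    if mode == "advanced":
        return {"resolvers": [user_dns], "user_dns_in_use": True}
    raise ValueError("mode must be 'simple' or 'advanced'")

if __name__ == "__main__":
    for mode in ("simple", "advanced"):
        print(mode, effective_resolver(SAMPLE_CONF, mode, "https://doh.example/dns-query"))
```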

@seensoul
Author

Thank you for the reply.

It's something weird, because after I posted a comment here I have changed something and it worked well.
I used the Advanced WireGuard Configuration.
And yes it worked, all my lists worked, blocked Google and other spying stuff, and then tunneling it via WireGuard to Mullvad VPN.

But now I see only "Waiting" or "Error" on the WireGuard config and only DNS works, WireGuard stopped working.
I downloaded another config from the Mullvad.net site, but none of them works.

Maybe I could debug this issue?
Should I download Mullvad.net config for Android or for Linux? I downloaded Android configs.

@ignoramous
Collaborator

ignoramous commented May 20, 2024

Import those configs in the official WireGuard app (playstore, website) and see if it works?

If not, are you technical? If so, put Rethink in Verbose mode in Configure -> Settings -> Log level and look for clues in the output from adb logcat | grep -i "golog".

@seensoul
Author

Thank you @ignoramous :) Let's catch this bug :)

Well, I put the config into the WireGuard app and it works. Connects to Mullvad and works just fine.
Am I technical enough? :) Let's see :)
I'll try to provide some logs from adb, just a moment

@seensoul
Author

Well well, I have something :)
I'm technical enough to find a grep replacement for Windows, it's findstr, but I couldn't find how to use -i on Windows (ignore letter case), but I've found that Rethink uses GoLog letters and here you are :)

log.txt

@ignoramous
Collaborator

> Well well, I have something :)

Thanks for the logs, we've identified a fix for WireGuard not working.

As for DNS filters (blocklist) not working, the logs you shared tell us that certain domain names are explicitly trusted / allowed. You can check for these in Configure -> Firewall -> IP & Port rules (swipe over to Domain rules) and in Configure -> Firewall -> Per app IP / Domain rules (swipe over to Domain rules).

@Lanius-collaris

> Well well, I have something :) I'm technical enough to find a grep replacement for Windows, it's findstr, but I couldn't find how to use -i on Windows (ignore letter case), but I've found that Rethink uses GoLog letters and here you are :)

Try /i?

/i Ignores the case of the characters when searching for the string.

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/findstr
