Wireguard on Fairphone 5 broken, DNS not working

Hello

I’m kindly asking for help setting up WireGuard VPN on my Murena Fairphone 5.

What I want to do:
Set up a WireGuard VPN connection between my Murena Fairphone 5 and my home router (Fritz!Box 7520) to be a) more secure on public WiFi and b) to profit from my local PiHole DNS filtering.

What I did:
Create necessary DynDNS settings (in my case with the service https://ipv64.net/) and configure it on my Fritz!Box as I have a DSL light tunnel and no static IP addresses. Fritz!Box reports DynDNS as active and the DynDNS provider sees incoming connection-> so DynDNS works.

Setting up WireGuard within the Fritz!Box UI is pretty straight forward.
As for the Android WireGuard Client I used the official WireGuard app as APK, and the “WG Tunnel” app available in the app lounge. I scanned the QR code to add the VPN connection.

Tap on connect:
The clients try to connect with no success. It either says “connecting” or “connected” but DNS resolving is not working as no websites are able to load. The App logs spam a message “DNS host “[censored].any64.de” failed to resolve, try again - [timestamp]”

I also tried to set up IPsec VPN and swaped out DynDNS with the MyFritz Address service provided by AVM, but there are similar issues, at least for AVM, as IPsec does not provide easy readably log files on the FP5.

I came to the conclusion that this is an Android/Murena issue. I do have an iPhone 13 from the company I work for, and there the VPN is immediately established, and I can connect to my pi.hole admin interface with the local IP address from the mobile network. So my Internet provider, DynDNS, my router and the WireGuard settings are not faulty. Something only on the FP5 creates trouble with the DNS settings. (I don’t think it’s important, my FP5 mobile internet provider is 1&1 and the iPhone’s is Vodafone).

Could anyone please help me to get to the bottom of this issue?

Best Regards,

Scytale

Regain your privacy! Adopt /e/OS the deGoogled mobile OS and online servicesphone

Can you share the sanitised peer configuration? Here is an example of my peer configuration: My internal network is in 10.0.0.0/24 my vpn range is 172.16.12.0/24

Pay close attention to the DNS setting in the Interface section and what the range is set in the AllowedIP’s of the peer.

It may also be worth checking if the Fritz!Box DNS resolver is set to only respond to a range of source IP’s. I do not have a Fritz!Box, I use OpenWRT.

[Interface]
PrivateKey = <redacted>
Address = 172.16.12.50/32
# ListenPort not defined
DNS = 10.0.0.4

[Peer]
PublicKey = <redacted>
# PresharedKey not used
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <redacted>:51820
PersistentKeepAlive = 25

The other question is do you have network privacy enabled in the eOS settings?

Thanks @Baggypants for replying.

Thats my sanitised WG configuration:

[Interface]
PrivateKey = <redacted>
Address = 192.168.178.202/24
DNS = 192.168.178.5,192.168.178.1
DNS = fritz.box

[Peer]
PublicKey = <redacted>
PresharedKey = <redacted>
AllowedIPs = 192.168.178.0/24,0.0.0.0/0
Endpoint = <redacted>.myfritz.net:59902
PersistentKeepalive = 25

I did not change the IPs as this subnet is present on every fritz.box in default settings.
I switched the DynDNS provider to the build-in-feature from AVM which is xxx.myfritz.net.

Likewise, I created a separate WG tunnel for my company iPhone, and it connected from the mobile network just fine.
But same error on my Murena Fairphone 5 again, it can’t resolve xxx.myfritz.net.

The other question is do you have network privacy enabled in the eOS settings?

Which settings are you reffering to? I disabled “private DNS” and everything under “Advanced Privacy” app, rebooted the phone and tried to connect-> “can’t resolve host”. (in WG Tunnel app + official Wireguard app).

Within my home network the FP5 connects instantly with the VPN. So something with mobile network works different.

Edit:
If it’s important. .5 is the Pi-hole, and my Fritz.Box Router uses the Pi Hole as DNS Server.

With the DNS setting you have there they look to be in the same subnet as the vpn range. For my setup I use 10.0.0.0/24 for my existing internal lan, and 172.16.12.0/24 for my wireguard vpn network. That is why my dns is 10.0.0.4.

Are you overlapping the two networks? or do you have a seperate network and the dns resolver also has an ip in the wireguard network? I don’t know how wireguard manages the routing but from using pptp and openvpn it’s important to have them seperate.

Also you have DNS = fritz.box. Using a dns record for a dns resolver is considered a very bad idea. I’d advise you to remove it.

Finally. Which resolver is the authority for the internal domains? If it’s the fritz box I’d set fritz up to forward requests to the pi hole, and only have clients use the fritz box as a resolver. The way you have it I can guess the pihole is recieving dns queries, but doesn’t have the internal dns records to return.

The setting I was referring to is ‘Advanced Privacy > Real IP’, but you disabled it.

I get where you are coming from with proper and clean separated subnets, however AVMs Fritz!Box products are very simplistic, and I can’t change a bit besides the default subnet and who is doing DNS/DHCP. It just assigns a free IP outside the DHCP range to the remote client, and that’s it. Confusingly on iOS with pretty much the same config it just connects and there are no DNS problems and I can reach internal devices/services.

I’ll check tomorrow when I can do a little downtime and switch the DNS server back to the router, but I suspect there will be no change.

After all the local android WG client can’t even find the public IPv6 address associated to the DynDNS domain, so possible faulty IP settings inside the tunnel cant affect my problem, I guess.

On the said FP5 and on mobile connection I testet a Ping/DNS tool to get the DNS record for my fritz.net domain and I got the proper IPv6 address back. As if WG is just looking for IPv4 on Android (which there is none) and stops. At least there are some more web search results for that.

I’ve had odd issues woth /e/ not picking up ra ipv6 addresses in the past until I’ve bounced the wifi on my phone. Have you checked if it is actually picking up an ipv6 address?

2 Likes

Thanks for poking me in the right direction, a missing IPv6 addres on my FP5 in the mobile network is the key!

I checked the IP on my business iPhone and did see an IPv4 and IPv6 address connected to the mobile network, on my FP5 I got only an IPv4 address. So thats the difference between the two devices!

So i checked the settings on the inserted SIM card on the Murena OS FP5 (Internet->SIM settings/Cog->Accesspoint (APN)->my carrier (in my case “O2 DE Internet”)-> APN Roaming protocoll + APN Protocoll → switch to IPv4/IPv6

This setting was previously IPv4 only, by default, never actively changed it to IPv4 only.

But now Wireguard instantly connects and I’m happy that it finally works.

4 Likes