VPN: can't get WireGuard & AdGuard working

imc67

First of all: thanks @girish for the new VPN app!!!

I immediately (to be sure) deleted the OVPN app and installed a fresh new VPN app.

Here my findings:

• In the settings added my AdGuard DNS server ip (same as the Cloudron IP where also the VPN app is installed)
• Created a profile and installed the WireGuard profile in the WireGuard app on my iPhone
• Switched the VPN tunnel on and .... connection is there (according to the VPN app info) but no traffic
• In AdGuard I do see this kind of incoming requests: lb._dns-sd._udp.6.0.0.192.in-addr.arpa but no "normal" DNS requests
• In AdGuard the following User IP's are allowed: 10.8.0.0/24, 172.18.0.0/24, my ISP IP, my Cloudron IP, 10.9.0.0/24
• Also the connected IP to AdGuard is the IP where my iPhone is connected to (in this case my home ISP), so not the WireGuard server IP or the local network IP, this is very strange IMHO.

I'm curious for what I'm doing wrong?
(edited: I'm on Cloudron 8.1.0 is that a RC?)

girish

IIRC, I have tried this before and it has not worked in the past. The devices are unable to reach the DNS via the tunnel, not sure why. I think you will notice that if you use some other public DNS, that works... I will investigate this at some point.

imc67

Before with only OpenVPN it did work, so it’s probably something with routing?

girish

@imc67 good point, didn't realize. indeed, I did a quick test. even now, it works even now with OpenVPN. Just not in WireGuard.

Curiously, after I connect to WireGuard, I can ping just fine (ICMP) but cannot make DNS requests. Puzzling.

robi

@girish dump the routes for both OVPN and WG connections?

Since one seems to have access to a local DNS while the other doesn't.
Otherwise it sounds like hair-pinning issue.

sponch

same here but definitely worked for some hours ...
DNS requests come to Adguard - ping, tracerout etc. don't work ...

sponch

mh...seems to be a firewall problem. When I allow "any IP" (TCP and UDP) on Hetzner-Firewall it works flawlessly... adding the Cloudron IP to the firewall doesn't work....Any idea anybody?

girish

@sponch so you are saying when you change the Hetzner firewall, AdGuard+WireGuard works?

sponch

just double checked... I thought it would...
probably used the wrong profile for my 1st test.
Sorry for the misinformation...

girish

For me, from the mobile, AdGuard works fine. Just not from the laptop (linux).

girish

I pushed a fixed in the firewall for this. It's part of 8.2.3, you have to update Cloudron and hopefully that fixes this.

sponch

@girish That sounds great. I am on 8.2.1 and can't see any updates. Is there a way to force updating?

sponch

@girish YOU'RE GREAT! Wiregueard working now with Adguard after 8.2.3 Updater