0

Nextdns + DD-Wrt + Wireguard

Is there any way to get Nexdns working together with Wireguard tunnel on DD-Wrt?

I see on my nextdns webpage that, in case the tunnel is enabled, the endpoint address of the tunnel is linked, however nextdns is not active at that moment, probably because my id is not reporting back to nextdns. 

Anyone know how to fix this?

9replies Oldest first
  • Oldest first
  • Newest first
  • Active threads
  • Popular
  • The problem might be the router is using wireguard dns instead of nextdns. The way to check it is simple, you just need to use DoH in your PC and set it according to your nextdns DoH. If it works then you know the problem is your router wireguard setting.

    Like 1
  • I know it's a router issue. But even if the tunnel is set to use the Nextdns servers, it's not using my nextdns id. And without the id, there's no filtering going on.

    Like
      • aioyups
      • aioyups
      • 2 yrs ago
      • 1
      • Reported - view

      Dju Robski well then it's simple, however since you didn't mention your condition in detail then I'll just assume you can't/don't want to use DoH/DoT method and you already successfully linked your vpn server public IP to nextdns and you don't really need your router to act as a dns server. If all the condition above are correct then we can proceed to next step.

      1. Make all your client dns point directly to nextdns server IP instead of router IP. You can set this in setup > basic setup, then fill static dns 1 and static dns 2 your nextdns address. And uncheck force dns redirection.

      2. Config your firewall to redirect outgoing port of both nextdns dns address above from port 53 to port 5353. (I'll assume you already know how to do this, if not you can google it). Then it's done. 😉

      Like 1
  • Thanks aioyups! Will give it a try!

    Like
  • aioyups Unfortunately, didn't work.  Found some firewall stuff on the internet and added this stuff below to my firewall script (without the #'s offcourse). I must have done it wrong probably :)

    #DNS portforward 53
    #iptables -t nat -I PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 45.90.28.222:53
    #iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 45.90.28.222:53
    #iptables -t nat -I PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 45.90.30.222:53
    #iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 45.90.30.222:53
    #punch DNS hole for port 53
    #iptables -t nat -I PREROUTING -i br0 -p tcp -s 45.90.28.222 --dport 53 -j ACCEPT
    #iptables -t nat -I PREROUTING -i br0 -p udp -s 45.90.28.222 --dport 53 -j ACCEPT
    #iptables -t nat -I PREROUTING -i br0 -p tcp -s 45.90.30.222 --dport 53 -j ACCEPT
    #iptables -t nat -I PREROUTING -i br0 -p udp -s 45.90.30.222 --dport 53 -j ACCEPT

    #DNS portforward 5353
    #iptables -t nat -I PREROUTING -i br0 -p tcp --dport 5353 -j DNAT --to 45.90.28.222:5353
    #iptables -t nat -I PREROUTING -i br0 -p udp --dport 5353 -j DNAT --to 45.90.28.222:5353
    #iptables -t nat -I PREROUTING -i br0 -p tcp --dport 5353 -j DNAT --to 45.90.30.222:5353
    #iptables -t nat -I PREROUTING -i br0 -p udp --dport 5353 -j DNAT --to 45.90.30.222:5353
    #punch DNS hole for port 5353
    #iptables -t nat -I PREROUTING -i br0 -p tcp -s 45.90.28.222 --dport 5353 -j ACCEPT
    #iptables -t nat -I PREROUTING -i br0 -p udp -s 45.90.28.222 --dport 5353 -j ACCEPT
    #iptables -t nat -I PREROUTING -i br0 -p tcp -s 45.90.30.222 --dport 5353 -j ACCEPT
    #iptables -t nat -I PREROUTING -i br0 -p udp -s 45.90.30.222 --dport 5353 -j ACCEPT

    #iptables -t nat -I PREROUTING -i br0 -s 192.168.10.0/23 -p tcp --dport 53 -j DNAT --to 45.90.28.222:53
    #iptables -t nat -I PREROUTING -i br0 -s 192.168.10.0/23 -p udp --dport 53 -j DNAT --to 45.90.28.222:53
    #iptables -t nat -I PREROUTING -i br0 -s 192.168.10.0/23 -p tcp --dport 53 -j DNAT --to 45.90.30.222:53
    #iptables -t nat -I PREROUTING -i br0 -s 192.168.10.0/23 -p udp --dport 53 -j DNAT --to 45.90.30.222:53
    #iptables -t nat -I PREROUTING -i br0 -s 192.168.10.0/23 -p tcp --dport 5353 -j DNAT --to 45.90.28.222:53
    #iptables -t nat -I PREROUTING -i br0 -s 192.168.10.0/23 -p udp --dport 5353 -j DNAT --to 45.90.28.222:53
    #iptables -t nat -I PREROUTING -i br0 -s 192.168.10.0/23 -p tcp --dport 5353 -j DNAT --to 45.90.30.222:53
    #iptables -t nat -I PREROUTING -i br0 -s 192.168.10.0/23 -p udp --dport 5353 -j DNAT --to 45.90.30.222:53

    #iptables -I FORWARD -d 45.90.28.222 -p tcp --dport 53 -j ACCEPT
    #iptables -I FORWARD -d 45.90.28.222 -p udp --dport 53 -j ACCEPT
    #iptables -I FORWARD -d 45.90.30.222 -p tcp --dport 53 -j ACCEPT
    #iptables -I FORWARD -d 45.90.30.222 -p udp --dport 53 -j ACCEPT
    #iptables -I FORWARD -d 45.90.28.222 -p tcp --dport 5353 -j ACCEPT
    #iptables -I FORWARD -d 45.90.28.222 -p udp --dport 5353 -j ACCEPT
    #iptables -I FORWARD -d 45.90.30.222 -p tcp --dport 5353 -j ACCEPT
    #iptables -I FORWARD -d 45.90.30.222 -p udp --dport 5353 -j ACCEPT

    Like
      • aioyups
      • aioyups
      • 1 yr ago
      • 2
      • Reported - view

      Dju Robski duh so many rules but that's not what I mean since it's still standard port.

      For most cases you just need to put these 2 rules. Go ahead and try it.

      #iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 45.90.28.222:5353
      #iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 45.90.30.222:5353

      Like 2
    • aioyups Where do I put does rules to work in Wireguard config?

      Like
  • You can try using Linked IP in Wireguard

    Like
Like Follow
  • 1 yr agoLast active
  • 9Replies
  • 537Views
  • 5 Following