Nextdns + DD-Wrt + Wireguard

Dju_Robski
3 yrs ago
9replies

Is there any way to get Nexdns working together with Wireguard tunnel on DD-Wrt?

I see on my nextdns webpage that, in case the tunnel is enabled, the endpoint address of the tunnel is linked, however nextdns is not active at that moment, probably because my id is not reporting back to nextdns.

Anyone know how to fix this?

- aioyups
- 3 yrs ago
- Reported - view
The problem might be the router is using wireguard dns instead of nextdns. The way to check it is simple, you just need to use DoH in your PC and set it according to your nextdns DoH. If it works then you know the problem is your router wireguard setting.
- Dju_Robski
- 3 yrs ago
- Reported - view
I know it's a router issue. But even if the tunnel is set to use the Nextdns servers, it's not using my nextdns id. And without the id, there's no filtering going on.
- aioyups
  
  3 yrs ago
  
  Reported - view
  Dju Robski well then it's simple, however since you didn't mention your condition in detail then I'll just assume you can't/don't want to use DoH/DoT method and you already successfully linked your vpn server public IP to nextdns and you don't really need your router to act as a dns server. If all the condition above are correct then we can proceed to next step.
  
  1. Make all your client dns point directly to nextdns server IP instead of router IP. You can set this in setup > basic setup, then fill static dns 1 and static dns 2 your nextdns address. And uncheck force dns redirection.
  
  2. Config your firewall to redirect outgoing port of both nextdns dns address above from port 53 to port 5353. (I'll assume you already know how to do this, if not you can google it). Then it's done.
- Dju_Robski
- 3 yrs ago
- Reported - view
Thanks aioyups! Will give it a try!
- Dju_Robski
- 3 yrs ago
- Reported - view
aioyups Unfortunately, didn't work. Found some firewall stuff on the internet and added this stuff below to my firewall script (without the #'s offcourse). I must have done it wrong probably :)

#DNS portforward 53
#iptables -t nat -I PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 45.90.28.222:53
#iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 45.90.28.222:53
#iptables -t nat -I PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 45.90.30.222:53
#iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 45.90.30.222:53
#punch DNS hole for port 53
#iptables -t nat -I PREROUTING -i br0 -p tcp -s 45.90.28.222 --dport 53 -j ACCEPT
#iptables -t nat -I PREROUTING -i br0 -p udp -s 45.90.28.222 --dport 53 -j ACCEPT
#iptables -t nat -I PREROUTING -i br0 -p tcp -s 45.90.30.222 --dport 53 -j ACCEPT
#iptables -t nat -I PREROUTING -i br0 -p udp -s 45.90.30.222 --dport 53 -j ACCEPT

#DNS portforward 5353
#iptables -t nat -I PREROUTING -i br0 -p tcp --dport 5353 -j DNAT --to 45.90.28.222:5353
#iptables -t nat -I PREROUTING -i br0 -p udp --dport 5353 -j DNAT --to 45.90.28.222:5353
#iptables -t nat -I PREROUTING -i br0 -p tcp --dport 5353 -j DNAT --to 45.90.30.222:5353
#iptables -t nat -I PREROUTING -i br0 -p udp --dport 5353 -j DNAT --to 45.90.30.222:5353
#punch DNS hole for port 5353
#iptables -t nat -I PREROUTING -i br0 -p tcp -s 45.90.28.222 --dport 5353 -j ACCEPT
#iptables -t nat -I PREROUTING -i br0 -p udp -s 45.90.28.222 --dport 5353 -j ACCEPT
#iptables -t nat -I PREROUTING -i br0 -p tcp -s 45.90.30.222 --dport 5353 -j ACCEPT
#iptables -t nat -I PREROUTING -i br0 -p udp -s 45.90.30.222 --dport 5353 -j ACCEPT

#iptables -t nat -I PREROUTING -i br0 -s 192.168.10.0/23 -p tcp --dport 53 -j DNAT --to 45.90.28.222:53
#iptables -t nat -I PREROUTING -i br0 -s 192.168.10.0/23 -p udp --dport 53 -j DNAT --to 45.90.28.222:53
#iptables -t nat -I PREROUTING -i br0 -s 192.168.10.0/23 -p tcp --dport 53 -j DNAT --to 45.90.30.222:53
#iptables -t nat -I PREROUTING -i br0 -s 192.168.10.0/23 -p udp --dport 53 -j DNAT --to 45.90.30.222:53
#iptables -t nat -I PREROUTING -i br0 -s 192.168.10.0/23 -p tcp --dport 5353 -j DNAT --to 45.90.28.222:53
#iptables -t nat -I PREROUTING -i br0 -s 192.168.10.0/23 -p udp --dport 5353 -j DNAT --to 45.90.28.222:53
#iptables -t nat -I PREROUTING -i br0 -s 192.168.10.0/23 -p tcp --dport 5353 -j DNAT --to 45.90.30.222:53
#iptables -t nat -I PREROUTING -i br0 -s 192.168.10.0/23 -p udp --dport 5353 -j DNAT --to 45.90.30.222:53

#iptables -I FORWARD -d 45.90.28.222 -p tcp --dport 53 -j ACCEPT
#iptables -I FORWARD -d 45.90.28.222 -p udp --dport 53 -j ACCEPT
#iptables -I FORWARD -d 45.90.30.222 -p tcp --dport 53 -j ACCEPT
#iptables -I FORWARD -d 45.90.30.222 -p udp --dport 53 -j ACCEPT
#iptables -I FORWARD -d 45.90.28.222 -p tcp --dport 5353 -j ACCEPT
#iptables -I FORWARD -d 45.90.28.222 -p udp --dport 5353 -j ACCEPT
#iptables -I FORWARD -d 45.90.30.222 -p tcp --dport 5353 -j ACCEPT
#iptables -I FORWARD -d 45.90.30.222 -p udp --dport 5353 -j ACCEPT
- aioyups
  
  3 yrs ago
  
  Reported - view
  Dju Robski duh so many rules but that's not what I mean since it's still standard port.
  
  For most cases you just need to put these 2 rules. Go ahead and try it.
  
  #iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 45.90.28.222:5353
  #iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 45.90.30.222:5353
- Balan_Cosmin
  
  3 yrs ago
  
  Reported - view
  aioyups Where do I put does rules to work in Wireguard config?
- CahJowo
- 3 yrs ago
- Reported - view
You can try using Linked IP in Wireguard
- HelloYellow
- 3 yrs ago
- Reported - view
I had the same setup and issue and the below worked for me:

aioyups said:
#iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 45.90.28.222:5353 #iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 45.90.30.222:5353

Thanks aioyups

Content aside

3 yrs agoLast active
9Replies
795Views
5 Following

Nextdns + DD-Wrt + Wireguard

9 replies

Content aside

Home

Tags