
Nextdns + DD-Wrt + Wireguard

Is there any way to get Nextdns working together with Wireguard tunnel on DD-Wrt?

I see on my nextdns webpage that, in case the tunnel is enabled, the endpoint address of the tunnel is linked, however nextdns is not active at that moment, probably because my id is not reporting back to nextdns. 

Anyone know how to fix this?

9 replies

    • aioyups
    • 2 yrs ago

    The problem might be the router is using wireguard dns instead of nextdns. The way to check it is simple, you just need to use DoH in your PC and set it according to your nextdns DoH. If it works then you know the problem is your router wireguard setting.

    • Dju_Robski
    • 2 yrs ago

    I know it's a router issue. But even if the tunnel is set to use the Nextdns servers, it's not using my nextdns id. And without the id, there's no filtering going on.

      • aioyups
      • 2 yrs ago

      Dju Robski well then it's simple, however since you didn't mention your condition in detail then I'll just assume you can't/don't want to use DoH/DoT method and you already successfully linked your vpn server public IP to nextdns and you don't really need your router to act as a dns server. If all the conditions above are correct then we can proceed to the next step.

      1. Make all your client dns point directly to nextdns server IP instead of router IP. You can set this in setup > basic setup, then fill static dns 1 and static dns 2 your nextdns address. And uncheck force dns redirection.

      2. Config your firewall to redirect outgoing port of both nextdns dns address above from port 53 to port 5353. (I'll assume you already know how to do this, if not you can google it). Then it's done. 😉

    • Dju_Robski
    • 2 yrs ago

    Thanks aioyups! Will give it a try!

    • Dju_Robski
    • 2 yrs ago

    aioyups Unfortunately, didn't work. Found some firewall stuff on the internet and added this stuff below to my firewall script (without the #'s of course). I must have done it wrong probably :)

    #DNS portforward 53
    #iptables -t nat -I PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 45.90.28.222:53
    #iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 45.90.28.222:53
    #iptables -t nat -I PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 45.90.30.222:53
    #iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 45.90.30.222:53
    #punch DNS hole for port 53
    #iptables -t nat -I PREROUTING -i br0 -p tcp -s 45.90.28.222 --dport 53 -j ACCEPT
    #iptables -t nat -I PREROUTING -i br0 -p udp -s 45.90.28.222 --dport 53 -j ACCEPT
    #iptables -t nat -I PREROUTING -i br0 -p tcp -s 45.90.30.222 --dport 53 -j ACCEPT
    #iptables -t nat -I PREROUTING -i br0 -p udp -s 45.90.30.222 --dport 53 -j ACCEPT

    #DNS portforward 5353
    #iptables -t nat -I PREROUTING -i br0 -p tcp --dport 5353 -j DNAT --to 45.90.28.222:5353
    #iptables -t nat -I PREROUTING -i br0 -p udp --dport 5353 -j DNAT --to 45.90.28.222:5353
    #iptables -t nat -I PREROUTING -i br0 -p tcp --dport 5353 -j DNAT --to 45.90.30.222:5353
    #iptables -t nat -I PREROUTING -i br0 -p udp --dport 5353 -j DNAT --to 45.90.30.222:5353
    #punch DNS hole for port 5353
    #iptables -t nat -I PREROUTING -i br0 -p tcp -s 45.90.28.222 --dport 5353 -j ACCEPT
    #iptables -t nat -I PREROUTING -i br0 -p udp -s 45.90.28.222 --dport 5353 -j ACCEPT
    #iptables -t nat -I PREROUTING -i br0 -p tcp -s 45.90.30.222 --dport 5353 -j ACCEPT
    #iptables -t nat -I PREROUTING -i br0 -p udp -s 45.90.30.222 --dport 5353 -j ACCEPT

    #iptables -t nat -I PREROUTING -i br0 -s 192.168.10.0/23 -p tcp --dport 53 -j DNAT --to 45.90.28.222:53
    #iptables -t nat -I PREROUTING -i br0 -s 192.168.10.0/23 -p udp --dport 53 -j DNAT --to 45.90.28.222:53
    #iptables -t nat -I PREROUTING -i br0 -s 192.168.10.0/23 -p tcp --dport 53 -j DNAT --to 45.90.30.222:53
    #iptables -t nat -I PREROUTING -i br0 -s 192.168.10.0/23 -p udp --dport 53 -j DNAT --to 45.90.30.222:53
    #iptables -t nat -I PREROUTING -i br0 -s 192.168.10.0/23 -p tcp --dport 5353 -j DNAT --to 45.90.28.222:53
    #iptables -t nat -I PREROUTING -i br0 -s 192.168.10.0/23 -p udp --dport 5353 -j DNAT --to 45.90.28.222:53
    #iptables -t nat -I PREROUTING -i br0 -s 192.168.10.0/23 -p tcp --dport 5353 -j DNAT --to 45.90.30.222:53
    #iptables -t nat -I PREROUTING -i br0 -s 192.168.10.0/23 -p udp --dport 5353 -j DNAT --to 45.90.30.222:53

    #iptables -I FORWARD -d 45.90.28.222 -p tcp --dport 53 -j ACCEPT
    #iptables -I FORWARD -d 45.90.28.222 -p udp --dport 53 -j ACCEPT
    #iptables -I FORWARD -d 45.90.30.222 -p tcp --dport 53 -j ACCEPT
    #iptables -I FORWARD -d 45.90.30.222 -p udp --dport 53 -j ACCEPT
    #iptables -I FORWARD -d 45.90.28.222 -p tcp --dport 5353 -j ACCEPT
    #iptables -I FORWARD -d 45.90.28.222 -p udp --dport 5353 -j ACCEPT
    #iptables -I FORWARD -d 45.90.30.222 -p tcp --dport 5353 -j ACCEPT
    #iptables -I FORWARD -d 45.90.30.222 -p udp --dport 5353 -j ACCEPT

      • aioyups
      • 2 yrs ago

      Dju Robski duh so many rules but that's not what I mean since it's still the standard port.

      For most cases you just need to put these 2 rules. Go ahead and try it.

      #iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 45.90.28.222:5353
      #iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 45.90.30.222:5353
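      Added example, not from the thread or from DD-WRT: a small POSIX sh script that prints the firewall-script rules for aioyups' step 2 (force LAN port-53 DNS to NextDNS on port 5353) and checks a PREROUTING listing for rules that can never fire. It assumes br0 is the LAN bridge, uses the NextDNS addresses quoted in the thread, and takes aioyups' word that NextDNS answers plain DNS on 5353. The listing it inspects is constructed to show the chain after the two -I rules above have both been run: -I inserts at the top, so the second rule is evaluated first and the other one is dead.

```shell
#!/bin/sh
# Added example (not from the thread). Generates DD-WRT firewall-script rules that
# send LAN (br0) port-53 DNS to NextDNS on port 5353, and checks an existing
# `iptables -t nat -S PREROUTING` listing for shadowed port-53 DNAT rules.
# Assumptions: br0 is the LAN bridge, 45.90.28.222 is the NextDNS address quoted
# in the thread, and NextDNS answers plain DNS on port 5353.

NEXTDNS_PRIMARY=45.90.28.222
LAN_IF=br0

# Print (do not run) the rule set. -A appends, so the rules land after any ACCEPT
# "punch hole" rules already in the chain. Only one DNAT target is emitted: a
# second DNAT rule with the same match can never fire, so a second NextDNS
# address is not a fallback at this layer.
nextdns_redirect_rules() {
    for proto in udp tcp; do
        printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport 53 -j DNAT --to-destination %s:5353\n' \
            "$LAN_IF" "$proto" "$NEXTDNS_PRIMARY"
        # Let the rewritten packets through FORWARD if the chain policy is DROP.
        printf 'iptables -A FORWARD -d %s -p %s --dport 5353 -j ACCEPT\n' \
            "$NEXTDNS_PRIMARY" "$proto"
    done
}

# Read an `iptables -t nat -S PREROUTING` listing on stdin and print every
# port-53 DNAT rule whose -i/-p/-s match is already covered by an earlier rule.
# iptables -S lists rules in evaluation order, so the first match wins.
shadowed_dns_rules() {
    awk '
        /^-A PREROUTING / && /--dport 53( |$)/ && /-j DNAT/ {
            key = ""
            for (i = 1; i <= NF; i++)
                if ($i == "-i" || $i == "-p" || $i == "-s") key = key " " $i " " $(i + 1)
            if (seen[key]++ > 0) print
        }'
}

# Constructed listing: the chain after running the two -I rules from the thread.
# The second -I lands on top, so the 45.90.30.222 rule is evaluated first and
# the 45.90.28.222 rule below it never matches anything.
sample_prerouting_listing() {
    cat <<EOF
-P PREROUTING ACCEPT
-A PREROUTING -i br0 -p udp -m udp --dport 53 -j DNAT --to-destination 45.90.30.222:5353
-A PREROUTING -i br0 -p udp -m udp --dport 53 -j DNAT --to-destination 45.90.28.222:5353
EOF
}

echo "# rules to paste into Administration > Commands (firewall):"
nextdns_redirect_rules
echo
echo "# shadowed rules in the constructed listing (these never match):"
sample_prerouting_listing | shadowed_dns_rules
```

      On the router, review the printed rules and then run `nextdns_redirect_rules | sh`; to audit the live chain instead of the constructed one, source the script and run `iptables -t nat -S PREROUTING | shadowed_dns_rules`. An empty result means every port-53 DNAT rule is reachable; any line printed is a rule you can delete without changing behaviour.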

      • Balan_Cosmin
      • 2 yrs ago

      aioyups Where do I put those rules to work in Wireguard config?

    • CahJowo
    • 2 yrs ago

    You can try using Linked IP in Wireguard

    • HelloYellow
    • 2 yrs ago
