Networking Oddity
from Hellmo_Luciferrari@lemm.ee to selfhosted@lemmy.world on 10 Feb 13:47
https://lemm.ee/post/55134932

Hello Selfhosted!

So I have an interesting issue. I have a Docker host, and on that host I have a Caddy container. I have that set up to handle reverse proxying. I have it set up to be local only. I have a Pi-hole and a WireGuard server, and I can connect to my network successfully.

The part that confuses me is that while on the network everything works great. While on VPN I can connect to services by IP:Port. If I use mobile data with VPN, I can't use the site addresses, x.domain.xxx (for privacy's sake I'm leaving my domain out of the post). But when I connect to WiFi, any WiFi, and connect to VPN, I can go to the address I have set up for reverse proxying.

I am unsure how to troubleshoot this. Any pointers would be appreciated.

#selfhosted


unbuckled@lemm.ee on 10 Feb 13:54

You have a DNS problem. How is that set up?

Hellmo_Luciferrari@lemm.ee on 10 Feb 14:09

I have DNS handled by my Pi-hole (using Unbound as an upstream DNS).

On my Pi-hole, I have an A record for the docker box, and then CNAME records pointing to that A record.


It makes little sense why it works on an offsite WiFi, but not mobile data.

Strit@lemmy.linuxuserspace.show on 10 Feb 14:18

In that case, are you sure the VPN is actually on, when on cellular?

Hellmo_Luciferrari@lemm.ee on 10 Feb 14:24

Absolutely, I can connect to the services via IP:Port

Strit@lemmy.linuxuserspace.show on 10 Feb 14:28

Beats me then. Network-wise, an external WiFi should follow the same rules as an external cellular connection.

BCsven@lemmy.ca on 10 Feb 15:44

I don’t have a lot of networking skill here, but could it be your WiFi connections (anywhere) are IPv4 and on mobile it forces IPv6, thus why you can connect via IP:port? Typically your WireGuard host machine has IP forwarding/masquerading set up so you can reach your home LAN. Could this be an issue through the router / proxy?

Hellmo_Luciferrari@lemm.ee on 10 Feb 16:04

Wish I knew how to test/troubleshoot this.

BCsven@lemmy.ca on 10 Feb 20:11

It may not even be the issue, I’m just spitballing, and it may be DNS issues like others mentioned or the cell provider blocking some aspect. As you probably know, WireGuard can be set for all traffic to route through the tunnel, or some outside of it. Maybe the cell network is not routing DNS through the tunnel, but using its own, or maybe they used a cached domain name lookup that doesn’t have your domain IP. Again, networking/DNS etc. is my blind spot. I.e. I have set up OpenMediaVault on a 256MB RAM ARM board to serve my music and SMB shares, but I don’t understand reverse proxy LOL.

Hellmo_Luciferrari@lemm.ee on 10 Feb 20:28

So, I of course rebooted everything I could, the box hosting my DNS/Pi-hole, VPN, docker box, etc. However, I was remote and couldn’t reboot my modem.

I lowered my MTU on my VPN client config after rebooting my modem, and it’s working.

I don’t fully understand why it worked, but it did.

Maybe something on my ISPs end that wasn’t functioning.

tychosmoose@lemm.ee on 10 Feb 21:15

It’s probably still IPv6 related. If you use something like Network Analyzer on your phone while only connected to the mobile network you may find that it only shows an IPv6 address and DNS server, no IPv4 config. That could explain the difference. Particularly if you were using the maximum typically permissible MTU. Your provider might also be doing some 6to4 tunneling somewhere that adds overhead and causes size problems.
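
The MTU arithmetic behind this reply and the fix above, as an added example (not code from the thread). The header sizes are protocol constants; the path MTUs other than 1500, and the 20-byte 6in4/6to4 case, are illustrative assumptions rather than measurements of anyone's carrier.

```python
"""WireGuard MTU budget over IPv4 vs IPv6 underlays.

Added example, not from the thread. The overheads are protocol constants:
IPv4 header 20, IPv6 header 40 (no extension headers), UDP header 8, and the
WireGuard transport-data framing 32 (4 type/reserved + 4 receiver index +
8 counter + 16 Poly1305 tag). Any path MTU other than 1500 used below is an
illustrative assumption, not measured carrier data.
"""

IP_HEADER = {"ipv4": 20, "ipv6": 40}
UDP_HEADER = 8
WG_OVERHEAD = 32


def outer_size(inner_len, outer="ipv6", extra=0):
    """Bytes on the wire for one WireGuard packet carrying `inner_len` inner bytes.
    `extra` is per-packet overhead added by any encapsulation beneath us, e.g. the
    20-byte IPv4 header of a 6in4/6to4 tunnel."""
    return inner_len + WG_OVERHEAD + UDP_HEADER + IP_HEADER[outer] + extra


def wireguard_mtu(path_mtu, outer="ipv6", extra=0):
    """Largest tunnel MTU whose full-size packets still fit `path_mtu` unfragmented."""
    return path_mtu - WG_OVERHEAD - UDP_HEADER - IP_HEADER[outer] - extra


def packet_fits(inner_len, path_mtu, outer="ipv6", extra=0):
    """True if an inner packet of `inner_len` bytes fits the path without fragmentation."""
    return outer_size(inner_len, outer, extra) <= path_mtu


def mtu_report(tunnel_mtu, path_mtu, outer="ipv6", extra=0):
    """Compare a small packet with a full-size one for a configured tunnel MTU.
    A tunnel can look 'up' (handshake and small packets pass) while anything
    that fills the MTU is silently too big for the path."""
    safe = wireguard_mtu(path_mtu, outer, extra)
    return {
        "tunnel_mtu": tunnel_mtu,
        "max_safe_tunnel_mtu": safe,
        "oversize_by": max(0, tunnel_mtu - safe),
        "small_packet_ok": packet_fits(128, path_mtu, outer, extra),
        "full_size_ok": packet_fits(tunnel_mtu, path_mtu, outer, extra),
        "inner_ipv6_ok": safe >= 1280,   # inner IPv6 traffic needs at least 1280
    }


if __name__ == "__main__":
    for fam in ("ipv4", "ipv6"):
        print(f"1500-byte path over {fam}: tunnel MTU <= {wireguard_mtu(1500, fam)}")
    print("IPv6 carried inside a 6in4 tunnel, 1500 path:", wireguard_mtu(1500, "ipv6", extra=20))
    # Assumed scenario: phone on an IPv6-only mobile path of 1400 with a 1420 tunnel MTU.
    print(mtu_report(1420, 1400, "ipv6"))
```

`wireguard_mtu(1500, "ipv6")` is 1420, which is why that number shows up as a common WireGuard default; the same 1420 over an underlay that is itself tunnelled (the 6to4 case raised above) is 20 bytes too large, and over an IPv6-only mobile path of 1400 it is 100 bytes too large while small packets still pass. To measure a path rather than assume it, from a Linux client `ping -M do -s N <endpoint>` sends an N-byte payload with fragmentation forbidden (outer size N+28 for IPv4, N+48 for IPv6); that needs a live path and is not part of the block.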

Hellmo_Luciferrari@lemm.ee on 11 Feb 13:36

Thank you for the info, I may try that out of curiosity

BCsven@lemmy.ca on 10 Feb 23:35

Awesome! Interesting with MTU. This was a first-hit Google search; it seems MTU in the WireGuard setup plays a role also. gist.github.com/…/f16850ca48c48c79bf422e90ee5b9d9…

sylver_dragon@lemmy.world on 10 Feb 14:34

It makes little sense why it works on an offsite WiFi, but not mobile data.

I’d agree with unbuckled above, it’s a DNS issue. If your mobile device is capable, use nslookup or dig to see what responses you are getting in different scenarios. It’s possible that your VPN software is leaking DNS queries out to the mobile data provider’s DNS servers while you are on mobile data and only using the correct DNS settings when you are on wifi. Possibly look for split tunnel settings in the VPN software, as this can create this type of situation.

You can also confirm this from the pihole side. Connect to the VPN via mobile data and browse to some website you don’t use often, but is not your own internal stuff. Then open the query log on your pihole and see if that domain shows up. I’d put money on that query not showing in the pihole query log.
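
The Pi-hole-side check described in this reply, as an added example (not code from the thread): parse Pi-hole's dnsmasq-format query log and ask whether a query for the probe domain ever arrived from the tunnel address range. The log excerpts are constructed, and the ranges (192.168.1.0/24 for the LAN, 10.8.0.0/24 for the WireGuard clients) and the probe domain example.net are assumptions for the example.

```python
"""Did DNS queries from the WireGuard client actually reach the Pi-hole?

Added example, not from the thread. Parses Pi-hole's dnsmasq-style query
log (/var/log/pihole/pihole.log on current releases). Only query lines are
used; forwarded/reply/cached lines are ignored.
"""
import ipaddress
import re
from collections import Counter

# dnsmasq query line, e.g.
# "Feb 10 14:30:01 dnsmasq[845]: query[A] example.net from 10.8.0.2"
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)


def parse_queries(lines):
    """Yield (timestamp, qtype, name, client_ip) for each query line; skip the rest."""
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m:
            yield (m["ts"], m["qtype"], m["name"].lower().rstrip("."),
                   ipaddress.ip_address(m["client"]))


def queries_for(lines, domain, client_net):
    """Queries for `domain` whose source address lies inside `client_net`."""
    net = ipaddress.ip_network(client_net, strict=False)
    domain = domain.lower().rstrip(".")
    return [q for q in parse_queries(lines) if q[2] == domain and q[3] in net]


def tunnel_dns_check(lines, probe_domain, tunnel_net):
    """After browsing `probe_domain` over the VPN on mobile data, did the Pi-hole
    see a query for it from the tunnel range? False means DNS left the tunnel."""
    hits = queries_for(lines, probe_domain, tunnel_net)
    return {
        "probe": probe_domain,
        "seen_from_tunnel": bool(hits),
        "count": len(hits),
        "qtypes": sorted({q[1] for q in hits}),
    }


def clients_by_source(lines, nets):
    """Count queries per named address range, for a quick overview of who asks."""
    nets = {name: ipaddress.ip_network(n, strict=False) for name, n in nets.items()}
    counts = Counter()
    for _, _, _, client in parse_queries(lines):
        counts[next((name for name, n in nets.items() if client in n), "other")] += 1
    return dict(counts)


# Constructed log excerpts; addresses and domains are illustrative assumptions.
# Leaking case: only LAN clients ever ask, nothing arrives from 10.8.0.0/24.
LEAKING_LOG = """\
Feb 10 14:30:01 dnsmasq[845]: query[A] x.domain.xxx from 192.168.1.40
Feb 10 14:30:01 dnsmasq[845]: reply x.domain.xxx is 192.168.1.20
Feb 10 14:30:09 dnsmasq[845]: query[AAAA] example.net from 192.168.1.41
Feb 10 14:30:09 dnsmasq[845]: forwarded example.net to 127.0.0.1#5335
""".splitlines()

# Tunnelled case: the phone's tunnel address asks for the probe domain.
TUNNELED_LOG = """\
Feb 10 14:35:12 dnsmasq[845]: query[A] example.net from 10.8.0.2
Feb 10 14:35:12 dnsmasq[845]: forwarded example.net to 127.0.0.1#5335
Feb 10 14:35:12 dnsmasq[845]: reply example.net is 203.0.113.10
Feb 10 14:35:13 dnsmasq[845]: query[AAAA] example.net from 10.8.0.2
Feb 10 14:35:14 dnsmasq[845]: query[A] x.domain.xxx from 10.8.0.2
""".splitlines()

if __name__ == "__main__":
    nets = {"lan": "192.168.1.0/24", "tunnel": "10.8.0.0/24"}
    for label, log in (("leaking", LEAKING_LOG), ("tunneled", TUNNELED_LOG)):
        print(label, tunnel_dns_check(log, "example.net", "10.8.0.0/24"),
              clients_by_source(log, nets))
```

Run it against a real log with `tunnel_dns_check(open(path), "example.net", "10.8.0.0/24")` right after loading the probe site on mobile data. A query that is answered from the client's own cache, or one sent over Android's Private DNS (DNS over TLS on port 853 to a public resolver), never reaches the Pi-hole either, so pick a domain the phone has not visited recently and keep the caveat from later in the thread in mind.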

Hellmo_Luciferrari@lemm.ee on 10 Feb 17:57

I turned on query logging for my Pi-hole. I chose a random site I don’t typically browse, and confirmed I saw it logged in my Pi-hole. Though, I am thinking it’s likely DNS that’s causing issues.

I even tried turning off split tunneling, and it does the same thing.

I checked automatic DNS setting on my phone.


I don’t know if it will make a difference, but the DNS records for my local services are CNAME records, so I am going to change them to A/AAAA records on the Pi-hole.

I have these set in the Pi-hole and not my Unbound.

originalucifer@moist.catsweat.com on 10 Feb 14:33

smells like the mobile data isn’t honoring the split tunnel DNS comin from the VPN. the mobile provider is doin some funny business with your DNS on that device
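
The split-tunnel and DNS configuration this thread keeps circling back to, as an added example (not code or configs from the thread): a small audit of a wg-quick style WireGuard client config that flags the ways DNS can escape the tunnel. Both configs are constructed; the resolver address 192.168.1.5, the tunnel addresses, the endpoint name and the MTU value are assumptions for illustration, and keys are redacted.

```python
"""Audit a wg-quick style WireGuard client config for DNS-leak paths.

Added example, not from the thread. Addresses and names are constructed.
"""
import ipaddress


def parse_wg_conf(text):
    """Minimal [Section] / key = value parser: keys lower-cased, values comma-split,
    '#' comments stripped, repeated keys accumulated (AllowedIPs may repeat)."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"_name": line[1:-1].strip().lower()}
            sections.append(current)
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError(f"malformed line: {raw!r}")
        current.setdefault(key.strip().lower(), []).extend(
            v.strip() for v in value.split(",") if v.strip())
    return sections


def audit_wg_client(text):
    """Return a list of (code, message) findings; an empty list means no leak path found."""
    sections = parse_wg_conf(text)
    iface = next((s for s in sections if s["_name"] == "interface"), {})
    peers = [s for s in sections if s["_name"] == "peer"]
    routes = [ipaddress.ip_network(r, strict=False)
              for p in peers for r in p.get("allowedips", [])]
    dns = []
    for entry in iface.get("dns", []):
        try:
            dns.append(ipaddress.ip_address(entry))
        except ValueError:
            pass  # a search domain, not a resolver address
    findings = []
    if not dns:
        findings.append(("NO_DNS", "no DNS= in [Interface]: the phone keeps the carrier "
                         "or Wi-Fi resolver, so private names never reach the Pi-hole"))
    for d in dns:
        if not any(d in r for r in routes):
            findings.append(("DNS_OUTSIDE_TUNNEL", f"resolver {d} is not inside any "
                             "AllowedIPs range, so queries to it leave the tunnel"))
    v4_all = any(r.version == 4 and r.prefixlen == 0 for r in routes)
    v6_all = any(r.version == 6 and r.prefixlen == 0 for r in routes)
    if v4_all and not v6_all:
        findings.append(("NO_IPV6_ROUTE", "AllowedIPs routes all IPv4 but no IPv6: on an "
                         "IPv6-only mobile network, IPv6 traffic and any IPv6 resolver the "
                         "carrier hands out bypass the tunnel"))
    if not v4_all and not v6_all:
        findings.append(("SPLIT_TUNNEL", "split tunnel: only the listed AllowedIPs ranges "
                         "go through; the resolver and every service address must be inside them"))
    if "mtu" not in iface:
        findings.append(("NO_MTU", "no MTU= set: the client uses its default; set it "
                         "explicitly if the underlay path is smaller, as on some mobile networks"))
    return findings


# Constructed configs (keys redacted, addresses made up). The weak one routes all
# IPv4 through the tunnel but leaves DNS to whatever network the phone is on.
WEAK_CONF = """
[Interface]
PrivateKey = REDACTED
Address = 10.8.0.2/24

[Peer]
PublicKey = REDACTED
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0
"""

FIXED_CONF = """
[Interface]
PrivateKey = REDACTED
Address = 10.8.0.2/24, fd00:8::2/64
DNS = 192.168.1.5          # the Pi-hole, reached only through the tunnel
MTU = 1280                 # conservative starting point; raise once the path is measured

[Peer]
PublicKey = REDACTED
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, audit_wg_client(conf) or "no findings")
```

The audit only reads the config, so it cannot see what the operating system does around it: Android's Private DNS setting, for instance, sends DNS over TLS to a public resolver regardless of the tunnel's `DNS=` line, which is the caveat raised later in the thread.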

Hellmo_Luciferrari@lemm.ee on 10 Feb 14:46

That’s what I was thinking. Thank you

tychosmoose@lemm.ee on 10 Feb 16:36

You might want to do a DNS leak test from your phone with the WireGuard connection down and then with it up to make sure you’re tunneling DNS. This will be clearer if you set the Pi-hole to use something upstream that an ISP is unlikely to use, Quad9 for example.

Hellmo_Luciferrari@lemm.ee on 10 Feb 16:54

The DNS leak test comes back the same on mobile data with VPN as it does on WiFi with VPN, pointing back to DNS reflecting my upstream DNS, Quad9.

Evkob@lemmy.ca on 11 Feb 15:54

I was having issues getting my Android device to use my local DNS server over VPN, what worked for me was setting it up through RethinkDNS. There’s a setting to prevent DNS leaks by capturing all traffic on port 53 and directing it to the DNS server you set. It doesn’t feel like an elegant solution but hey, it works.

Note, you’ll have to make sure your Private DNS setting is off, in the Internet section of the system settings.