Passing DNS requests through Wireguard outbound

[bart3nder]

Hi!
Is it possible to pass DNS requests through wireguard outbound too? Because when you set wireguard as the outbound (first one), and you test for dns leak, it will still be resolved by your server resolver, not the wireguard server. e.g, if the server is located in Germany and the wireguard node is located in USA, the DNS leak locations will be from Germany server (unlike the IP which is successfully from USA).

[us254]

To pass DNS requests through the Wireguard outbound, you can configure Xray to intercept DNS traffic and route it through the desired outbound.

"outbounds": [
  {
    "protocol": "freedom",
    "tag": "direct"
  },
  {
    "protocol": "freedom",
    "settings": {
      "domainStrategy": "UseIPv4"
    },
    "proxySettings": {
      "tag": "wireguard"
    },
    "tag": "warp-IPv4"
  },
  {
    "protocol": "freedom",
    "settings": {
      "domainStrategy": "UseIPv6"
    },
    "proxySettings": {
      "tag": "wireguard"
    },
    "tag": "warp-IPv6"
  }
],
"routing": {
  "rules": [
    {
      "type": "field",
      "port": 53,
      "outboundTag": "wireguard"
    }
  ]
}

In this configuration, we have defined two Wireguard-related outbounds: warp-IPv4 and warp-IPv6. Both of these outbounds use the freedom protocol with specific domain strategies (UseIPv4 and UseIPv6). Additionally, they are tagged with wireguard in the proxySettings section.

Next, we have a routing rule that matches DNS traffic on port 53 and routes it through the wireguard outbound.

By configuring Xray in this way, DNS requests should be passed through the Wireguard outbound, allowing them to be resolved by the Wireguard server rather than the server resolver. This should help prevent DNS leaks and ensure that the DNS resolution location matches the IP location provided by the Wireguard server.

[bart3nder]

Hi, thanks for your answer, unfortunately the provided solution didnt work. I edited to this:

"outbounds": [
    {
      "protocol": "freedom",
      "tag": "direct"
    },
    {
      "protocol": "freedom",
      "settings": {
        "domainStrategy": "UseIPv4"
      },
      "proxySettings": {
        "tag": "wireguard"
      },
      "tag": "warp-IPv4"
    },
    {
      "protocol": "freedom",
      "settings": {
        "domainStrategy": "UseIPv6"
      },
      "proxySettings": {
        "tag": "wireguard"
      },
      "tag": "warp-IPv6"
    },
    {
        "protocol": "wireguard",
        "settings": {
            "secretKey": "xxxxxxxxxx",
            "address": [
                "10.2.0.2/32"
            ],
            "peers": [
                {
                    "publicKey": "xxxxxxxxxx",
                    "allowedIPs": [
                        "0.0.0.0/0"
                    ],
                    "endpoint": "xxxxxxxxxx"
                }
            ],
            "reserved":[0, 0, 0],
            "mtu": 1280
        },
        "tag": "wireguard"
    },
    {
      "protocol": "blackhole",
      "tag": "blocked"
    }
  ],
  "routing": {
    "domainStrategy": "AsIs",
    "rules": [
        {
          "type": "field",
          "port": 53,
          "outboundTag": "wireguard"
        },
      {
        "inboundTag": [
          "api"
        ],
        "outboundTag": "api",
        "type": "field"
      },
      {
        "type": "field", // Block BitTorrent protocol
        "outboundTag": "blocked",
        "protocol": [
          "bittorrent"
        ]
      }
    ]

But it didn't change client IP to wireguards server IP nor fixed the DNS resolution problem. For second try I just added the routing part to my previous config, but it didnt work again, It was the same:

"outbounds": [
    {
        "protocol": "wireguard",
        "settings": {
            "secretKey": "xxxxxxxxxx",
            "address": [
                "10.2.0.2/32"
            ],
            "peers": [
                {
                    "publicKey": "xxxxxxxxxx",
                    "allowedIPs": [
                        "0.0.0.0/0"
                    ],
                    "endpoint": "xxxxxxxxxx"
                }
            ],
            "reserved":[0, 0, 0],
            "mtu": 1280
        },
        "tag": "wireguard"
    },
    {
      "protocol": "blackhole",
      "tag": "blocked"
    }
  ],
  "routing": {
    "domainStrategy": "AsIs",
    "rules": [
        {
          "type": "field",
          "port": 53,
          "outboundTag": "wireguard"
        },
      {
        "inboundTag": [
          "api"
        ],
        "outboundTag": "api",
        "type": "field"
      },
      {
        "type": "field", // Block BitTorrent protocol
        "outboundTag": "blocked",
        "protocol": [
          "bittorrent"
        ]
      }
    ]

P.S:

1. what is the difference between using proxySettings to forward traffic to wireguard outbound and using wireguard outbound as first and toppest outbound? (Like the second config)
2. Can I achieve the same when I have another network interface? Like instead of wireguard module in Xray Core or ... I forward traffic to eth9 interface and DNS queries too (I know I can forward traffic to another interface using sockopt, Im asking for DNS part)

[us254]

Is it possible to pass DNS requests through wireguard outbound?

Yes, it is possible to pass DNS requests through the Wireguard outbound connection. In the configuration file, there is a specific section for DNS configuration that allows you to intercept and forward DNS queries. By using the appropriate settings, you can ensure that DNS requests are processed through the Wireguard server instead of your server resolver.

In your case, if you set Wireguard as the first outbound connection and test for DNS leaks, the DNS resolution should be done by the Wireguard server located in the USA, not your server resolver in Germany. This means that the DNS leak location should match the IP location of the Wireguard server.

make sure to configure the routing rules properly so that DNS requests tagged with dns-in are processed through the outbound tagged dns-out. Additionally, check if any specific settings related to non-IP queries (such as A or AAAA records) need to be configured to prevent non-IP DNS traffic from leaking or being processed.

what is the difference between using proxySettings to forward traffic to wireguard outbound and using wireguard outbound as first and toppest outbound? (Like the second config)

When you use proxySettings, you explicitly specify the outbound tag for traffic forwarding. On the other hand, when you set Wireguard outbound as the first and topmost outbound, all traffic, including DNS requests, will automatically be routed through Wireguard without explicitly specifying the outbound tag.

[us254]

• adding resolution preference settings for WireGuard outbound connections.

{
    "tag": "outbound-wireguard",
    "protocol": "wireguard",
    "settings": {
        "mtu": 1280,
        "secretKey": "OMpOkugnsUGxa+JnUAoN2DIpnmwCS3kgVZTEmpXcYGE=",
        "reserved":[67,145,173],
        "peers": [
            {
                "endpoint": "162.159.192.2:2408",
                "publicKey": "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=",
                "allowedIPs": [
                    "0.0.0.0/0",
                    "::/0"
                ]
            }
        ],
        "address": [
            "172.16.0.2/32",
            "2606:4700:110:8301:cd13:e428:aaca:478d/128"
        ],
        "domainStrategy": "ForceIP"  // Add this configuration, you can fill in "ForceIP", "ForceIPv6", "ForceIPv4", "ForceIPv6v4", "ForceIPv4v6"
    }
}

[bart3nder]

Hello again. As you can see, It doesnt work.

Also are you using AI for solution?

[ghost]

What is your inbounds? How are you ensuring that DNS requests enter Xray inbounds?

[us254]

Without seeing the entire configuration, especially the inbounds part, it's difficult to diagnose the exact issue. However, a proposed solution would have two main components:

1. Inbounds Configuration: Ensure there is an inbounds entry in the Xray configuration that is correctly capturing DNS requests. This could look something like:

"inbounds": [
  {
    "protocol": "dokodemo-door",
    "port": 53,
    "settings": {
      "network": "tcp,udp",
      "address": "1.1.1.1",
      "port": 53,
      "followRedirect": false
    },
    "tag": "dns-in"
  }
]

This would capture DNS requests, tagged as dns-in, and direct them to an external DNS resolver like 1.1.1.1.

2. Routing Configuration: Modify the routing configuration to direct traffic tagged as dns-in to route through the WireGuard outbound.

"routing": {
  "rules": [
    {
      "type": "field",
      "inboundTag": ["dns-in"],
      "outboundTag": "wireguard"
    },
    // ... other rules
  ]
}

[bart3nder]

Ok, since both of you guys mentioned the inbounds and full config, here is mine:

{
    "log": {
        "loglevel": "warning"
    },
    "api": {
        "services": [
            "HandlerService",
            "LoggerService",
            "StatsService"
        ],
        "tag": "api"
    },
    "stats": {},
    "policy": {
    "levels": {
          "0": {
            "handshake": 2,
            "connIdle": 120,
            "statsUserUplink": true,
            "statsUserDownlink": true
          }
    },
    "system": {
          "statsInboundUplink": true,
          "statsInboundDownlink": true,
          "statsOutboundUplink": true,
          "statsOutboundDownlink": true
        }
  },
    "inbounds": [
        {
            "tag": "DOKODEMO",
            "listen": "127.0.0.1",
            "port": 62789,
            "protocol": "dokodemo-door",
            "settings": {
                "address": "127.0.0.1"
            },
            "tag": "api",
            "sniffing": null
            },
        {
            "tag": "REALITY",
            "listen": "::",
            "port": 4433,
            "protocol": "vless",
            "settings": {
                "clients": [
                    {
                        "id": "xxxxxxxxxxxxxx", // Required, execute ./xray uuid generation, or a string of 1-30 bytes
                        "flow": "xtls-rprx-vision", // Optional, if any, client must enable XTLS
                        "email": "general@vless-vision-reality"
                    }
                ],
                "decryption": "none"
            },
            "streamSettings": {
                "network": "tcp",
                "security": "reality",
                "realitySettings": {
                    "show": false, // Optional, if true, output debugging information
                    "dest": "example.com:443", // Required, the format is the same as the dest of VLESS fallbacks
                    "xver": 0, // Optional, the format is the same as xver of VLESS fallbacks
                    "serverNames": [ // Required, the serverName list available to the client, does not support * wildcards
                        "example.com:443"
                    ],
                    "privateKey": "xxxxxxxxxxxxxx", // Required, execute ./xray x25519 to generate
                    "shortIds": [ // Required, the shortId list available to the client, which can be used to distinguish different clients
                        "",
                        "0123456789abcdef" // 0 to f, the length is a multiple of 2, the maximum length is 16
                    ]
                }
            },
            "sniffing": {
                "enabled": true,
                "destOverride": [
                    "http",
                    "tls",
                    "quic"                
                ]
            }
        }
  ],
"outbounds": [
    {
        "protocol": "wireguard",
        "settings": {
            "secretKey": "xxxxxxxxxxxxxx",
            "address": [
                "10.2.0.2/32"
            ],
            "peers": [
                {
                    "publicKey": "xxxxxxxxxxxxxx",
                    "allowedIPs": [
                        "0.0.0.0/0"
                    ],
                    "endpoint": "xxxxxxxxxxxxxx"
                }
            ],
            "reserved":[0, 0, 0],
            "mtu": 1280
        },
        "tag": "wireguard"
    },
    {
      "protocol": "blackhole",
      "tag": "blocked"
    }
  ],
  "routing": {
    "domainStrategy": "AsIs",
    "rules": [
      {
          "type": "field",
          "domain": [
              "geosite:category-ads-all",
              "geosite:category-porn"
          ],
          "outboundTag": "blocked"
      },
      {
        "inboundTag": [
          "api"
        ],
        "outboundTag": "api",
        "type": "field"
      },
     {
        "type": "field",
        "ip": [
          "geoip:private",
          "geoip:ir"
        ],
        "outboundTag": "blocked"
      },
      {
        "type": "field",
        "outboundTag": "blocked",
        "domain": [
          "regexp:\\.ir$"
        ]
      },
      {
        "type": "field", // Block BitTorrent protocol
        "outboundTag": "blocked",
        "protocol": [
          "bittorrent"
        ]
      }
    ]
  }
}

[ghost]

As @us254 has written, it looks like you are not routing DNS packets to your outbounds named wireguard. Are you trying to build a 2-hop like this?

+-------------+
|             |
| Client PC   |
|             |
| v2rayN      | Outbound VLESS Reality
|             |
+------+------+
       |
       |
       V
+-------------+
|             |
| Relay VPS   | Inbound VLESS Reality
|             |
| Xray        | Outbound WireGuard
|             |
+------+------+
       |
       |
       V
+-------------+
|             |
| Remote VPS  | Inbound WireGuard
|             |
| WireGuard   | Outbound Freedom
|             |
+------+------+
       |
       |
       V
 World Wide Web

[bart3nder]

This is my raw config, I tried the suggested solution and it didnt work, I thought maybe Im doing it wrong and I was hoping maybe you guys could help me figure it out.
Also, yes it is what Im trying to achieve.

[ghost]

I suspect the answer is to force Xray's built-in DNS server to send its queries through your outbound, something like #1141, but I do not know exactly how you would do that.

[bart3nder]

Interesting topic, I'll ask there. Thank you!

[us254]

Solution 1: Explicitly route DNS requests through WireGuard:

1. Add an inbound for capturing DNS traffic:

{
  ...
  "inbounds": [
    {
      "protocol": "dokodemo-door",
      "port": 53,
      "tag": "dns-in",
      ...
    },
    ...
  ],
  ...
}

This snippet configures a "dokodemo-door" inbound with port 53 and a tag "dns-in". This ensures Xray captures all DNS requests.

2. Configure routing rules:

{
  ...
  "routing": {
    "rules": [
      {
        "type": "field",
        "inboundTag": ["dns-in"],
        "outboundTag": "wireguard"
      },
      ...
    ]
  },
  ...
}

This rule specifies that DNS requests tagged as "dns-in" are routed through the "wireguard" outbound.

3. Additional settings:

• Consider adding "domainStrategy": "ForceIP" to your WireGuard outbound for better compatibility. This forces Xray to resolve DNS requests through IP addresses.

Solution 2: Use DoH/DoT:

1. Configure Xray's built-in DNS server to use DoH/DoT:

{
  ...
  "dns": {
    "tag": "dns",
    "servers": [
      "https://dns.google/dns-query" // Google DoH
    ]
  },
  ...
}

This uses Google's DoH server (8.8.8.8#853) for DNS resolution. Choose a reliable DoH/DoT provider.

[bart3nder]

Thanks again for your answer, the problem still exists. Based on first solution if I dont set DNS server address like 1.1.1.1, It wont work and if I set something, It will be the resolver not the wireguard nodes:


Server config is also edited as proposed config.

[atamelo]

here https://github.com/atamelo/xray/blob/master/server_config.json is the xray server config that:

1. intercepts all dns (udp, 53) in the tunnel
2. overrides it to always go to 9.9.9.9
3. lets it out in the wild via a WARP/Wireguard tunnel (dns-out)