[kwlug-disc] Remote access to machine behind CG-NAT
Khalid Baheyeldin
kb at 2bits.com
Sat Jun 28 16:41:10 EDT 2025
Anton's post led me down the path of getting a workable setup.
Basically, as Anton asserted, I left systemd-resolved as it is, and
that didn't disturb DNS on the gateway.
Then in /etc/dnsmasq.conf, I uncommented this line:
conf-dir=/etc/dnsmasq.d/,*.conf
Then created an /etc/dnsmasq.d/local.conf with the following in it:
no-resolv # Ignore /etc/resolv.conf
no-poll
bind-dynamic # See below
interface=wg0 # Only serve DNS on WireGuard's network interface
bogus-priv
domain-needed
expand-hosts
domain=home.priv
local=/home.priv/
server=9.9.9.9
server=1.1.1.1
I am not sure if the last two lines do anything, because resolved
is still active, and should handle regular DNS.
The bind-dynamic replaces bind-interfaces, because there was this
warning in syslog:
LOUD WARNING: use --bind-dynamic rather than --bind-interfaces
to avoid DNS amplification attacks via these interface(s)
/etc/hosts on the gateway that runs dnsmasq has:
10.10.0.1 host1.home.priv
10.10.0.2 host2.home.priv
10.10.0.3 host3.home.priv
And so on.
Then in each WireGuard peer, the .conf file has a line saying:
DNS = 10.10.0.1
For good measure, even though I am not sure if it does anything,
I did:
sudo ufw allow 53
sudo ufw reload
And that makes DNS work on the gateway, and all the peers.
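Added example, not part of Khalid's post and not dnsmasq's own code: a small Python audit of the two files described above. The parse_dnsmasq, audit_dnsmasq, audit_ufw, parse_hosts and resolve functions are my own; the LOCAL_CONF, HOSTS and ufw rule strings are constructed copies of what the post shows. It reads the config the way dnsmasq does (one option per line, "#" starts a comment), flags the settings that decide which interfaces the resolver answers on (the point behind the bind-dynamic warning), notes that a bare "ufw allow 53" opens the port on every interface rather than just wg0, and answers names the way expand-hosts and domain= do for the peers.

```python
"""Audit of the dnsmasq/WireGuard DNS setup from the post (added example)."""

import ipaddress

# Constructed sample input: the /etc/dnsmasq.d/local.conf from the post.
LOCAL_CONF = """\
no-resolv        # Ignore /etc/resolv.conf
no-poll
bind-dynamic
interface=wg0    # Only serve DNS on WireGuard's network interface
bogus-priv
domain-needed
expand-hosts
domain=home.priv
local=/home.priv/
server=9.9.9.9
server=1.1.1.1
"""

# Constructed sample input: the gateway's /etc/hosts (IP first, then names).
HOSTS = """\
127.0.0.1 localhost
10.10.0.1 host1.home.priv
10.10.0.2 host2.home.priv
10.10.0.3 host3.home.priv
"""


def parse_dnsmasq(text):
    """Split a dnsmasq config into bare flags and key=value options."""
    flags, options = set(), {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' begins a comment, as in dnsmasq
        if not line:
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            options.setdefault(key.strip(), []).append(value.strip())
        else:
            flags.add(line)
    return flags, options


def audit_dnsmasq(text):
    """Return findings about which interfaces dnsmasq would answer on."""
    flags, options = parse_dnsmasq(text)
    findings = []
    if "interface" not in options:
        findings.append("no interface= line: dnsmasq answers queries on every interface")
    if "bind-interfaces" in flags:
        findings.append("bind-interfaces: dnsmasq itself warns to use bind-dynamic instead")
    if "interface" in options and not ({"bind-dynamic", "bind-interfaces"} & flags):
        findings.append("interface= without bind-dynamic: dnsmasq binds the wildcard "
                        "address and only filters queries from other interfaces")
    local = [v.strip("/") for v in options.get("local", [])]
    for dom in options.get("domain", []):
        if dom not in local:
            findings.append(f"domain={dom} has no local=/{dom}/ line, so lookups "
                            f"for it can be forwarded to the upstream servers")
    return findings


def audit_ufw(rules):
    """Flag port-53 rules that are not limited to a single interface."""
    findings = []
    for rule in rules:
        parts = rule.split()
        if "53" in parts and "on" not in parts:
            findings.append(f"'{rule}' opens port 53 on every interface; "
                            f"'allow in on wg0 to any port 53' limits it to the tunnel")
    return findings


def parse_hosts(text):
    """Map each name in an /etc/hosts file to its address (IP column first)."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        addr = ipaddress.ip_address(fields[0])  # raises ValueError if columns are swapped
        for name in fields[1:]:
            table[name.lower()] = str(addr)
    return table


def resolve(name, hosts, domain, expand_hosts=True):
    """Answer a query from /etc/hosts the way dnsmasq does: exact name first,
    then (with expand-hosts) an unqualified entry plus the configured domain."""
    name = name.lower().rstrip(".")
    if name in hosts:
        return hosts[name]
    if expand_hosts and name.endswith("." + domain):
        short = name[: -len(domain) - 1]
        if short in hosts:
            return hosts[short]
    return None


if __name__ == "__main__":
    print("dnsmasq:", audit_dnsmasq(LOCAL_CONF) or "no findings")
    print("ufw:", audit_ufw(["allow 53"]))
    print("host2.home.priv ->", resolve("host2.home.priv", parse_hosts(HOSTS), "home.priv"))
```

The interface check is the one worth keeping around: the posted fragment passes it, while a copy that drops interface= or keeps bind-interfaces gets flagged, which is exactly the exposure the syslog warning about DNS amplification is about.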