WireGuard VPN: Windows client cannot ping hostnames although nslookup resolves them
My environment
- A WireGuard tunnel is used to reach the internal network
- DNS on the internal network is provided by Active Directory domain controllers
- Clients use these DNS servers through the tunnel
- A Linux client using the domain controllers' DNS over the WireGuard tunnel resolves names without any problem
The problem
After connecting to the WireGuard tunnel, a Windows client cannot browse the network normally. Specifically:
- Pinging a hostname fails, but nslookup resolves the same hostname fine
- The DNS servers can be pinged by IP address
- External IPs (for example 1.1.1.1) can be pinged
- A Wireshark capture shows the DNS requests leaving the client, but no replies coming back
- The WireGuard server's firewall log does not show these DNS requests being blocked
Can anyone tell me where my configuration is wrong?
Relevant configuration
WireGuard server configuration
# cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.101.0.1/16
SaveConfig = true
PostUp = ufw route allow in on wg0 out on enp6s0
PostUp = ufw route allow in on enp6s0 out on wg0
PostUp = ufw route allow in on wg0 out on enp1s0
PostUp = ufw route allow in on enp1s0 out on wg0
PostUp = iptables -t nat -I POSTROUTING -o enp6s0 -j MASQUERADE
PostUp = iptables -t nat -I POSTROUTING -o enp1s0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on enp6s0
PreDown = ufw route delete allow in on wg0 out on enp1s0
PreDown = ufw route delete allow in on enp6s0 out on wg0
PreDown = ufw route delete allow in on enp1s0 out on wg0
PreDown = iptables -t nat -D POSTROUTING -o enp6s0 -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o enp1s0 -j MASQUERADE
ListenPort = 51820
PrivateKey = <snipped>
WireGuard server routing table
# ip route
default via <wan_gateway> dev enp1s0 proto static
10.0.0.0/16 dev enp6s0 proto kernel scope link src 10.0.25.20
10.0.0.0/16 via 10.0.1.254 dev enp6s0 proto static metric 100
10.101.0.0/16 dev wg0 proto kernel scope link src 10.101.0.1
<wan_ip_block>/22 dev enp1s0 proto kernel scope link src <wireguard_public_ip>
WireGuard server firewall rules
# ufw status
Status: active

To                         Action      From
--                         ------      ----
51820/udp                  ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
3389                       ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
135/tcp                    ALLOW       Anywhere
389/tcp                    ALLOW       Anywhere
636/tcp                    ALLOW       Anywhere
3268/tcp                   ALLOW       Anywhere
3269/tcp                   ALLOW       Anywhere
53/tcp                     ALLOW       Anywhere
88/tcp                     ALLOW       Anywhere
445/tcp                    ALLOW       Anywhere
123/tcp                    ALLOW       Anywhere
464/tcp                    ALLOW       Anywhere
137/tcp                    ALLOW       Anywhere
138/tcp                    ALLOW       Anywhere
139/tcp                    ALLOW       Anywhere
135/udp                    ALLOW       Anywhere
137/udp                    ALLOW       Anywhere
138/udp                    ALLOW       Anywhere
389/udp                    ALLOW       Anywhere
445/udp                    ALLOW       Anywhere
1512/udp                   ALLOW       Anywhere
42/udp                     ALLOW       Anywhere
42/tcp                     ALLOW       Anywhere
1512/tcp                   ALLOW       Anywhere
500/udp                    ALLOW       Anywhere
49152:65535/tcp            ALLOW       Anywhere
49152:65535/udp            ALLOW       Anywhere
464                        ALLOW       Anywhere
5985:5986/tcp              ALLOW       Anywhere
53/udp                     ALLOW       Anywhere
51820/udp (v6)             ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
3389 (v6)                  ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
135/tcp (v6)               ALLOW       Anywhere (v6)
389/tcp (v6)               ALLOW       Anywhere (v6)
636/tcp (v6)               ALLOW       Anywhere (v6)
3268/tcp (v6)              ALLOW       Anywhere (v6)
3269/tcp (v6)              ALLOW       Anywhere (v6)
53/tcp (v6)                ALLOW       Anywhere (v6)
88/tcp (v6)                ALLOW       Anywhere (v6)
445/tcp (v6)               ALLOW       Anywhere (v6)
123/tcp (v6)               ALLOW       Anywhere (v6)
464/tcp (v6)               ALLOW       Anywhere (v6)
137/tcp (v6)               ALLOW       Anywhere (v6)
138/tcp (v6)               ALLOW       Anywhere (v6)
139/tcp (v6)               ALLOW       Anywhere (v6)
135/udp (v6)               ALLOW       Anywhere (v6)
137/udp (v6)               ALLOW       Anywhere (v6)
138/udp (v6)               ALLOW       Anywhere (v6)
389/udp (v6)               ALLOW       Anywhere (v6)
445/udp (v6)               ALLOW       Anywhere (v6)
1512/udp (v6)              ALLOW       Anywhere (v6)
42/udp (v6)                ALLOW       Anywhere (v6)
42/tcp (v6)                ALLOW       Anywhere (v6)
1512/tcp (v6)              ALLOW       Anywhere (v6)
500/udp (v6)               ALLOW       Anywhere (v6)
49152:65535/tcp (v6)       ALLOW       Anywhere (v6)
49152:65535/udp (v6)       ALLOW       Anywhere (v6)
464 (v6)                   ALLOW       Anywhere (v6)
5985:5986/tcp (v6)         ALLOW       Anywhere (v6)
53/udp (v6)                ALLOW       Anywhere (v6)
Anywhere on enp6s0         ALLOW FWD   Anywhere on wg0
Anywhere on wg0            ALLOW FWD   Anywhere on enp6s0
Anywhere on enp1s0         ALLOW FWD   Anywhere on wg0
Anywhere on wg0            ALLOW FWD   Anywhere on enp1s0
Anywhere (v6) on enp6s0    ALLOW FWD   Anywhere (v6) on wg0
Anywhere (v6) on wg0       ALLOW FWD   Anywhere (v6) on enp6s0
Anywhere (v6) on enp1s0    ALLOW FWD   Anywhere (v6) on wg0
Anywhere (v6) on wg0       ALLOW FWD   Anywhere (v6) on enp1s0
Windows client configuration
[Interface]
PrivateKey = <snipped>
Address = 10.101.0.4/32

[Peer]
PublicKey = <snipped>
AllowedIPs = 10.101.0.0/16, 10.0.0.0/16, <wan_ip_block>/22
Endpoint = <snipped>:51820
Note: this content comes from Stack Exchange; the question was asked by Kheldar Ambar.
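An added diagnostic, written for this page and not taken from the question's author or from Stack Exchange: it sends a raw UDP A query to a DNS server from the tunnel address, which is the path nslookup takes, and resolves the same name through the OS resolver, which is the path ping takes, so the two symptoms above can be separated (a timeout on the direct query points at the tunnel or return route; a direct answer combined with an OS-resolver failure points at the Windows resolver's per-interface DNS settings). The server address 10.0.25.5 and the name dc.corp.example are assumptions; 10.101.0.4 is the client's tunnel address from the posted config.

```python
import random
import socket
import struct

def build_query(name, qid):
    """A/IN query with the RD bit set: one question, no EDNS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def _skip_name(data, off):  # advance past a label sequence or a compression pointer
    while data[off] != 0 and data[off] & 0xC0 != 0xC0:
        off += data[off] + 1
    return off + (2 if data[off] & 0xC0 == 0xC0 else 1)

def parse_a_records(data, qid):
    """Return IPv4 answers from a DNS response; reject a mismatched ID."""
    rid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("response ID %#x does not match query %#x" % (rid, qid))
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return addrs

def direct_query(name, server, bind_addr, timeout=3.0):
    """UDP/53 query sent from bind_addr (the wg tunnel IP): what nslookup does."""
    qid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind((bind_addr, 0))
        s.sendto(build_query(name, qid), (server, 53))
        data, peer = s.recvfrom(512)  # socket.timeout here = "request sent, no reply"
    return parse_a_records(data, qid), peer[0]

def os_resolve(name):  # the OS resolver path that ping and browsers use
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})

if __name__ == "__main__":
    # Assumed: 10.0.25.5 (a DC) and dc.corp.example are constructed; 10.101.0.4 is the client's tunnel IP from the post
    print("direct:", direct_query("dc.corp.example", "10.0.25.5", "10.101.0.4"))
    print("os    :", os_resolve("dc.corp.example"))
```

If the direct query times out while the Wireshark capture still shows the request leaving, the reply is being lost on the return path rather than in the client's resolver.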