WireGuard and MacOS

Hey folks!

I’ve followed the examples to start a Node app, connect it to a Postgres DB, and then also connect to that DB from my Mac (Catalina 10.15.7) via WireGuard.

I’m stuck at the last step though :sweat_smile:

I can’t seem to locally resolve private network apps and other hosts (like _apps.internal) through the WireGuard link… What follows is eerily similar to the WireGuard noob challenges post.

Details

With some stuff redacted.

  • Region: syd
  • Local config name: focus

focus.conf (from running flyctl wireguard create)

[Interface]
PrivateKey = [redacted]
Address = fdaa:0:247c:a7b:d6b:0:a:2/120
DNS = fdaa:0:247c::3

[Peer]
PublicKey = XpoqGXlKQ6rebMJVAzt4CX4za5gi1S+KU9v/wWUa6iw=
AllowedIPs = fdaa:0:247c::/48
Endpoint = syd1.gateway.6pn.dev:51820
PersistentKeepalive = 15

Starting the wireguard link

# Install wireguard.
brew install wireguard-tools

# Move the generated config so wg-quick can reference by name.
mv ./focus.conf /usr/local/etc/wireguard/focus.conf

# Start wireguard with our config.
wg-quick up focus       
 [#] wireguard-go utun
 [+] Interface for focus is utun2
 [#] wg setconf utun2 /dev/fd/63
 [#] ifconfig utun2 inet6 fdaa:0:247c:a7b:d6b:0:a:2/120 alias
 [#] ifconfig utun2 up
 [#] route -q -n add -inet6 fdaa:0:247c::/48 -interface utun2
 [#] networksetup -getdnsservers Display Ethernet
 [#] networksetup -getsearchdomains Display Ethernet
 [#] networksetup -getdnsservers USB-C Dock Ethernet
 [#] networksetup -getsearchdomains USB-C Dock Ethernet
 [#] networksetup -getdnsservers Display FireWire
 [#] networksetup -getsearchdomains Display FireWire
 [#] networksetup -getdnsservers Wi-Fi
 [#] networksetup -getsearchdomains Wi-Fi
 [#] networksetup -getdnsservers Bluetooth PAN
 [#] networksetup -getsearchdomains Bluetooth PAN
 [#] networksetup -getdnsservers Thunderbolt Bridge
 [#] networksetup -getsearchdomains Thunderbolt Bridge
 [#] networksetup -getdnsservers focus
 [#] networksetup -getsearchdomains focus
 [#] networksetup -setdnsservers Bluetooth PAN fdaa:0:247c::3
 [#] networksetup -setsearchdomains Bluetooth PAN Empty
 [#] networksetup -setdnsservers Wi-Fi fdaa:0:247c::3
 [#] networksetup -setsearchdomains Wi-Fi Empty
 [#] networksetup -setdnsservers Display FireWire fdaa:0:247c::3
 [#] networksetup -setsearchdomains Display FireWire Empty
 [#] networksetup -setdnsservers Thunderbolt Bridge fdaa:0:247c::3
 [#] networksetup -setsearchdomains Thunderbolt Bridge Empty
 [#] networksetup -setdnsservers Display Ethernet fdaa:0:247c::3
 [#] networksetup -setsearchdomains Display Ethernet Empty
 [#] networksetup -setdnsservers focus fdaa:0:247c::3
 [#] networksetup -setsearchdomains focus Empty
 [#] networksetup -setdnsservers USB-C Dock Ethernet fdaa:0:247c::3
 [#] networksetup -setsearchdomains USB-C Dock Ethernet Empty
 [+] Backgrounding route monitor

And then when we run wg

interface: utun2
  public key: ay9xmtckQr54F43i0+P0LD/UJ2nT5/Xzsgrc+V4pAXw=
  private key: (hidden)
  listening port: 50194

peer: XpoqGXlKQ6rebMJVAzt4CX4za5gi1S+KU9v/wWUa6iw=
  endpoint: 43.245.48.112:51820
  allowed ips: fdaa:0:247c::/120
  latest handshake: 1 minute, 42 seconds ago
  transfer: 1.08 KiB received, 3.59 KiB sent
  persistent keepalive: every 15 seconds

Checking if the tunnel is working with dig

dig -t txt _apps.internal

; <<>> DiG 9.10.6 <<>> -t txt _apps.internal
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10220
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_apps.internal.                        IN      TXT

;; AUTHORITY SECTION:
.                       86342   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2021043000 1800 900 604800 86400

;; Query time: 9 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Fri Apr 30 15:23:47 AEST 2021
;; MSG SIZE  rcvd: 118

Checking if the tunnel is working with dig against the generated DNS IP fdaa:0:247c::3
I swapped out the actual answering app names…

dig -t txt _apps.internal @fdaa:0:247c::3

; <<>> DiG 9.10.6 <<>> -t txt _apps.internal @fdaa:0:247c::3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5528
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;_apps.internal.                        IN      TXT

;; ANSWER SECTION:
_apps.internal.         300     IN      TXT     "example-postgres,example-myapp"

;; Query time: 23 msec
;; SERVER: fdaa:0:247c::3#53(fdaa:0:247c::3)
;; WHEN: Fri Apr 30 15:25:53 AEST 2021
;; MSG SIZE  rcvd: 88

Question

So at this point I tried looking around to see if other people have had general issues with WireGuard’s DNS not resolving host names correctly for MacOS; there were a few posts around, generally to do with changing the AllowedIPs to a broad range like `0.0.0.0/0`, but that doesn’t seem to work.

Has anyone else run into this issue and resolved it? :sweat_smile:

:pray:
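One thing worth checking before touching DNS settings at all is whether the resolver address in the config is even routed through the tunnel. wg-quick adds a route for each prefix in AllowedIPs and nothing else (the `route -q -n add -inet6 fdaa:0:247c::/48 -interface utun2` line above is that route), so a `DNS =` server that falls outside every peer's AllowedIPs is reached over the default route, not the tunnel, no matter what networksetup was told. The following script is an added example, not code from this post or from Fly.io's tooling: it parses a wg-quick config and reports whether each DNS server and the interface address are covered by AllowedIPs, and whether the config is full-tunnel. SAMPLE_CONF mirrors the focus.conf above with the private key left redacted; NARROW_CONF and FULL_CONF are constructed variants, and the function names are this example's own.

```python
"""Check whether a wg-quick config routes its own DNS server through the tunnel.

Added example, not code from the forum post or from Fly.io's tooling.
wg-quick installs a route for every prefix in AllowedIPs and nothing else,
so a DNS server outside all peers' AllowedIPs is reached via the default
route even though `DNS =` was applied to every network service.
All three configs below are constructed for this example.
"""
import ipaddress
from typing import Dict, List

# Mirrors the focus.conf in the post; the private key stays redacted.
SAMPLE_CONF = """\
[Interface]
PrivateKey = REDACTED
Address = fdaa:0:247c:a7b:d6b:0:a:2/120
DNS = fdaa:0:247c::3

[Peer]
PublicKey = XpoqGXlKQ6rebMJVAzt4CX4za5gi1S+KU9v/wWUa6iw=
AllowedIPs = fdaa:0:247c::/48
Endpoint = syd1.gateway.6pn.dev:51820
PersistentKeepalive = 15
"""

# Constructed variant: AllowedIPs narrowed to the interface's own /64, which
# no longer covers the resolver at fdaa:0:247c::3.
NARROW_CONF = SAMPLE_CONF.replace("AllowedIPs = fdaa:0:247c::/48",
                                  "AllowedIPs = fdaa:0:247c:a7b::/64")

# Constructed variant: the "route everything" suggestion from the thread.
FULL_CONF = SAMPLE_CONF.replace("AllowedIPs = fdaa:0:247c::/48",
                                "AllowedIPs = 0.0.0.0/0, ::/0")


def parse_wg_conf(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Parse the INI-like WireGuard format. [Peer] may repeat, so the stock
    configparser (which rejects duplicate sections) is not used."""
    sections: Dict[str, List[Dict[str, str]]] = {"Interface": [], "Peer": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.setdefault(line[1:-1], []).append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        # Keys never contain '=', so split once; base64 keys keep their padding.
        key, value = (p.strip() for p in line.split("=", 1))
        current[key] = value
    if len(sections["Interface"]) != 1:
        raise ValueError("expected exactly one [Interface] section")
    return sections


def _csv(value: str) -> List[str]:
    return [v.strip() for v in value.split(",") if v.strip()]


def check_conf(text: str) -> Dict[str, object]:
    """Report which DNS servers are NOT covered by any peer's AllowedIPs,
    whether the interface address is covered, and whether the config is
    full-tunnel (a 0-length prefix in AllowedIPs)."""
    conf = parse_wg_conf(text)
    iface = conf["Interface"][0]
    nets = [ipaddress.ip_network(c, strict=False)
            for peer in conf["Peer"] for c in _csv(peer.get("AllowedIPs", ""))]

    def covered(addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in n for n in nets)  # version mismatch is simply False

    # DNS= may also list search domains; only IP literals matter for routing.
    dns_ips = []
    for entry in _csv(iface.get("DNS", "")):
        try:
            ipaddress.ip_address(entry)
            dns_ips.append(entry)
        except ValueError:
            pass
    address = ipaddress.ip_interface(_csv(iface["Address"])[0])
    return {
        "dns_unrouted": [s for s in dns_ips if not covered(s)],
        "address_in_allowed": any(address.ip in n for n in nets),
        "full_tunnel": any(n.prefixlen == 0 for n in nets),
        "keepalive": any("PersistentKeepalive" in p for p in conf["Peer"]),
    }


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("narrow", NARROW_CONF),
                       ("full", FULL_CONF)):
        print(name, check_conf(conf))
```

For the config in this post the check passes: fdaa:0:247c::3 sits inside fdaa:0:247c::/48, so routing is not the problem here. The script inspects the file, not the live resolver state; on macOS, `scutil --dns` shows which nameservers the system resolver is actually using per interface, and that is the right place to look when dig (which reads /etc/resolv.conf directly) and tools that go through the system resolver, such as ping or psql, disagree.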

DNS with WireGuard on MacOS is some kind of magic I haven’t fully figured out yet. I have noticed that I need to start a new terminal window after I connect to get *.internal to resolve.

The dig tool might be doing something special. You should be able to ping or ping -6 an app, which might work if dig isn’t.


It does seem a bit overcooked :sweat_smile:

I have noticed that I need to start a new terminal window after I connect to get *.internal to resolve.
… You should be able to ping or ping -6 an app, which might work if dig isn’t.

Oh, this worked!

I was able to ping6 example-postgres.internal, and connect to the postgres instance with psql.

Thanks so much! What an anti-climactic solution haha. I hope it helps other people in the future. :clap:
