# WireGuard DNS Fix - Implementation Status

**Status**: ✅ Phase 1 COMPLETED - DNS Configuration Added

**Date**: 2025-01-29

**Implemented**: DNS configuration in Ansible variables

## What was changed?

### 1. Ansible Group Variables Update

**File**: `deployment/ansible/group_vars/production.yml`

**Change**:

```yaml
# WireGuard DNS Configuration
# DNS server for VPN clients (points to VPN server IP)
# This ensures internal services are resolved to VPN IPs
wireguard_dns_servers:
  - "{{ wireguard_server_ip_default }}"
```

**Effect**:
- The template `wireguard-client.conf.j2` will now emit `DNS = 10.8.0.1` in the client configs
- The `{% if wireguard_dns_servers | length > 0 %}` condition in the template now evaluates to TRUE
- All newly generated client configs contain the DNS configuration

## How does it work?

### Template Logic (already present)

```jinja2
{% if wireguard_dns_servers | length > 0 %}
# DNS servers provided via Ansible (optional)
DNS = {{ wireguard_dns_servers | join(', ') }}
{% endif %}
```

### Generated Client Config (after regeneration)

```ini
[Interface]
PrivateKey = 
Address = 10.8.0.7/24
DNS = 10.8.0.1  # ← NOW INCLUDED!

[Peer]
PublicKey = 
Endpoint = michaelschiemer.de:51820
AllowedIPs = 10.8.0.0/24
PersistentKeepalive = 25
```

## Expected Behaviour

### DNS Resolution (Windows Client)

```powershell
# After importing the new config:
Get-DnsClientServerAddress | Where-Object {$_.InterfaceAlias -like "*WireGuard*"}

# Expected Output:
InterfaceAlias  : WireGuard Tunnel wg0
ServerAddresses : {10.8.0.1}  # ← VPN DNS server
```

### Service Resolution

```powershell
Resolve-DnsName grafana.michaelschiemer.de

# Expected Output:
Name                        Type TTL Section IPAddress
----                        ---- --- ------- ---------
grafana.michaelschiemer.de  A    300 Answer  10.8.0.1  # ← VPN IP instead of public IP!
```

### HTTP Traffic Routing

```bash
# Traefik access log (server side):

# BEFORE (without DNS):
89.246.96.244 - - [Date] "GET /grafana HTTP/2.0" 404
#   ↑ Public IP (WRONG)

# AFTER (with DNS):
10.8.0.5 - - [Date] "GET /grafana HTTP/2.0" 200
#   ↑ VPN IP (CORRECT)
```

## Next Steps (PENDING)

### Phase 2: Client Config Regeneration

**For the Windows client "mikepc"**:

```bash
cd ~/dev/michaelschiemer/deployment/ansible
ansible-playbook -i inventory/production.yml \
  playbooks/regenerate-wireguard-client.yml \
  -e "client_name=mikepc" \
  -e "client_ip=10.8.0.5"
```

**Output**:
- Backup: `mikepc.conf.backup-`
- New config: `deployment/ansible/wireguard-clients/mikepc.conf`
- QR code: `deployment/ansible/wireguard-clients/mikepc.png`

### Phase 3: Docker Container Test (OPTIONAL)

Test the VPN functionality in an isolated environment:

```bash
ansible-playbook -i inventory/production.yml \
  playbooks/test-wireguard-docker-container.yml \
  -e "client_name=mikepc"
```

**Verification**:

```bash
# Ping test
docker exec wireguard-test-mikepc ping -c 4 10.8.0.1

# DNS test
docker exec wireguard-test-mikepc nslookup grafana.michaelschiemer.de 10.8.0.1

# HTTP test
docker exec wireguard-test-mikepc curl -v https://grafana.michaelschiemer.de
```

### Phase 4: Windows Client Import

1. **Open the WireGuard application**
2. **Deactivate tunnel "wg0"** (if active)
3. **Delete tunnel "wg0"** (removes the old config)
4. **Import the new config**:
   - "Add Tunnel" → "Import from file"
   - File: `deployment/ansible/wireguard-clients/mikepc.conf`
5. **Activate tunnel "wg0"**

### Phase 5: Verification (Windows)

**DNS Check**:

```powershell
Get-DnsClientServerAddress | Where-Object {$_.InterfaceAlias -like "*WireGuard*"}
# Expected: ServerAddresses = {10.8.0.1}

Resolve-DnsName grafana.michaelschiemer.de
# Expected: IPAddress = 10.8.0.1
```

**Browser Test**:

```
https://grafana.michaelschiemer.de
Expected: Grafana dashboard WITHOUT a 404 error
```

**Server-Side Verification**:

```bash
# Traefik access log
ssh deploy@michaelschiemer.de
docker logs traefik --tail 50 | grep grafana

# Expected:
# 10.8.0.5 - - [Date] "GET /grafana HTTP/2.0" 200
#   ↑ VPN IP instead of public IP!
```

## Troubleshooting

### Problem: DNS Still Not Working

**Check 1: Verify Config Contains DNS Line**

```powershell
Get-Content "C:\Path\To\mikepc.conf" | Select-String -Pattern "DNS"
# Expected: DNS = 10.8.0.1
```

**Check 2: Verify Windows Uses VPN DNS**

```powershell
Get-DnsClientServerAddress | Format-Table InterfaceAlias, ServerAddresses
# The WireGuard interface should show 10.8.0.1
```

**Check 3: Flush DNS Cache**

```powershell
ipconfig /flushdns
Clear-DnsClientCache
```

### Problem: VPN Connects But Still Uses Public IP

**Check 1: Verify Routes**

```powershell
Get-NetRoute | Where-Object {$_.DestinationPrefix -eq "10.8.0.0/24"}
# Should exist on the WireGuard interface
```

**Check 2: Test DNS Resolution**

```powershell
Resolve-DnsName grafana.michaelschiemer.de -Server 10.8.0.1
# A direct query to the VPN DNS should work
```

### Problem: Cannot Reach grafana.michaelschiemer.de

**Check 1: CoreDNS on Server**

```bash
ssh deploy@michaelschiemer.de
docker ps | grep coredns
docker logs coredns
```

**Check 2: Traefik Configuration**

```bash
docker logs traefik | grep grafana
# Check for middleware configuration
```

## Rollback Plan

If problems occur:

### Rollback Client Config

```bash
# Restore backup on server
ssh deploy@michaelschiemer.de
cd /etc/wireguard/clients
cp mikepc.conf.backup- mikepc.conf

# Re-import on Windows
```

### Rollback Ansible Variables

```bash
git diff deployment/ansible/group_vars/production.yml
git checkout deployment/ansible/group_vars/production.yml
```

## Success Criteria

- ✅ **DNS Configuration Added**: Ansible variables updated
- ⏳ **Client Config Regenerated**: PENDING
- ⏳ **Windows Client Import**: PENDING
- ⏳ **DNS Resolution Working**: PENDING
- ⏳ **HTTP/HTTPS via VPN**: PENDING
- ⏳ **Traefik Shows VPN IP**: PENDING

## Alternative Options (If DNS Fix Fails)

### Option B: Full Tunnel VPN

```ini
# AllowedIPs = 0.0.0.0/0 instead of 10.8.0.0/24
# Routes ALL traffic through the VPN
```

### Option C: Alternative VPN Software

- OpenVPN (proven, stable)
- Tailscale (managed, simple)
- ZeroTier (mesh network)

## References

- **Implementation Plan**: `WIREGUARD-IMPLEMENTATION-PLAN.md`
- **Original Analysis**: `WIREGUARD-WINDOWS-ROUTING-FINAL-ANALYSIS.md`
- **DNS Solution**: `WIREGUARD-WINDOWS-DNS-FIX.md`
- **Template**: `deployment/ansible/templates/wireguard-client.conf.j2`
- **Variables**: `deployment/ansible/group_vars/production.yml`

## Notes

**Why the DNS configuration was missing**:
- The template already supported it via `{% if wireguard_dns_servers | length > 0 %}`
- The variable `wireguard_dns_servers` was missing from group_vars
- It is now set to `["{{ wireguard_server_ip_default }}"]` → `["10.8.0.1"]`

**Expected effect**:
- All new client configs contain `DNS = 10.8.0.1`
- Windows uses the VPN DNS for name resolution
- Internal services (grafana.michaelschiemer.de) resolve to the VPN IP (10.8.0.1)
- HTTP/HTTPS traffic goes through the VPN instead of the public interface

**Next critical step**: Regenerate the client config for "mikepc" and import it on Windows
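A config check that goes one step beyond the `Select-String -Pattern "DNS"` troubleshooting step, written as an added example (not the project's own code): it parses the client config and confirms that the resolver in `DNS =` lies inside a peer's `AllowedIPs`, because a resolver outside `AllowedIPs` is queried over the physical interface and the tunnel DNS setting achieves nothing. The sample config is the one shown in this document with the keys elided.

```python
"""Check a generated WireGuard client config for a working DNS= line (added example)."""
import ipaddress

# Constructed sample: the regenerated client config from this page (keys elided).
CONF_WITH_DNS = """\
[Interface]
PrivateKey = <elided>
Address = 10.8.0.7/24
DNS = 10.8.0.1  # added by the fix

[Peer]
PublicKey = <elided>
Endpoint = michaelschiemer.de:51820
AllowedIPs = 10.8.0.0/24
"""

def parse_wg_conf(text):
    """Return {section: {key: [values]}}; '#' comments are stripped first."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line: continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current].setdefault(key, []).append(value)
    return sections

def _split_list(values):
    # WireGuard list values are comma separated and the key may repeat
    return [item.strip() for v in values for item in v.split(",") if item.strip()]

def check_dns(text):
    """Return a list of problems; an empty list means the DNS setup is sound."""
    conf = parse_wg_conf(text)
    servers = _split_list(conf.get("Interface", {}).get("DNS", []))
    if not servers:
        return ["no DNS= line in [Interface]; client keeps its public resolver"]
    allowed = [ipaddress.ip_network(net) for net in
               _split_list(conf.get("Peer", {}).get("AllowedIPs", []))]
    problems = []
    for srv in servers:
        try:
            addr = ipaddress.ip_address(srv)
        except ValueError:
            continue  # a search domain entry, not a resolver address
        if not any(addr in net for net in allowed):
            problems.append(f"DNS server {srv} is outside AllowedIPs; queries bypass the tunnel")
    return problems
```

The full-tunnel variant from Option B (`AllowedIPs = 0.0.0.0/0`) passes the check for any resolver, which is exactly why it is the fallback.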
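For the server-side verification step ("Traefik Shows VPN IP"), an added example that is not part of the project: it parses Traefik access-log lines in the CLF layout quoted in this document and reports, per request path, how many hits came from the 10.8.0.0/24 VPN subnet versus a public address. The log lines are constructed sample data.

```python
"""Classify Traefik access-log client IPs as VPN or public (added example)."""
import ipaddress
import re
from collections import defaultdict

VPN_NET = ipaddress.ip_network("10.8.0.0/24")

# Constructed sample lines in Traefik's default (CLF) access-log format.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jan/2025:10:00:01 +0000] "GET /grafana HTTP/2.0" 404 19 "-" "Mozilla/5.0" 1 "-" "-" 0ms
10.8.0.5 - - [29/Jan/2025:10:05:12 +0000] "GET /grafana HTTP/2.0" 200 5120 "-" "Mozilla/5.0" 2 "grafana@docker" "http://172.18.0.4:3000" 12ms
10.8.0.5 - - [29/Jan/2025:10:05:13 +0000] "GET /grafana/api/health HTTP/2.0" 200 61 "-" "Mozilla/5.0" 3 "grafana@docker" "http://172.18.0.4:3000" 3ms
"""

# client IP, then the request line and the status code of a CLF entry
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})')

def _is_vpn(ip, vpn_net):
    try:
        return ipaddress.ip_address(ip) in vpn_net
    except ValueError:          # hostname or garbage in the client field
        return False

def parse_requests(text):
    """Yield (client_ip, path, status) for each well-formed request line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, _method, path, status = m.groups()
            yield ip, path, int(status)

def audit_access_log(text, vpn_net=VPN_NET):
    """Per path, count hits from inside the VPN subnet versus everywhere else."""
    summary = defaultdict(lambda: {"vpn": 0, "public": 0})
    for ip, path, _status in parse_requests(text):
        summary[path]["vpn" if _is_vpn(ip, vpn_net) else "public"] += 1
    return dict(summary)

def leaked_requests(text, vpn_net=VPN_NET):
    """Requests that reached Traefik from outside the VPN, as (ip, path, status).
    After the DNS fix this list should be empty for the internal services."""
    return [(ip, path, status) for ip, path, status in parse_requests(text)
            if not _is_vpn(ip, vpn_net)]
```

Feed it `docker logs traefik --tail 50` output; any entry in `leaked_requests` means a client is still resolving the service name to the public IP.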