Show posts
Messages - hushcoden

#31
Quote from: FredFresh on October 26, 2024, 04:34:25 PM
Someone could kindly explain to me what steps I should implement to do this:

Assuming you have configured DHCP static mappings in OPNsense for the hosts using the tunnel, specify in that configuration either the DNS servers supplied by your VPN provider (see note below), or public DNS servers. This will override the network-wide DNS settings for those hosts.

Configure public DNS servers for your whole local network, rather than local DNS servers

taken from https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html (steps 3 and 4 to avoid dns leak)

thanks
Just go to Services -> ISC DHCPv4 -> LAN and either select a single host or the entire LAN and type your preferred DNS servers' IP addresses in the DNS servers option.
#32
Quote from: FredFresh on October 26, 2024, 06:40:57 PM
If you want to use it, I think you have to add the DNS ip provided by the dns provider to the wireguard/instances mask.
For me, with or without the Proton DNS server IP address 10.2.0.1 nothing really changes: as long as I keep the port forward rule (see screenshot), then DNS seems to work properly, and still I don't understand the purpose of the DNS servers setting in the WG instance configuration...
#33
Hardware and Performance / Re: About performance
October 28, 2024, 09:29:31 PM
Great, thanks, and my netstat -Q output is exactly like yours, so I believe all sorted now.
#34
Quote from: FredFresh on October 24, 2024, 08:14:05 PM
I think you should define if you are using the dns provided by the vpn provider or an external one, through local dns or unbound dns or other
I want to use dns provided by the vpn provider
#35
Virtual private networks / Re: Monitor IP on wireguard
October 24, 2024, 07:53:50 PM
Quote from: FredFresh on October 24, 2024, 06:44:17 PM
@hushcoden I found that my problem was related to the wrong choice of the monitoring IPs.
Changing them to public IPs that I do not use otherwise, everything is fine after almost a week. Hope this helps.
Are you using IP addresses of public DNS servers or what?
#36
Hardware and Performance / Re: About performance
October 24, 2024, 07:08:59 PM
Quote from: hushcoden on October 24, 2024, 02:55:39 PM
While reading the document https://docs.opnsense.org/troubleshooting/performance.html I decided to enable RSS (my appliance has got 4x i225 ports and a Celeron J4125, 4 cores) and after reboot I've noticed that the value of net.inet.rss.bits is set to 3: just curious to understand why, considering that before enabling RSS the value was correctly set to 2...  ::)

Also, I read in the guide that if RSS is enabled with the 'enabled' sysctl, the packet dispatching policy will move from 'direct' to 'hybrid'. But not for me as even after rebooting, the dispatching policy is still 'direct', and should I set a tuneable to change that to 'hybrid'? Or would it be better to change that to 'deferred' considering my connection is PPPoE?

Tia.
#37
Virtual private networks / Re: Monitor IP on wireguard
October 24, 2024, 06:52:12 PM
@FredFresh many thanks - in my case, it seems okay using the IP addresses of Mullvad internal DNS servers as monitor IPs, but for some reason if I set the gateway group as load balancing (i.e. tier 1 both gateways), one of the two Mullvad gateways goes offline, but if I change to failover (one tier 1 and one tier 2) then I have both gateways online...  ???
#38
While configuring a WG interface, I'd like to understand whether or not we should enable the feature Dynamic gateway policy.

Tia.
#39
Hardware and Performance / About performance
October 24, 2024, 02:55:39 PM
While reading the document https://docs.opnsense.org/troubleshooting/performance.html I decided to enable RSS (my appliance has got 4x i225 ports and a Celeron J4125, 4 cores) and after reboot I've noticed that the value of net.inet.rss.bits is set to 3: just curious to understand why, considering that before enabling RSS the value was correctly set to 2...  ::)

Also, I read in the guide that if RSS is enabled with the 'enabled' sysctl, the packet dispatching policy will move from 'direct' to 'hybrid'. But not for me as even after rebooting, the dispatching policy is still 'direct', and should I set a tuneable to change that to 'hybrid'? Or would it be better to change that to 'deferred' considering my connection is PPPoE?

Tia.
#40
Virtual private networks / How to configure DNS in WG?
October 24, 2024, 01:00:37 PM
Still a lot to learn, so please educate me: by reading the official document WireGuard Selective Routing to External VPN Endpoint it seems there is no need to create a firewall rule for the DNS, and the only mention is at the very end of the document but just relating to DNS leaks (so I read it as optional):

1) why is there no need for firewall DNS rule?

2) as for the very last paragraph/note, I was expecting also the need to specify the destination port range i.e. DNS/DNS, but why is it not the case?

On a separate note, in the instance WG configuration there is a DNS servers setting, but it's not mentioned on any documentation, so what is that for?
#41
Hi there, I'm not able to solve your problem, but I just wanted to make a few observations:

1) MTU standard value is 1420, but if your connection is PPPoE then use 1412.

2) Step 3 (instances) - don't use 51820 as it's default port of each peer.

3) Step 4 (DNS) - I don't use Unbound but the ProtonVPN DNS server, that is 10.2.0.1, with a port forward.

4) Step 5 (killswitch) - the documentation states to set it up as a floating rule, so no idea why you're using the IG_OUT_VPN interface instead...
#42
Quote from: RamSense on October 19, 2024, 05:05:47 PM
I am running Opnsense with Adguard Home (plugin) and Bind (plugin). So that every DNS/port 53 goes to Adguard home. Adguard Home has 127.0.0.1:5354 as upstream (Bind), bind has no DNS Forwarders. This way every lookup will go to the dns root servers, if not yet unknown/cache. As I have learned in the past from this forum, this gives more privacy while no root dns "has it all" and better than trusting the 1.1.1.1 server or your ISP encrypted dns server who "has it all". This is working great.
Hi, I'm still learning about DNS & privacy, and I believe that config - i.e. device on LAN -> ADG Home -> Bind -> root servers - leaves the lookups to the root DNS servers in plain text for your ISP to inspect (if they want to): if so, this doesn't give you full privacy, correct?
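To make the point in the question above concrete, here is an added example (written for this page; it is not code from the thread, from OPNsense, AdGuard Home or BIND) that builds a plain UDP-port-53 DNS query locally and parses it the way anyone on the path would, then lists which name each server in an uncached iterative lookup receives. The packet is constructed in the script and nothing is sent; the three-hop chain assumes a zone cut at every label, which is a simplification.

```python
"""Added example: what an on-path observer can read from unencrypted DNS,
and what each server in an iterative lookup learns.  Constructed data only."""
import struct

DNS_HEADER_LEN = 12  # id, flags, qdcount, ancount, nscount, arcount (6 x 16 bit)


def encode_qname(name: str) -> bytes:
    """Encode a dotted name in DNS wire format: length-prefixed labels, root 0."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a classic (Do53) query: header with RD set and one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def observer_view(udp_payload: bytes) -> dict:
    """Recover what anyone who sees the UDP payload (e.g. the ISP) learns.

    No key or context is needed: the question name is length-prefixed ASCII.
    """
    txid, flags, qdcount = struct.unpack("!HHH", udp_payload[:6])
    pos = DNS_HEADER_LEN
    labels = []
    while True:
        length = udp_payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers only appear in answers, never in a question.
            raise ValueError("unexpected compression pointer in question")
        labels.append(udp_payload[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", udp_payload[pos:pos + 4])
    return {"txid": txid, "recursion_desired": bool(flags & 0x0100),
            "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}


def iterative_queries(name: str, qname_minimisation: bool) -> list:
    """Names a recursive resolver sends to root -> TLD -> authoritative.

    Assumption (simplified): one zone cut per label, so "www.example.com"
    is resolved in three hops.  Without minimisation every hop, including
    the root, receives the full name; with RFC 9156 style minimisation each
    hop receives only one label more than the zone it serves.
    """
    labels = name.rstrip(".").split(".")
    hops = []
    for depth in range(len(labels)):
        zone = "." if depth == 0 else ".".join(labels[-depth:]) + "."
        sent = ".".join(labels[-(depth + 1):]) if qname_minimisation else ".".join(labels)
        hops.append((zone, sent))
    return hops


if __name__ == "__main__":
    pkt = build_query("www.example.com")
    print("on-path observer sees:", observer_view(pkt))
    for mode in (False, True):
        print("qname minimisation" if mode else "full qname", iterative_queries("www.example.com", mode))
```

The parser shows why the plain Do53 leg is the privacy boundary: the ISP sees every name in cleartext no matter which upstream the resolver picks. QNAME minimisation (Unbound's `qname-minimisation`, BIND's `qname-minimization`) only limits what each authoritative server learns, and encrypting the resolver-to-forwarder leg (DoT/DoH) hides the names from the ISP but moves that visibility to the forwarder, which is the trade-off the quoted post is weighing.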
#43
If I understood properly, there is no need of rules within the actual Wireguard/VPN interface, but only in the interface where the hosts live, is that correct?

Tia.
#44
Virtual private networks / Re: Monitor IP on wireguard
October 14, 2024, 12:02:03 PM
I'm running v24.1.10_8 and Mullvad, and I'm experiencing a similar issue, I wish I knew how to solve it...
#45
+1
It would be helpful if some 'expert' would shed light on that, thanks.