OPNsense Forum

English Forums => Virtual private networks => Topic started by: not_the_messiah on February 19, 2024, 05:47:51 PM

Title: ProtonVPN Wireguard DNS
Post by: not_the_messiah on February 19, 2024, 05:47:51 PM
Hi All,

Newbie here, although I like to think of myself as technically competent  ;)

I have managed to configure a single WG interface and route selected clients over it, but I have become a bit unstuck WRT DNS leaks. I have tried some of the suggestions at https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html#dealing-with-dns-leaks and only option 5 has been successful (I could do 4, but if the VPN goes down, I still need non-VPN devices to be able to resolve addresses).

What do I need to configure in order to be able to route DNS for all hosts in my VPN Alias to the VPN provider's DNS?

Many thanks in advance.
Title: Re: ProtonVPN Wireguard DNS
Post by: not_the_messiah on February 20, 2024, 10:37:03 PM
This is driving me nuts! I've triple checked my config and I really cannot see anything wrong - I'd really appreciate some help if anyone has a solution.
Title: Re: ProtonVPN Wireguard DNS
Post by: cookiemonster on February 20, 2024, 10:45:19 PM
I don't route to external VPNs but I imagine that if you show your rules, including (disabled) the rule you created for option 4 if that's the one you want, then someone will be able to point out what might not be totally right.
You will also need to add what is your dns setup ie, are you using a local one in your network, Unbound on OPN, anything else.
Title: Re: ProtonVPN Wireguard DNS
Post by: not_the_messiah on February 20, 2024, 11:05:52 PM
Thanks for the reply :)

I've done a little more digging and I've found something (that I think is) interesting... When running a tracert from my machine (static lease, no DNS configured), I can see the second hop as the address of my VPN DNS (10.2.0.1). However, dnsleaktest and ipleak both report DNS leaks with this configuration.

If I update the static lease config to use the 10.2.0.1 address as DNS, then tracert still reports 10.2.0.1 as the second hop, but both sites mentioned above report no leaks.

I don't get it.
Title: Re: ProtonVPN Wireguard DNS
Post by: opn_nwo on February 21, 2024, 03:31:20 AM
Consider that the DNS for Proton is on a private IP 10.2.0.1. While setting up my FW rules I noticed that on this page:

https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

one of the rule only routes traffic with destination outside the RFC1918_Networks and that excludes access to Proton DNS so you need to change it or create one specifically for the DNS.
Title: Re: ProtonVPN Wireguard DNS
Post by: not_the_messiah on February 22, 2024, 12:36:31 AM
Yes -  the rule in step 8, right?! I've also configured this rule from the ProtonVPN guide, but it makes no difference...

https://docs.opnsense.org/manual/how-tos/wireguard-client-proton.html#protonvpn-dns-leaks

Any pointers on what rule I need to create?
Title: Re: ProtonVPN Wireguard DNS
Post by: not_the_messiah on February 22, 2024, 11:34:58 AM
Below are the rule definitions of all the rules I have created as a part of following the official guides.

This is my NAT rule:

      <rule>
        <source>
          <network>UK_PVPN_34_HOSTS</network>
        </source>
        <destination>
          <any>1</any>
        </destination>
        <descr/>
        <category/>
        <interface>opt5</interface>
        <tag/>
        <tagged/>
        <poolopts/>
        <poolopts_sourcehashkey/>
        <ipprotocol>inet</ipprotocol>
        <created>
          <username>XXX</username>
          <time>1708187169.4968</time>
          <description>/firewall_nat_out_edit.php made changes</description>
        </created>
        <target/>
        <targetip_subnet>0</targetip_subnet>
        <sourceport/>
        <updated>
          <username>XXX</username>
          <time>1708191104.6149</time>
          <description>/firewall_nat_out_edit.php made changes</description>
        </updated>
      </rule>


Floating Rules:

    <rule uuid="XXX">
      <type>block</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <tagged>NO_WAN_EGRESS</tagged>
      <statetype>keep state</statetype>
      <direction>out</direction>
      <floating>yes</floating>
      <quick>1</quick>
      <source>
        <any>1</any>
      </source>
      <destination>
        <any>1</any>
      </destination>
      <updated>
        <username>XXX</username>
        <time>1708187354.2587</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>XXX</username>
        <time>1708187354.2587</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule uuid="XXX">
      <type>block</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <tagged>NO_WAN_EGRESS</tagged>
      <statetype>keep state</statetype>
      <direction>out</direction>
      <floating>yes</floating>
      <quick>1</quick>
      <source>
        <any>1</any>
      </source>
      <destination>
        <any>1</any>
      </destination>
      <updated>
        <username>XXX</username>
        <time>1708187354.2587</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>XXX</username>
        <time>1708187354.2587</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>


LAN Rules:

    <rule uuid="XXX">
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <gateway>UK_PVPN_34</gateway>
      <direction>in</direction>
      <log>1</log>
      <quick>1</quick>
      <protocol>tcp/udp</protocol>
      <source>
        <address>10.2.0.1</address>
      </source>
      <destination>
        <address>RFC1918_Networks</address>
        <not>1</not>
        <port>53</port>
      </destination>
      <updated>
        <username>XXX</username>
        <time>1708596677.5377</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>XXX</username>
        <time>1708187872.924</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule uuid="XXX">
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <tag>NO_WAN_EGRESS</tag>
      <statetype>keep state</statetype>
      <gateway>UK_PVPN_34</gateway>
      <direction>in</direction>
      <quick>1</quick>
      <source>
        <address>UK_PVPN_34_HOSTS</address>
      </source>
      <destination>
        <address>RFC1918_Networks</address>
        <not>1</not>
      </destination>
      <updated>
        <username>XXX</username>
        <time>1708368610.472</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>XXX</username>
        <time>1708186855.4541</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
      <log>1</log>
    </rule>


With the first LAN rule, I have also tried 10.2.0.2 and 192.168.1.1 with the same failures. I'm assuming it's the Destination setting (not local networks) that is causing this rule to fail, but I don't know how to work around this. I've (blindly) tried quite a few different configurations, but these either don't work or result in me having no internet access at all  ;D
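As an added illustration (not code from the thread or from OPNsense), the script below models first-match evaluation of the two LAN rules exactly as posted against a constructed DNS query from an alias host to the Proton resolver 10.2.0.1, then shows the shape a rule would need to have in order to match that query at all. The alias contents, the sample host addresses and the "assumed DNS rule" are assumptions made for the example, not something the thread confirms.

```python
import ipaddress

# Alias contents are assumptions for this example (the thread names the aliases only).
ALIASES = {
    "UK_PVPN_34_HOSTS": ["192.168.1.50/32", "192.168.1.51/32"],        # constructed hosts
    "RFC1918_Networks": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}

def resolve(addr):
    """Expand an alias name or a literal address into a list of networks."""
    return [ipaddress.ip_network(e, strict=False) for e in ALIASES.get(addr, [addr])]

def in_set(ip, spec):
    """spec: {'address': alias or IP (None = any), 'not': bool, 'port': int or None}."""
    addr = spec.get("address")
    hit = addr is None or any(ipaddress.ip_address(ip) in n for n in resolve(addr))
    return hit != bool(spec.get("not"))   # honour the 'invert' (not) flag

def matches(rule, pkt):
    """Does one 'quick' LAN-in rule match this packet? (simplified pf model)"""
    if not in_set(pkt["src"], rule["source"]):
        return False
    if not in_set(pkt["dst"], rule["destination"]):
        return False
    port = rule["destination"].get("port")
    return port is None or port == pkt["dport"]

def first_match(rules, pkt):
    # Return the description of the first matching rule, or None if nothing matches.
    for rule in rules:
        if matches(rule, pkt):
            return rule["descr"]
    return None

# The two LAN rules as posted above, reduced to the fields that decide a match.
POSTED_LAN_RULES = [
    {"descr": "posted rule 1: src 10.2.0.1, dst !RFC1918_Networks port 53",
     "source": {"address": "10.2.0.1"},
     "destination": {"address": "RFC1918_Networks", "not": True, "port": 53}},
    {"descr": "posted rule 2: src UK_PVPN_34_HOSTS, dst !RFC1918_Networks",
     "source": {"address": "UK_PVPN_34_HOSTS"},
     "destination": {"address": "RFC1918_Networks", "not": True}},
]
# Assumed shape of a rule that would match alias hosts querying the Proton resolver
# (source = the alias, destination = 10.2.0.1 port 53, gateway UK_PVPN_34 as in rule 2).
DNS_RULE = {"descr": "assumed DNS rule: src UK_PVPN_34_HOSTS, dst 10.2.0.1 port 53",
            "source": {"address": "UK_PVPN_34_HOSTS"},
            "destination": {"address": "10.2.0.1", "port": 53}}
# Constructed packets: a DNS query to the Proton resolver and an ordinary HTTPS request.
DNS_QUERY = {"src": "192.168.1.50", "dst": "10.2.0.1", "dport": 53}
WEB_REQUEST = {"src": "192.168.1.50", "dst": "1.1.1.1", "dport": 443}

if __name__ == "__main__":
    print(first_match(POSTED_LAN_RULES, DNS_QUERY))                # None: no posted rule matches
    print(first_match([DNS_RULE] + POSTED_LAN_RULES, DNS_QUERY))   # the assumed DNS rule
    print(first_match(POSTED_LAN_RULES, WEB_REQUEST))              # posted rule 2
```

Posted rule 1 cannot match a client's query because its source is the resolver's own address, and rule 2 excludes 10.2.0.1 through the inverted RFC1918 destination, so the query falls through to whatever rule follows.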
Title: Re: ProtonVPN Wireguard DNS
Post by: not_the_messiah on February 23, 2024, 08:07:27 PM
Somebody must have solved this, surely?! Apart from the config above, is there anything else I can provide that will enable further help?
Title: Re: ProtonVPN Wireguard DNS
Post by: cookiemonster on February 23, 2024, 10:42:23 PM
Sorry, not much to offer with this. Maybe if you post the screenshots of the relevant rules and are a little clearer on the problem. You say you have one option that works, and then a question that can't have a single answer, i.e. "What do I need to configure in order to be able to route DNS for all hosts in my VPN Alias to the VPN provider's DNS?"
But the answer to this question can't be right if the VPN tunnel goes down. Rules aren't able to apply in a variable way.
Title: Re: ProtonVPN Wireguard DNS
Post by: not_the_messiah on February 25, 2024, 11:54:52 AM
Thanks for the reply - really appreciate it, and I'm definitely not throwing shade at you (sorry if it comes across that way!)...

My requirements are as follows:

I have followed the 'official' guides for setting up WG to the letter and whilst selective routing works fine, no matter what I try, I cannot solve the DNS leak issue.
Title: Re: ProtonVPN Wireguard DNS
Post by: not_the_messiah on February 25, 2024, 01:17:34 PM
Quote from: opn_nwo on February 21, 2024, 03:31:20 AM
Consider that the DNS for Proton is on a private IP 10.2.0.1. While setting up my FW rules I noticed that on this page:

https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

one of the rule only routes traffic with destination outside the RFC1918_Networks and that excludes access to Proton DNS so you need to change it or create one specifically for the DNS.

How did you manage to solve this please?
Title: Re: ProtonVPN Wireguard DNS
Post by: LovelyCupOfTea on April 02, 2024, 10:11:08 PM
Seems you got further than me

https://forum.opnsense.org/index.php?topic=39783.0

Please can you advise if you got to the bottom of this. It feels like OPNsense WireGuard needs a self-contained VPN configuration section which creates and applies any NAT or firewall rules required for a standard setup, a bit like on Asus Merlin. Can you see how your connection setup varied from mine?

Not sure why Surfshark or a lot of the more technical providers like Mullvad don't create a guide themselves. I asked Mullvad but they referred me back to the OPNsense documentation, which does not actually work even when you follow it exactly.

Said they might look at it in the future, but it definitely feels like OPNsense is missing from VPN providers' guides, especially Surfshark, where they do a guide for pretty much everything including pfSense.
Title: Re: ProtonVPN Wireguard DNS
Post by: jlficken on April 04, 2024, 08:28:50 PM
I'm new to OPNsense from Untangle and am struggling with this as well.

I can get DNS to route over the ProtonVPN WireGuard tunnel, however, it's for all devices on the network which I don't really want since it takes 200ms to reply over the tunnel rather than 15ms it takes otherwise.

Title: Re: ProtonVPN Wireguard DNS
Post by: LovelyCupOfTea on April 04, 2024, 09:34:16 PM
Save yourself the hassle

Got myself a GL.iNet Flint 2 running OpenWrt. Took me all of about 5 min to get a WireGuard tunnel for the whole network set up, even with the odd static IP exclusion.

In OPNsense and pfSense doing this is way overly complicated.

Flint 2 can do just under 1 Gbps WireGuard and my local LAN speeds were good, so I think the NAT acceleration issue with Asus routers slowing the local LAN when WireGuard is enabled must be an Asus issue.

Had two of these Flint 2 routers running for a couple of days at two locations and so far so good. Brilliant WireGuard throughput.

Hope this helps, albeit not the answer you might be wanting.
Title: Re: ProtonVPN Wireguard DNS
Post by: jlficken on April 05, 2024, 02:17:46 AM
I got it working!!!!

It involves setting up the WG tunnels correctly and a Port Forward rule, however, it's working beautifully on my devices.

WireGuard Instance Config:
(https://embed.fstech.ltd/-App7mhh3yy)

Gateway Config Overview:
(https://embed.fstech.ltd/-cxwC5aGmvZ)

Gateway Config Detail:
(https://embed.fstech.ltd/-okamTxdaPW)

Aliases:
(https://embed.fstech.ltd/-iZLTAiUWDg)

Port Forward Rule:
(https://embed.fstech.ltd/-LVt9V7oQFe)
Title: Re: ProtonVPN Wireguard DNS
Post by: gspannu on April 15, 2024, 05:17:43 PM
Quote from: jlficken on April 05, 2024, 02:17:46 AM
I got it working!!!!

It involves setting up the WG tunnels correctly and a Port Forward rule, however, it's working beautifully and only my devices.

WireGuard Instance Config:
(https://nextcloud.fstech.ltd/s/c3Lq37kT3BcepiZ/preview)

Gateway Config Overview:
(https://nextcloud.fstech.ltd/s/qADjAerszBcCp6S/preview)

Gateway Config Detail:
(https://nextcloud.fstech.ltd/s/wtYw7pFoARKQPx8/preview)

Aliases:
(https://nextcloud.fstech.ltd/s/XB3DdQSY7KdtcJZ/preview)

Port Forward Rule:
(https://nextcloud.fstech.ltd/s/NMRcML4dcyic4Jz/preview)

Cannot see your attached images...

Would you mind reposting and writing up a small tutorial?

It has been an absolute struggle to get a WG connection to an external VPN.

Most of the guides on the internet are outdated and refer to the WG-go version.

Thanks...
Title: Re: ProtonVPN Wireguard DNS
Post by: jlficken on April 15, 2024, 10:25:46 PM
Try the images in my original post now as I moved to a new image hosting option.
Title: Re: ProtonVPN Wireguard DNS
Post by: gspannu on April 18, 2024, 11:30:34 PM
Quote from: jlficken on April 15, 2024, 10:25:46 PM
Try the images in my original post now as I moved to a new image hosting option.

Thanks, the images are showing now...
Title: Re: ProtonVPN Wireguard DNS
Post by: umbramalison on July 15, 2024, 11:35:34 AM
@jlficken noticed you've strayed away from using the tunnel IP that ProtonVPN documents (10.2.0.2/32),
considering the explanations here: https://protonvpn.com/support/wireguard-privacy/

do you know why your configuration is working with differing tunnel IPs?
Title: Re: ProtonVPN Wireguard DNS
Post by: jlficken on July 15, 2024, 07:58:52 PM
@umbramalison

I have 3 tunnels running for a Gateway Group and you can't have 3 WireGuard instances running with the same Tunnel Address so that's why I had to change them.
Title: Re: ProtonVPN Wireguard DNS
Post by: umbramalison on July 16, 2024, 12:25:14 AM
@jlficken, I'm also trying to get multiple tunnels working, and I also thought I had it working by simply using a different tunnel IP like you describe.

But I don't understand how that would work, as I believe the tunnel IP needs to be configured the same from both sides, and ProtonVPN seem almost consistent in that the tunnel IP has to be 10.2.0.2/32, and they cite that this is to better protect users.
Almost consistent, because they did at least once post on reddit suggesting 10.2.0.2/28...

There are guides online for solving this another way, and that is to NAT each tunnel, allowing each tunnel IP to be identical on the external side while internally the IP and GW are mapped to unique IPs. An extra NAT is yet more port forward configuration though.
Such as this guide: https://old.reddit.com/r/ProtonVPN/comments/127zpbe/protonvpn_wireguard_multiconnection_on_pfsense/

Coming back to your solution, it seemed like it worked for me too, so I'm left thinking why? What am I missing? Maybe it's not working the way I think and it's actually very broken like this.

If you know why changing the tunnel IP works, or where this is documented, that would be super.
Title: Re: ProtonVPN Wireguard DNS
Post by: jlficken on July 16, 2024, 12:43:59 AM
Yeah I have no idea why it works. I just know that it does.
Title: Re: ProtonVPN Wireguard DNS
Post by: jlficken on July 16, 2024, 02:07:40 AM
@umbramalison

In looking at this I kind of wonder if the IP used on the WireGuard Instance doesn't matter at all since Proton reassigns it when you connect?

https://web.archive.org/web/20240222160434/https://protonvpn.com/support/wireguard-privacy/
Title: Re: ProtonVPN Wireguard DNS
Post by: umbramalison on July 16, 2024, 02:16:04 PM
@jlficken I spoke to the ProtonVPN chat today about this,

here is what I was told:

Quote
You can indeed change the tunnel IP to 10.3.0.2 to get another connection.
You should be able to put any number at 10._.0..., but keep in mind that you will have to generate a unique certificate for each connection.

I was told it's not mentioned on the web pages because it's a complicated setup. Well, nowhere near as complicated as those guides that I was looking at which add NAT and virtual IPs etc. etc.!

I suspect the bit about the certificate would be specific to OpenVPN.
Title: Re: ProtonVPN Wireguard DNS
Post by: eldee on July 17, 2024, 10:06:33 PM
@umbramalison, I agree this sounds simpler. In case you wanted to give a try to a setup with NAT rules and virtual ips, you can check my working configuration here: https://forum.opnsense.org/index.php?topic=41534.msg203864#msg203864.

More complicated, but highly educational IMO :)
Title: Re: ProtonVPN Wireguard DNS
Post by: jlficken on July 18, 2024, 08:39:02 PM
As a side note, you may want to check the Status page under VPN --> WireGuard to make sure the tunnels are actually working. Even though the Gateway was showing as being "Up", the tunnel wasn't actually working, as there wasn't a value for the Handshake, Send, or Received columns, I figured out.

I was wondering why pages going out over the tunnels would sometimes load and sometimes wouldn't and that's why.

After changing to different servers they're all up and passing traffic now.
Title: Re: ProtonVPN Wireguard DNS
Post by: frozen on January 09, 2025, 05:58:37 AM
I'm here for the same reason. This is an absolute nightmare. The documentation is one of the worst things of all; the guide is just totally ignorant of the needs of the user at the bottom of it.

The tunnels are established, and I can assign a client to the alias, which will then browse through the tunnel with no problems. A 'curl ip.me' check shows the VPN IP. But I can't solve the leaking DNS problem.