Hi all,
I am trying to set up 2 WireGuard ProtonVPN tunnels, with Unbound as the DNS resolver. I have several VLANs in interface groups: one group for outbound traffic with VPN and one without (the WAN group does not use Unbound). The VPNs are in a gateway group, one main tunnel, the other backup.
Below I put together, by copying and pasting from the various guides I followed, the steps I took, but it is incomplete (the DNS firewall rule is missing).
Issues
- Gateways: Whenever I restart OPNsense, the gateways are offline. I have to press edit on the second one, save without making any changes, and apply; then they show as online. No changes are made. Before this I get the errors in the attachments.
- DNS: I have no idea what rule I need to avoid DNS leaks. I've tried several rules from various guides but none seemed to work.
For the WireGuard instances, it seems to work, but I'm unclear on:
- MTU: I'm using 1420 but I've also seen 1412 and other options. How do I know what I need?
- Tunnel Address: I'm using /32 but have also seen /30 and /28. I'm not clear how this works and what I should use.
Note: I am also using a Pi-hole. I have the Pi-hole set as the VLAN DNS, and the Pi-hole has the OPNsense Unbound as its DNS.
Thanks for any help!!
__________________________
Step 1 - Download ProtonVPN configurations
Config 1 example
[Interface]
.......
PrivateKey = *****
Address = 10.2.0.2/32
DNS = 10.2.0.1
[Peer]
.....
PublicKey = *****
AllowedIPs = 0.0.0.0/0
Endpoint = 11.11.11.11:51820
Config 2 example
[Interface]
.......
PrivateKey = *****
Address = 10.2.0.2/32
DNS = 10.2.0.1
[Peer]
.....
PublicKey = *****
AllowedIPs = 0.0.0.0/0
Endpoint = 22.22.22.22:51820
Step 2 - Generate public keys from private keys
ProtonVPN, unlike Mullvad or other WG implementations, only provides a private key. The private key appears briefly when generating the configuration in the web UI. The public key will be derived from the private key with the "wg pubkey" command.
Run the command for both configs using the PrivateKey in the Interface section:
wg pubkey < PrivateKey
Step 3 - Setup WireGuard Instances
- Go to VPN ‣ WireGuard ‣ Instances
- Click + to add a new Instance configuration
- Turn on "advanced mode"
- Configure the Instances from the downloaded ProtonVPN configurations as follows (if an option is not mentioned below, leave it as the default):
Enabled | Checked
Name | Call it whatever you want, like the exit country (eg CH60)
Public Key | Insert the derived PublicKey from the previous step
Private Key | Insert the PrivateKey field from the [Interface] section
Listen Port | A unique port, 51820 or above: 51820 for the first instance, 51821 for the second
MTU | Needs to be 80 bytes shorter than the normal MTU. Default 1420 (1500 - 80 = 1420?). I use 1420; some suggest 1412?
DNS Server | Leave blank
Tunnel Address | Insert the Address field from the [Interface] section in CIDR format: 10.2.0.2/32 for the first instance, 10.3.0.2/32 for the second instance. Some suggest /30 or /28?
Peers | Leave blank for now
Disable Routes | Checked
Gateway | Tunnel address - 1: 10.2.0.1 for the first instance, 10.3.0.1 for the second instance
- Save the Instance configuration, and then click Apply
Step 4 - Setup Wireguard Peers
- Go to VPN ‣ WireGuard ‣ Peers
- Click + to add a new Peer
- Configure the Peer from the downloaded ProtonVPN configuration as follows (if an option is not mentioned below, leave it as the default):
Enabled | Checked
Name | Call it whatever you want, like the exit country (eg CA60)
Public Key | Insert the PublicKey field from the [Peer] section
Allowed IPs | 0.0.0.0/0
Endpoint address | Insert the IP address from the Endpoint field in the [Peer] section
Endpoint port | Insert the port number from the Endpoint field in the [Peer] section (51820 for both)
Instances | Select the instance configured in the previous step
Keepalive interval | 25
- Save the Peer configuration, and then click Apply
Step 5 - Turn on WireGuard
Turn on WireGuard under VPN ‣ WireGuard ‣ Instances ‣ Enable WireGuard ‣ Checked
Step 6 - Assign interfaces to WireGuard and enable them
- Go to Interfaces ‣ Assignments
- In the Device dropdown in the "Assign a new interface", select the WireGuard device (e.g. wg1 and wg2)
- Add a description (e.g. VPN0 for first and VPN1 for second)
- Press Add to add it, then click Save
- Then select your new interfaces under the Interfaces menu
- Configure it as follows (if an option is not mentioned below, leave it as the default):
Enable | Checked
Lock | Checked
Description | Same as under Assignments, if this box is not already populated
IPv4 Configuration Type | None
IPv6 Configuration Type | None
- Save the interface configuration and then click Apply changes
- Restart WireGuard
Step 7 - Create gateways
- Go to System ‣ Gateways ‣ Configuration
- Click Add
- Configure the gateway as follows (if an option is not mentioned below, leave it as the default):
Name | Name them the same as the interfaces: VPN0, VPN1
Description | Add one if you wish to
Interface | Select the newly created interfaces in the dropdown
Address Family | Select IPv4 in the dropdown
IP address | Insert the gateway IP that you configured under the WireGuard Instance configuration: 10.2.0.1 for the first instance, 10.3.0.1 for the second instance
Far Gateway | Checked
Disable Gateway Monitoring | Unchecked
Disable Host Route | Checked
Monitor IP | Insert the Endpoint IP from the config file
- Save the gateway configuration and then click Apply changes
Step 8 - Gateway Group
- Navigate to System ‣ Gateways ‣ Group and click Add
Group Name | VPN_GROUP
VPN0 | Tier 1
VPN1 | Tier 2 (failover)
Trigger Level | Packet Loss or High Latency
It's also possible to configure load balancing by putting multiple interfaces into the same tier.
Step 9 - Create Interface Groups (requires VLANs being already set up)
We use interface groups to apply policies to multiple interfaces at once and reduce the number of required firewall rules significantly.
- Navigate to Firewall ‣ Groups and add the following interface groups.
#IG_OUT_WAN
Name | IG_OUT_WAN
Description | Interfaces allowing outbound WAN traffic
Members | Select VLANs that will not go through the VPN
#IG_OUT_VPN
Name | IG_OUT_VPN
Description | Interfaces allowing outbound VPN traffic
Members | Select VLANs that will go through the VPN
Step 10 - Firewall Rules
1. RFC1918 Alias
- First go to Firewall ‣ Aliases
- Click + to add a new Alias
- Configure the Alias as follows (if an option is not mentioned below, leave it as the default):
Enabled | Checked
Name | RFC1918
Type | Select Network(s) in the dropdown
Content | Option 1: 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12. Option 2: select all opt networks and the LAN network
Description | All local networks
- Save the Alias, and then click Apply
2. Traffic through WireGuard rule
- Then go to Firewall ‣ Rules ‣ IG_OUT_VPN
- Click Add to add a new rule
- Configure the rule as follows (if an option is not mentioned below, leave it as the default):
Action | Pass
Quick | Checked
Interface | IG_OUT_VPN
Direction | in
TCP/IP Version | IPv4
Protocol | any
Source / Invert | Unchecked
Source | IG_OUT_VPN net
Destination / Invert | Checked
Destination | Select the RFC1918 Alias you created above in the dropdown
Destination port range | any
Description | wireguard
Gateway | Select the gateway group you created above (VPN_GROUP)
Set local tag | NO_WAN_EGRESS
The NO_WAN_EGRESS local tag will be used for the killswitch to prevent traffic leaking out if a tunnel is down.
- Save the rule, and then click Apply Changes
- Then make sure that the new rule is above any other rule on the interface that would otherwise interfere with its operation. For example, you want your new rule to be above the "Default allow LAN to any" rule.
3. *.local addresses rule (requires mDNS Repeater: install and activate the plugin on interfaces using the VPN)
- Click Add to add a new rule
- Configure the rule as follows (if an option is not mentioned below, leave it as the default):
Action | Pass
Quick | Checked
Interface | IG_OUT_VPN
Direction | in
TCP/IP Version | IPv4
Protocol | UDP
Source / Invert | Unchecked
Source | IG_OUT_VPN net
Destination / Invert | Unchecked
Destination | 224.0.0.251/24
Destination port range | for both "from" and "to" select (other) 5353
Description | Allow multicast mDNS traffic
- Save the rule, and then click Apply Changes
4. DNS rule???
5. Killswitch rule
- Go to Firewall ‣ Rules ‣ IG_OUT_VPN
- Click Add to add a new rule
- Configure the rule as follows (if an option is not mentioned below, leave it as the default). You need to click the Show/Hide button next to "Advanced Options" to reveal the last setting:
Action | Block
Quick | Checked
Interface | IG_OUT_VPN
Direction | out
TCP/IP Version | IPv4
Protocol | any
Source / Invert | Unchecked
Source | any
Destination / Invert | Unchecked
Destination | any
Destination port range | any
Description | Killswitch
Match local tag | NO_WAN_EGRESS
- Save the rule, and then click Apply Changes
Step 11 - Create outbound NAT rules
- Go to Firewall ‣ NAT ‣ Outbound
- Select "Hybrid outbound NAT rule generation" if it is not already selected, and click Save and then Apply changes
- Click Add to add a new rule
- Configure the rule as follows (if an option is not mentioned below, leave it as the default):
Interface | Select the interface for your WireGuard VPN (VPN0, VPN1)
TCP/IP Version | IPv4
Protocol | any
Source invert | Unchecked
Source address | IG_OUT_VPN net
Source port | any
Destination invert | Unchecked
Destination address | any
Destination port | any
Translation / target | Interface address
- Save the rule, and then click Apply changes
- https://docs.opnsense.org/manual/how-tos/wireguard-client-proton.html
- https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html
- https://schnerring.net/blog/opnsense-baseline-guide-with-vpn-guest-and-vlan-support/
- https://forum.opnsense.org/index.php?topic=39061.0
- https://gist.github.com/morningreis/eeda36e8bb07dcb750d77e9a744776e8
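As an added example (not part of the post above, and not OPNsense's or ProtonVPN's own code), the following script does Step 2 and the field mapping of Steps 3 and 4 in one go: it derives the public key from a WireGuard private key exactly as "wg pubkey" does (clamp the 32-byte key and multiply the Curve25519 base point, RFC 7748), parses the [Interface]/[Peer] file ProtonVPN hands out, and prints the values the Instance and Peer forms ask for, including the "tunnel address - 1" gateway and the MTU arithmetic (1500 - 80 = 1420). The config text, the peer key placeholder and the listen port are constructed here; the private key is the RFC 7748 test vector, so the derived public key can be checked against the RFC. A real ProtonVPN key is pasted in the same way. The built-in X25519 is for cross-checking a key when the wg tool is not at hand; it is not constant-time and should not be used for anything but this kind of offline verification.

```python
"""Added example: map a ProtonVPN WireGuard config to OPNsense form fields.
Pure-Python X25519 per RFC 7748; sample config below is constructed."""
import base64
import ipaddress
import re

# --- X25519 base-point multiplication (RFC 7748 section 5), no extra deps ---
_P = 2**255 - 19
_A24 = 121665


def _clamp(priv: bytes) -> int:
    """The scalar clamping every WireGuard/X25519 private key gets."""
    k = bytearray(priv)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def public_key_from_private(priv: bytes) -> bytes:
    """Return X25519(priv, 9): Montgomery ladder over the base point u = 9."""
    if len(priv) != 32:
        raise ValueError("WireGuard private keys are exactly 32 bytes")
    k = _clamp(priv)
    x1 = 9
    x2, z2, x3, z3 = 1, 0, 9, 1
    swap = 0
    for t in range(254, -1, -1):          # bit 255 is always clear after clamping
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % _P
        aa = a * a % _P
        b = (x2 - z2) % _P
        bb = b * b % _P
        e = (aa - bb) % _P
        c = (x3 + z3) % _P
        d = (x3 - z3) % _P
        da = d * a % _P
        cb = c * b % _P
        x3 = (da + cb) * (da + cb) % _P
        z3 = x1 * ((da - cb) * (da - cb) % _P) % _P
        x2 = aa * bb % _P
        z2 = e * (aa + _A24 * e) % _P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")


def derive_public_key(priv_b64: str) -> str:
    """Base64 in, base64 out: the same result as `echo <PrivateKey> | wg pubkey`."""
    return base64.b64encode(public_key_from_private(base64.b64decode(priv_b64))).decode()


def parse_wg_config(text: str) -> dict:
    """Read [Section] headers and Key = Value lines; ignores filler like '......'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))  # keys may end in '='
            current[key] = value
    return sections


def tunnel_mtu(outer_mtu: int = 1500, overhead: int = 80) -> int:
    """OPNsense's default 1420 is 1500 minus 80 bytes (IPv6 + UDP + WireGuard
    headers, the worst case); a PPPoE uplink of 1492 gives 1412 the same way."""
    return outer_mtu - overhead


def opnsense_plan(config_text: str, listen_port: int, outer_mtu: int = 1500) -> dict:
    """Values for the Instance and Peer forms, following the thread's Steps 3 and 4."""
    cfg = parse_wg_config(config_text)
    iface, peer = cfg["Interface"], cfg["Peer"]
    addr = ipaddress.ip_interface(iface["Address"])
    host, _, port = peer["Endpoint"].rpartition(":")  # assumes IPv4 host:port
    return {
        "instance": {
            "public_key": derive_public_key(iface["PrivateKey"]),
            "private_key": iface["PrivateKey"],
            "listen_port": listen_port,
            "mtu": tunnel_mtu(outer_mtu),
            "tunnel_address": str(addr),
            "gateway": str(addr.ip - 1),   # "tunnel address - 1" from Step 3
        },
        "peer": {
            "public_key": peer["PublicKey"],
            "allowed_ips": peer["AllowedIPs"],
            "endpoint_address": host,
            "endpoint_port": int(port),
            "keepalive": 25,
        },
    }


# Constructed sample: RFC 7748 section 6.1 private key "a" as the PrivateKey,
# a placeholder (not a real key) for the server's PublicKey.
RFC7748_PRIV_HEX = "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"
SAMPLE_PRIVATE_KEY = base64.b64encode(bytes.fromhex(RFC7748_PRIV_HEX)).decode()
SAMPLE_CONFIG_1 = f"""
[Interface]
.......
PrivateKey = {SAMPLE_PRIVATE_KEY}
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
.....
PublicKey = PEER-PUBLIC-KEY-PLACEHOLDER
AllowedIPs = 0.0.0.0/0
Endpoint = 11.11.11.11:51820
"""

if __name__ == "__main__":
    import json
    print(json.dumps(opnsense_plan(SAMPLE_CONFIG_1, listen_port=51820), indent=2))
```

Run it and compare the printed public key with the output of "wg pubkey" for the same PrivateKey; the two must match. The gateway value is only the "tunnel address - 1" convention this thread uses for a /32 tunnel address; with a /30 or /28 the usable range changes and the gateway should be the address ProtonVPN actually answers on inside the tunnel network.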
Hi there, I'm not able to solve your problem, but I just wanted to make a few observations:
1) MTU standard value is 1420, but if your connection is PPPoE then use 1412.
2) Step 3 (instances) - don't use 51820 as it's the default port of each peer.
3) Step 4 (DNS) - I don't use Unbound but the ProtonVPN DNS server, that is 10.2.0.1, with a port forward.
4) Step 5 (killswitch) - the documentation states to set it up as a floating rule, so no idea why you're using the IG_OUT_VPN interface instead...
Thanks!
1) With PPPoE, do you mean if I have devices connected to the VLANs in this group that use PPPoE I should change the MTU, or if my OPNsense device is PPPoE? For example my Pi-hole is powered by PPPoE.
2) Yes, I am using 51820 and 51821.
3) For the moment I have enabled Query Forwarding to the System Nameservers (Quad9) in Unbound and it seems I no longer have leaks, but I don't think this is good. I may change it to simply use the ProtonVPN DNS without Unbound like you if I can't get it to work.
4) As a floating rule, it seemed to affect the VLANs that are not on VPN too, blocking them. Not sure it is correct, but since the killswitch is just for the VLANs in that group, I put it there.
I have also added the top 2 rules since putting together the steps (see attachment). Given that VLANs in the group cannot reach other VLANs, I needed to give access to the Pi-hole and Unbound.
Hi, I have your configuration almost working (just one issue that I am trying to solve).
Let me ask some questions: which priority did you set in the gateways? The WAN shall be the same or higher than the others (lower number).
Also, the IPs to be used inside the gateway configuration are not the endpoint provided inside the config file! That is a public IP; instead you need the IP inside the VPN network (for details have a look again at the guide).
Hi,
You mean in the gateway group? I have it set to "never" for WAN, see attachment.
Regarding the gateway IP, I'm a bit confused: how do I determine the one for ProtonVPN? It says to use traceroute but I'm not clear on what to look for.
Hi, actually I was referring to the more general gateway page, System/gateway/configuration.
On this page, which priority did you give to each one?
Still on this page, if you go into the detailed configuration of one of the Proton gateways, there is a "MONITOR IP" box; which value did you use here? Try to use something like 9.9.9.9 (Quad9 DNS server).
Ah sorry, misunderstood. They are both set to 255.
I also tried putting the Quad9 IPs in the monitor IPs (9.9.9.9 and 149.112.112.112), but the gateways were still offline until I pressed apply again.
Try to set the WAN to higher priority. The WAN gateway is online, correct?
Hi, just wanted to know if someone could tell me what I need to do if I wanted to route all internal DNS requests (xyz.localhub) to Unbound (overrides) and the rest to Proton's DNS server (10.2.0.1)? Thank you!