Hi,
I've been working on making all outbound traffic from specific VLANs go through my VPN provider following this (https://schnerring.net/blog/opnsense-baseline-guide-with-vpn-guest-and-vlan-support) guide by Michael Schnerring (https://forum.opnsense.org/index.php?action=profile;u=30824).
I got it all working except I cannot get the Unbound DNS traffic to flow through the WAN_VPN interface resulting in DNS leakage.
The problem is that since at least version 24.1.4 it is no longer possible to assign "an IP configuration type to a tunnel interface", thus making it impossible to statically configure the interface, which is a requirement for Unbound to select the WAN_VPN interface via the "Outgoing Network Interfaces" setting.
The author of the guide also commented on this issue in a post (https://forum.opnsense.org/index.php?PHPSESSID=kgcj7ae2ihgjdnseucpktq27jt&topic=36403.15) about a year ago, but it doesn't look like a solution has been found.
I've tried experimenting with different NAT outbound, port forwarding and firewall rules without any luck. Any outbound DNS traffic generated by Unbound is just allowed through the firewall via the auto-generated "let out anything from firewall host itself" without triggering any rules.
Since it worked in the past, it should be possible to get it to work again somehow, right?
Any help on this is much appreciated. Thanks!
Hey there idleDiplomat,
The solution that worked for me is to configure the VPN gateways as outside your subnet, and then have Unbound pass outbound traffic from the firewall through those gateways:

1. Make the VPN gateways Far Gateways in System > Gateways > Configuration > [edit each gateway], and also make them upstream gateways.
2. Allow default gateway switching under System > Settings > General.
3. Assign those gateways a priority that is higher (a lower number) than the WAN interface.
4. Configure Unbound to let the operating system decide which interface to send traffic out of, by deselecting all interfaces under Services > General > Unbound DNS > [select "advanced"] > Outgoing Interfaces.
See here (https://forum.opnsense.org/index.php?topic=46648.0) for more links, and here (https://forum.opnsense.org/index.php?topic=39061.0) for a guide that's better than my hastily-rendered walls of text.
Happy policy making!
P.S. Michael Schnerring's guide is great. I can confirm that in 2025 you can still implement his approach to sending Unbound traffic through the VPN tunnels but for Mullvad, in addition to those steps I just posted you also have to set up your Mullvad device to disable DNS hijacking via a CLI call (https://schnerring.net/blog/use-custom-dns-servers-with-mullvad-and-any-wireguard-client/).
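Once the gateway priorities and the empty Unbound outgoing-interface list are in place, the point of the reply above is that the kernel routing table, not Unbound, decides where upstream queries go, so the thing to verify is the kernel's egress decision and what actually leaves the WAN. The script below is an added example for doing that from the OPNsense shell; it is not code from the thread, from Michael Schnerring's guide, or from OPNsense. The interface names (wg0 for the WireGuard tunnel, vtnet0 for WAN), the 203.0.113.10 WAN address, the Mullvad-style 10.64.0.1 gateway and the `route -n get` / `tcpdump` output embedded in it are constructed samples so it runs offline; on a real box you would feed it the live output of the two commands named in the comments. It only parses IPv4 lines.

```shell
#!/bin/sh
# Added example, not from the forum thread or the guide. Two checks for
# "do Unbound's upstream queries really leave via the VPN gateway?".
# Interface names, addresses and the sample command output are assumptions.

# Check 1: which interface the kernel picks for a resolver address.
# On OPNsense:   route -n get 1.1.1.1
# With the VPN gateway as the preferred upstream gateway this must report
# the tunnel interface, not the WAN interface.
egress_iface() {
    printf '%s\n' "$1" | awk '$1 == "interface:" { print $2; exit }'
}

# Check 2: DNS queries seen on the WAN with the firewall's own WAN address as
# source. Those are exactly the packets the auto-generated "let out anything
# from firewall host itself" rule lets through, i.e. the leak.
# On OPNsense:   tcpdump -lnni vtnet0 'udp port 53'
# while clients resolve names, then feed the lines in. $1 = WAN address,
# $2 = tcpdump lines. Prints the number of leaked queries (IPv4 only).
count_wan_dns() {
    wan_ip=$1
    printf '%s\n' "$2" | awk -v wan="$wan_ip" '
        $2 == "IP" {
            # $3 is "src.ip.port", $5 is "dst.ip.port:"; strip the port parts
            src = $3; sub(/\.[0-9]+$/, "", src)
            dst = $5; sub(/:$/, "", dst)
            dport = dst; sub(/.*\./, "", dport)
            if (src == wan && dport == "53") n++
        }
        END { print n + 0 }'
}

# Constructed sample: route lookup after the Far Gateway / priority change
# (default route now via the tunnel gateway).
ROUTE_GOOD='   route to: 1.1.1.1
destination: default
       mask: default
    gateway: 10.64.0.1
        fib: 0
  interface: wg0
      flags: <UP,GATEWAY,DONE,STATIC>'

# Constructed sample: the leaking state, default route still via the WAN.
ROUTE_LEAK='   route to: 1.1.1.1
destination: default
       mask: default
    gateway: 203.0.113.1
        fib: 0
  interface: vtnet0
      flags: <UP,GATEWAY,DONE,STATIC>'

# Constructed sample of tcpdump output on the WAN: two Unbound queries from
# the firewall's WAN address, one reply, one unrelated TLS handshake.
TCPDUMP_SAMPLE='12:00:01.000001 IP 203.0.113.10.51234 > 1.1.1.1.53: 1234+ A? example.com. (29)
12:00:01.000500 IP 1.1.1.1.53 > 203.0.113.10.51234: 1234 1/0/0 A 93.184.216.34 (45)
12:00:02.000001 IP 203.0.113.10.41000 > 198.51.100.7.443: Flags [S], seq 1, win 65535, length 0
12:00:03.000001 IP 203.0.113.10.51235 > 9.9.9.9.53: 1235+ AAAA? example.net. (29)'

# Report using the constructed samples; replace them with live output on the box.
echo "egress for 1.1.1.1 (fixed config):   $(egress_iface "$ROUTE_GOOD")"
echo "egress for 1.1.1.1 (leaking config): $(egress_iface "$ROUTE_LEAK")"
echo "DNS queries from the WAN address seen on WAN: $(count_wan_dns 203.0.113.10 "$TCPDUMP_SAMPLE")"
```

A count above zero from the second check while the first check already reports wg0 usually means a stale Unbound socket or a resolver address that has a more specific route than the default; `route -n get` against that exact resolver address, rather than 1.1.1.1, shows which one.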