OPNsense Forum

English Forums => Virtual private networks => Topic started by: MoonRaider99 on November 20, 2025, 08:52:29 PM

Title: Adguard Home->Unbound->Mullvad issues
Post by: MoonRaider99 on November 20, 2025, 08:52:29 PM
Hello, I have OPNSense 25.7.7. I would like to route all my client devices' DNS requests to go to Adguard Home, which is installed on OPNSense, for filtering, and then to Unbound DNS, also on OPNSense, for recursion, and then from there, route all traffic out through Mullvad VPN/DNS servers. Preferably over TLS.
OPNSense DNS server set to 192.168.100.1 (my OPNSense LAN IP) under System->General Settings. Allow DNS Override is unchecked, Do not Use the Local DNS service is unchecked.

Adguard Home is configured on port 53 with "Primary DNS" checked in OPNSense. Adguard Home Upstream DNS servers set to 127.0.0.1:5353.

Unbound listen port is set to 5353, Network Interfaces is set to All, DNSSEC support enabled. Adguard and Unbound seem to be working together correctly. No Unbound DNS over TLS or forwarding settings (yet?)
I have set Mullvad up:
Wireguard->Peers-
Enabled, Public Key from Mullvad config, allowed IPs 0.0.0.0/0, ::0/0, endpoint address set to the "Peer Endpoint" address from Mullvad config. Endpoint port set to 51820 per Mullvad config. Keepalive at 25.

Wireguard->Instances-
Enabled, Public and Private key from Mullvad config, Listen port 51820, Tunnel address 10.x.x.x/32 from Mullvad config "Interface address", also entered IPv6 address. Peers set to the Peer I just created^^^. Disable Routes checked. Wireguard enabled. Checking Status page shows Handshake Age and Sent/Received data.

Interface has been assigned to Wireguard Interface.

Gateway Settings-
I have one for IPv4, and one for IPv6. Interface set to the Wireguard Interface I just set up^^, Address family set to IPv4 (and IPv6) IP address is set to 10.64.0.1 (fc00:bbbb:bbbb:bb01::1) [Could this be the problem, since this is specifically pointing to Mullvad DNS servers?]. Far Gateway is checked. Disable Gateway monitoring is checked.

Firewall->NAT->Outbound
Separate rules set for both IPv4 and IPv6. Interface set to Wireguard Interface from above, Protocol set to any, Source address set to LAN net, Destination set to any, Translation Target set to Wireguard Interface address (not "Interface address").

Firewall->LAN Rules
Two separate rules for IPv4 and IPv6. Pass, Quick apply, Interface set to LAN, Direction IN, TCP/IP Version set to IPv4 (or IPv6), Protocol any, Source is LAN net, Destination is any, Gateway set to the previously configured Gateway for IPv4- 10.64.0.1 (or IPv6). These rules are placed above the Default allow LAN to any rule.
The result/problem:
Mullvad check and Whatsmyip are showing I am using the VPN, no DNS leaks, using Mullvad servers. But not only is Adguard Home not filtering anymore, the UI won't even load. If I turn those firewall rules off, Adguard and Unbound work fine. So I am assuming that I am bypassing Adguard and probably Unbound entirely (and somehow breaking Adguard?). How can I fix this?

Again, I am trying to route my internal clients to Adguard for filtering and monitoring, to Unbound for recursion, and then out through Mullvad tunnels, using their DNS servers, preferably over TLS. I am new to all of this, and I'm not finding a clear solution that works.
Thank you! I appreciate your help! :)
Edit: I removed IPv6 from the machine altogether and blocked on the firewall, just to make things a little easier to deal with. So ignore all that. I tested again, no change, not that I really thought there would be.
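The symptom described in the post (AdGuard Home stops filtering and its UI stops loading the moment the policy-routing LAN rules are enabled, and both work again when the rules are disabled) is the usual result of a "LAN net -> any" pass rule with a gateway set sitting above every other LAN rule: a DNS query from a LAN client to 192.168.100.1:53 matches that rule first, so pf applies route-to and pushes the packet into the WireGuard tunnel instead of delivering it to AdGuard on the firewall itself. The block below is an added example for this page, not code from the post or from OPNsense. It models pf-style first-match evaluation of the ruleset as posted, and of a corrected ordering in which no-gateway rules for "This Firewall" and the LAN net sit above the policy-routing rule so that only Internet-bound traffic is sent to Mullvad. The /24 LAN prefix, the client address 192.168.100.50, the gateway label, the AdGuard UI port used in the demo, and the contents of the "This Firewall" alias are assumptions; the model does not talk to a real firewall.

```python
"""Toy first-match model of the OPNsense LAN rules discussed in the post.

Constructed example: only rule matching (source, destination, quick,
gateway) is modelled, the way OPNsense/pf evaluates "quick" rules from the
top of the interface ruleset down. Addresses come from the post; the LAN
prefix length, client address and alias contents are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Union

LAN_NET: IPv4Network = ip_network("192.168.100.0/24")   # assumed /24 around the LAN IP
FIREWALL_IPS = {ip_address("192.168.100.1"),             # LAN address from the post
                ip_address("127.0.0.1")}                  # "This Firewall" = all local addresses (assumed)
MULLVAD_GW = "MULLVAD_WG_GW"      # label for the IPv4 gateway on the WireGuard interface
ROUTING_TABLE = "routing-table"   # no gateway on the rule: normal routing, local delivery
BLOCK = "block"                   # OPNsense default deny when nothing matches

Dest = Union[str, IPv4Network]    # "any", "this_firewall", or a network


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: Optional[IPv4Network]      # None = any source
    dst: Dest
    gateway: Optional[str] = None   # None = leave routing to the system table
    quick: bool = True              # OPNsense rules are "quick" unless unchecked

    def matches(self, p: Packet) -> bool:
        if self.src is not None and p.src not in self.src:
            return False
        if self.dst == "any":
            return True
        if self.dst == "this_firewall":
            return p.dst in FIREWALL_IPS
        return p.dst in self.dst


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching quick rule decides; otherwise the last non-quick match; else block."""
    last_match: Optional[Rule] = None
    for r in rules:
        if r.matches(p):
            if r.quick:
                return r.gateway or ROUTING_TABLE
            last_match = r
    return BLOCK if last_match is None else (last_match.gateway or ROUTING_TABLE)


# Ruleset as posted: the policy-routing rule sits directly above the default allow.
AS_POSTED: List[Rule] = [
    Rule("LAN net -> any via Mullvad", LAN_NET, "any", gateway=MULLVAD_GW),
    Rule("Default allow LAN to any", LAN_NET, "any"),
]

# Corrected ordering: traffic for the firewall itself and for the LAN is matched
# first without a gateway, so only the remaining (Internet) traffic is policy-routed.
CORRECTED: List[Rule] = [
    Rule("LAN net -> This Firewall (no gateway)", LAN_NET, "this_firewall"),
    Rule("LAN net -> LAN net (no gateway)", LAN_NET, LAN_NET),
    Rule("LAN net -> any via Mullvad", LAN_NET, "any", gateway=MULLVAD_GW),
    Rule("Default allow LAN to any", LAN_NET, "any"),
]


def route_for(rules: List[Rule], dst: str, dport: int, src: str = "192.168.100.50") -> str:
    """Decision for a packet from a LAN client (assumed 192.168.100.50) to dst:dport."""
    return evaluate(rules, Packet(ip_address(src), ip_address(dst), dport))


if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"[{label}] DNS to AdGuard 192.168.100.1:53 ->", route_for(rules, "192.168.100.1", 53))
        print(f"[{label}] AdGuard UI 192.168.100.1:3000 ->", route_for(rules, "192.168.100.1", 3000))
        print(f"[{label}] Internet 1.1.1.1:443          ->", route_for(rules, "1.1.1.1", 443))
```

With the posted order the client's DNS query and the AdGuard UI connection both come back as routed via the Mullvad gateway, which matches the reported behaviour; with the corrected order they are delivered locally while 1.1.1.1 still leaves through the tunnel. Unbound's upstream traffic (127.0.0.1:5353 from AdGuard) never crosses the LAN ruleset, so it is unaffected either way; what the outbound NAT on the WireGuard interface does for the firewall's own recursive queries is a separate question not modelled here.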