OPNsense Forum

English Forums => Virtual private networks => Topic started by: schnerring on October 30, 2021, 12:59:03 am

Title: Force Unbound (resolver) to use a WG tunnel and not default route
Post by: schnerring on October 30, 2021, 12:59:03 am
I use Unbound as a resolver and want to force Unbound to use the WireGuard VPN tunnel I configured but just can't figure out what's wrong. At this point I suspect it has to do with NAT or (floating) firewall rules I don't understand.

For reproduction, I factory reset OPNsense and started over leaving everything at defaults.

Next, I followed the WireGuard Selective Routing to External VPN Provider guide from the docs (https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html), and WireGuard is handshaking. The only thing missing is fixing the DNS leak, as mentioned in the guide (https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html#dealing-with-dns-leaks). I want to implement option 1):

Quote
Force the local DNS server to use the tunnel as well. [...] For OPNsense itself, configure the DNS server to use the tunnel gateway.

I think this is the setting under Services > Unbound DNS > General > Outgoing Network Interfaces? I selected the WAN_VPN interface I created. I also blocked all IPv6 traffic by unchecking Firewall > Advanced > Allow IPv6. I rebooted and checked the DNS leak, and it's still there.

I created a firewall live log filter to check DNS root server requests: dst=<any root dns server>. It turns out that DNS traffic leaves through the WAN gateway due to the let out anything from firewall host itself (force gw) rule. So to get rid of this rule, I check Disable force gateway under Firewall > Settings > Advanced. But the traffic still leaves through the WAN interface (let out anything from firewall host itself rule).

I also tried to uncheck Allow DNS server list to be overridden by DHCP/PPP on WAN under System > Settings > General, but this doesn't affect Unbound in resolver mode because it looks up root servers.

Switching from Hybrid outbound NAT rule generation to Manual is when everything stops working because the only NAT rule I have is the selective routing through the tunnel from one host.

To fix this, I just change the alias I created for selective routing from containing just a single host to the entire LAN network (192.168.1.1/24). I tested that all hosts are NATed through the VPN tunnel with traceroute, and indeed, everything hops through the tunnel. But DNS resolution is broken:

Code:
# works
tracepath -n 8.8.8.8
# doesn't work
tracepath 8.8.8.8

Looking at the generated rules when in hybrid mode, I can see that 127.0.0.0/8 and Loopback networks are NATed to WAN. What's the difference between those two networks anyway? Aren't 127.0.0.0/8 loopback networks? Anyway, adding 127.0.0.1/8 to the selective routing alias didn't work.

System > Routes > Status displays

Code:
Proto Destination Gateway        Flags   Use     MTU    Netif    Netif (name)
ipv4  default     <ISP WAN IP>   UGS     11793   1500 igb1     wan

I don't know how to proceed or what to debug. Any help is greatly appreciated.

Title: Re: Force Unbound to use a WireGuard tunnel interface to prevent DNS leaks
Post by: schnerring on October 30, 2021, 02:58:55 am
I saw this post also describing my problem: https://forum.opnsense.org/index.php?topic=24810.0

I changed the following settings:


With this configuration Unbound forwards DNS queries to the specified system DNS through the tunnel.

It's not what I want (I want to use resolver mode) but an indicator that there's a problem with Unbound in resolver mode.
Title: Re: Force Unbound to use a WireGuard tunnel interface to prevent DNS leaks
Post by: schnerring on October 30, 2021, 06:02:58 pm
Trying to understand Unbound more, I found the following in the pfSense docs (https://docs.netgate.com/pfsense/en/latest/services/dns/resolver-modes.html#resolver-mode):

Quote
In resolver mode (default) the DNS Resolver [...] contacts servers which cannot be known beforehand, it must utilize the default route on the firewall to make outbound connections.

This would explain the behavior of Unbound in resolver mode.

My desired behavior is that local DNS resolution fails if my VPN tunnels are down. How do I implement this? How do I re-route DNS traffic using the default route?
Title: Re: Force Unbound to use a WireGuard tunnel interface to prevent DNS leaks
Post by: Patrick M. Hausen on October 30, 2021, 06:06:14 pm
What are you trying to achieve? The most private way of doing DNS is to just use your local resolver without any forwarding.

You could use BIND instead of unbound. Set a forwarder that is reachable via your WireGuard tunnel, only. And then set "forward-only" - this means resolution will fail if the forwarder cannot be reached.
Title: Re: Force Unbound (resolver) to use a WG tunnel and not default route
Post by: schnerring on October 30, 2021, 06:17:06 pm
Quote
What are you trying to achieve? The most private way of doing DNS is to just use your local resolver without any forwarding.

I want to use Unbound in resolver mode and route DNS traffic from Unbound (running on OPNsense) through the VPN tunnel. Unbound seems to always use the default route of the routing table, which is not the "VPN WAN", but my ISP WAN.

How do I do this?

Changing the default gateway to VPN WAN breaks outbound connections. Can I do this policy-based or port forwarding?
Title: Re: Force Unbound (resolver) to use a WG tunnel and not default route
Post by: Patrick M. Hausen on October 30, 2021, 08:46:19 pm
You can add a static host route to your VPN endpoint and then change the default route to your VPN tunnel. But again: why? If it's privacy concerns, commercial VPN vendors are not a solution!
Title: Re: Force Unbound (resolver) to use a WG tunnel and not default route
Post by: schnerring on October 30, 2021, 09:40:53 pm
Quote
You can add a static host route to your VPN endpoint and then change the default route to your VPN tunnel.

Could you elaborate on how to do that? Do you mean a static route from the Local Endpoint interface IP to the ISP WAN? How would this work with multiple VPN gateways?

Quote
But again: why?

Well, I'm curious and want to make this work. And I already learned a lot about the OPNsense platform.

Quote
If it's privacy concerns, commercial VPN vendors are not a solution!

Do you mean no privacy when using a DNS resolver?

If you mean in general, I strongly disagree. If using a VPN is for privacy, it depends on your threat model:

Title: Re: Force Unbound (resolver) to use a WG tunnel and not default route
Post by: schnerring on October 30, 2021, 10:04:33 pm
Those are the default routes installed by WG when Disable Routes is unchecked on the local peer:

Code:
ipv4 0.0.0.0/1 wg0 US 35 1420 wg0 WAN_VPN
ipv4 128.0.0.0/1 wg0 US 250 1420 wg0 WAN_VPN

But this is not what you mean, is it?
Title: Force Unbound (resolver) to use a WG tunnel and not default route
Post by: Greelan on October 31, 2021, 12:50:15 am
I haven’t tried this myself, but maybe an outbound NAT rule that sends all traffic from the unbound IP to destination port 53 over the VPN WAN interface?

A static route may also be needed as earlier suggested
Title: Re: Force Unbound (resolver) to use a WG tunnel and not default route
Post by: Patrick M. Hausen on October 31, 2021, 12:56:16 am
Quote
Could you elaborate on how to do that? Do you mean a static route from the Local Endpoint interface IP to the ISP WAN? How would this work with multiple VPN gateways?

A static route for your single VPN gateway - or multiple static routes to all of your VPN gateways - /32 or /128 prefix length, so pointing to only a single host, with router <your ISP gateway>.
That's necessary to keep your tunnel(s) alive. Then you can route 0.0.0.0/0 or ::/0 through the tunnel.


Quote
Do you mean no privacy when using a DNS resolver?

Whenever you use an upstream resolver, be it through a VPN or not, that upstream resolver sees all your queries. I consider that a serious privacy problem.

When you run a local resolver without upstream and just let it do its magic, nobody sees those. At least nobody in particular in a single place.

I wrote about how a DNS lookup works here:
https://forum.opnsense.org/index.php?topic=22760.msg108462#msg108462

HTH,
Patrick
Title: Re: Force Unbound (resolver) to use a WG tunnel and not default route
Post by: schnerring on October 31, 2021, 02:54:14 am
Thank you for your answers, but I still can't make it work.

Quote
I haven’t tried this myself, but maybe an outbound NAT rule that sends all traffic from the unbound IP to destination port 53 over the VPN WAN interface?

A static route may also be needed as earlier suggested

I tried adding the following outbound NAT rule which didn't work:


Did you mean an outbound NAT rule or a port forward? Can you please give me some more details? A static route from where to where?

As for the approach @pmhausen suggested; here are the routes before making changes:

Code:
Proto   Destination     Gateway       Flags   Use     MTU     Netif   Netif (name)

ipv4    default         X.X.X.1       UGS     434     1500    igb1    wan
ipv4    10.10.10.54     wg0           UHS     0       1420    wg0     WAN_VPN
ipv4    10.10.10.55     link#9        UHS     0       16384   lo0     Loopback
ipv4    10.10.10.55/32  link#9        U       0       1420    wg0     WAN_VPN
ipv4    X.X.X.0/24      link#2        U       0       1500    igb1    wan
ipv4    X.X.X.X         link#2        UHS     0       16384   lo0     Loopback
ipv4    127.0.0.1       link#6        UH      12      16384   lo0     Loopback
ipv4    192.168.1.0/24  link#1        U       1470    1500    igb0    lan
ipv4    192.168.1.1     link#1        UHS     0       16384   lo0     Loopback
ipv4    M.M.M.M         10.10.10.54   UGHS    2       1420    wg0     WAN_VPN

The IP of my local peer is 10.10.10.55 and the Gateway IP is 10.10.10.54. X.X.X.X is my ISP IP. M.M.M.M is the monitoring IP of my VPN gateway.

Quote
A static route for your single VPN gateway [...] pointing to only a single host, with router <your ISP gateway>. [...] Then you can route 0.0.0.0/0.

I added a static route from 10.10.10.54/32 to the WAN gateway ("WAN_DHCP") under System > Routes > Configuration. Then I made my VPN gateway the default gateway by lowering its priority to 250. When I do that, I lose connectivity. Here is the routing table after that change:

Code:
Proto   Destination     Gateway       Flags   Use     MTU     Netif   Netif (name)

ipv4    default         10.10.10.54   UGS     285     1420    wg0     WAN_VPN
ipv4    10.10.10.54     wg0           UHS     0       1420    wg0     WAN_VPN
ipv4    10.10.10.54/32  X.X.X.1       UGS     0       1500    igb1    wan
ipv4    10.10.10.55     link#9        UHS     0       16384   lo0     Loopback
ipv4    10.10.10.55/32  link#9        U       0       1420    wg0     WAN_VPN
ipv4    X.X.X.X.0/24    link#2        U       0       1500    igb1    wan
ipv4    X.X.X.X         link#2        UHS     0       16384   lo0     Loopback
ipv4    127.0.0.1       link#6        UH      374     16384   lo0     Loopback
ipv4    192.168.1.0/24  link#1        U       1962    1500    igb0    lan
ipv4    192.168.1.1     link#1        UHS     0       16384   lo0     Loopback
ipv4    M.M.M.M         10.10.10.54   UGHS    325     1420    wg0     WAN_VPN

Is the 10.10.10.54 -> wg0 static route the issue here?

Quote
Quote
Do you mean no privacy when using a DNS resolver?

Whenever you use an upstream resolver, be it through a VPN or not, that upstream resolver sees all your queries. I consider that a serious privacy problem.

I didn't mean to ask whether or not a resolver improves privacy, I understand that it does. I meant to ask whether you think that sending DNS queries from the resolver through a VPN tunnel has no privacy benefits. I don't know why I wanted to ask this, because I think we both agree that it doesn't make a difference regarding privacy.

Quote
[...] nobody sees those. At least nobody in particular in a single place.

Either the ISP or VPN provider will see the queries of the resolver. If we put on our tinfoil hats for a second, with that data someone could reconstruct part of my browsing behavior from these iterative DNS server queries. So it becomes a question of who I'd rather entrust with that data: the VPN provider accepting my cash payments via mail and knowing nothing else about me. Or my ISP who knows exactly who I am. If we're realistic here, it's more than likely a wasted effort.

A more valid reason would be an ISP hijacking DNS queries because that would trip up a resolver.

In my case it's mostly wasted effort - were it not for the learning experience and fun I have tinkering with OPNsense ;D
Title: Re: Force Unbound (resolver) to use a WG tunnel and not default route
Post by: Greelan on October 31, 2021, 03:18:22 am
Quote
I tried the following:

  • Interface: WAN
  • Source: Loopback net
  • Destination Port: 53
  • NAT Address: WAN_VPN

Quote
Did you mean an outbound NAT rule or a port forward? Can you please give me some more details? A static route from where to where?

I had something different in mind for the outbound NAT rule, such as:

Interface: VPN_WAN
Source: This Firewall
Destination Port: 53
Translation / target: Interface address

But I have also just noticed that under Services/Unbound DNS/General/Advanced, you can set the Outgoing Network Interfaces. Setting this to WAN_VPN may solve your issue, even without a manual outbound NAT rule (setting the unbound advanced option might deal with that for you).

Sorry, this is a bit of (somewhat educated) guesswork. I don't use unbound on OPNsense (I have a separate box that does DNS for my network). :)
Title: Re: Force Unbound (resolver) to use a WG tunnel and not default route
Post by: schnerring on October 31, 2021, 04:00:57 am
Quote
Interface: VPN_WAN
Source: This Firewall
Destination Port: 53
Translation / target: Interface address

I tried the NAT rule without success. I think this rule doesn't get applied because Unbound uses the default route, not VPN_WAN...

Quote
Sorry, this is a bit of (somewhat educated) guesswork. I don't use unbound on OPNsense (I have a separate box that does DNS for my network). :)

No worries, any help I can get is very much appreciated.

Quote
But I have also just noticed that under Services/Unbound DNS/General/Advanced, you can set the Outgoing Network Interfaces.

I already have this set (I mentioned this in the initial post) but traffic still leaves through WAN. It seems the setting is just ignored... What could be the reason that this happens? Wrong NAT rules? Missing rules?

Title: Re: Force Unbound (resolver) to use a WG tunnel and not default route
Post by: Greelan on October 31, 2021, 04:13:32 am
Quote
I already have this set (I mentioned this in the initial post) but traffic still leaves through WAN. It seems the setting is just ignored... What could be the reason that this happens? Wrong NAT rules? Missing rules?

Did you restart unbound after changing the outbound interface?
Title: Re: Force Unbound (resolver) to use a WG tunnel and not default route
Post by: schnerring on October 31, 2021, 04:17:01 am
Yes, more often than not I restart the whole system just to make sure everything is applied properly. As I said, I factory reset the whole system and use as little configuration as possible to understand.
Title: Re: Force Unbound (resolver) to use a WG tunnel and not default route
Post by: Greelan on October 31, 2021, 04:18:53 am
I saw a reddit post earlier today on another unbound/wireguard topic that suggested just rebooting was not enough, unbound had to be restarted: https://www.reddit.com/r/OPNsenseFirewall/comments/qistyl/wireguard_handshake_success_cannot_get_web_pages/himiflq/?utm_source=share&utm_medium=ios_app&utm_name=iossmf&context=3
Title: Re: Force Unbound (resolver) to use a WG tunnel and not default route
Post by: Greelan on October 31, 2021, 04:25:44 am
BTW, what VPN provider are you using? If Mullvad, maybe this (https://forum.netgate.com/topic/166804/unbound-dns-resolver-through-wireguard-tunnel-mullvad-vpn) is your issue?
Title: Re: Force Unbound (resolver) to use a WG tunnel and not default route
Post by: schnerring on October 31, 2021, 04:39:41 am
Restarted Unbound, nothing changed. Have a look at those minimal NAT rules... it's late... am I missing the obvious here?

[how do I embed an attachment?]

Yes, I use Mullvad, but the info is kinda outdated. You simply have to generate the WG keys with the API that the Mullvad app uses (https://schnerring.net/posts/use-custom-dns-servers-with-mullvad-and-any-wireguard-client/). It's undocumented but easy enough to find in the app code on GitHub. I have verified this by using my generated keys with a custom DNS with another client. The custom DNS servers I configured in the client successfully leaked through the tunnel.
Title: Re: Force Unbound (resolver) to use a WG tunnel and not default route
Post by: Patrick M. Hausen on October 31, 2021, 03:30:26 pm
Quote
I added a static route from 10.10.10.54/32 to the WAN gateway ("WAN_DHCP") under System > Routes > Configuration. Then I made my VPN gateway the default gateway by lowering its priority to 250. When I do that, I lose connectivity.
What is the IP address of your Wireguard peer? What I meant was a router for

<your wireguard peer>/32 --> <your ISP upstream gateway>

This is necessary so the tunnel encapsulated packets find their way to the peer. Then you can route everything else (0.0.0.0/0) into the tunnel.
Title: Re: Force Unbound (resolver) to use a WG tunnel and not default route
Post by: schnerring on October 31, 2021, 07:55:56 pm
Thank you so much guys, I finally figured it out and successfully configured the static route. I already thought that I was going to lose my mind, but turns out I'm just a networking newbie and didn't understand what I had to route where ;D

Quote
<your wireguard peer>/32 --> <your ISP upstream gateway>

In hindsight, it's obvious that you mean the remote wireguard peer's IP address and not the IP of the local peer. I only understood this after looking at the routes that WG installs automatically when Disable Routes on the local peer is disabled.

I tested around some more with the Outgoing Network Interfaces option, but it has no effect. The info of the settings states:

Quote
Note that setting explicit outgoing interfaces only works when they are statically configured.

Since the WG interface has no IP configuration, might this be the reason this setting is ignored?

My tests show that Unbound only cares about the routing table. Next, I'm gonna try to configure multiple VPN gateways.

If new questions regarding multi-WAN come up, I'm gonna start a new topic.

Again, thanks so much guys, I couldn't have done it without you. I learned a lot :-*
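The static-route point Patrick makes above (host route for the remote WireGuard peer via the ISP gateway, then default route into the tunnel) and the three routing tables posted in this thread can be checked with a small longest-prefix-match simulation. This is an added example, not code from the thread or from OPNsense; the anonymised X.X.X.x and M.M.M.M addresses are replaced by constructed RFC 5737 documentation addresses, and the peer endpoint 198.51.100.10 is an assumption.

```python
import ipaddress

# Added example, not from the thread. Routing tables are modelled on the netstat
# output posted above; anonymised values are replaced by constructed addresses.
ISP_GW = "203.0.113.1"         # constructed: ISP upstream gateway ("X.X.X.1")
WG_ENDPOINT = "198.51.100.10"  # constructed: remote WireGuard peer's public endpoint
TUNNEL_GW = "10.10.10.54"      # tunnel-internal gateway from the thread
ROOT_SERVER = "198.41.0.4"     # a.root-servers.net, a typical resolver destination

# Routes shared by all three tables: (prefix, gateway, outgoing netif)
COMMON = [
    ("10.10.10.54/32", "wg0", "wg0"),
    ("10.10.10.55/32", "link#9", "wg0"),
    ("203.0.113.0/24", "link#2", "igb1"),   # ISP-facing WAN prefix ("X.X.X.0/24")
    ("127.0.0.1/32", "link#6", "lo0"),
    ("192.168.1.0/24", "link#1", "igb0"),
]
# 1) stock setup: default via the ISP, so resolver queries leave WAN in clear text
BEFORE = COMMON + [("0.0.0.0/0", ISP_GW, "igb1")]
# 2) the attempt from the thread: host route for the *tunnel* gateway, default via wg0
WRONG = COMMON + [("0.0.0.0/0", TUNNEL_GW, "wg0"), ("10.10.10.54/32", ISP_GW, "igb1")]
# 3) the suggested fix: host route for the *remote peer endpoint* via the ISP gateway
FIXED = COMMON + [("0.0.0.0/0", TUNNEL_GW, "wg0"), (WG_ENDPOINT + "/32", ISP_GW, "igb1")]


def lookup(table, dst):
    """Longest-prefix match; returns (network, gateway, netif) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, netif in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif)
    return best


def dns_path(table, target=ROOT_SERVER):
    """Classify where an Unbound query sent by the firewall itself ends up.

    'leak'      - inner packet leaves the ISP-facing interface unencrypted
    'blackhole' - inner packet enters wg0, but the encapsulated UDP packet to
                  the peer endpoint is itself routed back into wg0 (no connectivity)
    'tunnel'    - inner packet enters wg0, outer packet leaves via the ISP gateway
    """
    inner = lookup(table, target)
    if inner is None:
        return "unroutable"
    if inner[2] != "wg0":
        return "leak"
    outer = lookup(table, WG_ENDPOINT)   # where does the WireGuard UDP packet go?
    if outer is None or outer[2] == "wg0":
        return "blackhole"
    return "tunnel"


if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("wrong route", WRONG), ("fixed", FIXED)):
        print(f"{name:12s} -> {dns_path(table)}")
```

The "wrong route" case reproduces the lost connectivity reported above: with only 10.10.10.54/32 pointed at the ISP, the encapsulated packets to the real peer endpoint still match the default route into wg0.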
Title: Re: Force Unbound (resolver) to use a WG tunnel and not default route
Post by: schnerring on November 17, 2021, 11:25:03 pm
The Outgoing Network Interfaces Unbound option is what I was looking for. I got confused due to a bug that was unknown at the time (https://github.com/opnsense/core/issues/5329).
Title: Re: Force Unbound (resolver) to use a WG tunnel and not default route
Post by: 9axqe on May 17, 2023, 07:03:51 am
I am trying to do the same, did you find a solution to this? I configured the WireGuard VPN interface as outbound intf, but it's being ignored and traffic is going out the WAN interface, unencrypted.