OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: geofflowemn on December 20, 2016, 12:18:34 am

Title: Network/VPN design question
Post by: geofflowemn on December 20, 2016, 12:18:34 am
Greetings.

1) I have configured my home OPNsense firewall as an OpenVPN client connecting to my own Ubuntu OpenVPN server running in the cloud - a DigitalOcean droplet.

2) I have configured the firewall so that I can direct client traffic going through the firewall to exit through the WAN gateway or VPN gateway based on criteria defined in the firewall rules.

3) I am *NOT* pushing "redirect-gateway" or "dhcp-option DNS" commands from the VPN server to the firewall, though.  Thus, by default, traffic goes out the WAN gateway - not the VPN gateway - including *ALL* DNS queries.  However...

4) I have installed/configured "dnscrypt-proxy" on the firewall so that DNS queries go through the proxy (and are encrypted) to the DNS resolver of my choice.

I hope that is clear...


The idea is that I don't want client traffic that the firewall rules direct to exit through the WAN to depend on the VPN for DNS resolution - in case the VPN is down, for example.  But at the same time I want to protect the DNS queries from disclosure to my ISP.

So while I'm technically "leaking" the DNS queries for the client traffic that the firewall rules direct to exit through the VPN, those queries are protected with encryption.  And at the same time, I am also protecting the DNS queries for the client traffic that the firewall rules direct to exit through the WAN as well.


My question is this:  is this a reasonably secure design?  If not, why not?

Thanks and Merry Christmas!

Title: Re: Network/VPN design question
Post by: ThuTex on December 20, 2016, 12:43:56 am
only encrypting your dns traffic doesn't make any difference since your isp -if they would choose so- could still find out where you're going on the internet...
so in my opinion, it's a useless act.
if all you want to do is prevent your isp from seeing your dns query, use another resolver with or without encryption, but don't assume your traffic is "safe" from your provider.

everything depends on what you are calling secure, and what your goal is, but if it is to keep your traffic hidden from your isp,
then i'd suggest routing everything through either tor or i2p (and take the performance hit for the increased security)

if just hiding it from your isp, but not caring about digitalocean knowing what you do, you could route all traffic over the vpn.
(which i don't get why you're not doing in the first place if you're concerned about your isp snooping on you)

and lastly, if all traffic by default goes out the wan... make sure there's never a rogue application that sends information out over the wan without you knowing (chinese ip cams have a nice habit of doing this, for example)
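
An added example, not part of the original thread: a small audit of forwarded-flow records for the split WAN/VPN design discussed above. It flags plaintext DNS leaving the WAN (bypassing dnscrypt-proxy), VPN-designated clients that egress via the WAN, and unlisted devices sending traffic out the WAN. The record format, addresses and host sets are assumptions constructed for illustration, not OPNsense log output.

```python
# Assumed policy: which LAN hosts the firewall rules send to which gateway.
VPN_CLIENTS = {"192.168.1.20"}   # hypothetical hosts routed via the VPN gateway
WAN_CLIENTS = {"192.168.1.30"}   # hypothetical hosts routed via the WAN gateway

# Constructed sample of forwarded flows: (source, destination, dest port, gateway).
SAMPLE_FLOWS = [
    ("192.168.1.20", "203.0.113.10", 443, "VPN"),     # matches policy
    ("192.168.1.30", "198.51.100.7", 443, "WAN"),     # matches policy
    ("192.168.1.30", "198.51.100.53", 53, "WAN"),     # client queried an outside resolver directly
    ("192.168.1.20", "203.0.113.10", 443, "WAN"),     # VPN client fell through to the WAN
    ("192.168.1.99", "198.51.100.200", 8080, "WAN"),  # device not in either set
]


def audit(flows):
    """Return (finding, source, destination, port) tuples for policy violations."""
    findings = []
    for src, dst, port, gateway in flows:
        if gateway != "WAN":
            continue  # only WAN egress is visible to the ISP
        if port == 53:
            # DNS forwarded out the WAN did not go through the firewall's
            # dnscrypt-proxy, so the ISP can read the query.
            findings.append(("plaintext-dns-on-wan", src, dst, port))
        if src in VPN_CLIENTS:
            # Typical when the tunnel is down and the policy rule falls through.
            findings.append(("vpn-client-on-wan", src, dst, port))
        elif src not in WAN_CLIENTS:
            # A host nobody assigned a gateway to is talking to the internet.
            findings.append(("unknown-host-on-wan", src, dst, port))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```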