
Messages - crt333

#1
Thanks Maurice

It seems to work well, I just wanted to make sure I'm not doing something obviously wrong.
#2
My config has 1 WAN and 3 WG tunnels (WG1, WG2, WG3) each with interfaces and gateways configured.

I have VLANS going out to each of these gateways

I'd really like unbound to send recursive queries out on WG1 rather than WAN, but it doesn't seem to honor anything that I set in "Outgoing network interfaces", everything always goes to WAN.

I asked about this earlier and it was suggested gateway priorities might fix this, but I thought that would confuse the WG tunnel routing, which needs to go out WAN. I am now using static routes to my WG endpoints over WAN, and then changing the WG1 gateway to upstream with low priority, and this seems to work with all local router traffic (unbound, ntp, etc.) going out WG1.

Is there a better way to achieve this?
#3
I had tried that and failed, but of course I needed a rule to allow it, and now it works. Thanks for pointing me in the right direction!
#4
I do route everything from the VLAN_WG1 through WG1, but I haven't come up with the correct way to pass dns through using dhcp. My various addresses are:
wireguard and interface: 10.13.101.237/24
provider wireguard dns: 10.8.0.1 (private, but not in 10.13.101.237/24)
vlan 192.168.10.1/24
dhcp DNS for vlan: ?
#5
Quote from: Maurice on July 29, 2023, 05:48:40 PM
1) sounds like a gateway monitoring issue. Do the gateways come back up when you restart dpinger? Did you lock the wg interfaces?
2) DNS servers configured in the WireGuard settings don't apply to devices in the VLANs. You have to announce these DNS servers via DHCP instead.

thanks, here are my answers:
1) if I restart each dpinger it shows green briefly and then goes offline again. The wireguard handshakes look good, but the status tab shows last handshake more than 5 minutes before. If I apply wg config everything is happy again, but the handshake numbers change (persistent keepalive is 25 for all). The interfaces are locked, yes
2) I have that working, and can use cloudflare etc through each tunnel, but there would be privacy benefits to resolving in the tunnel, since these dhcp specified queries aren't encrypted
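The "last handshake more than 5 minutes ago" observation above is the most useful signal in this exchange, so here is an added check (not the poster's code and not part of OPNsense) that parses the output format of `wg show <iface> latest-handshakes` and flags peers whose last handshake is older than the protocol's 180 s REJECT_AFTER_TIME. With PersistentKeepalive set (25 s here), keepalives count as traffic, so a live session is rekeyed within REKEY_AFTER_TIME (120 s) and a handshake older than 180 s means the peer is no longer answering, regardless of what the gateway monitor says. The sample lines, peer names and the `now` timestamp are constructed for illustration.

```python
# Added example: stale-handshake check for WireGuard peers.
# Constants come from the WireGuard protocol specification.
REKEY_AFTER_TIME = 120   # seconds: a live session with traffic rekeys within this
REJECT_AFTER_TIME = 180  # seconds: a session older than this is refused by the peer

# Constructed sample in the shape of `wg show wg1 latest-handshakes`:
# one line per peer, "<base64 public key>\t<unix timestamp>", 0 = never.
# The keys and timestamps are made up; they are not the poster's peers.
SAMPLE_OUTPUT = """\
peer1-pubkey-placeholder=\t1690649200
peer2-pubkey-placeholder=\t1690648500
peer3-pubkey-placeholder=\t0
"""


def parse_latest_handshakes(text):
    """Return {peer_public_key: last_handshake_unix_timestamp} from wg output."""
    peers = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, ts = line.split("\t")
        peers[key.strip()] = int(ts)
    return peers


def stale_peers(peers, now, keepalive=25):
    """Return {peer: age_in_seconds_or_None} for peers past REJECT_AFTER_TIME.

    age is None when the peer has never completed a handshake.  The keepalive
    must be shorter than REKEY_AFTER_TIME, otherwise a healthy but idle tunnel
    would legitimately show an old handshake and this check would false-alarm.
    """
    if keepalive >= REKEY_AFTER_TIME:
        raise ValueError("keepalive too long for a handshake-age check")
    stale = {}
    for peer, ts in peers.items():
        if ts == 0:
            stale[peer] = None
        elif now - ts > REJECT_AFTER_TIME:
            stale[peer] = now - ts
    return stale


if __name__ == "__main__":
    # On a real box: `wg show wg1 latest-handshakes` piped in, now = time.time()
    peers = parse_latest_handshakes(SAMPLE_OUTPUT)
    for peer, age in stale_peers(peers, now=1690649300).items():
        print(f"{peer}: {'never' if age is None else f'{age}s ago'} (stale)")
```

The dpinger symptom in the post (green briefly, then down) is consistent with a tunnel that still has an interface and a route but no live session; this check separates that case from a monitor-IP problem.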
#6
My setup uses latest opnsense 23.1.11:
I have usual WAN, LAN, and 4 wireguard tunnels (WG1...WG4) all configured as gateways
I have VLANS that I connect to wireguard tunnels for different destinations (VLAN_WAN, VLAN_WG1, etc) using different wireless SSIDs.

This all works as desired, but I have 2 problems:

1) wg gateways don't reconnect on temp loss of WAN. When the WAN comes back, all the wireguard handshakes are restored, showing the wg connection exists, but all wg gateways are marked down forever

2) for some of the wg tunnels I'd like to do dns resolution in the tunnel, rather than using unbound. I've configured the DNS address in wireguard, which didn't work. I can tell the VLAN DHCPv4 to use a specific public service and that does go through each tunnel properly, but I'd like to use the private resolution specified by the wireguard provider and I can't figure out how.

Any suggestions for either problem would be appreciated!
#7
Just tried something and it seems to work, so I'll post it.

I have adguard configured to lookup on:
tls://1.0.0.1
tls://9.9.9.9

so I made static routes to these two addresses through the WG tunnel and it seems to work. No more 853 on WAN.
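Why the static routes work when the per-VLAN firewall rules did not: traffic that originates on the router itself (AdGuard, unbound, NTP) is not subject to the interface rules that policy-route the VLANs; it simply follows the routing table, where the most specific prefix wins. A /32 route for each DoT resolver via the tunnel gateway therefore beats the default route via WAN. The added example below (not the poster's configuration and not OPNsense code) models that longest-prefix lookup over a constructed routing table in the shape of `netstat -rn`, shows the two resolvers egressing on WAN before the routes are added and on wg1 after, and keeps the check from post #2 that the tunnel endpoint itself must still leave via WAN. Interface names (igb0, wg1), the WAN gateway 203.0.113.1, the tunnel gateway 10.13.101.1 and the endpoint 198.51.100.7 are assumptions for illustration.

```python
import ipaddress

# Constructed routing table (destination, gateway, interface), assumed values.
# Only the 10.13.101.x tunnel prefix and the resolver IPs come from the thread.
BASE_TABLE = [
    ("default",         "203.0.113.1", "igb0"),  # WAN default route
    ("10.13.101.0/24",  "link#5",      "wg1"),   # WG1 tunnel network
    ("198.51.100.7/32", "203.0.113.1", "igb0"),  # WG1 endpoint pinned to WAN (post #2)
]

DOT_RESOLVERS = ["1.0.0.1", "9.9.9.9"]   # AdGuard upstreams from the post
WG1_GATEWAY = "10.13.101.1"              # assumed far-end tunnel address
WG1_ENDPOINT = "198.51.100.7"            # assumed provider endpoint (public IP)


def _parse(table):
    """Turn string destinations into ip_network objects; 'default' is 0.0.0.0/0."""
    rows = []
    for dst, gw, iface in table:
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        rows.append((net, gw, iface))
    return rows


def egress_interface(table, ip):
    """Longest-prefix match: the most specific route containing ip wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, gw, iface in _parse(table):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best[2] if best else None


def pin_resolvers(table, resolvers, gateway_ip, iface):
    """Return a copy of the table with one /32 static route per resolver via the tunnel."""
    return table + [(f"{r}/32", gateway_ip, iface) for r in resolvers]


def leaking_resolvers(table, resolvers, wan_iface):
    """Resolvers whose packets would still leave on the WAN interface (the 853-on-WAN case)."""
    return [r for r in resolvers if egress_interface(table, r) == wan_iface]


def endpoint_stays_on_wan(table, endpoint, wan_iface):
    """Sanity check: the tunnel endpoint must not be routed into the tunnel it carries."""
    return egress_interface(table, endpoint) == wan_iface


if __name__ == "__main__":
    print("leaking before:", leaking_resolvers(BASE_TABLE, DOT_RESOLVERS, "igb0"))
    fixed = pin_resolvers(BASE_TABLE, DOT_RESOLVERS, WG1_GATEWAY, "wg1")
    print("leaking after: ", leaking_resolvers(fixed, DOT_RESOLVERS, "igb0"))
    print("endpoint ok:   ", endpoint_stays_on_wan(fixed, WG1_ENDPOINT, "igb0"))
```

On the live box the same two checks are `route -n get 1.0.0.1` (look at the `interface:` line) and a short `tcpdump -ni igb0 port 853` while AdGuard is resolving: nothing should appear on the WAN side once the routes are in place.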
#8
same behavior (outgoing unbound network interfaces over WG don't work) in 21.7.5
#9
I haven't done a force gateway rule anywhere, and what you say may be true, but I can tell you for certain that the selection in Services->Unbound DNS->General for "Outgoing Network Interfaces" matters because if I remove WAN and select WG1 and WG2 it doesn't work, and it did before 21.7.4.
#10
I will enter a github issue, thanks.
#11
21.7 Legacy Series / unbound: outgoing network interfaces
November 01, 2021, 06:43:42 PM
I'm running 21.7.4 on a Quotom box, it's been running great for years. Besides WAN I have two WG tunnels set up, and I always had unbound configured to use these WG tunnels instead of WAN for DoT lookups. That worked until this upgrade; if WAN isn't selected unbound doesn't work. I'd prefer my DNS lookups to go out over the WG rather than through my ISP, any suggestions?

If I could get AdGuard to query over WG I wouldn't need unbound, but this has been my solution until now, with adguard asking unbound on 5353.
#12
Thanks again "errored out"

I read through the material in the link you sent, and I wanted to make sure I understand what you're proposing.

In terms of the multi-wan settings, I already had most items configured as described:

1) Setup monitor IP's (was done for WAN, WG0 and WG1)
2) Gateway group (not done)
3) DNS addresses for each gateway (not done, none configured there)
4) Policy based routing (LANs to WGs was the previous setup)
5) DNS allow rule earlier in LAN lists (was done already)

This isn't really a failover situation, since even the WGs depend on WAN.

This could be a load balancing situation, but WAN statistics are always going to look better than WG since WG goes through WAN with extra processing. Could use an unequal weight to throw more traffic through WG (including adguard I assume), but I don't see other options. If I weighted 1 and 1000 I could make 1000 of every 1001 adguard lookups go through WG?

If I make a gateway group, how does WG know it can only reach the world through WAN?

I'm happy to try things, but am still a little fuzzy on the approach. Thanks for the idea, I'll wait to make sure I'm understanding before blindly trying.
#13
Only WAN is marked upstream, and all the priorities are 255. If I mark WG0 as upstream all traffic stops
#14
Thanks for responding.

When I said I could configure OpnSense or unbound to use a tunnel I meant that these both have the ability to specify what interface to use for queries, AdGuard doesn't.

I don't have a gateway group, I have WAN, WG0, WG1 separate, with NAT and rules for LAN0 to WG0 and LAN1 to WG1, as well as port forward rules to catch DNS and send it to the router.

The challenge is, unlike LAN0 or LAN1 where I can make rules for WG, adguard runs on the router and I don't know how to say queries should go down WG instead of WAN. Other things, like NTP, also go out WAN, which is fine, but I'd rather the adguard stuff went out WG.

I may be missing something, but I don't know how to make this happen.
#15
21.7 Legacy Series / Re: [Solved] 2fa TOTP problems
August 10, 2021, 11:39:54 PM
Thanks for the reminder. I changed the subject to say solved, don't see any other way to mark it.

Thanks to "errored out" and franco