Messages - not_the_messiah

#1
Hi there!

I'm trying to setup multiple ProtonVPN WG connections to add to a Gateway Group, but I cannot get it working correctly - would you be able to share your setup?

Thanks!
#2
I'm searching for exactly the same solution - it's really frustrating that nobody is able to offer a solution/alternative, or an explanation why this capability was removed a few years back!
#3
There has to be a solution out there somewhere - I'm certain my requirements are not that exotic, are they?!

All I wish to do is:

  • Have multiple VLANs/Interfaces
  • Some Interfaces route via the WG VPN, other, WAN
  • Some Interfaces use Unbound (using WG Interface) for DNS, some use DNSMasq

Anyone?
#4
Hi Everybody,

Not sure if this is the right section to post in, so apologies in advance!

I've followed this guide in a bid to setup VLANs and selective routing over WG VPN: https://schnerring.net/blog/opnsense-baseline-guide-with-vpn-guest-and-vlan-support

However, I am not able to get the routing through Unbound for the VLANs I wish this applied to. From what I've read, the issue lies with this step: https://schnerring.net/blog/opnsense-baseline-guide-with-vpn-guest-and-vlan-support/#add-static-ipv4-configuration-to-the-wireguard-interfaces - when I attempt this, Opnsense returns the following error
Quote: Cannot assign an IP configuration type to a tunnel interface

I understand this has been an issue for quite some time.

Is there a solution/alternative approach to this?

Everything else I have configured following this guide is working as expected.

Any help would be very much appreciated!
#5
Virtual private networks / Re: ProtonVPN Wireguard DNS
February 25, 2024, 01:17:34 PM
Quote from: opn_nwo on February 21, 2024, 03:31:20 AM
Consider that the DNS for Proton is on a private IP 10.2.0.1. While setting up my FW rules I noticed that on this page:

https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

one of the rule only routes traffic with destination outside the RFC1918_Networks and that excludes access to Proton DNS so you need to change it or create one specifically for the DNS.

How did you manage to solve this please?
#6
Virtual private networks / Re: ProtonVPN Wireguard DNS
February 25, 2024, 11:54:52 AM
Thanks for the reply - really appreciate it, and I'm definitely not throwing shade at you (sorry if it comes across that way!)...

My requirements are as follows:

  • Route all traffic for selected local clients (including DNS) over the WG gateway
  • Traffic for all other hosts should route over the WAN gateway, including DNS for those hosts
  • If point (2) is not possible, then I still need the hosts covered by (2) to be able to resolve DNS in the event the WG connection goes down

I have followed the 'official' guides for setting up WG to the letter and whilst selective routing works fine, no matter what I try, I cannot solve the DNS leak issue.
#7
I've got the same issue - did you ever find a solution to this?
#8
Virtual private networks / Re: ProtonVPN Wireguard DNS
February 23, 2024, 08:07:27 PM
Somebody must have solved this, surely?! Apart from the config above, is there anything else I can provide that will enable further help?
#9
Virtual private networks / Re: ProtonVPN Wireguard DNS
February 22, 2024, 11:34:58 AM
Below are the rule definitions of all the rules I have created as a part of following the official guides.

This is my NAT rule:

      <rule>
        <source>
          <network>UK_PVPN_34_HOSTS</network>
        </source>
        <destination>
          <any>1</any>
        </destination>
        <descr/>
        <category/>
        <interface>opt5</interface>
        <tag/>
        <tagged/>
        <poolopts/>
        <poolopts_sourcehashkey/>
        <ipprotocol>inet</ipprotocol>
        <created>
          <username>XXX</username>
          <time>1708187169.4968</time>
          <description>/firewall_nat_out_edit.php made changes</description>
        </created>
        <target/>
        <targetip_subnet>0</targetip_subnet>
        <sourceport/>
        <updated>
          <username>XXX</username>
          <time>1708191104.6149</time>
          <description>/firewall_nat_out_edit.php made changes</description>
        </updated>
      </rule>


Floating Rules:

   
    <rule uuid="XXX">
      <type>block</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <tagged>NO_WAN_EGRESS</tagged>
      <statetype>keep state</statetype>
      <direction>out</direction>
      <floating>yes</floating>
      <quick>1</quick>
      <source>
        <any>1</any>
      </source>
      <destination>
        <any>1</any>
      </destination>
      <updated>
        <username>XXX</username>
        <time>1708187354.2587</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>XXX</username>
        <time>1708187354.2587</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule uuid="XXX">
      <type>block</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <tagged>NO_WAN_EGRESS</tagged>
      <statetype>keep state</statetype>
      <direction>out</direction>
      <floating>yes</floating>
      <quick>1</quick>
      <source>
        <any>1</any>
      </source>
      <destination>
        <any>1</any>
      </destination>
      <updated>
        <username>XXX</username>
        <time>1708187354.2587</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>XXX</username>
        <time>1708187354.2587</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>


LAN Rules:

    <rule uuid="XXX">
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <gateway>UK_PVPN_34</gateway>
      <direction>in</direction>
      <log>1</log>
      <quick>1</quick>
      <protocol>tcp/udp</protocol>
      <source>
        <address>10.2.0.1</address>
      </source>
      <destination>
        <address>RFC1918_Networks</address>
        <not>1</not>
        <port>53</port>
      </destination>
      <updated>
        <username>XXX</username>
        <time>1708596677.5377</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>XXX</username>
        <time>1708187872.924</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule uuid="XXX">
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <tag>NO_WAN_EGRESS</tag>
      <statetype>keep state</statetype>
      <gateway>UK_PVPN_34</gateway>
      <direction>in</direction>
      <quick>1</quick>
      <source>
        <address>UK_PVPN_34_HOSTS</address>
      </source>
      <destination>
        <address>RFC1918_Networks</address>
        <not>1</not>
      </destination>
      <updated>
        <username>XXX</username>
        <time>1708368610.472</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>XXX</username>
        <time>1708186855.4541</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
      <log>1</log>
    </rule>


With the first LAN rule, I have also tried with 10.2.0.2 and 192.168.1.1, with the same failures. I'm assuming it's the Destination setting (not local networks) that is causing this rule to fail, but I don't know how to work around this. I've (blindly) tried quite a few different configurations, but these either don't work, or result in me having no internet access at all ;D
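The quoted reply in the "Re: ProtonVPN Wireguard DNS" post above (opn_nwo) points out that a rule whose destination is "not RFC1918_Networks" can never match a DNS query to Proton's resolver on 10.2.0.1, because that address is itself private. The script below is an added example, not code from the thread or from OPNsense: it loads the two LAN rules posted above (trimmed to the fields a matcher needs), walks them first-match style, and reports which gateway a VPN client's HTTPS and DNS flows are pinned to. The alias contents (UK_PVPN_34_HOSTS, RFC1918_Networks), the sample client 192.168.1.50, the documentation-range destination 203.0.113.10 and the exact shape of the extra DNS rule are assumptions; the evaluator is a simplification of the real OPNsense/pf ordering (no floating rules, no interface or direction handling).

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed from the two LAN rules posted above, trimmed to the fields the
# matcher needs (created/updated metadata dropped). Order is preserved.
LAN_RULES_XML = """
<rules>
  <rule>
    <type>pass</type>
    <interface>lan</interface>
    <gateway>UK_PVPN_34</gateway>
    <quick>1</quick>
    <protocol>tcp/udp</protocol>
    <source><address>10.2.0.1</address></source>
    <destination><address>RFC1918_Networks</address><not>1</not><port>53</port></destination>
  </rule>
  <rule>
    <type>pass</type>
    <interface>lan</interface>
    <tag>NO_WAN_EGRESS</tag>
    <gateway>UK_PVPN_34</gateway>
    <quick>1</quick>
    <source><address>UK_PVPN_34_HOSTS</address></source>
    <destination><address>RFC1918_Networks</address><not>1</not></destination>
  </rule>
</rules>
"""

# Alias members are assumptions: the thread names the aliases but never lists
# their contents. RFC1918_Networks is taken as the usual three private blocks.
ALIASES = {
    "RFC1918_Networks": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "UK_PVPN_34_HOSTS": ["192.168.1.50/32"],  # constructed sample VPN client
}

# The extra rule the quoted reply suggests ("create one specifically for the
# DNS"): VPN hosts -> Proton resolver 10.2.0.1, port 53, pinned to the VPN
# gateway. Its exact form is an assumption; it has to sit above the catch-all.
DNS_RULE_XML = """
  <rule>
    <type>pass</type>
    <interface>lan</interface>
    <gateway>UK_PVPN_34</gateway>
    <quick>1</quick>
    <protocol>tcp/udp</protocol>
    <source><address>UK_PVPN_34_HOSTS</address></source>
    <destination><address>10.2.0.1</address><port>53</port></destination>
  </rule>
"""


def _expand(spec):
    """Turn an alias name or a literal address into a list of ip_network objects."""
    members = ALIASES.get(spec, [spec])
    return [ipaddress.ip_network(m, strict=False) for m in members]


def _endpoint_matches(node, addr, port=None):
    """Match a <source>/<destination> element against an address and optional port.
    <not> inverts only the address test, as the GUI's 'invert' checkbox does."""
    if node.find("any") is not None:
        return True
    spec = node.findtext("address") or node.findtext("network")
    hit = any(ipaddress.ip_address(addr) in net for net in _expand(spec))
    if node.find("not") is not None:
        hit = not hit
    want_port = node.findtext("port")
    if hit and want_port is not None and port is not None:
        hit = int(want_port) == port
    return hit


def first_match(rules_xml, src, dst, port):
    """Simplified first-match walk over quick pass rules.
    Returns the gateway the matching rule pins, or None when nothing matched
    (the packet then follows the default route, i.e. the WAN gateway)."""
    root = ET.fromstring(rules_xml.strip())
    for rule in root.findall("rule"):
        if rule.findtext("type") != "pass" or rule.findtext("quick") != "1":
            continue
        if not _endpoint_matches(rule.find("source"), src):
            continue
        if not _endpoint_matches(rule.find("destination"), dst, port):
            continue
        return rule.findtext("gateway")
    return None


def audit(rules_xml, client, dns_server="10.2.0.1"):
    """Report where a VPN client's web and DNS flows end up.
    203.0.113.10 is a documentation-range stand-in for any public web server."""
    return {
        "https": first_match(rules_xml, client, "203.0.113.10", 443),
        "dns": first_match(rules_xml, client, dns_server, 53),
    }


def with_dns_rule(rules_xml):
    """Prepend the dedicated DNS rule so it is evaluated before the catch-all."""
    return rules_xml.replace("<rules>", "<rules>" + DNS_RULE_XML, 1)


if __name__ == "__main__":
    print("as posted:     ", audit(LAN_RULES_XML, "192.168.1.50"))
    print("with DNS rule: ", audit(with_dns_rule(LAN_RULES_XML), "192.168.1.50"))
```

Run as posted, the HTTPS flow is pinned to UK_PVPN_34 but the DNS flow to 10.2.0.1 matches no rule (the second rule's inverted RFC1918 destination excludes it, and the first rule's source is the resolver itself rather than the client), so it falls to the default route, which is the leak the thread is chasing. With the dedicated DNS rule in front, both flows report the VPN gateway.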
#10
Virtual private networks / Re: ProtonVPN Wireguard DNS
February 22, 2024, 12:36:31 AM
Yes - the rule in step 8, right?! I've also configured this rule from the ProtonVPN guide, but it makes no difference...

https://docs.opnsense.org/manual/how-tos/wireguard-client-proton.html#protonvpn-dns-leaks

Any pointers on what rule I need to create?
#11
Virtual private networks / Re: ProtonVPN Wireguard DNS
February 20, 2024, 11:05:52 PM
Thanks for the reply :)

I've done a little more digging and I've found something (that I think is) interesting... When running a tracert from my machine (static lease, no DNS configured), I can see the second hop as the address of my VPN DNS (10.2.0.1). However, dnsleaktest and ipleak both report DNS leaks with this configuration.

If I update the static lease config to use the 10.2.0.1 address as DNS, then tracert still reports 10.2.0.1 as the second hop, but both sites mentioned above report no leaks.

I don't get it.
#12
I'm a newbie, but I read that os-wireguard-go is deprecated, so probs best not to use that.
#13
Virtual private networks / Re: ProtonVPN Wireguard DNS
February 20, 2024, 10:37:03 PM
This is driving me nuts! I've triple checked my config and I really cannot see anything wrong - I'd really appreciate some help if anyone has a solution.
#14
Virtual private networks / ProtonVPN Wireguard DNS
February 19, 2024, 05:47:51 PM
Hi All,

Newbie here, although I like to think of myself as technically competent  ;)

I have managed to configure a single WG interface and route selected clients over it, but I have become a bit unstuck WRT DNS leaks. I have tried some of the suggestions at https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html#dealing-with-dns-leaks and only option 5 has been successful (I could do 4, but if the VPN goes down, I still need non-VPN devices to be able to resolve addresses).

What do I need to configure in order to be able to route DNS for all hosts in my VPN Alias to the VPN provider's DNS?

Many thanks in advance.