OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of not_the_messiah »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - not_the_messiah

Pages: [1]
1
Virtual private networks / Re: Bug found on offline gateways for wireguard...i believe
« on: August 13, 2024, 11:50:23 pm »
Hi there!

I'm trying to setup multiple ProtonVPN WG connections to add to a Gateway Group, but I cannot get it working correctly - would you be able to share your setup?

Thanks!

2
Virtual private networks / Re: Unbound dns through wireguard VPN
« on: August 13, 2024, 11:45:48 pm »
I'm searching for exactly the same solution - it's really frustrating that nobody is able to offer a solution/alternative, or an explanation why this capability was removed a few years back!

3
24.7 Production Series / Re: Selective Routing with Wireguard and Unbound
« on: August 13, 2024, 11:10:09 pm »
There has to be a solution out there somewhere - I'm certain my requirements are not that exotic, are they?!

All I wish to do is:
  • Have multiple VLANs/Interfaces
  • Some Interfaces route via the WG VPN, other, WAN
  • Some Interfaces use Unbound (using WG Interface) for DNS, some use DNSMasq

Anyone?

4
24.7 Production Series / Selective Routing with Wireguard and Unbound
« on: August 11, 2024, 05:52:47 pm »
Hi Everybody,

Not sure if this is the right section to post in, so apologies in advance!

I've followed this guide in a bid to setup VLANs and selective routing over WG VPN: https://schnerring.net/blog/opnsense-baseline-guide-with-vpn-guest-and-vlan-support

However, I am not able to get the routing through Unbound for the VLANs I wish this applied to. From what I've read, the issue lies with this step: https://schnerring.net/blog/opnsense-baseline-guide-with-vpn-guest-and-vlan-support/#add-static-ipv4-configuration-to-the-wireguard-interfaces - when I attempt this, Opnsense returns the following error
Quote
Cannot assign an IP configuration type to a tunnel interface

I understand has been an issue for quite some time.

Is there a solution/alternative approach to this?

Everything else I have configured following this guide is working as expected.

Any help would be very much appreciated!

5
24.1 Legacy Series / Re: Upgrade to 24.1.3 (HA Backup Node) -> Unbound crash
« on: March 14, 2024, 03:10:53 pm »
I had exactly the same issue after upgrading to 24.1.3_1 yesterday and had to revert unbound.

6
Virtual private networks / Re: ProtonVPN Wireguard DNS
« on: February 25, 2024, 01:17:34 pm »
Quote from: opn_nwo on February 21, 2024, 03:31:20 am
Consider that the DNS for Proton is on a private IP 10.2.0.1. While setting up my FW rules I noticed that on this page:

https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

one of the rule only routes traffic with destination outside the RFC1918_Networks and that excludes access to Proton DNS so you need to change it or create one specifically for the DNS.

How did you manage to solve this please?

7
Virtual private networks / Re: ProtonVPN Wireguard DNS
« on: February 25, 2024, 11:54:52 am »
Thanks for the reply - really appreciate it, and I'm definitely not throwing shade at you (sorry if it comes across that way!)...

My requirements are as follows:
  • Route all traffic for selected local clients (including DNS) over the WG gateway
  • Traffic for all other hosts should route over the WAN gateway, including DNS for those hosts
  • If point (2) is not possible, then I still need the hosts covered by (2) to be able to resolve DNS in the event the WG connection goes down

I have followed the 'official' guides for setting up WG to the letter and whilst selective routing works fine, no matter what I try, I cannot solve the DNS leak issue.

8
23.7 Legacy Series / Re: speedtest cli not running from cron
« on: February 25, 2024, 10:38:01 am »
I've got the same issue - did you ever find a solution to this?

9
Virtual private networks / Re: ProtonVPN Wireguard DNS
« on: February 23, 2024, 08:07:27 pm »
Somebody must have solved this, surely?! Apart from the config above, is there anything else I can provide that will enable further help?

10
Virtual private networks / Re: ProtonVPN Wireguard DNS
« on: February 22, 2024, 11:34:58 am »
Below are the rule definitions of all the rules I have created as a part of following the official guides.

This is my NAT rule:
Code: [Select]
      <rule>
        <source>
          <network>UK_PVPN_34_HOSTS</network>
        </source>
        <destination>
          <any>1</any>
        </destination>
        <descr/>
        <category/>
        <interface>opt5</interface>
        <tag/>
        <tagged/>
        <poolopts/>
        <poolopts_sourcehashkey/>
        <ipprotocol>inet</ipprotocol>
        <created>
          <username>XXX</username>
          <time>1708187169.4968</time>
          <description>/firewall_nat_out_edit.php made changes</description>
        </created>
        <target/>
        <targetip_subnet>0</targetip_subnet>
        <sourceport/>
        <updated>
          <username>XXX</username>
          <time>1708191104.6149</time>
          <description>/firewall_nat_out_edit.php made changes</description>
        </updated>
      </rule>

Floating Rules:

Code: [Select]
   
    <rule uuid="XXX">
      <type>block</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <tagged>NO_WAN_EGRESS</tagged>
      <statetype>keep state</statetype>
      <direction>out</direction>
      <floating>yes</floating>
      <quick>1</quick>
      <source>
        <any>1</any>
      </source>
      <destination>
        <any>1</any>
      </destination>
      <updated>
        <username>XXX</username>
        <time>1708187354.2587</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>XXX</username>
        <time>1708187354.2587</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule uuid="XXX">
      <type>block</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <tagged>NO_WAN_EGRESS</tagged>
      <statetype>keep state</statetype>
      <direction>out</direction>
      <floating>yes</floating>
      <quick>1</quick>
      <source>
        <any>1</any>
      </source>
      <destination>
        <any>1</any>
      </destination>
      <updated>
        <username>XXX</username>
        <time>1708187354.2587</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>XXX</username>
        <time>1708187354.2587</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>

LAN Rules:
Code: [Select]
    <rule uuid="XXX">
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <gateway>UK_PVPN_34</gateway>
      <direction>in</direction>
      <log>1</log>
      <quick>1</quick>
      <protocol>tcp/udp</protocol>
      <source>
        <address>10.2.0.1</address>
      </source>
      <destination>
        <address>RFC1918_Networks</address>
        <not>1</not>
        <port>53</port>
      </destination>
      <updated>
        <username>XXX</username>
        <time>1708596677.5377</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>XXX</username>
        <time>1708187872.924</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule uuid="XXX">
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <tag>NO_WAN_EGRESS</tag>
      <statetype>keep state</statetype>
      <gateway>UK_PVPN_34</gateway>
      <direction>in</direction>
      <quick>1</quick>
      <source>
        <address>UK_PVPN_34_HOSTS</address>
      </source>
      <destination>
        <address>RFC1918_Networks</address>
        <not>1</not>
      </destination>
      <updated>
        <username>XXX</username>
        <time>1708368610.472</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>XXX</username>
        <time>1708186855.4541</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
      <log>1</log>
    </rule>

with the first LAN rule, I have also tried with 10.2.0.2 and 192.168.1.1 with the same failures. I'm assuming it's the Destination settings that (not local networks) that causing this rule to fail, but don't know how to work around this. I've (blindly) tried quite a few different configurations, but these either don't work, or result in me having no internet access at all  ;D

11
Virtual private networks / Re: ProtonVPN Wireguard DNS
« on: February 22, 2024, 12:36:31 am »
Yes -  the rule in step 8, right?! I've also configured this rule from the ProtonVPN guide, but it makes no difference...

https://docs.opnsense.org/manual/how-tos/wireguard-client-proton.html#protonvpn-dns-leaks

Any pointers on what rule I need to create?

12
Virtual private networks / Re: ProtonVPN Wireguard DNS
« on: February 20, 2024, 11:05:52 pm »
Thanks for the reply :)

I've done a little more digging and I've found something (that I think is) interesting... When running a tracert from my machine (static lease, no DNS configured), I can see the second hop as the address of my VPN DNS (10.2.0.1). However, dnsleaktest and ipleak both report DNS leaks with this configuration.

If I update the static lease config to use the 10.2.0.1 address as DNS, then tracert still reports 10.2.0.1 as the second hop, but both sites mentioned above report no leaks.

I don't get it.

13
Virtual private networks / Re: Zenarmor does not work when using wireguard
« on: February 20, 2024, 10:40:20 pm »
I'm a newbie, but I read that os-wiregaurd-go is deprecated, so probs best not to use that.

14
Virtual private networks / Re: ProtonVPN Wireguard DNS
« on: February 20, 2024, 10:37:03 pm »
This is driving me nuts! I've triple checked my config and I really cannot see anything wrong - I'd really appreciate some help if anyone has a solution.

15
Virtual private networks / ProtonVPN Wireguard DNS
« on: February 19, 2024, 05:47:51 pm »
Hi All,

Newbie here, although I like to think of myself as technically competent  ;)

I have managed to configure a single WG interface and route selected clients over it, but I have become a bit unstuck WRT to DNS leaks. I have tried some of the suggestions https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html#dealing-with-dns-leaks and only option 5 has been successful (I could do 4, but if the VPN goes down, I still need non-VPN devices to be able to resolve addresses.

What do I need to configure in order to be able to route DNS for all hosts in my VPN Alias to the VPN provider's DNS?

Many thanks in advance.

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2