Messages - JMini

#1
Virtual private networks / Re: WireGuard Exporter Tool
December 12, 2025, 09:00:20 PM
Gotcha. Without understanding the presence of the keys, I thought the export was more important. I guess it isn't.

Thanks for the information, guys
#2
Virtual private networks / Re: WireGuard Exporter Tool
December 12, 2025, 03:56:11 PM
Quote from: Patrick M. Hausen on December 11, 2025, 07:46:47 PM
You should create the private/public key pair on the "client" and the private key should never leave the client. That's how WireGuard is intended to be set up. I don't understand why OPNsense provides a "peer generator" at all.

Ohhh. I see.
So the config file could use any private key? Just the public keys in the conf file need to match up. Is that right?

Looks like I need to do some reading.
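The point Patrick makes above, that the public key is derived from the private key and the server side only ever needs the public half, can be demonstrated offline. The following is an added example written for this thread, not OPNsense or WireGuard project code: it implements X25519 (RFC 7748), which is what WireGuard keys are, in pure Python so it runs without the `wg` binary, and mirrors `wg genkey` / `wg pubkey`. The RFC 7748 test vector embedded in the usage is a published constant; the peer stanza and `allowed_ips` value are constructed for illustration.

```python
"""WireGuard key pairs: the public key is a deterministic function of the
private key, so a config file can carry any private key as long as the
peer on the other side holds the matching public key.

Added example for this thread; not OPNsense or WireGuard project code.
"""
import base64
import os

P = 2**255 - 19      # Curve25519 field prime
A24 = 121665         # (486662 - 2) / 4 from RFC 7748
BASE_POINT_U = 9     # generator u-coordinate


def _clamp(k: bytes) -> int:
    """Scalar clamping as required by RFC 7748 section 5."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, u: int) -> int:
    """Montgomery ladder: returns the u-coordinate of scalar * (u, ...)."""
    k = _clamp(scalar)
    x1 = u % P
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return x2 * pow(z2, P - 2, P) % P


def hex_to_b64(h: str) -> str:
    return base64.b64encode(bytes.fromhex(h)).decode()


def b64_to_hex(b: str) -> str:
    return base64.b64decode(b).hex()


def wg_genkey() -> str:
    """Equivalent of `wg genkey`: 32 random bytes, base64-encoded."""
    return base64.b64encode(os.urandom(32)).decode()


def wg_pubkey(private_b64: str) -> str:
    """Equivalent of `wg pubkey`: derive the public key from a private key."""
    priv = base64.b64decode(private_b64)
    if len(priv) != 32:
        raise ValueError("WireGuard private key must decode to 32 bytes")
    pub = x25519(priv, BASE_POINT_U).to_bytes(32, "little")
    return base64.b64encode(pub).decode()


def shared_secret(private_b64: str, peer_public_b64: str) -> str:
    """Raw X25519 agreement (hex). WireGuard feeds this into Noise, but the
    symmetry shown here is why only public keys need to be exchanged."""
    priv = base64.b64decode(private_b64)
    peer_u = int.from_bytes(base64.b64decode(peer_public_b64), "little")
    peer_u &= (1 << 255) - 1          # RFC 7748: mask the top bit of u
    return x25519(priv, peer_u).to_bytes(32, "little").hex()


def peer_stanza(client_public_b64: str, allowed_ips: str) -> str:
    """The only key material the server (OPNsense instance) needs: the
    client's PUBLIC key. The private key stays in the client's conf file."""
    return f"[Peer]\nPublicKey = {client_public_b64}\nAllowedIPs = {allowed_ips}\n"


if __name__ == "__main__":
    # RFC 7748 section 6.1 test vector (Alice's private key).
    alice = hex_to_b64("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    print(wg_pubkey(alice))
    client = wg_genkey()               # generated on the client, never exported
    print(peer_stanza(wg_pubkey(client), "10.10.70.2/32"))
```

Run `wg_genkey()` on the client, keep the result in the client's `[Interface] PrivateKey`, and paste only `wg_pubkey()` of it into the server's peer entry; losing the client conf means generating a new pair and replacing the public key on the server, since the private key cannot be recovered from the public one.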
#3
Virtual private networks / Re: WireGuard Exporter Tool
December 11, 2025, 07:25:32 PM
It's only a few (6 max) remote users.

The private key appears in the conf file on peer creation. Once you leave that screen, it's found nowhere else. So it's not just on the server (instance).
#4
Virtual private networks / Re: WireGuard Exporter Tool
December 11, 2025, 05:12:46 AM
I don't understand why there isn't an export button for the conf files. If you don't copy/paste during peer creation, you're out of luck.
You can't even build the conf file from the information in the peer details. No access to the private key.
#5
A lot of good info here. Thanks, all.
I'm located in the US and Verizon is my ISP. I'm pretty sure they mine DNS and sell the data. No GDPR here. Cloudflare has a good reputation for privacy. But any unencrypted DNS will be snooped by Verizon.
I don't care about "intelligence". I'm a nobody home user. They're gonna get what they get. I'd rather just not be snooped on by my ISP and have it sold to advertisers.
So, if I let Unbound use the authoritative servers it has compiled in, it's sending those requests in the clear over port 53 where they can be seen by anyone along the way. Using DoH/DoT, it's at least hidden until it gets to Cloudflare/OpenDNS. Then I'm relying on their privacy promises. I get that part.

Thanks for the whole explanation of how the stepped approach to DNS resolution works. I thought there were these centralized DNS repositories that just served up the whole thing. Not: org, then opnsense.org, then forums.opnsense.org.
Maybe I'll do some reading on the details of DNS. I had no idea it was that segmented.
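The stepped resolution described in this exchange can be walked through offline. The following is an added example written for this page, not Unbound or OPNsense code: it simulates a recursive resolver walking a constructed delegation chain (root, then org, then opnsense.org) and records which server sees which query name, once with the full name sent at every step and once with QNAME minimisation, which Unbound supports. The server labels and the RFC 5737 addresses are constructed; `forward()` models the DoH forwarder case where the ISP sees nothing but the upstream still sees the full name.

```python
"""Which servers see which names during DNS resolution.

Added example for this thread; not Unbound, AdGuard or OPNsense code.
ZONES is a constructed delegation chain with documentation-range addresses.
"""

ZONES = {
    ".": {"server": "root server", "child_zones": ("org.",)},
    "org.": {"server": "org TLD server", "child_zones": ("opnsense.org.",)},
    "opnsense.org.": {
        "server": "opnsense.org authoritative server",
        "records": {
            "opnsense.org.": "192.0.2.20",         # constructed
            "forums.opnsense.org.": "192.0.2.10",  # constructed
        },
    },
}


def _fqdn(name: str) -> str:
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def _minimised(qname: str, zone: str) -> str:
    """QNAME minimisation: ask a zone only for one label below it."""
    labels = qname.rstrip(".").split(".")
    zone_depth = 0 if zone == "." else len(zone.rstrip(".").split("."))
    keep = min(len(labels), zone_depth + 1)
    return ".".join(labels[-keep:]) + "."


def resolve(qname: str, minimise: bool = False):
    """Iterative (recursive-resolver style) lookup from the root.

    Returns (answer_or_None, trace) where trace lists (server, name_asked).
    Every entry in the trace is a plaintext port-53 query on the wire.
    """
    qname = _fqdn(qname)
    zone, trace = ".", []
    while True:
        z = ZONES[zone]
        asked = _minimised(qname, zone) if minimise else qname
        trace.append((z["server"], asked))
        child = next((c for c in z.get("child_zones", ()) if qname.endswith(c)), None)
        if child is None:                       # this zone is authoritative
            return z.get("records", {}).get(qname), trace
        zone = child                            # referral downwards


def forward(qname: str, upstream: str = "cloudflare-dns.com (DoH)"):
    """Forwarder model: the upstream sees the full name and does the walk
    itself; the trace is what is visible on the client's own link."""
    qname = _fqdn(qname)
    answer, _ = resolve(qname)
    return answer, [(upstream, qname)]


def names_visible_to_isp(trace, encrypted: bool):
    """With DoH/DoT the ISP link carries no query names at all."""
    return [] if encrypted else [asked for _, asked in trace]


if __name__ == "__main__":
    for mode in (False, True):
        answer, trace = resolve("forums.opnsense.org", minimise=mode)
        print("minimise =", mode, "->", answer)
        for server, asked in trace:
            print(f"  {server:36s} saw {asked}")
    print(forward("forums.opnsense.org"))
```

Without minimisation the root and org servers both see `forums.opnsense.org.`; with it they see only `org.` and `opnsense.org.` respectively, and the full name reaches only the zone that holds it. In both cases the ISP sees every query in the trace, which is the trade-off against a DoH forwarder that sees everything but hides it from the ISP.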
#6
Does Unbound use DOH/DOT to send the request to the resolvers? Because the DNS req will still go through my ISP. So even though they're not serving the DNS request themselves, they can still see the unencrypted DNS request.
#7
Huh. OK. So if I don't define any forwarders in Unbound, it'll perform a lookup as you describe?

CloudFlare might not be authoritative. But they certainly think they are.

What settings do I need to set for this to happen? I thought I HAD TO define forward DNS servers.
#8
Oh. Right. Once it hits the DNS provider it's decrypted. But Cloudflare IS an authoritative DNS provider.
AdGuard forwards requests to whatever DNS server I set.
I've since set Google DNS DoH as a fallback server. I like Google less than Cloudflare. Google is a data mining company.
I'm comfortable with AdGuard sending my DNS requests to Cloudflare and falling back to Google as necessary.
#9
You can configure AdGuard and Unbound to forward to any upstream resolvers you want.
Right now I have AdGuard set to use DNS over HTTPS to Cloudflare and Google. I'd like to try using a non-Google DoH resolver as a second service, though.

h3://cloudflare-dns.com/dns-query
https://dns.google/dns-query

My ISP isn't seeing ANY DNS requests and can't inspect the ones being sent to Cloudflare.
#10
I don't know what could be causing that DHCP non-renew issue. There are a lot of folks here way more experienced with this than I am.
Maybe start a new thread.
#11
I have AdGuard Home set up to receive DNS on 53 from all internal networks and Dnsmasq listening on 53053.
For forwarders in AdGuard Home I have:
[/internal/]127.0.0.1:53053
[//]127.0.0.1:53053
h3://cloudflare-dns.com/dns-query
https://dns.google/dns-query

So internal queries are forwarded to Dnsmasq since it assigns DHCP and registers those hosts in its DNS.
And for private reverse DNS in AdGuard I have:
127.0.0.1:53053

The config guides I see have Unbound DNS in the mix between AdGuard Home and Dnsmasq.
Is there any real need for Unbound, since AdGuard Home does DNS/DoH and can forward internal requests to Dnsmasq?

Am I missing something?
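The upstream list in the post above routes queries by domain suffix. The following is an added example, not AdGuard Home's own code: it parses that upstream list with AdGuard's `[/domain/]upstream` syntax and answers, for a given query name, which upstreams the query would go to. The exact `[//]` semantics are assumed here (treated as matching names with no dot, i.e. bare DHCP hostnames); check AdGuard Home's documentation before relying on that. The sample upstream list is the one from the post; the query names are constructed.

```python
"""Domain-specific upstream routing in the style of AdGuard Home's
"[/domain/]upstream" list. Added example; not AdGuard Home code.

Assumption (labelled): "[//]" is interpreted as "names without any dot".
"""

# Upstream list copied from the post above.
UPSTREAM_LIST = """
[/internal/]127.0.0.1:53053
[//]127.0.0.1:53053
h3://cloudflare-dns.com/dns-query
https://dns.google/dns-query
"""


def parse_upstreams(text: str):
    """Return a list of (domains, upstream). domains is None for a default
    upstream, () for the "[//]" rule, else a tuple of suffixes."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[/"):
            end = line.index("/]")
            domains = tuple(d.lower() for d in line[2:end].split("/") if d)
            rules.append((domains, line[end + 2:].strip()))
        else:
            rules.append((None, line))
    return rules


def pick_upstreams(qname: str, rules):
    """All upstreams attached to the most specific matching rule, or the
    default upstreams when no domain rule matches."""
    name = qname.strip().rstrip(".").lower()
    matched = {}                                    # suffix length -> upstreams
    for domains, upstream in rules:
        if domains is None:
            continue
        if domains == ():                           # "[//]": assumed = no dot
            if "." not in name:
                matched.setdefault(0, []).append(upstream)
            continue
        for d in domains:
            # label-boundary check: "host.notinternal" must not match "internal"
            if name == d or name.endswith("." + d):
                matched.setdefault(len(d), []).append(upstream)
    if matched:
        return matched[max(matched)]
    return [upstream for domains, upstream in rules if domains is None]


def route_table(qnames, text: str = UPSTREAM_LIST):
    rules = parse_upstreams(text)
    return {q: pick_upstreams(q, rules) for q in qnames}


if __name__ == "__main__":
    # Constructed query names for illustration.
    for q, ups in route_table(
        ["nas.internal", "nas", "forums.opnsense.org", "host.notinternal"]
    ).items():
        print(f"{q:24s} -> {', '.join(ups)}")
```

Names under `internal` and bare hostnames go to Dnsmasq on 127.0.0.1:53053, everything else goes to the two DoH upstreams, and a name such as `host.notinternal` falls through to the defaults because the suffix match respects label boundaries.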
#12
I still saw the Verizon DNS in the logs. I did find the cause in AdGuard, though.
"By default, AdGuard Home uses the following reverse DNS resolvers: "71.243.0.12:53", "71.250.0.12:53""
So, this is for private IP stuff, so I just pointed it to Dnsmasq on OPNsense, which will resolve IPs for internal DHCP clients.
#13
In System/Settings/General
I added 1.1.1.1 to the DNS server list (selected the WAN_DHCP gateway).
And, crucially I think, I UNCHECKED "Allow DNS server list to be overridden by DHCP/PPP on WAN".

I've only been using OPNsense for a little over a week now and am still coming to grips with everything.
Thanks.
#14
25.7, 25.10 Series / WAN interface DNS to Verizon servers
November 23, 2025, 03:59:41 PM
I'm on Verizon FiOS and have my OPNsense FW connected to the ONT. My WAN interface is configured to get its address via DHCP. So I'm assuming that it's getting DNS servers assigned.
I'm seeing packets leaving the WAN interface to Verizon DNS servers. Only a few. No inbound traffic from a LAN trying to go to a Verizon DNS server. Just out of the WAN interface.
I have AdGuard Home set up for all internal DNS needs over DoH.

Is there somewhere that OPNsense might be using Verizon's assigned DNS servers?
#15
25.7, 25.10 Series / Re: Wireguard & LAN-LAN SMB
November 19, 2025, 11:11:52 PM
It was a shared folder network permission setting in QNAP.
Under Shared Folder Permissions, it defaults to user and group permissions, but there's also Microsoft Networking host access in a drop-down list.
Once there, only my 10.10.20.* network was entered. So I added the 10.10.40.* network and my WireGuard 10.10.70.* network.

It works like a charm now.