16.7 Legacy Series / Network/VPN design question
« on: December 20, 2016, 12:18:34 am »
Greetings.
1) I have configured my home OPNsense firewall as an OpenVPN client connecting to my own Ubuntu OpenVPN server running in the cloud - a DigitalOcean droplet.
2) I have configured the firewall so that I can direct client traffic going through the firewall to exit through the WAN gateway or VPN gateway based on criteria defined in the firewall rules.
3) I am *NOT* pushing "redirect-gateway" or "dhcp-option DNS" commands from the VPN server to the firewall, though. Thus, by default, traffic goes out the WAN gateway - not the VPN gateway - including *ALL* DNS queries. However...
4) I have installed/configured "dnscrypt-proxy" on the firewall so that DNS queries go through the proxy (and are encrypted) to the DNS resolver of my choice.
I hope that is clear...
The idea is that I don't want client traffic that the firewall rules direct to exit through the WAN to depend on the VPN for DNS resolution - in case the VPN is down, for example. But at the same time I want to protect the DNS queries from disclosure to my ISP.
So while I'm technically "leaking" the DNS queries for the client traffic that the firewall rules direct to exit through the VPN, those queries are protected with encryption. And at the same time, I am also protecting the DNS queries for the client traffic that the firewall rules direct to exit through the WAN as well.
My question is this: is this a reasonably secure design? If not, why not?
Thanks and Merry Christmas!