Virtual private networks / [SOLVED] Can't get wireguard road warrior to block ads using unbound
« on: August 07, 2023, 11:05:43 pm »
I've reasoned about this a bit and can't get it.
I used the road warrior setup for wireguard. The idea being that I could use mainly mobile phones to connect back home and get all the benefits of ad blocking, LAN access, etc.
While at home, I can confirm that adblocking and such works just fine though I will note that I run only IPv4 on my main wifi VLAN. That DHCP server offers up my main LAN IP as the sole DNS provider.
For wireguard, I followed the guide all the way through 5 (so I have a WG interface.) I can see the rule automatically added in NAT outbound.
- Firewall rules for the WG interface
block ipv6
(linked NAT port forward ---> IPv4 tcp/udp * * dst ! LAN_ADDRESS on 53 )
IPv4 tcp/udp * * 127.0.0.3 53
That loopback is a new interface that I created and unbound listens on.
Now...in my wireguard configs I set my main LAN_ADDRESS as the sole dns server. DNS is NOT set on wireguard local (server) portion and disable routes is unchecked.
I can use termux and do nslookup on known domains that are redirected to 0.0.0.0.
nslookup 2no.co 8.8.8.8
Returns 0.0.0.0 and I can see in the unbound logs that it answers that itself. I can't seem to understand just how ads are getting in then.
If I open a game I can see via PCAPdroid that it's looking for certain domains and some are blocked, some aren't. It can be the same domain and one attempt is "error" and the next succeeds. Usually takes 15 seconds for the first ad to get through but then it's constant.
I feel like I'm missing something but can't see what. Anyone else have this going without issue?
Edit- apologies if it's a little scattered. I can provide any more info on request. Just not sure where to look at this moment.
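A check for the setup described in the post, added here as an example and not part of the original thread: the port-53 redirect on the WG interface should make any resolver, over UDP or TCP, hand back unbound's 0.0.0.0 answer for a block-listed name. The resolver addresses, the 2no.co name and the on-wire response bytes in the test are constructed assumptions, not values from the thread.

```python
import socket
import struct

# Added example, not from the post: probe whether the WG port-53 redirect
# really forces every resolver's answer through unbound. A block-listed
# domain should come back as 0.0.0.0 from *any* resolver, over UDP or TCP.
BLOCKED_NAME = "2no.co"   # the post shows this name resolving to 0.0.0.0

def build_query(name, txid=0x1234):
    # header: id, flags (RD), qdcount=1; then labels, root, QTYPE=A, QCLASS=IN
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00\x00\x01\x00\x01"

def skip_name(msg, off):
    # advance past a name; a compression pointer (0xC0..) is 2 bytes and ends it
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += msg[off] + 1
    return off + 1

def parse_a_records(msg):
    # return the IPv4 strings found in the answer section of a DNS response
    qd, an = struct.unpack("!HH", msg[4:8])
    off, addrs = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE/QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def probe(resolver, name, tcp=False, timeout=3.0):
    # one query to resolver:53; DNS over TCP prefixes the message with a 2-byte length
    q = build_query(name)
    if tcp:
        with socket.create_connection((resolver, 53), timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)
            data = s.recv(4096)[2:]            # small answers fit one read
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (resolver, 53))
            data = s.recv(4096)
    return parse_a_records(data)

def bypass_paths(results):
    # results: {(resolver, "udp"|"tcp"): [addrs]}; any answer other than 0.0.0.0 bypassed unbound
    return [k for k, v in results.items() if v != ["0.0.0.0"]]
```

Run it from a WireGuard client, e.g. `bypass_paths({(r, p): probe(r, BLOCKED_NAME, p == "tcp") for r in ("8.8.8.8", "1.1.1.1") for p in ("udp", "tcp")})`; any path it lists is reaching a resolver the redirect rule did not catch.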