Messages

1

19.7 Legacy Series / Encrypting Local WiFi Network Traffic With Wireguard

« on: October 27, 2019, 04:18:37 am »

Hi all,

Have been searching for a solid guide to follow but am yet to come across anything that resembles my use case requirement. Not sure if it can even be done but here goes.

What I am wanting to do is use Wireguard to encrypt my local WiFi network traffic.  I do not need it to go externally as all my traffic is currently routed through an OpenVPN client connection.

My setup is as follows:

Firewall Appliance -> Netgear Router AP Mode -> Wireless Clients

OS-Wireguard is installed on my firewall.

Any and all help is greatly appreciated.

2

Tutorials and FAQs / Re: SOLVED (DNS Privacy Project) DNS OVER TLS WITH GETDNS+STUBBY OPNSENSE PORTS

« on: July 10, 2019, 02:09:44 am »

Hey franco,

Many thanks for your help.

I managed to get all the way through the installation phase. It's a shame the mods to this section didn't provide an update to compliment the excellent guide(s) written by @directnupe.

Now I am just trying to figure out how to select localhost on the interfaces section when the option to select it is no longer there! Another change perhaps??

Many thanks,
Amanaki

3

Tutorials and FAQs / Re: SOLVED (DNS Privacy Project) DNS OVER TLS WITH GETDNS+STUBBY OPNSENSE PORTS

« on: July 09, 2019, 12:46:01 am »

Hi all,

Using this guide, I am trying to get Stubby / GetDNS running on my machine but I have come across an issue in step # 3 which is preventing me from going further.

My fresh install:

OPNsense 19.1.10-amd64
FreeBSD 11.2-RELEASE-p10-HBSD
OpenSSL 1.0.2s 28 May 2019
Unbound 1.9.2

This is the step I am having problems with:

Code: [Select]

Step 3: - Proceed and complete Opnsense Ports install with the following commands: ( Note that is designed for Opnsense 18.7 Variants; however, I believe that it will work with all Opnsense versions - but I have not tested that proposition. )

# cd /etc
# fetch https://raw.githubusercontent.com/opnsense/tools/master/config/18.7/make.conf
Returns the following errors:

Code: [Select]

root@OPNsense:~ # cd /etc
root@OPNsense:/etc # fetch https://raw.githubusercontent.com/opnsense/tools/master/config/19.1/make.conf
fetch: https://raw.githubusercontent.com/opnsense/tools/master/config/19.1/make.conf: No address record
root@OPNsense:/etc # fetch https://raw.githubusercontent.com/opnsense/tools/master/config/19.1/make.conf
fetch: https://raw.githubusercontent.com/opnsense/tools/master/config/19.1/make.conf: No address record
As can be seen, I tried modifying the path provided in the guide but it won't work in the command line. I am not sure what is wrong. Perhaps I have missed something with all the changes.

Help please!

4

18.7 Legacy Series / Re: Firewall Rules for DNSCrypt Proxy v2

« on: January 16, 2019, 02:39:38 pm »

Ok. I will add this on downtime and see if it makes any difference to my DNS results.

Thanks.

5

18.7 Legacy Series / Re: Firewall Rules for DNSCrypt Proxy v2

« on: January 15, 2019, 11:24:57 pm »

No such file or directory!

Code: [Select]

root@OPNsense:~ # cat /etc/rc.conf.d/dnscrypt_proxy
cat: /etc/rc.conf.d/dnscrypt_proxy: No such file or directory

6

18.7 Legacy Series / Re: Firewall Rules for DNSCrypt Proxy v2

« on: January 14, 2019, 10:33:39 pm »

Services -> Unbound DNS -> General -> Enable Forwarding Mode = UNCHECKED

Ok, so my interpretation your instruction is to use a windows client on my network, flush its dns cache, then visit a website, is that correct?

I did as above using dnsprivacy.org then checked my dnscrypt-proxy logs and found the following entries:

Code: [Select]

[2019-01-14 08:18:57] 127.0.0.1 dnsprivacy.org A PASS
[2019-01-14 08:18:57] 127.0.0.1 dnsprivacy.org A PASS
[2019-01-14 08:18:57] 127.0.0.1 dnsprivacy.org A PASS
[2019-01-14 08:18:57] 127.0.0.1 dnsprivacy.org A PASS
[2019-01-14 08:18:57] 127.0.0.1 org DNSKEY PASS
[2019-01-14 08:18:57] 127.0.0.1 org DNSKEY PASS
[2019-01-14 08:18:57] 127.0.0.1 dnsprivacy.org DS PASS
[2019-01-14 08:18:57] 127.0.0.1 dnsprivacy.org A PASS
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org DNSKEY PASS
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org DNSKEY PASS
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org AAAA SYNTH
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org AAAA SYNTH
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org AAAA SYNTH
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org AAAA SYNTH
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org AAAA SYNTH
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org AAAA SYNTH
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org DNSKEY FORWARD
On another note, I think I have stumbled across an issue where a file is missing inside my configuration.

In the install notes, there is a reference to a config file in the following path:

'etc/rc.conf'

Using winscp, I cannot find it at all...

The dnscrypt-proxy files I have are:

'usr/local/etc/rc.d'
'usr/local/etc/dnscrypt-proxy/dnscryptproxy.toml'

I initially installed 18.7.6 and not sure if this was caused by upgrading to the current version being 18.7.10.

7

18.7 Legacy Series / Re: Firewall Rules for DNSCrypt Proxy v2

« on: January 14, 2019, 10:37:32 am »

I am not familiar with any CLI commands for unbound, but I assume this is what you were after.

Code: [Select]

unbound: [21146:1] info: generate keytag query _ta-4f66. NULL IN
unbound: [21146:2] info: generate keytag query _ta-4f66. NULL IN
unbound: [21146:0] info: start of service (unbound 1.8.3).
unbound: [21146:0] notice: init module 1: iterator
unbound: [21146:0] notice: init module 0: validator
unbound: [86555:0] info: server stats for thread 3: requestlist max 0 avg 0 exceeded 0 jostled 0
unbound: [86555:0] info: server stats for thread 3: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
unbound: [86555:0] info: server stats for thread 2: requestlist max 0 avg 0 exceeded 0 jostled 0
unbound: [86555:0] info: server stats for thread 2: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
unbound: [86555:0] info: server stats for thread 1: requestlist max 0 avg 0 exceeded 0 jostled 0
unbound: [86555:0] info: server stats for thread 1: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
unbound: [86555:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
unbound: [86555:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
unbound: [86555:0] info: service stopped (unbound 1.8.3).
unbound: [86555:0] info: start of service (unbound 1.8.3).
unbound: [86555:0] notice: init module 1: iterator
unbound: [86555:0] notice: init module 0: validator
unbound: [86555:0] notice: Restart of unbound 1.8.3.
Below are settings I have for dnscrypt-proxy and unbound. I can post my entire .toml file if you need as well. Note I use Plex and do not use any IPv6 at all.

Dnscrypt-proxy .toml  file includes the following for forwarding rules:

Code: [Select]

lan 127.0.0.1
10.in-addr.arpa 127.0.0.1
192.in-addr.arpa 127.0.0.1
254.169.in-addr.arpa 127.0.0.1
Unbound additional config includes:

Code: [Select]

server:
   do-not-query-localhost: no
   private-domain: "plex.direct"

forward-zone:
        name: "."       
        forward-addr:127.0.0.1@5353
The thing that really strikes me about this is when I was an OpenWRT user, I always got dnsleak tests back with the country I was connected to. For example, if my server selection in .toml file was set to cloudflare, then if I connected my vpn client to NL for instance, the dnsleak test would show the cloudflare server as being in NL as opposed to my home country.

Thanks again for taking the time to help out. I am keen to get to the bottom of this issue.

Amanaki

8

18.7 Legacy Series / Re: Firewall Rules for DNSCrypt Proxy v2

« on: January 14, 2019, 08:21:32 am »

Ok, below I have enclosed dnscrypt-proxy daemon logs and test outputs with CLI.

Code: [Select]

[2019-01-14 14:08:44] [NOTICE] dnscrypt-proxy 2.0.19
[2019-01-14 14:08:44] [NOTICE] Loading the set of blocking rules from [/usr/local/etc/dnscrypt-proxy/domains-blacklist]
[2019-01-14 14:08:45] [NOTICE] Loading the set of forwarding rules from [/usr/local/etc/dnscrypt-proxy/forwarding-rules]
[2019-01-14 14:08:45] [NOTICE] Loading the set of IP blocking rules from [/usr/local/etc/dnscrypt-proxy/domains-ip-blacklist]
[2019-01-14 14:08:45] [NOTICE] Now listening to 127.0.0.1:5353 [UDP]
[2019-01-14 14:08:45] [NOTICE] Now listening to 127.0.0.1:5353 [TCP]
[2019-01-14 14:08:46] [NOTICE] [cloudflare] OK (DoH) - rtt: 31ms

Code: [Select]

[2019-01-14 18:10:16] 127.0.0.1 s.youtube.com A REJECT
[2019-01-14 18:10:16] 127.0.0.1 s.youtube.com A REJECT
[2019-01-14 18:10:16] 127.0.0.1 s.youtube.com A REJECT
[2019-01-14 18:10:16] 127.0.0.1 s.youtube.com A REJECT
[2019-01-14 18:10:16] 127.0.0.1 s.youtube.com A REJECT
[2019-01-14 18:10:36] 127.0.0.1 mqtt-p4.facebook.com A PASS
[2019-01-14 18:10:36] 127.0.0.1 mqtt-p4.c10r.facebook.com A PASS
[2019-01-14 18:10:36] 127.0.0.1 mqtt-p4.c10r.facebook.com A PASS
[2019-01-14 18:10:36] 127.0.0.1 cdn.fbsbx.com A PASS
[2019-01-14 18:10:37] 127.0.0.1 scontent.xx.fbcdn.net A PASS
[2019-01-14 18:10:37] 127.0.0.1 scontent.xx.fbcdn.net A PASS
[2019-01-14 18:10:37] 127.0.0.1 scontent.xx.fbcdn.net A PASS
[2019-01-14 18:10:37] 127.0.0.1 scontent.xx.fbcdn.net A PASS
[2019-01-14 18:10:37] 127.0.0.1 fbsbx.com DS PASS

Code: [Select]

root@OPNsense:~ # ps ax | grep dnscrypt
50066  -  Is     0:00.00 daemon: /usr/local/sbin/dnscrypt-proxy[50151] (daemon)
50151  -  I      1:32.52 /usr/local/sbin/dnscrypt-proxy -config /usr/local/etc/
71046  0  S+     0:00.01 grep dnscrypt

Code: [Select]

root@OPNsense:~ # drill -p 53 opnsense.org @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 926
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; opnsense.org.        IN      A

;; ANSWER SECTION:
opnsense.org.   508     IN      A       81.171.2.181

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 241 msec
;; SERVER: 127.0.0.1
;; WHEN: Redacted
;; MSG SIZE  rcvd: 46

Code: [Select]

root@OPNsense:~ # drill -p 5353 opnsense.org @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 8169
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; opnsense.org.        IN      A

;; ANSWER SECTION:
opnsense.org.   599     IN      A       81.171.2.181

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 18 msec
;; EDNS: version 0; flags: ; udp: 1452
;; SERVER: 127.0.0.1
;; WHEN: Mon Jan 14 17:59:46 2019
;; MSG SIZE  rcvd: 69

Code: [Select]

root@OPNsense:~ # dnscrypt-proxy -resolve dnscrypt.me
Resolving [dnscrypt.me]

Domain exists:  yes, 2 name servers found
Canonical name: dnscrypt.me.
IP addresses:   104.31.74.114, 104.31.75.114
TXT records:    v=spf1 include:spf.messagingengine.com ?all
Resolver IP:    194.132.32.23 (dns2.ipredator.se.)

Code: [Select]

root@OPNsense:~ # drill -p 53 google.com @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 31403
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; google.com.  IN      A

;; ANSWER SECTION:
google.com.     599     IN      A       216.58.199.78

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 53 msec
;; SERVER: 127.0.0.1
;; WHEN: Mon Jan 14 18:06:34 2019
;; MSG SIZE  rcvd: 44
root@OPNsense:~ #

Can you spot anything out of the ordinary?

9

18.7 Legacy Series / Re: OpenVPN Client Killswitch

« on: January 14, 2019, 05:13:32 am »

Hey thanks. I looked at the previous thread and I noticed a lot of people had issues with it. Also, it does not make any mention of unbound and dnscrypt-proxy either so I wonder if it is a viable option to pursue for my use case.

Regarding your suggestion of floating rules, I do not have not experience with using floating rules at this point, do you have a sample I could refer to or something at least to help get me started in the right direction?

10

18.7 Legacy Series / Re: OpenVPN Client Killswitch

« on: January 14, 2019, 04:40:21 am »

Yes, that is right.

I have two networks (VLAN40 + VLAN10) for my teenage boys whom game a lot. It has UPnP for gaming and all so I just isolate them and allow all traffic to WAN directly through ISP.

11

18.7 Legacy Series / Re: OpenVPN Client Killswitch

« on: January 14, 2019, 04:17:39 am »

Hi abalsam,

1.  Are you looking to restrict a single host to VPN only or the entire network? - the answer to this question would determine what rules to use.

My setup includes LAN and a number of VLANS. I have three VPN clients running. Only two networks require clearnet WAN access. All others are VPN connected and I want none of them to pass traffic to the clearnet if any of the connections drop.

Do you establish VPN connectivity via an IP address or a hostname (which must be resolved via DNS)?  - the answer to this question would determine if DNS should be included or excluded from the kill switch (if I need DNS working to resolve my VPN hostname I can't include it within the kill switch).

I use ExpressVPN and use hostnames for connections which as you pointed out, require DNS resolution.

On the note of DNS, I am using DNScrypt-proxy with unbound.

Also, my NAT, I have changed it to manual and have tried to jimmy a killswitch using NAT but I am not sure if it does anything. I enclosed a screenshot for you.

Thanks for helping :-)

12

18.7 Legacy Series / OpenVPN Client Killswitch

« on: January 14, 2019, 03:11:49 am »

Hi all,

May seem like a simple question but I would really appreciate some help with this post I created many weeks ago.

https://forum.opnsense.org/index.php?topic=10533.msg48173#msg48173

In simple terms, I need to stop any traffic from being routed to the clearnet if my VPN client connection fails or drops out for some reason.

Any help would be greatly appreciated please.

Thanks,
Amanaki

13

18.7 Legacy Series / Re: 18.7 unbound with dnscrypt

« on: January 14, 2019, 03:06:56 am »

Hi Guys,

I have an open question regarding manual installation and configuration of dnscrypt-proxy v2 but not getting the help I need to resolve my issues.

My post is here:

https://forum.opnsense.org/index.php?topic=11013.0

To install, I used the guide provided earlier in this post by @emwe.

I am having some issues with my configuration and not sure how to resolve it. Particularly, my unbound config and dnsleak tests are returning Cloudflare dns servers when I am actually connected to another country via OpenVPN client.

I am happy to share anything related to my config to help anyone willing to chime in.

Can some PLEASE help me out?

Thanks,
Amanaki

14

18.7 Legacy Series / Re: Firewall Rules for DNSCrypt Proxy v2

« on: January 14, 2019, 02:57:11 am »

Help with my question anyone?

15

18.7 Legacy Series / Re: Firewall Rules for DNSCrypt Proxy v2

« on: January 13, 2019, 03:32:36 pm »

Please excuse me mimugmail..

"The question is which DNS server do the clients in other networks query?"

I'm not following you. What do you mean by this question?

I do not have any DNS servers configured inside System -> Settings -> General.

In unbound, I have the my interfaces selected as per the attached screenshot and for outgoing network interfaces I have selected localhost.

I have the following settings in unbound -> additional config:

server:
   do-not-query-localhost: no
   private-domain: "plex.direct"

forward-zone:
        name: "."       
        forward-addr:127.0.0.1@5353