23.7 Legacy Series / How to use a separate computer as gateway
« on: September 24, 2023, 08:16:56 am »
I have an interesting problem and would appreciate everyone's ideas.
I would like to use a separate computer (VM) on the network as a gateway and I have it mostly working, except two issues. Specifically, I have an Ubuntu VM (192.168.1.10) on the LAN network (192.168.1.1/24) with Mullvad's app installed. I have configured the VM to act as a gateway where all incoming traffic gets redirected out via Mullvad's Wireguard interface. I prefer this over the built-in Wireguard plugin in OPNsense because the Mullvad app has additional features such as periodic rotation of the private key, rotation of the VPN server, quantum resistant encryption, etc.
In OPNsense, I manually add this VM (192.168.1.10) as a gateway. Using firewall rules, I selectively direct some LAN traffic to use this VM as the gateway and can confirm that it works correctly. For example, when using this gateway, the public IP address of LAN devices is the VPN server.
So the LAN traffic goes like this: LAN device (192.168.1.x) --> Ubuntu VM (192.168.1.10) --> out via Mullvad interface on the VM --> OPNsense gateway (192.168.1.1) --> internet.
So this is all great, except there are at least two problems.
1) I cannot figure out how to get Unbound to use this manually added gateway to send out DNS queries. If I use the built-in OPNsense VPN functionality, then I can assign the VPN as an interface, which would allow me to configure Unbound to use the VPN as the outgoing interface. However, my manually added VM (192.168.1.10) cannot be assigned an interface, so I'm not sure if there is some way around this problem. Ideally, I would like to have DNS queries go through the VPN gateway so there is no DNS leak.
2) I am not sure how to get devices on other subnets to use the VM as gateway. For example, let's say I have a guest subnet (192.168.2.1/24). If I use firewall rules to direct traffic on Guest Net to use 192.168.1.10 as the gateway, it does not work. I think this might be because the default gateway on Guest Net is 192.168.2.1 and I don't think Guest Net devices can access 192.168.1.10. I have tried adding a firewall rule to allow Guest Net devices to pass traffic to 192.168.1.10, but that does not seem to solve the problem.
Any ideas would be greatly appreciated!
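One thing worth checking for problem 2 is the return path on the VM itself: OPNsense can policy-route a Guest Net packet to 192.168.1.10, but the VM's reply to 192.168.2.x then follows the VM's own routing table, and once the Mullvad app has installed its default route into the tunnel, that reply goes into the tunnel (or is dropped by the app's firewall) unless a more specific route back via 192.168.1.1 exists. The script below is an added illustration, not code from the post or from Mullvad or OPNsense. It runs longest-prefix-match over a constructed, simplified `ip route show` sample (interface names `ens18` and `wg0-mullvad`, and the two-default-route layout, are assumptions; the real Mullvad app uses policy-routing rules and a separate table, but the matching principle is the same) and reports, for each internal subnet, where the VM would send its replies.

```python
import ipaddress

# Constructed sample of `ip route show` on the Ubuntu VM (192.168.1.10) with the
# tunnel up. Interface names and the route layout are assumptions for illustration.
SAMPLE_ROUTES = """\
default dev wg0-mullvad scope link
default via 192.168.1.1 dev ens18 proto dhcp metric 100
10.64.0.1 dev wg0-mullvad scope link
192.168.1.0/24 dev ens18 proto kernel scope link src 192.168.1.10
"""


def parse_routes(text):
    """Parse `ip route show` lines into (network, via, dev, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        via, dev, metric = None, None, 0
        for i, tok in enumerate(parts):
            if tok == "via":
                via = parts[i + 1]
            elif tok == "dev":
                dev = parts[i + 1]
            elif tok == "metric":
                metric = int(parts[i + 1])
        routes.append((ipaddress.ip_network(dest, strict=False), via, dev, metric))
    return routes


def lookup(routes, addr):
    """Kernel-style selection: longest prefix wins, then the lowest metric."""
    ip = ipaddress.ip_address(addr)
    candidates = [r for r in routes if ip in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def add_route(routes, network, via, dev, metric=0):
    """Model `ip route add <network> via <via> dev <dev>` without touching the host."""
    return routes + [(ipaddress.ip_network(network), via, dev, metric)]


def return_path_report(routes, subnets, lan_gateway, lan_dev, tunnel_dev):
    """For each internal subnet, classify where the VM would send reply packets.

    'into-tunnel' means replies leak into the VPN and never reach the client,
    which is exactly the asymmetric-routing failure that breaks a remote subnet.
    """
    report = {}
    for subnet in subnets:
        net = ipaddress.ip_network(subnet)
        probe = str(net.network_address + 1)  # any host address in the subnet
        r = lookup(routes, probe)
        if r is None:
            status = "unreachable"
        elif r[2] == tunnel_dev:
            status = "into-tunnel"
        elif r[2] == lan_dev and r[1] is None:
            status = "directly-connected"
        elif r[2] == lan_dev and r[1] == lan_gateway:
            status = "via-opnsense"
        else:
            status = "other"
        report[subnet] = status
    return report


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    subnets = ["192.168.1.0/24", "192.168.2.0/24"]
    print("before:", return_path_report(routes, subnets, "192.168.1.1", "ens18", "wg0-mullvad"))
    fixed = add_route(routes, "192.168.2.0/24", via="192.168.1.1", dev="ens18")
    print("after: ", return_path_report(fixed, subnets, "192.168.1.1", "ens18", "wg0-mullvad"))
```

On the sample table the LAN subnet is directly connected, but 192.168.2.0/24 only matches the default routes and the tunnel's default wins on metric, so replies to Guest Net go "into-tunnel"; adding a specific route for 192.168.2.0/24 via 192.168.1.1 flips it to "via-opnsense". On the real VM the equivalent check is `ip route get 192.168.2.5`, and the Mullvad app's own firewall also has to permit traffic to local networks (its "Local network sharing" setting) or the route alone is not enough.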