Messages - hushcoden

106
General Discussion / Re: DNS over TLS setup and test final
« on: September 25, 2023, 05:18:24 pm »
Don't ever trust free VPNs. How do you think they make money to provide the service? You are the 'product'!

107
General Discussion / Re: Trying to get stats for each client using AdGuard Home
« on: September 17, 2023, 11:08:12 pm »
Quote from: Patrick M. Hausen on September 17, 2023, 08:51:33 pm
Install AGH on your OPNsense? Or instead of a port forward just give clients the address of the Pi as their DNS server via DHCP.
I know, but I wanted to make things a bit more complicated and learn some networking  ::)

I think I have no choice but to go with ADGH on OPNsense  8)

108
General Discussion / Trying to get stats for each client using AdGuard Home
« on: September 17, 2023, 06:03:45 pm »
I've installed AdGuard Home on a Raspi4 connected to my LAN (192.168.0.1), and the Raspi's IP address is 192.168.0.14.

AdGuard is listening on all interfaces (bind DNS on 0.0.0.0)

Unbound is disabled.

On LAN I have a port forward rule, the firewall rule as well as the outbound rule, and the setup seems to work, but in the AdGuard dashboard I see all the stats coming from a single IP, i.e. 192.168.0.1. How would I fix that?

Tia.

109
23.7 Legacy Series / Re: How do I fix a DNS leak?
« on: September 16, 2023, 01:36:52 pm »
Thank you both. For now I don't want to enable Unbound; the investigation continues.

110
23.7 Legacy Series / How do I fix a DNS leak?
« on: September 15, 2023, 07:36:21 pm »
Let's start with my OPNsense setup:

1. Unbound disabled

2. Raspi4 acting as DNS server (Quad9 servers) connected to another port of the appliance (LAN3)

3. Port forward for LAN interface

4. LAN rule for port 53 automatically created by the port forward

5. System -> Settings -> General -> DNS servers = 1.1.1.1 (I have to input a DNS server otherwise OPNsense cannot perform updates, even if I check the option "Allow DNS server list to be overridden by DHCP/PPP on WAN")

I've noticed that if the System -> Settings -> General -> DNS servers list is empty then OPNsense cannot resolve any websites and ALL the LAN devices have no Internet access, hence I've added the Cloudflare server -> I've got a DNS leak as tested with this website from any device on my LAN, i.e. I get two ISPs as a result, Quad9 and Cloudflare  >:(

During the DNS leak test I was watching the live firewall output and noticed that the LAN rule to redirect the DNS requests is rightly triggered alongside another one labelled "let out anything from the firewall host itself" on LAN3 interface (that's where the Raspi4 is connected to).

For both rules the destination address is the one of the Raspi4.

Why doesn't the port forward suffice, and why is the client using both DNS servers to perform the test (DNS leak)?

How do I instruct OPNsense to use the ISP DNS servers while the clients only use the Raspi4 server as per the port forward?

Tia.

111
Virtual private networks / Unable to make the Mullvad Android app connect
« on: September 12, 2023, 04:29:46 pm »
I'm testing the Mullvad app on my smartphone (it uses Wireguard) and it works just fine.

If I connect the smartphone to my home network, then OPNsense denies the connection (see attachment): where do I start to troubleshoot?

On the same smartphone I also have the ProtonVPN app, and it connects straight away  ::)

Tia.

112
Virtual private networks / Re: How to get a second wireguard tunnel working?
« on: September 11, 2023, 12:15:44 am »
The /28 comes from here: https://gist.github.com/morningreis/eeda36e8bb07dcb750d77e9a744776e8

I read a few online articles and tried to understand something, please don't be mad at me...

And thank you both for the support, I've learnt a lot!

113
Virtual private networks / Re: How to get a second wireguard tunnel working?
« on: September 10, 2023, 11:52:57 pm »
Yes, I did try with those two different IP addresses for the tunnels, but then I reverted back to 10.2.0.2/32 for the single tunnel configuration, and that's when the connection became stable with no packet loss.

Looking at the Proton portal, all the config files for different servers I've inspected had one thing in common, i.e. the address 10.2.0.2/32 and DNS:
Code:
[Interface]
# Bouncing = 10
# NetShield = 2
# Moderate NAT = off
# NAT-PMP (Port Forwarding) = off
# VPN Accelerator = on
PrivateKey = ******
Address = 10.2.0.3/32
DNS = 10.2.0.1

[Peer]
# UK#53
PublicKey = ******
AllowedIPs = 0.0.0.0/0
Endpoint = 146.70.83.66:51820

So, indeed, I did use those two addresses arbitrarily  :P

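The thread above turns on two WireGuard client configs that both carry the same tunnel Address and in-tunnel DNS, and on the later confusion about which IP to use as a gateway monitor. The check below is an added example, not code from the thread or from OPNsense; it parses wg-quick style configs with constructed placeholder keys and documentation-range endpoints (not the real Proton values) and reports what would stop two tunnels from coexisting on one router.

```python
import configparser
import ipaddress

# Constructed sample configs modelled on the situation in the thread:
# two ProtonVPN-style tunnels that both claim 10.2.0.2/32 and DNS 10.2.0.1.
# Keys are placeholders and endpoints use RFC 5737 documentation addresses.
WG1 = """
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY_1
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY_1
AllowedIPs = 0.0.0.0/0
Endpoint = 192.0.2.10:51820
"""
WG2 = WG1.replace("_1", "_2").replace("192.0.2.10", "192.0.2.20")

def parse_wg(text):
    """Parse a wg-quick style config; '#' lines (Proton's annotations) are comments."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    iface, peer = cp["Interface"], cp["Peer"]
    return {
        "address": ipaddress.ip_interface(iface["Address"].split(",")[0].strip()),
        "dns": iface.get("DNS", "").strip(),
        "endpoint": peer["Endpoint"].rsplit(":", 1)[0].strip(),  # host only
    }

def find_conflicts(configs):
    """Return the problems that stop two tunnels from coexisting on one host."""
    parsed = {name: parse_wg(text) for name, text in configs.items()}
    names, problems = list(parsed), []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            pa, pb = parsed[a], parsed[b]
            if pa["address"].ip == pb["address"].ip:
                problems.append(f"{a} and {b} share tunnel address {pa['address'].ip}")
            if pa["dns"] and pa["dns"] == pb["dns"]:
                problems.append(f"{a} and {b} share in-tunnel DNS {pa['dns']}")
    return problems

def monitor_ip_is_sane(config_text, monitor_ip):
    """A gateway monitor IP must be reached through the tunnel: never the public
    endpoint (the tunnel cannot be routed through itself) and never our own address."""
    cfg = parse_wg(config_text)
    return monitor_ip != cfg["endpoint"] and monitor_ip != str(cfg["address"].ip)
```

With the two constructed configs the check reports both the shared address and the shared DNS; giving the second tunnel its own address leaves only the DNS note, which is harmless when the provider hands every tunnel the same resolver.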
114
Virtual private networks / Re: How to get a second wireguard tunnel working?
« on: September 10, 2023, 06:20:46 pm »
Quote from: Maurice on September 10, 2023, 06:00:18 pm
Have you tried all of this?
Yep, and with 1 tunnel it works flawlessly; most likely ProtonVPN 'messes up' things with more than 1 connection.

I will try Mullvad with two tunnels and see how it goes.

115
Virtual private networks / Re: How to get a second wireguard tunnel working?
« on: September 09, 2023, 09:41:18 pm »
Quote from: Bob.Dig on September 09, 2023, 08:15:13 pm
Who is your VPN Provider? If both tunnels use the same ip config, which I see often with WG, you can not have more than one tunnel to that provider.
ProtonVPN

116
Virtual private networks / Re: How to get a second wireguard tunnel working?
« on: September 09, 2023, 07:02:49 pm »
Quote from: Maurice on September 09, 2023, 05:32:38 pm
The monitor IP must be routed through the tunnel, the endpoint IP mustn't. The tunnel can't be routed through itself.
According to the OPNsense guide, as for the monitor IP -> "Insert the endpoint VPN tunnel IP (NOT the public IP) of your VPN provider - see note below" BUT for me it doesn't work, the tunnel shows offline, even if I leave it blank. Why??

And if I use 10.2.0.1 (DNS address) the gateway immediately shows online!

And, do I have to set the DNS for each gateway as per this guide: https://docs.opnsense.org/manual/how-tos/multiwan.html

117
Virtual private networks / Re: How to get a second wireguard tunnel working?
« on: September 09, 2023, 06:46:09 pm »
I see... it's a shame I can't make two tunnels work: with one, it's all good; with two, I often see packet loss and devices disconnect every now and then...

118
Virtual private networks / Re: How to get a second wireguard tunnel working?
« on: September 09, 2023, 05:13:08 pm »
Ah okay, I can use Cloudflare or Quad9 then, but exactly what won't work? Thanks

And I noticed that with one tunnel the connection is pretty stable, but with two tunnels the devices lose Internet from time to time  :-\

119
Virtual private networks / Re: How to get a second wireguard tunnel working?
« on: September 09, 2023, 01:26:23 pm »
For the monitor IPs, I'm using Proton servers IP addresses (I believe it makes no difference from the Cloudflare or Google ones).

Another thing I noticed in the log is that pings from those servers towards the two local addresses are blocked. Can this be an issue?

120
Virtual private networks / Re: How to get a second wireguard tunnel working?
« on: September 09, 2023, 01:00:50 pm »
Great, thanks, it seems the gateway group is working.

I was watching the gateway stats for a few minutes for both tunnels, and noticed they fluctuate a lot, i.e. from online they go to packet loss then back to online: should I be concerned, or is it normal? I've set the tunnel MTU for both at 1412; does it matter at all?

Also, do I have to use any rules at all in Firewall -> WireGuard (Group)?

In Firewall -> NAT -> Outbound, I've created just one rule for the interface WireGuard (Group), but I don't know if that's the correct setting or whether I have to create two separate Outbound rules, one for wg1 and one for wg2?

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved