OPNsense Forum » English Forums » Virtual private networks » DNSCrypt and Wireguard - Internal resolver bypassed
Topic: DNSCrypt and Wireguard - Internal resolver bypassed (Read 1213 times)
domfel (Newbie, Posts: 2, Karma: 0)
DNSCrypt and Wireguard - Internal resolver bypassed
« on: February 22, 2022, 06:44:15 pm »
Hello everybody,
New to OPNsense here, coming from pfSense. DNSCrypt works perfectly without Wireguard; after that it gets 'bypassed' by the WG tunnel. I get the DNS of the ISP on the other side of the tunnel, and even if I disable DNSCrypt I still get the ISP DNS.
Tried with Unbound, same thing, even when listening on the WG interface. DNSCrypt was also configured to listen on the WG interface; I used the IP address set up on the interface (not the one of the gateway, they differ - using Mullvad here).
Firewall rules are set up so that all IPv4 and IPv6 traffic, except a few aliases, goes through the WG tunnel. I tried to add rules for port 53 and 853, but no luck.
I set up WG without the floating rules from the OPNsense documentation; there are simply two NAT Outbound rules for the WG interface and the rules for routing all traffic, that's it.
I tried to specify the localhost (127.0.0.1) and the LAN IP (192.xxx.xxx.xxx) as DNS in the WG Local configuration, but the internal resolver still gets completely bypassed.
What am I missing here? Thank you!
domfel (Newbie, Posts: 2, Karma: 0)
Re: DNSCrypt and Wireguard - Internal resolver bypassed
« Reply #1 on: February 22, 2022, 10:07:53 pm »
I kept troubleshooting, and no luck so far.
I have tried to delete the DNSes under General, specify the internal LAN address as DNS for the DHCP Server, use Unbound and check that the ACLs are set up properly, etc., but the issue is still there.
The issue is also present with devices outside the tunnel!
It's like the Wireguard plugin, since there are no specified DNSes in the Local conf, is pushing whatever DNS it is getting from the tunnel (the destination ISP in this case) to the entire network.
I tried to specify Quad9 DNSes in the WG Local conf, and it works ONLY for devices outside the VPN, and with some leaks: I get the Quad9 DNSes but also the ISP DNSes. For devices INSIDE the VPN, same thing, only the DNS from the ISP.
With this configuration I also lose the ability to use blacklists, the cache of the internal resolver, and the advantages of DoH/DoT.
Hoping for ideas here.
« Last Edit: February 22, 2022, 10:10:30 pm by domfel »