Selective IPs over PIA WG working but DNS Leaks

Started by chiefg, February 18, 2023, 11:01:09 PM

Recently moved to OPNsense, and having issues with DNS leaks for traffic routed thru the PIA WG tunnel.

I have PIA Wireguard working using the script that's floating around, it's working and I'm able to route specific IPs thru the tunnel, so far all is good.

Note: I did create an additional rule with PIA DNS servers as suggested at the very end of the OPNsense wiki "WireGuard Selective Routing to External VPN Endpoint".


In addition I have AdGuard Home set up using this guide (working and blocking well):

3 - OPNsense - System - Settings - General

      DNS Servers: empty

      Untick: Do not use the local DNS service as a nameserver for this system

      Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN

4 - OPNsense - Services - DHCPv4 - [LAN]: DNS Servers all empty

5 - OPNsense - Services - Unbound DNS - General

      Tick: Enable Unbound (Listen Port: 5353)

      Tick: Enable DNSSEC Support

      Network Interfaces: All

6 - OPNsense - Services - Unbound DNS - DNS over TLS

      Server IP: 1.1.1.1

      Server Port: 853

      Verify CN: cloudflare-dns.com

7 - Activate and start AdGuardHome from Services --> AdGuardHome

8 - Navigate to OPNsense ip:3000 (192.168.1.1:3000) to complete the AdGuard setup

9 - AdGuard Home - DNS Configuration - Upstream Servers:

      Add OPNsense ip:5353 (192.168.1.1:5353). Delete those that exist.

10 - AdGuard Home - DNS Configuration - Bootstrap DNS servers:

      Add OPNsense ip:5353 (192.168.1.1:5353). Delete those that exist.

11 - AdGuard Home - DNS Configuration - Private reverse DNS servers:

      192.168.1.1:5353

Instead of the PIA DNS, I get Cloudflare DNS when checking for DNS leaks.

My question: how can I stop the DNS leaks for those IPs routed thru the PIA WG tunnel?

What option in the wiki (i.e. from options 1 to 5) are you using to try to overcome the DNS leak?

Actually none, I created a new rule based on this from the wiki:

Note

If the DNS servers supplied by your VPN provider are local IPs (i.e. within the scope of the RFC1918_Networks Alias created in Step 8), then, as discussed in Step 8, you will need to create an additional firewall rule in OPNsense to ensure that requests to those servers use the tunnel gateway rather than the normal WAN gateway. This rule would be similar to that created in Step 8, except that the destination would be your VPN provider's DNS server IPs and the destination invert box would be unchecked. This rule would also need to be placed above the rule created in Step 8.

But I'm not using any of the 5 options listed; I thought that by creating that extra rule it would work.

Any suggestions as to which one would work best? I do have HAProxy set up to access my Synology NAS and Nextcloud via my domain.
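The wiki note above hinges on first-match rule ordering: the Step 8 rule sends non-RFC1918 traffic to the tunnel, so a query to a provider DNS server on a private IP falls through to the default LAN rule (and the WAN gateway) unless a dedicated rule sits above it. This is an added illustration, not code from the wiki or from OPNsense: it simulates top-down "quick" rule evaluation on destination only (source matching is omitted), and the DNS server IP, gateway names and rule names are constructed placeholders, not PIA's real values.

```python
import ipaddress

# Constructed values for illustration only: the provider's DNS IPs and the
# tunnel gateway name come from your own PIA/WireGuard configuration.
RFC1918_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
VPN_DNS_SERVERS = ["10.0.0.1/32"]       # placeholder for the provider DNS IP
TUNNEL_GW, WAN_GW = "WG_PIA_GW", "WAN_GW"

def rule(name, dest_nets, invert, gateway):
    """One LAN firewall rule: destination alias (None = any), invert flag, gateway."""
    nets = [ipaddress.ip_network(n) for n in dest_nets] if dest_nets else None
    return {"name": name, "dest": nets, "invert": invert, "gateway": gateway}

# Step 8 of the wiki: destination = RFC1918 alias, invert ticked, tunnel gateway.
STEP8 = rule("to VPN (dest !RFC1918)", RFC1918_NETWORKS, True, TUNNEL_GW)
# The note's extra rule: destination = provider DNS IPs, invert unticked.
VPN_DNS = rule("VPN DNS via tunnel", VPN_DNS_SERVERS, False, TUNNEL_GW)
# The stock "Default allow LAN to any" rule, which uses the default (WAN) gateway.
DEFAULT_ALLOW = rule("default allow LAN to any", None, False, WAN_GW)

def pick_gateway(rules, dst_ip):
    """First-match evaluation from the top; returns (gateway, matching rule name)."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        hit = True if r["dest"] is None else any(ip in n for n in r["dest"])
        if hit != r["invert"]:          # invert flips the destination match
            return r["gateway"], r["name"]
    return WAN_GW, "implicit default"

def dns_leaks(rules, dns_ip="10.0.0.1"):
    """True when a query to the VPN DNS server would leave via the WAN gateway."""
    return pick_gateway(rules, dns_ip)[0] != TUNNEL_GW

if __name__ == "__main__":
    step8_only = [STEP8, DEFAULT_ALLOW]
    with_note = [VPN_DNS, STEP8, DEFAULT_ALLOW]     # note's rule placed above Step 8
    for label, rs in (("step 8 only", step8_only), ("with note's rule", with_note)):
        gw, name = pick_gateway(rs, "10.0.0.1")
        print(f"{label}: DNS to 10.0.0.1 -> {gw} via '{name}', leak={dns_leaks(rs)}")
    print("public 8.8.8.8 ->", pick_gateway(step8_only, "8.8.8.8"))
```

Note that this only covers queries a client sends to the provider's DNS server directly; queries sent to the firewall's own AdGuard/Unbound instance stay local and exit through whatever upstream Unbound is configured with.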

That note is associated with several of the options listed (the ones that say "see note below"). You need to implement one of the options, or something else that achieves the purpose.

The easiest may be option 3. But it all depends on your setup and endgame.

I used option 3 and got it to work, thanks for your help!!

I am also left confused by the notes at the bottom of this page, and it seems others have had this issue many times before. I even found GitHub issues about it where they just said the note at the bottom is good enough and didn't address it -- but it's not good enough. I am a novice user, and the "solutions" are almost like reading another language.

You guys can't just drop these vague notes at the bottom and expect people to understand them. Further information, steps, diagrams or examples would be greatly appreciated.

I am also stuck with leaking DNS servers after completing the Selective Routing to External VPN guide. Thanks kindly for any help!