Force Unbound (resolver) to use a WG tunnel and not default route

Started by schnerring, October 30, 2021, 12:59:03 AM


BTW, what VPN provider are you using? If Mullvad, maybe this is your issue?

Restarted Unbound, nothing changed. Have a look at those minimal NAT rules... it's late... am I missing the obvious here?

[how do I embed an attachment?]

Yes, I use Mullvad, but the info is kinda outdated. You simply have to generate the WG keys with the API that the Mullvad app uses. It's undocumented but easy enough to find in the app code on GitHub. I have verified this by using my generated keys with a custom DNS with another client. The custom DNS servers I configured in the client successfully leaked through the tunnel.

Quote
I added a static route from 10.10.10.54/32 to the WAN gateway ("WAN_DHCP") under System > Routes > Configuration. Then I made my VPN gateway the default gateway by lowering its priority to 250. When I do that, I lose connectivity.

What is the IP address of your Wireguard peer? What I meant was a route for

<your wireguard peer>/32 --> <your ISP upstream gateway>

This is necessary so the tunnel encapsulated packets find their way to the peer. Then you can route everything else (0.0.0.0/0) into the tunnel.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
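To make the point of that post concrete, here is an added example (not code from the thread or from OPNsense) that simulates the kernel's longest-prefix routing lookup and follows what happens to a packet once it is sent into a WireGuard interface: the encapsulated UDP datagram is looked up again, this time addressed to the remote peer. With only a 0.0.0.0/0 route into the tunnel the encapsulated packet matches the tunnel route again and never reaches a physical interface, which is the "I lose connectivity" symptom above; adding the <remote peer>/32 route via the ISP gateway breaks the loop. All addresses below are constructed documentation-range values, not the poster's.

```python
import ipaddress

# Constructed example addresses (RFC 5737 ranges); assumptions, not from the thread.
ISP_GW = "203.0.113.1"       # upstream gateway on WAN (what OPNsense calls WAN_DHCP)
WG_PEER = "198.51.100.10"    # remote WireGuard endpoint (the VPN provider's server)
WG_GW = "10.64.0.1"          # gateway address inside the tunnel (assumed)


def lookup(routes, dst):
    """Longest-prefix match over (prefix, nexthop, iface) tuples, like a FIB."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, iface)
    return best


def egress_path(routes, dst, wg_peer=WG_PEER, wg_iface="wg0", max_hops=4):
    """Return the list of interfaces a packet to dst traverses.

    Each time the packet is routed into the WireGuard interface it is
    encapsulated in UDP towards wg_peer and looked up again.  Returns None
    when no lookup ever lands on a physical interface, i.e. the encapsulated
    packet keeps matching the tunnel route (a routing loop).
    """
    path = []
    cur = dst
    for _ in range(max_hops):
        hit = lookup(routes, cur)
        if hit is None:
            return None
        iface = hit[2]
        path.append(iface)
        if iface != wg_iface:
            return path
        cur = wg_peer          # now routing the outer, encapsulated packet
    return None


def make_table(with_peer_route):
    """Routing table with the tunnel as default route, optionally with the
    host route for the remote peer that the thread recommends."""
    table = [
        ("203.0.113.0/24", None, "em0"),   # WAN subnet, directly connected
        ("192.168.1.0/24", None, "em1"),   # LAN, directly connected
        ("0.0.0.0/0", WG_GW, "wg0"),       # default route into the tunnel
    ]
    if with_peer_route:
        # <remote wireguard peer>/32 --> <ISP upstream gateway>
        table.append((WG_PEER + "/32", ISP_GW, "em0"))
    return table


if __name__ == "__main__":
    print("without peer route:", egress_path(make_table(False), "1.1.1.1"))
    print("with peer route:   ", egress_path(make_table(True), "1.1.1.1"))
```

Run as-is it prints `None` for the broken table and `['wg0', 'em0']` once the /32 host route exists: the DNS query enters the tunnel and the encapsulated packet leaves on the WAN interface. A packet addressed directly to the peer takes the host route and leaves on em0 immediately.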

Thank you so much, guys. I finally figured it out and successfully configured the static route. I already thought that I was going to lose my mind, but it turns out I'm just a networking newbie and didn't understand what I had to route where ;D

Quote
<your wireguard peer>/32 --> <your ISP upstream gateway>

In hindsight, it's obvious that you mean the remote wireguard peer's IP address and not the IP of the local peer. I only understood this after looking at the routes that WG installs automatically when Disable Routes on the local peer is disabled.

I tested around some more with the Outgoing Network Interfaces option, but it has no effect. The info of the settings states:

Quote
Note that setting explicit outgoing interfaces only works when they are statically configured.

Since the WG interface has no IP configuration, might this be the reason this setting is ignored?

My tests show that Unbound only cares about the routing table. Next, I'm gonna try to configure multiple VPN gateways.

If new questions regarding multi-WAN come up, I'm gonna start a new topic.

Again, thanks so much guys, I couldn't have done it without you. I learned a lot  :-*

The Outgoing Network Interfaces Unbound option is what I was looking for. I got confused due to a bug that was unknown at the time.

I am trying to do the same. Did you find a solution to this? I configured the Wireguard VPN interface as the outbound interface, but it's being ignored and traffic is going out the WAN interface, unencrypted.

Hi everybody

Quick post as I ran into a similar issue ;D Made me scratch my head for a good while, but with the help of all the fine folks here I managed to get it working!

The solution I found appears simpler than the previous one, but it could lead to a different result. I'm not good enough in networking to find out the difference anyway, but I'm sure one of you will :)

On 24.1.9, assuming you already have a Wireguard instance (and gateway) running, with "Disable routes" option checked...

Go to "System > Settings > General" under DNS configuration and select your WG gateway; then make sure that the gateway AND the Wireguard VPN instance have the same, fixed IP. The trick being: the latter one is hidden :P under "Advanced mode" when editing the instance in "VPN > Wireguard > Instances".

Once done, routing is pretty much automatic: DNS traffic is routed through WG without having to define any route or edit the firewall 8) I'm using it on top of AdGuard and UnboundDNS.

I tried your solution, but get the error message "This Gateway IP address already exists."