Forcing Unbound to use a WG tunnel without setting a static ip to WG interface?

[New_User]

Hi all,

In previous versions of OPNsense, it was possible to assign a static ip to a WG interface, and by doing so, it was possible to make Unbound to use WG tunnels rather than the system’s DNS.

However, since this option was canceled in one of the recent OPNsense updates (not sure which one, but it didn't work in 23.7.9), I can not force Unbound to use the WG tunnel anymore.

I’ve read a very interesting discussion on this topic on github https://github.com/opnsense/core/issues/5329, but in my case, setting a floating FW rule as suggested therein, did not solve the problem.

Is it still possible to force Outbound to use the WG tunnel?

Additional information:

- I use an external VPN provider.
- I configured VIPs and appropriate Gateways.
- When I change the Outgoing Network Interfaces (under Outbound DNS -> General) to a non WG interface, Outbound works (with DNS leaks..).

Any idea / help would be highly appreciated

Thank you.

[firewall]

generally speaking, you'd spare hair follicles and/or restful sleep by moving resolution elsewhere on your lan. there are countless ways to skin that cat, clearly, but i've had near zero problems with pi-hole running a local instance of unbound.

this blog attempts to clarify how the different components of / config options for, dns resolution on opnsense, interoperate. have a look if you haven't already but fwiw i surmised that dns subsystems on opnsense are convoluted at best and bordering on broken either way.

that said, you can (probably) hack something together that'll function...
- have you defined a gateway for the vpn? i couldn't understand from your post of "without setting a static ip" was intended behavior or merely the outcome of whichever tutorial you followed.
- option 1: set a static route (system > routes > configuration) for the ip addresses corresponding to your dns forwarder (e.g. 9.9.9.9), specifying the vpn gateway.
-option 2: revise gateway priorities to, in essence, force opnsense to choose your vpn gateway(s) as default (e.g. VPN_GW priority 100, WAN_GW priority 255). i'd advise this regardless if you're mitigating most wan traffic being sent in the clear. be sure you've configured static routes for your vpn endpoints such that their traffic is sent via wan.

[New_User]

firewall, thank you for your response!

generally speaking, you'd spare hair follicles and/or restful sleep by moving resolution elsewhere on your lan. there are countless ways to skin that cat, clearly, but i've had near zero problems with pi-hole running a local instance of unbound.

I always thought that Pi-hole would be an overkill for me, but given the time I already spent on trying to solve this issue and the fact that currently (as far as I know) there is no solution for that problem, perhaps trying Pi-hole is not such a bad idea after all... I just doubt it will run properly on my 10-year old raspberry pi

this blog attempts to clarify how the different components of / config options for, dns resolution on opnsense, interoperate. have a look if you haven't already but fwiw i surmised that dns subsystems on opnsense are convoluted at best and bordering on broken either way.

I've seen this blog before, but I will read it to make sure I'm not missing anything. Thanks.

that said, you can (probably) hack something together that'll function...
- have you defined a gateway for the vpn?

  Yes, I have defined a gateway for the vpn.

  i couldn't understand from your post of "without setting a static ip" was intended behavior or merely the outcome of whichever tutorial you followed. 

You're right, it was not very clear. I did follow a tutorial according to which there is a need to assign a static ip to an interface, but this option was removed in one of the recent OPNsense versions. However, it is my understanding (after reading the discussion on github I referred to - https://github.com/opnsense/core/issues/5329), that setting a static ip was the trick that allowed this setup to work.. But there is a chance that I misunderstood it...

- option 1: set a static route (system > routes > configuration) for the ip addresses corresponding to your dns forwarder (e.g. 9.9.9.9), specifying the vpn gateway.

I hope that I understand your suggestion correctly - under network, I configured my vpn provider's DNS address (/32) and under gateway I selected the relevant vpn gateway. Unfortunately, it did not work.

-option 2: revise gateway priorities to, in essence, force opnsense to choose your vpn gateway(s) as default (e.g. VPN_GW priority 100, WAN_GW priority 255). i'd advise this regardless if you're mitigating most wan traffic being sent in the clear.

That's a very interesting idea, I did not think about. However, it did not solve the problem, but ping times went through the roof (ping to a specific ip address works). I tried playing with it a bit, but perhaps I should give it another try.

be sure you've configured static routes for your vpn endpoints such that their traffic is sent via wan.

  Yep, I did configure static routes for my vpn endpoints via wan.

I'm open to any other ideas / suggestions

Thank you again!

[New_User]

Just a quick update.

Firewall, further to your suggestion, I outsourced the DNS resolutions to a pi-hole (running unbound), which I installed on a 12-year old Raspberry pi 1

However, it is my understanding that the trick that solved the issue for me, was re configuring the WG connections from scratch (on second thought, I suspect that the issue was a conflict between the unbound running on OPNsense and the vpn provider's DNS).

I can't believe I spent so much time looking for a solution in all the wrong places.. 

P.s. Now I should test it with unbound running on OPNsense.

Thanks again.

[firewall]

Firewall, further to your suggestion, I outsourced the DNS resolutions to a pi-hole (running unbound), which I installed on a 12-year old Raspberry pi 1

so...did it not work?

However, it is my understanding that the trick that solved the issue for me, was re configuring the WG connections from scratch (on second thought, I suspect that the issue was a conflict between the unbound running on OPNsense and the vpn provider's DNS).

...which led you to try this instead?

I can't believe I spent so much time looking for a solution in all the wrong places.. 

you didn't

Now I should test it with unbound running on OPNsense.

godspeed

[New_User]

so...did it not work?

DNS on pi-hole works and it has been running since then but this is not what fixed the DNS issue in OPNsense itself.

...which led you to try this instead?

I read somewhere about DNS hijacking by default by vpn providers and decided to eliminate this possibility.

you didn't

You are right, I learned a lot during the process

Thanks again for your help!