Some clarification on DNS via VPN

Started by hushcoden, May 07, 2024, 10:18:01 PM

May 07, 2024, 10:18:01 PM Last Edit: May 08, 2024, 09:56:47 AM by hushcoden
I have configured one of my appliance ports to use ProtonVPN and I followed the official instructions including this: https://docs.opnsense.org/manual/how-tos/wireguard-client-proton.html#protonvpn-dns-leaks

I have only a smart TV connected to that port (LAN2), with a static IP address of 192.168.10.16 (for ProtonVPN it is then 10.2.0.2).
Using the embedded browser, I've checked for potential DNS leaks by browsing to the www.dnsleaktest.com website, and no leaks occur (it only detects the ProtonVPN server).

In ISC DHCPv4 for LAN2, I have set the DNS server to the Proton one (10.2.0.1).

Now, if I look at Firewall -> Live View for both of the above IP addresses with port=53, I see the smart TV querying not just the ProtonVPN DNS address (10.2.0.1) but also Google's DNS servers. How is that possible?

Any suggestions would be much appreciated.

Tia.

Is the TV's Proton IP 10.2.0.1 (used in rules) or 10.2.0.2 as mentioned above?
Google DNS is very likely hardcoded or set somewhere, though it is not a DNS leak that this test would detect.
i am not an expert... just trying to help...

May 08, 2024, 09:46:40 AM #2 Last Edit: May 08, 2024, 10:07:58 AM by hushcoden
Quote from: tiermutter on May 07, 2024, 11:08:30 PM
Is the TVs Proton IP 10.2.0.1 (used in rules) or 10.2.0.2 mentioned above?
10.2.0.1 is the IP address of the Proton DNS server, and 10.2.0.2 is the Proton IP address of the TV.

Question: in the mentioned guide, where it says source, should I put the ProtonVPN DNS server IP address, the Unbound/OPNsense IP address (in this case it would be 192.168.0.1), or the LAN2 interface IP address (192.168.10.1)?

I've attached a screenshot of the live view for both the LAN2 address and the Proton IP address.

Thanks.

Quote from: tiermutter on May 07, 2024, 11:08:30 PM
Google DNS is very likely hardcoded or set somewhere, though not a DNS leak to detect with this test.
Should I use a port forward?

You need a rule for the TV's IP to force it to use your DNS servers / disallow other DNS, but you set Proton's DNS IP. Setting your TV's IP here will cause only your DNS to be allowed, and e.g. Google DNS is blocked.
No need for a forward so far; this (a redirect) is needed when you want the TV to use your DNS instead of the hardcoded Google one. Without it, it is simply blocked.

May 08, 2024, 06:43:49 PM #5 Last Edit: May 08, 2024, 06:45:36 PM by hushcoden
Quote from: tiermutter on May 08, 2024, 04:47:31 PM
You need a rule for the TVs IP to force it using your DNS servers / disallow other DNS, but you set Protons DNS IP.
So, because I've set the Proton DNS IP address in the DHCP section, I don't have to add a firewall rule or anything else? Is there perhaps a better way to do this?

Quote from: tiermutter on May 08, 2024, 04:47:31 PM
Setting your TVs IP here will cause that only your DNS are allowed and eg Google DNS is blocked.
When you say 'here' you mean where?

And are those two Firewall rules correct? As I said, I'm not sure about the first one related to DNS...

Quote from: hushcoden on May 08, 2024, 10:03:38 AM
Should I use a port forward?

I did this for a network that is also supposed to be routed via ProtonVPN, and it works like a charm. I've attached a screenshot of the respective rule, where the redacted parts are the name of the interface.

May 08, 2024, 07:35:36 PM #7 Last Edit: May 08, 2024, 07:53:26 PM by hushcoden
Thanks Brink7564!

Do I have to port-forward the LAN2 interface or the ProtonVPN interface?

Also, will I just need the automated firewall rule created by the port forward?

I have attached the port forward and the firewall rules for LAN2.

Tia.

Sorry, I think my reply can be misunderstood. What I mean is that I think you should add a rule like the one below the default LAN rule in my screenshot.

So basically, you have to create the Port Forward on the interface that should be routed through ProtonVPN, so LAN2 in your case:
Interface: LAN2
Protocol: TCP/UDP
Source: LAN2 net
Destination port range: DNS DNS
Redirect Target IP: 10.2.0.1
Redirect Target Port: DNS

I'm not sure this is the best way to do it, and I'm unaware of any downsides this might have for different setups, but it is working very well for me. dnsleaktest.com shows only ProtonVPN servers in the extended test.

Regarding additional firewall rules, I believe I only implemented the ones from the OPNsense guide. See if the Port Forward from above works for you and if you still have leaks, we can see if additional rules might be necessary! :)
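The thread walks through three states for the TV's DNS traffic: the original post's live view, where queries to Google's resolvers go out beside the ones to 10.2.0.1 (a leak); tiermutter's suggestion of a rule that allows DNS only to the Proton resolver (foreign queries are dropped, so apps with a hard-coded resolver fail); and Brink7564's port forward, which rewrites any port-53 destination from LAN2 net to 10.2.0.1 before filtering, which is also what the "rdr" entries asked about at the end of the thread record (pf, the packet filter OPNsense uses, applies redirects before the filter rules and reverse-translates the reply, so the TV believes 8.8.8.8 answered). The following is an added example, not code from the thread, from OPNsense or from the guide: a small Python model of those three policies run over constructed, simplified live-view style lines. The addresses are the ones from the thread; the pf-style rule text in the comments is an assumed equivalent of the GUI port forward fields, and the names `Flow`, `parse_live_view`, `apply_rdr`, `filter_verdict`, `evaluate` and `dns_outcomes` are this example's own.

```python
from dataclasses import dataclass, replace
import ipaddress

# Addresses taken from the thread.
LAN2_NET = ipaddress.ip_network("192.168.10.0/24")
PROTON_DNS = ipaddress.ip_address("10.2.0.1")
DNS_PORT = 53

# "none": DHCP hands out 10.2.0.1 but nothing stops other resolvers (original post).
# "block": DNS to anything but 10.2.0.1 is dropped (tiermutter's rule).
# "redirect": rdr rewrites all LAN2 DNS to 10.2.0.1, then the block rule runs (Brink7564's port forward).
POLICIES = ("none", "block", "redirect")


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str  # "udp" or "tcp"


def parse_live_view(line: str) -> Flow:
    """Parse a constructed line of the shape 'proto src:sport -> dst:dport'.
    This is a simplified stand-in for a Firewall -> Live View row, not OPNsense's real format."""
    proto, src, _arrow, dst = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip),
                int(dport), proto.lower())


def apply_rdr(flow: Flow) -> Flow:
    """The port forward from the thread, spelled pf-style (assumed equivalent of the GUI fields):
         rdr on LAN2 proto { tcp udp } from LAN2 net to any port 53 -> 10.2.0.1 port 53
    pf rewrites the destination before the filter rules see the packet; that rewrite is what
    an 'rdr' entry in the live view records. Queries already aimed at 10.2.0.1 match but are unchanged."""
    if flow.src in LAN2_NET and flow.dport == DNS_PORT and flow.proto in ("tcp", "udp"):
        return replace(flow, dst=PROTON_DNS)
    return flow


def filter_verdict(flow: Flow, block_other_dns: bool) -> str:
    """First match wins. With block_other_dns, DNS to anything but the Proton resolver is dropped.
    Non-DNS traffic always passes here; VPN policy routing is out of scope for this example."""
    if flow.dport == DNS_PORT and block_other_dns and flow.dst != PROTON_DNS:
        return "block"
    return "pass"


def evaluate(flow: Flow, policy: str) -> tuple[str, str]:
    """Return (verdict, resolver the query reaches, or would have reached if blocked)."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    final = apply_rdr(flow) if policy == "redirect" else flow
    verdict = filter_verdict(final, block_other_dns=(policy != "none"))
    return verdict, str(final.dst)


def dns_outcomes(lines, policy: str) -> dict[str, str]:
    """Map each resolver the client tried to what happens to it under the policy:
    'ok' (Proton resolver), 'leak' (foreign resolver reached), 'blocked', or 'redirected -> 10.2.0.1'."""
    out = {}
    for line in lines:
        flow = parse_live_view(line)
        if flow.dport != DNS_PORT:
            continue  # only port 53 is of interest, as in the thread's live-view filter
        verdict, reached = evaluate(flow, policy)
        if verdict == "block":
            out[str(flow.dst)] = "blocked"
        elif reached != str(flow.dst):
            out[str(flow.dst)] = f"redirected -> {reached}"
        elif flow.dst == PROTON_DNS:
            out[str(flow.dst)] = "ok"
        else:
            out[str(flow.dst)] = "leak"
    return out


# Constructed sample: the TV queries the resolver DHCP handed it and a hard-coded Google one.
SAMPLE_LIVE_VIEW = [
    "udp 192.168.10.16:51234 -> 10.2.0.1:53",
    "udp 192.168.10.16:51235 -> 8.8.8.8:53",
    "tcp 192.168.10.16:51236 -> 8.8.4.4:53",
    "tcp 192.168.10.16:51237 -> 203.0.113.10:443",  # not DNS, ignored
]

if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, dns_outcomes(SAMPLE_LIVE_VIEW, policy))
```

Running it prints one line per policy; the "block" line is the state in which a hard-coded resolver produces the network errors described later in the thread, and the "redirect" line is the state in which dnsleaktest.com sees only the Proton resolver. Note that the rdr matches on LAN2 net as source, so a host outside that subnet is not redirected and, under the block rule, simply loses its foreign DNS.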

Alright, it seems to be working well, with no DNS leaks; overall happy with this smart TV  :)

Also :P  for some reasons unknown (to me), some apps work, such as the browser, YouTube and Netflix, whereas others don't, e.g. I cannot even try to update the TV OS or some of the installed apps as I get a network error (but everything works if there is no VPN).

The only difference I have noticed in the TV's network settings is that with the VPN the DNS IP address is the ProtonVPN one (10.2.0.1), and with no VPN the DNS IP address listed is the same as the gateway, which is 192.168.10.1  ???  ::)

Any suggestions would be much appreciated.

Tia.

Quote from: hushcoden on May 08, 2024, 09:55:08 PM
some apps work such as browser, YouTube & Netflix whereas others don't, e.g. I cannot even try to update the TV OS or some of the installed apps as I get a network error (but everything works if there is no VPN).
Sounds like maybe your smart TV is somehow programmed to use a hardcoded DNS, and if that isn't reachable it just defaults to a network error? I don't know the first thing about smart TVs because I never own(ed) one, but hardcoded DNS seems to be a common thing among IoT. You could try setting an override in your local DNS for whichever IP the TV wants to connect to for DNS. Say it's looking to connect to 1.1.1.1, so you set an override for 1.1.1.1 to go to e.g. 9.9.9.9. I'm not sure this would work, but might be worth a shot.

Quote from: hushcoden on May 08, 2024, 09:55:08 PM
with VPN the DNS IP address is the ProtonVPN one (10.2.0.1) and with no VPN the DNS IP address listed is the same as the gateway that is 192.168.10.1  ???  ::)

This is to be expected, I believe, since in standard networks, the gateway often acts as a DNS server, too. Can other hosts in the 192.168.10.0/24 net resolve DNS queries (or rather, have them resolved by the DNS)? If not, then your DNS is likely the culprit.

May 11, 2024, 11:56:32 AM #11 Last Edit: May 11, 2024, 12:21:07 PM by hushcoden
Quote from: Brink7564 on May 10, 2024, 10:42:13 AM
Sounds like maybe your smart TV is somehow programmed to use a hardcoded DNS, and if that isn't reachable it just defaults to a network error? I don't know the first thing about smart TVs because I never own(ed) one, but hardcoded DNS seems to be a common thing among IoT. You could try setting an override in your local DNS for whichever IP the TV wants to connect to for DNS. Say it's looking to connect to 1.1.1.1, so you set an override for 1.1.1.1 to go to e.g. 9.9.9.9. I'm not sure this would work, but might be worth a shot.
And how do I set that override?  ::)


Quote from: Brink7564 on May 10, 2024, 10:42:13 AM
This is to be expected, I believe, since in standard networks, the gateway often acts as a DNS server, too. Can other hosts in the 192.168.10.0/24 net resolve DNS queries (or rather, have them resolved by the DNS)? If not, then your DNS is likely the culprit.
Actually the smart TV is the only device attached to that port.

It's a shame if there is no way to make the smart TV work properly through a VPN...  :-\

Could you confirm the port forward is correct (see attachments in my previous post) ?

June 02, 2024, 12:54:14 PM #12 Last Edit: June 02, 2024, 12:55:51 PM by hushcoden
Tried to play around, but I don't understand enough; it is what it is  :-\

Also, looking at the firewall live view, I saw some rdr rules; can anyone let me know what those rules mean?

Tia.