Multiple Wireguard VPN Gateways with Unbound DNS - Working in OPNsense 24.1

Started by landinggear, February 24, 2024, 12:20:29 PM

Hey, this is a note for future self and anyone dealing with this pain, but I've managed to piece together a working setup for a multiple endpoint VPN configuration that allows Unbound DNS to work through the tunnels. (This has become an even greater pain than it used to be since OPNsense doesn't allow Static Interface IP addresses anymore.)

This following tutorial can guide you through most of the process so I'm not going to waste time with that here, please follow it but mind the changes below that you will likely have to do to make things work as of today:
https://wiki.opnsense.org/manual/how-tos/wireguard-selective-routing.html#

Step 1:
Follow instructions...

Step 2: (adjustments)
Tunnel Address: The IP must end with /30 instead of /32. You can use any 10.x.x.x IP but use logic as you will need a new subnet for each tunnel. I recommend something like 10.24.24.10/30, 10.25.24.10/30, 10.26.24.10/30, etc... (Note: This IP could theoretically be anything, it is just for routing inside the tunnel, but the gateway IP will be used later on)
Gateway IP must be one number below the tunnel IP (such as 10.24.24.9).

Step 3:
Follow instructions...

Step 4:
Follow instructions...

Step 5:
Follow instructions...

Step 6: (adjustments)
    - IP Address: Use the gateway IP you gave in the WG interface dialog (10.24.24.9 in the example above)
    - Far Gateway: Checked
    - Disable Gateway Monitoring: Unchecked
    - Disable Host Route: Checked
    - Monitor IP: The public IP address of the VPN server, the same IP as the Endpoint Address in the Wireguard Peer dialog in Step 1.
This trick enables gateway monitoring while still using the gateway address defined in the WG connection, which is required for Unbound to work through the tunnel.

Step 6.1:
Add a static route to the VPN endpoint IP (Step 1) through the WAN gateway to make sure that IP is always routed through there. (Without this in place I could not ping it.)

Step 7:
Follow instructions...

Step 8:
Follow instructions and define what clients will use the tunnels. This step won't route Unbound through the tunnel, only external clients.

Step 9:
Follow instructions... but make sure to turn on logging on the rule. This will help us verify if everything is working later on.

Step 10:
Follow instructions... (it works, just trust it)

Step 11:
Follow instructions...

Step 12: Unbound DNS settings
    - DNS over TLS page: Set your DNS upstream server of choice. Note that every resolver will be tied to one gateway only, so you should give some alternatives here for redundancy if any gateway goes down.
    - General > Advanced > Outgoing Network Interfaces: Check the VPN Gateway(s) and uncheck anything else.

Step 13:
Create a static route for the IP address of one of your preferred upstream DNS servers through the VPN gateway. For example, if you're using 1.1.1.1 as your resolver in the DNS over TLS section of Unbound, use 1.1.1.1/32 as Network Address.
Note: One DNS resolver will have to be assigned to one gateway here. This is a limitation I could not overcome. All requests or any connection to this IP will be routed through the VPN gateway.

Step 14:
By now you should have a working VPN tunnel. If you see the handshake for the Wireguard instance<>peer in the diagnostic page or out on the dashboard, it is alive. If your gateway seems to be offline, you should double check the settings and what IPs you used in there. If it still doesn't want to work, try restarting these things in this order on the Dashboard: Wireguard (VPN connection), VPN Gateway, System Routing. If still no, either SSH into OPNsense and Restart All Services or just do a reboot in the GUI.

If it's all alive and green, make sure you can test the connection with a device that is supposed to be routed through the tunnel and test it using the "curl ifconfig.me" command in a terminal or a command prompt window. It should return the IP of the VPN server on the other end.

To test Unbound, head into Firewall > Log Files > Live View and set a filter to Port 853 (DNS over TLS) and if everything is right, you should see that log entry populating the view whenever a DNS request is sent out by Unbound going from the internal IP address (10.24.24.10) of the VPN gateway through the VPN gateway towards your upstream DNS server.

Step 15: Repeat the process above
Repeat this with as many VPN servers as you think you want (not quite sure what the limit is, but I'd say for redundancy you should be good around 3-5).
Note: Remember to set routing for each upstream DNS server through one of the gateways so each one of them is routed through another one.

Step 16: Create a Gateway Group
Head to System > Gateways > Group and add the new gateways, set them all Tier 1. Trigger level is Packet loss or High Latency.
Go back to the Step 8 and modify the rule created to define what traffic goes through the VPN gateway. Go in and edit the Gateway, select the new Group Gateway and save/apply.

If everything is right, from here on all your traffic defined in that rule should be able to utilize the group gateway through multiple VPN connections at the same time while Unbound should be able to resolve DNS through the individual tunnels.

Hope this helps some of you, and make sure to turn off logging where you don't need it if things are working well. Good luck!
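An added example, not from the post above: a small Python planner that derives the per-tunnel values the steps ask for (gateway one below the tunnel IP, monitor IP, the /32 static routes of Steps 6.1 and 13) and rejects the mistakes the thread runs into (a non-/30 tunnel address, a tunnel IP whose "one below" falls on the network address, overlapping tunnel subnets, one resolver pinned to two gateways). The gateway label WAN_GW and the 203.0.113.x endpoint addresses are placeholders.

```python
import ipaddress

def plan_tunnel(name, tunnel_cidr, endpoint, resolver, wan_gateway="WAN_GW"):
    """Derive the gateway IP and static routes for one WireGuard tunnel (Steps 2, 6, 6.1, 13)."""
    iface = ipaddress.ip_interface(tunnel_cidr)
    if iface.network.prefixlen != 30:  # Step 2: /30, not /32
        raise ValueError(f"{name}: tunnel address must be /30, got /{iface.network.prefixlen}")
    gateway = iface.ip - 1  # Step 2: gateway is one number below the tunnel IP
    if gateway not in list(iface.network.hosts()):
        # e.g. 10.24.24.9/30: the address below it is the network address, not a usable host
        raise ValueError(f"{name}: {gateway} is not a usable host in {iface.network}; "
                         "use the upper host of the /30 as the tunnel address")
    ep = ipaddress.ip_address(endpoint)
    rs = ipaddress.ip_address(resolver)
    return {
        "name": name,
        "tunnel_network": str(iface.network),
        "gateway_ip": str(gateway),   # Step 6: IP Address of the gateway, Far Gateway checked
        "monitor_ip": str(ep),        # Step 6: Monitor IP = public IP of the VPN server
        "static_routes": [
            # Step 6.1: the peer endpoint must always leave via WAN (as a /32 host route)
            {"network": f"{ep}/32", "gateway": wan_gateway},
            # Step 13: pin this upstream DoT resolver to this tunnel's gateway
            {"network": f"{rs}/32", "gateway": name},
        ],
    }

def plan_all(tunnels, wan_gateway="WAN_GW"):
    """Plan every tunnel (Step 15) and reject overlapping /30s or a resolver used twice."""
    plans = [plan_tunnel(*t, wan_gateway=wan_gateway) for t in tunnels]
    nets = [ipaddress.ip_network(p["tunnel_network"]) for p in plans]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"tunnel networks overlap: {a} and {b}")
    resolvers = [p["static_routes"][1]["network"] for p in plans]
    if len(set(resolvers)) != len(resolvers):
        raise ValueError("each upstream resolver can be routed through only one gateway")
    return plans

# Constructed sample: tunnel addresses from the post; endpoints are TEST-NET placeholders.
SAMPLE = [
    ("WG1_GW", "10.24.24.10/30", "203.0.113.10", "1.1.1.1"),
    ("WG2_GW", "10.25.24.10/30", "203.0.113.20", "9.9.9.9"),
    ("WG3_GW", "10.26.24.10/30", "203.0.113.30", "8.8.8.8"),
]
```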

Is there any possibility to use Unbound over a WireGuard interface without using a DNS over TLS forwarder?

As with the change to no static IP on a tunnel interface, Unbound can't use it to route DNS requests to.

" By default all interfaces are used. Note that setting explicit outgoing interfaces only works when they are statically configured."

Yes, there is.
It is even mentioned in the OPNsense documentation:
https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

Step 9 is what you're looking for.
As soon as you implement such a rule and configure Unbound to use the WireGuard Interface the outgoing DNS request will go through the WireGuard Interface. Make sure you configure manual NAT rules first. With the Automatic and Hybrid rules, the WireGuard network itself gets NAT'ed as well, which is something you do not want and breaks your config.

see also: https://github.com/opnsense/core/issues/5329

Quote (landinggear):
Step 6.1:
Add a static route to the VPN endpoint IP (Step 1) through the WAN gateway to make sure that IP is always routed through there. (Without this in place I could not ping it.)

What on earth does this mean?

There are no instructions for this! I got stuck here because I have no idea what this means.

I went to Routes and tried doing what's in this picture, not knowing if this is at all what you meant in the instructions, but it won't allow it anyway as it keeps telling me "Specify a valid network matching the gateways ip protocol". Completely gibberish to me, I have no idea what's wrong.

The IP I inserted is the AzireVPN IP that I connect to.

Edit 1: I asked Gemini on Google what the error meant and it told me I had to add a /32 to it, and then it let me add it. I am going to proceed for the sake of experimenting and hope I did it right; this is how it looks now at step 6.1 for me.

Thanks again!