Unbound dns through wireguard VPN

Started by FredFresh, July 08, 2024, 10:29:01 PM

Hello, after reading and trying several things I (think) I wasn't successful in routing the Unbound DNS requests to my external DNS service through the VPN.

I followed the official guide for the WireGuard VPN installation and everything is working.
I also added a second VPN and created a GW group: tier1-VPN1, tier2-VPN2, tier3-WAN. In case the two VPNs don't work I am ok going with the public IP.

Now I would also like to route all the connections originating directly from the OPNsense box through that GW group (including the Unbound DNS <-> external DNS service connections).

After the opnsense I have a modem which has (obviously) an internal IP address.

Can you kindly suggest how should I proceed?
Thanks

You ever got this working?

In the old days you could get this working giving the interface a static IP, but this stopped working a while back.
Since then I have had no luck getting this to work again.

Hi, nope...no luck. Unfortunately no one replied on this. I did some test but without results.

Thanks for the reply. I also tried a lot of different configurations, yet I can't get it to work.
The annoying thing is that it works fine when using OpenVPN, but not with WireGuard.

I'm searching for exactly the same solution - it's really frustrating that nobody is able to offer a solution/alternative, or an explanation why this capability was removed a few years back!

Hi,

my request originated from the results of this website https://www.dnsleaktest.com/

The detection of your DNS provider (if different from the one provided by the VPN) cannot be avoided, because it will always be outside of the VPN "cloud"; therefore the website will always be able to see both your IP (the VPN IP) and the IP of the DNS provider. Please see also here https://www.dnsleaktest.com/what-is-a-dns-leak.html

Instead, if you use the DNS provided by the VPN, the website will only see one single IP (both you and the DNS server are behind the same IP), therefore it will not be able to identify it... but in the end all the VPN IPs are identified and related to their provider, so the DNS server will also be identified.

In the end, the DNS provider will always be identified... you just need to trust it / choose one with a good privacy policy.

I was able to get DNS resolving working through a Mullvad VPN connection. I first noticed that Mullvad hijacks DNS requests, so to get Unbound's resolver to pass through the VPN I used Michael Schnerring's approach, sending a CLI request to Mullvad's site to establish a new device that does not use DNS hijacking.

Then, for single connections (i.e., not gateway groups), I referred to landinggear's post, set up the VPN tunnel gateways as far gateways, and passed DNS traffic through the gateway for the VPN tunnel using a rule applied to outbound traffic from the firewall, monitoring the VPN exit points and setting up static routes through the WAN interface for the monitors to ping the exit points. I enabled default gateway switching. I also configured Unbound to pass traffic through all interfaces and made sure my desired VPN tunnel was a default gateway with the highest priority. That worked, short of failover.

When I then set up a gateway group, updated my floating rule to send traffic through it, and made sure the failover group gateways use the new failover and failback features, I ran into what appear to be implementation issues for OPNsense 25.1.7-12 that affect the way monitoring and default gateway switching take place. That keeps failover from working smoothly: when the primary gateway goes down the monitors don't catch it and the firewall rules don't change. The behavior doesn't look like a configuration error; I hope that gets sorted out soon.
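For readers trying to reproduce the Unbound side of the setup described above, here is an added example of a custom Unbound configuration fragment (this is not configuration posted by any participant in the thread, and nothing here makes the gateway-group failover issue go away). It pins Unbound's outgoing queries to the address the WireGuard tunnel holds on the firewall, so that the policy-routing rule for firewall-originated DNS traffic actually matches, and forwards all queries over DNS-over-TLS to the external resolver. The tunnel address 10.64.0.2, the resolver address 198.51.100.53 and the TLS name dns.example.net are placeholders; replace them with your own values. On OPNsense, custom Unbound options live in files under /usr/local/etc/unbound.opnsense.d/ and the GUI setting "Outgoing Network Interfaces" (Services > Unbound DNS > General) is the equivalent of the outgoing-interface line.

```conf
# /usr/local/etc/unbound.opnsense.d/vpn-dns.conf  (added example, not from the thread)
server:
    # Source outgoing queries from the WireGuard tunnel address only.
    # 10.64.0.2 is a placeholder for the address assigned to the wg interface.
    # Caveat: if the tunnel is down this address is unreachable and resolution
    # fails rather than falling back to WAN, which is the desired "no leak" behaviour.
    outgoing-interface: 10.64.0.2

    # Do not let Unbound pick up the system resolvers (e.g. the ISP's) as forwarders.
    do-not-query-localhost: yes

    # Trust store used to validate the upstream's TLS certificate (FreeBSD default path).
    tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
    name: "."
    # Forward everything over DNS-over-TLS (port 853) and verify the server name.
    # 198.51.100.53 and dns.example.net are placeholders for the external DNS service.
    forward-tls-upstream: yes
    forward-addr: 198.51.100.53@853#dns.example.net
```

After enabling the fragment, run `unbound-checkconf /var/unbound/unbound.conf` and then `sockstat -4 -P udp | grep unbound` on the firewall: the outgoing sockets should show the tunnel address, not the WAN address. A query from a LAN client checked against https://www.dnsleaktest.com/ should then report only the resolver you configured, reached via the VPN exit.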