TUTORIAL: Set up WireGuard for limited local hosts to use external VPN provider

[djronh1]

Oh then if they're simple websites, this is very doable.

Have you made sure your SitesToVPn rule is above your rule that allows traffic to the internet?
Also you need to make sure the Outbound NAT rule is there.

Yes, I've made sure SitesToVpn rule is the first (top) rule for my LAN interface.
And I also had created my Outbound NAT rule per OP instructions.

Everything works fine when I use !RFC, but when I swap that out with alias of websites I'm trying to use (and undo the Inverse match), then traffic does not use VPN.

[FingerlessGloves]

Ah ok :-)

Go to "Firewall: Diagnostics: pfTables" and select your alias from the drop down, is it populated with the IPs you expect?

[djronh1]

Yes, pTables does have IP resolved for FQDN I had set

[FingerlessGloves]

Yes, pTables does have IP resolved for FQDN I had set

Screenshot us your rule then, cause it sounds like it should be working.

[djronh1]

Here is screenshot

[djronh1]

BUMP

[Greelan]

I think you have people stumped as to why it is not working. Maybe open a new thread rather than continuing in this tutorial thread - you might get a wider audience

[CactusFractal]

Hi Greelan and Fingerlessgloves,

Thank you both so much for working on this Wireguard selective routing guide, and very glad it got added to official OPNSense documentation.

I have been banging my head trying to figure out why I am leaking my ISP DNS after implementing your guide exactly as suggested twice from a bone-stock OPNSense configuration.

How can we route DNS traffic through the VPN without leaking DNS when using your guide?  I took the following steps based on a redditor's suggestions, but nothing has worked so far:

OK, reverted to bone stock OPNsense, disabled IPV6, few minor tweaks, then spun up the guide.

Tried setting unbound to use WG interface only, it didn't work. It still used ISP DNS (even ignored DNS settings from System -> Settings -> General).

Then I tried setting it to forwarding mode and specifying VPN-provided DNS in System -> Settings -> General, this didn't work. Static clients got no DNS at all.

I then theorized that the firewall alias (and thus rule) in step 8 contained networks which include the DNS servers my VPN provider has specified for use, so maybe the firewall was forcing that traffic to NOT use the WG gateway I created. So I removed those networks from the firewall. Still didn't work, but I'm tired and maybe I needed to flush DNS or something, I don't know.

This has me stumped. Surely other people are using this official Wireguard selective routing guide and not leaking DNS?

Lastly, when I traceroute from a static client, it actually routes through the Wireguard VPN DNS, and VPN tunnel. But when I fire up Firefox, dnsleaktest.com clearly shows my ISP DNS and IP, which I literally put nowhere in any setting.

Thanks for any help you can provide, I'd like to make the guide and documentation improved for the benefit of others if we can figure this out.

[Greelan]

What’s handing out the DNS configuration in your network, and what is that configuration? What are the DNS settings on the computer on which you are browsing with Firefox? If you route everything over the tunnel (ie don’t exclude local IPs), what result do you get?

[CactusFractal]

Thanks for the reply, Greelan!

I have opnSense as close to default config as possible, with DNSMASQ disabled, and Unbound Enabled. 

The computer I'm browsing with receives a static IP and is in the VPN alias configured in your guide.  The device is set for standard DHCP, not static, no overrides.  Further, I have both "Allow DNS server list to be overridden by DHCP/PPP on WAN" and "Allow default gateway switching" unchecked (disabled).  There is only one DNS set in System - Settings - General and that is 1.1.1.1 (Cloudflare).

When I configure the router from stock defaults using my provider's VPN guide, I get ALL traffic routed over the VPN tunnel, no leaks at all.

Here is my latest post on the reddit thread, let me know what you think:

That's just it - Firefox on a desktop client given a static IP as defined in the step 7 alias shows the VPN IP, but shows my ISP DNS server as reported by DNSleaktest.com.

I did also set Unbound to only send traffic out via the WG interface. It did not work, it still used my ISP DNS servers. It would not even use 1.1.1.1 which was the only DNS I set in General Settings.

I have both the boxes you mention unchecked under Settings: General.

I am wondering if this situation is because of the differences between Wireguard and OpenVPN, and perhaps the guide author did not fully test for DNS leaks. As I understand it, DNS traffic can use both TCP and UDP protocols, which is fine for OpenVPN. But Wireguard does not use TCP, only UDP. (https://www.wireguard.com/known-limitations/) Could this be causing the router to fall back to ISP DNS when nothing else works? I'm running short on new theories. As it stands, I do not believe this guide works as intended, unless I'm still not configuring something correctly.

I hope I made some simple error, and we can get to the bottom of this.

Edit: I realize your second question referred to removing the RFC1918 alias as Destination in the LAN firewall rule.  When I do that, the static client gets no DNS at all.

[Greelan]

You are right, I didn’t do a comprehensive test of DNS leakage, although this would likely be a broader issue for non-selective routing setups too? What I wonder is how your ISP DNS is being introduced into your network in the first place, which may reflect an entirely separate issue. 

[Greelan]

When you removed the RFC1918 alias from the firewall rule, did you also uncheck the invert checkbox for the destination?

[CactusFractal]

Yes, I did remove the invert checkbox, it got no DNS at all after that.  I am using a VPN provider that I believe does DNS "hijacking" when connecting over WG, I suppose in an effort to prevent DNS leaks.  Maybe this is an issue, I'm not sure.  But I just can't fathom why even if that's the case, I would be leaking DNS to my ISP when checking at dnsleaktest.com.

Just to confirm - what do you see when you test your connection at dnsleaktest.com?  Is it working properly without leaks for you?

Thank you so much.

Edit: So I took the following steps to force ALL DNS through the WG tunnel, and it worked without leaking DNS on a client in the WG VPN Alias:

In unbound, try setting the outgoing interface to the WG interface AND set unbound to forward mode and set the DNS servers in systems: settings to 1.1.1.1. I think that may fix the issue for you. I'm not sure why it does not work in recursive mode.

I recall reading that Mullvad does DNS hijacking on WG servers. Unlike their OpenVPN servers, where you can connect to a specific port to avoid DNS hacking, they do not have the option for WG servers (perhaps to be added in the future).

OK, when I did all those three things simultaneously (unbound to forwarding mode, use only WG interface, set system settings general DNS), I actually got the Cloudflare servers returned on the DNSleaktest.com test.

Then, I set the DNS server in System -> Settings -> General to my VPN provider's DNS, and also set it to "Use Gateway: WG_VPN" and HOLY CRAP, it appears to be working without leaking DNS.

This is fantastic, I can't believe it seems to be working. Need to run some more tests to verify non-VPN client connectivity, but WOW!

OK so the net result (as we intended) is that ALL DNS traffic is forced over the VPN, even from clients not in the WG VPN alias. Clients not in the VPN alias appear to be routing non-DNS traffic over the ISP, also as intended. WOW. YOU ARE A LEGEND.

I'm not sure yet whether this setup will result in unintended breakage of services, so maybe there is a way to force clients not in the VPN alias to use different DNS servers by setting them to use DNSMASQ or something? That seems difficult given the particulars of this setup and workaround, but I don't know. It's probably fine.

The whole point in doing this exercise is that I need some clients on my network to egress over the VPN and cannot install VPN software directly on them hence this firewall solution, but I also need to forward some inbound ports to an internal IP to stand up Nextcloud behind a LEMP stack (reverse proxy). I'm hoping I can achieve this with this setup. WHEW!

EDIT: In further testing after deploying settings above, another client that I set a static mapping for and added to the VPN Hosts alias fails to resolve DNS at all.  I'm unsure as to why, but my theory is either that the limitations of Wireguard prevent DNS over TCP from working properly in this scenario, or my VPN provider's interception of DNS is causing issues.  Frustrating.

[Greelan]

I will need to do some more testing when I get a chance.

As a matter of interest, did you set any DNS entries in the Local config for your VPN on OPNsense?

[CactusFractal]

Yes, I set the DNS entry to the one provided by my VPN provider.

For now, I have reverted to a base config without policy routing, which routes ALL traffic from my router through my VPN using Wireguard.  It's working great, near my rated line speed even with the WG-Go userspace implementation, so I'm super frustrated I have not yet been able to get policy routing working.  I am loving OPNSense's speed and interface so far.

My working theories are still some combination of:
1) An issue with the Wireguard protocol or WG-Go being unable to route TCP DNS traffic by design
2) The particular DNS addresses my VPN provider issues being in the RFC1918 space
3) The fact that I believe my VPN provider intercepts DNS traffic (in the name of preventing leaks, but it may break this implementation)

I look forward to your further testing, and thanks.