TUTORIAL: Set up WireGuard for limited local hosts to use external VPN provider

[Greelan]

Yes, a quick test has DNS leaking. I will have to spend some time trying to figure out how to address it. I have OPNsense handing out over DHCP the local IPs of my pihole / unbound box for DNS, and I suspect the relevant client just continues to use those

[CactusFractal]

I considered spinning up a PiHole with Unbound to hand off DNS as well, let me know how it goes with your continued testing.

Do you happen to know if your VPN provider intercepts / redirects DNS traffic?  If not, it would seem that the issue could be related to my #1 or #2 theory above.

[Greelan]

No it doesn’t

And your theory 1 doesn’t hold if everything is going through the tunnel (including DNS) when you are running full routing. If TCP didn’t work down the tunnel then you couldn’t browse websites over the VPN, as http/https is (mostly) TCP

Theory 2 I also don’t think is related. What I do think is resulting in this behaviour is when a local DNS server is used in the network setup generally. If a public DNS server was simply configured on the hosts, then I think that would go down the tunnel just fine

Something is not right with the routing it seems

[Greelan]

OK, the issue is indeed if the network is set up generally with a local DNS server - such as OPNsense itself or another local host. In my case I have a Raspberry Pi box running Pi-hole and unbound that is my DNS server for the whole network.

So the hosts that are meant to use the tunnel have the local IPs of the RPi box as their DNS servers. If the local networks (RFC1918 networks) are excluded from the firewall rules set up for WG as per the guide, then obviously all DNS requests will go in the normal way to the DNS server local IPs, and then from there out of the network through the normal WAN gateway (assuming the DNS server local IPs are not in the "VPN hosts" alias that is meant to use the WG tunnel). Result: DNS leaks.

As I see it, potential solutions are:

1. Include the DNS server local IPs in the "VPN hosts" alias. This will mean that all DNS traffic for the network will go over the tunnel, not just the DNS traffic for the hosts that are in the "VPN hosts" alias.

2. (If possible) intercept DNS traffic coming from the "VPN hosts" and port forward that traffic to a DNS server supplied by the VPN provider,* or to a public DNS server. Note that I say "if possible" because if the local DNS server that is configured generally for the network is not OPNsense itself and is on the same subnet as the "VPN hosts", then DNS requests won't be routed through OPNsense (they will be layer 2) and so a port forward on OPNsense won't work.

3. In the DHCP static mappings for the "VPN hosts", specify either the DNS servers supplied by the VPN provider,* or public DNS servers. This will override the network-wide DNS settings for those hosts.

4. Configure public DNS servers for the whole local network, rather than local DNS servers.

5. Manually override the DNS settings on the "VPN hosts" so that the DNS servers provided by DHCP are ignored, and either the DNS servers supplied by the VPN provider,* or public DNS servers, are used instead.

* Note: If the DNS servers supplied by the VPN provider are local IPs (ie within the RFC1918 subnets), then the firewall rules will have to be configured so that the WG gateway (rather than the normal WAN gateway) is used for the relevant IPs - in effect, the IPs will need to be excluded from the exception for RFC1918 networks.

Obviously what solution works best will depend on each user's network configuration and desired outcomes.

I will in due course add a warning about potential DNS leaks to the OPNsense documentation and outline the potential solutions. Happy to hear anyone else's thoughts on potential solutions as well.

[styr0]

Greelan, thank you for this. Works like a charm.

[pb81]

Great guide best one I've seen yet for WireGuard VPN Providers! I have one recommendation on the firewall rule.

Create a Second ALIAS called RFC1918, and put RFC1918 networks (192.168.0.0/16.10.0.0.0/8,172.16.0.0/12) in it. Then use it in the Firewall rule Destination

Create a firewall rule

   Destination / Invert: Checked
   Destination: RFC1918
   Destination port range: any

This will make it so only internet traffic will go over the VPN, making any other local traffic not be interfered with by the VPN gateway, this can then be blocked or allowed by any rules after it.

And exactly how do i add this second rule? My WireGuard provider uses the 10.x.x.x range.
Can somebody add this step to the guide please =)

[Greelan]

It already is. See steps 7 and 8 in the how-to: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

[pb81]

Ahh ok =)