Route DNS queries over WG VPN client connection

[Learning]

Good day everyone.  I've been searching for some answers and guides, but haven't stumbled on the correct solution yet it seems :-(

I set up OPNSense a few days ago, and I'm loving it. 
I set up a WG tunnel with my commercial VPN provider, and managed to find enough forum posts to help me figure out most of the firewall settings.  Hooray.

I've now got an Alias set up that routes specific IPs through the WG tunnel.  Other hosts remain on the standard WAN connection.

Problem :
The devices routing over the tunnel are not passing DNS leak tests.  They are showing the DNS address of Cloudflare (the public DSN provider I selected).

Question :
Is there a simple way to route DNS requests to my VPN provider for those devices that are part of the WG group and using the VPN IP address?

[RamSense]

I'm also new in opensense. I use it now for around 8 months and love it a lot.
If you use WireGuard on your device like apple iphone with the WireGuard app, what I have done is in the config on the WireGuard on my iPhone I am able to point the dns to the ip I want.
maybe that works for you also.

[Greelan]

See these suggested solutions: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html#dealing-with-dns-leaks

[Learning]

See these suggested solutions: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html#dealing-with-dns-leaks

Thanks.  I had been studying that document, but was unsure if how to apply it.
Probably #2 is the option I want.  That way I could ultimately route non-VPN queries via public secure DNS, and VPN connected clients to the VPN's DNS servers.  However I'm not sure whether that can all be done on a single rule.

Right now I have a DNS rule set up (or name queries don't work at all).  It is a LAN rule that passes any TCP/UDP on interface LAN to Destination "This firewall" on Destination port DNS.

So would I need to create a quick rule placed above this to capture DNS queries from source "MyVPN Alias list" with Destination "WG_VPN_Tunnel"?  If so, where would I set the VPN provider DNS server addresses, or would that not be necessary?

Edit : tried this and it didn't work.

Edit 2 :  Created an Alias for the VPN DNS server IPs.  Set up a rule on LAN to match my VPN Alias and set destination as VPN_DNS alias using the VPN gateway.  DNS queries still going to the public DNS server :-(

[Learning]

I'm still having no luck with routing the DNS queries correctly.

If there is anyone who knows how to implement #2 from the following link and could provide a brief tutorial, I would be deeply appreciative!

https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html#dealing-with-dns-leaks

[Greelan]

Have you set up a port forward? Are you VPN provider’s DNS public or private IPs?

[Learning]

Have you set up a port forward? Are you VPN provider’s DNS public or private IPs?

I attempted, without success, to set up a port forward.  Well, I set one up, it just didn't seem to work correctly.  When I ran a leak test I got weird IP ranges back, and not my VPN provider's public IP address.

The VPN provider uses public IP addresses.

[Greelan]

It’s a little hard to make suggestions on this without understanding how your network DNS is set up (local resolver in the network?) and how IPs of the clients you are sending down the tunnel relate to the DNS servers (same subnet?).

One alternative that might be easier though is to create static leases in OPNsense for the relevant clients (if you haven’t already), and specify the VPN provider’s DNS servers in the static lease configuration (see under Services/DHCPv4/[Interface Name]/DHCP Static Mappings for this interface at the bottom). This should mean that those clients are provided the VPN provider’s DNS servers by DHCP, rather than the system’s general DNS servers, which hopefully overcomes the issue (because the traffic to those public DNS servers should be going down the tunnel if the rest of the configuration has been set up correctly).

[Learning]

It’s a little hard to make suggestions on this without understanding how your network DNS is set up (local resolver in the network?) and how IPs of the clients you are sending down the tunnel relate to the DNS servers (same subnet?).

Opnsense is handling all the DNS and DHCP for the network.

One alternative that might be easier though is to create static leases in OPNsense for the relevant clients (if you haven’t already), and specify the VPN provider’s DNS servers in the static lease configuration (see under Services/DHCPv4/[Interface Name]/DHCP Static Mappings for this interface at the bottom). This should mean that those clients are provided the VPN provider’s DNS servers by DHCP, rather than the system’s general DNS servers, which hopefully overcomes the issue (because the traffic to those public DNS servers should be going down the tunnel if the rest of the configuration has been set up correctly).

That is basically the reverse of what I'd like to do.
I would like to have all DHCP clients use the VPN DNS servers by default, and the static leases (of which there are just a few) use a public DNS server.

Way less configuration if it can be done that way...

[AegeanDad]

I have the same selective routing setup on OPNSense using WireGuard. I have two sites. Selective routing is happening at Site A. Site B has another OPNSense server that I own. So, it is a site-to-site setup. But Site B could have been a commercial VPN service provider and it should work the same way. Here is what I recommend:

1. Set up a port forward rule (Firewall -> NAT -> Port Forward) that redirects all packets sourced from your LAN clients that should be using WG (you created an alias for those) with a destination port of DNS (port 53) to the target IP of your VPN service provider's tunnel IP. This isn't the tunnel IP you set up on your OPNSense VPN -> WireGuard -> Local; it is the tunnel IP they have on their side. If you don't have it, ask them.   

2. Set up an outbound NAT rule that translates your source IP to the interface address of your WG interface. When the traffic (including DNS) originating from your LAN clients that should be routed to the WG gateway pass through your WG tunnel, this outbound NAT rule will override the source IP to the IP address of your WG tunnel IP so that when your VPN provider responds to your packets, OPNSense knows which client to route it back to.

3. Add your VPN server provider's public DNS server IP to System -> Settings -> General -> DNS Servers (select your WG Gateway under "Use gateway" (your VPN service may be requiring inbound DNS requests coming to their DNS server to be encrypted via WG; not sure but it would explain the behavior you are seeing). Also on this page, "Allow DNS server list to be overridden by DHCP/PPP on WAN" may or may not need to be unchecked depending on your circumstances.

4. Set up a static route (System -> Routes -> Configuration) and add a rule that forces traffic to the specific IP address of the DNS server you want to use for your WG clients to the WG Gateway.

5. Set up (which you probably already have) a quick LAN pass rule that sends all traffic originating from those LAN clients that are supposed to go through WG to use the WG Gateway. 

This configuration works in my case.