
[SOLVED] Wireguard selective routing


Nikotine:
I'm following this guide (https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html) to have only a few local hosts use a Mullvad remote Wireguard peer.
At the end of that guide, there are a few options to solve DNS leaks. I've chosen option 2, using a port forward for DNS requests to the Mullvad DNS server.

The problem is that now Chrome is complaining about the connection not being private (NET::ERR_CERT_COMMON_NAME_INVALID) or OPNsense complaining about a DNS rebind attack...

EDIT: I'm sorry for the huge screenshots. They looked fine on my screen, but huge after upload to imgur and inserting them here...

Wireguard connection to server in Switzerland:


Wireguard gateway:


Firewall aliases (all_local_clients and local_hosts_remote_Mullvad).
I'm 10.25.9.10, the computer I'm typing this on.
Currently that alias is disabled, otherwise I can't reach this forum.


Firewall rules.
Second rule is to have all traffic from local_hosts_remote_Mullvad alias, not destined to local networks, to use the Mullvad gateway.


NAT outbound rule:


Then finally, to resolve the DNS leaks, NAT port forward of DNS request from hosts in local_hosts_remote_Mullvad alias to Mullvad's DNS server:


Things I've tried:
1. enabling Reflection for port forwards, Reflection for 1:1 and Automatic outbound NAT for Reflection. Didn't help.

2. enabling, disabling or using system default NAT reflection setting in the DNS port forward rule. No difference.
Nikotine:
I'm just realizing that the error I get in Chrome is about the Let's Encrypt certificate I'm using locally, but it's only when I route the traffic over Wireguard...

Greelan:
What DNS servers do the relevant clients use otherwise?

Nikotine:
Cloudflare 1.1.1.1 and 1.1.0.0.

Greelan:
So the port forward rule destination shouldn’t be “this firewall”, but instead the Cloudflare IPs or even “any”? That is, what you are trying to capture is the DNS request packets from the clients - if they are directly using Cloudflare rather than e.g. OPNsense (which is in turn forwarding to Cloudflare), then that is what the rule should be directed at.
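To make the point in this reply concrete, here is a small model of how a first-match port forward (rdr) rule is evaluated against a DNS packet. It is an added illustration written for this thread, not OPNsense or pf code; the firewall address, the `all_local_clients` subnet and the Mullvad DNS target are assumed placeholders, while `10.25.9.10` and `1.1.1.1` come from the thread. It shows that a rule whose destination is "this firewall" never sees a query a client sends straight to Cloudflare, so that query leaks around the tunnel, whereas the same rule with destination "any" captures it.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of the thread's setup. Values marked "assumed" are placeholders.
FIREWALL_ADDRS = {"10.25.9.1"}  # "this firewall" on the LAN side (assumed)
ALIASES = {
    "local_hosts_remote_Mullvad": ["10.25.9.10"],  # the poster's own host
    "all_local_clients": ["10.25.9.0/24"],         # assumed LAN subnet
}
MULLVAD_DNS = "10.64.0.1"  # placeholder for Mullvad's in-tunnel resolver (assumed)


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "udp"


@dataclass
class PortForward:
    name: str
    source_alias: str
    destination: str  # "this firewall", "any", or an alias name
    dport: int
    redirect_target: str


def _in_alias(addr: str, alias: str) -> bool:
    """True if addr falls inside any network listed under the alias."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in ALIASES[alias])


def _dst_matches(rule: PortForward, packet: Packet) -> bool:
    """Evaluate the rule's destination field against the packet's destination."""
    if rule.destination == "any":
        return True
    if rule.destination == "this firewall":
        return packet.dst in FIREWALL_ADDRS
    return _in_alias(packet.dst, rule.destination)


def apply_port_forwards(rules, packet: Packet):
    """First matching rule rewrites the destination; returns (new_dst, rule_name or None)."""
    for rule in rules:
        if (packet.proto in ("udp", "tcp")
                and packet.dport == rule.dport
                and _in_alias(packet.src, rule.source_alias)
                and _dst_matches(rule, packet)):
            return rule.redirect_target, rule.name
    return packet.dst, None


def leaked_queries(rules, packets):
    """DNS queries from the Mullvad-routed hosts that are NOT redirected (i.e. DNS leaks)."""
    leaks = []
    for p in packets:
        if p.dport == 53 and _in_alias(p.src, "local_hosts_remote_Mullvad"):
            new_dst, _ = apply_port_forwards(rules, p)
            if new_dst != MULLVAD_DNS:
                leaks.append(p)
    return leaks


# The rule as posted (destination "this firewall") versus the suggested fix ("any").
RULE_AS_POSTED = PortForward("dns-redirect (as posted)", "local_hosts_remote_Mullvad",
                             "this firewall", 53, MULLVAD_DNS)
RULE_FIXED = PortForward("dns-redirect (destination any)", "local_hosts_remote_Mullvad",
                         "any", 53, MULLVAD_DNS)

# A client that talks to Cloudflare directly, as the poster's clients do.
QUERY_TO_CLOUDFLARE = Packet(src="10.25.9.10", dst="1.1.1.1", dport=53)

if __name__ == "__main__":
    for rule in (RULE_AS_POSTED, RULE_FIXED):
        print(rule.name, "->", apply_port_forwards([rule], QUERY_TO_CLOUDFLARE))
```

With the rule as posted the query to 1.1.1.1 passes through untouched and is routed over the tunnel to Cloudflare (or, if policy routing misses it, out the WAN), which is exactly the leak option 2 in the guide is meant to close. With destination "any" the same query is rewritten to the Mullvad resolver; hosts outside the alias are unaffected either way.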
