Force Unbound (resolver) to use a WG tunnel and not default route

Started by schnerring, October 30, 2021, 12:59:03 AM

I use Unbound as a resolver and want to force Unbound to use the WireGuard VPN tunnel I configured but just can't figure out what's wrong. At this point I suspect it has to do with NAT or (floating) firewall rules I don't understand.

For reproduction, I factory reset OPNsense and started over leaving everything at defaults.

Next, I followed the WireGuard Selective Routing to External VPN Provider guide from the docs, and WireGuard is handshaking. The only thing missing is fixing the DNS leak, as mentioned in the guide. I want to implement option 1):

Quote
Force the local DNS server to use the tunnel as well. [...] For OPNsense itself, configure the DNS server to use the tunnel gateway.

I think this is the setting under Services > Unbound DNS > General > Outgoing Network Interfaces? I selected the WAN_VPN interface I created. I also blocked all IPv6 traffic by unchecking Firewall > Advanced > Allow IPv6. I rebooted and checked the DNS leak, and it's still there.

I created a firewall live log filter to check DNS root server requests: dst=<any root dns server>. It turns out that DNS traffic leaves through the WAN gateway due to the let out anything from firewall host itself (force gw) rule. So to get rid of this rule, I check Disable force gateway under Firewall > Settings > Advanced. But the traffic still leaves through the WAN interface (let out anything from firewall host itself rule).

I also tried to uncheck Allow DNS server list to be overridden by DHCP/PPP on WAN under System > Settings > General, but this doesn't affect Unbound in resolver mode because it looks up root servers.

Switching from Hybrid outbound NAT rule generation to Manual is when everything stops working because the only NAT rule I have is the selective routing through the tunnel from one host.

To fix this, I just change the alias I created for selective routing from containing just a single host to the entire LAN network (192.168.1.1/24). I tested that all hosts are NATed through the VPN tunnel with traceroute, and indeed, everything hops through the tunnel. But DNS resolution is broken:


# works
tracepath -n 8.8.8.8
# doesn't work
tracepath 8.8.8.8


Looking at the generated rules when in hybrid mode, I can see that 127.0.0.0/8 and Loopback networks are NATed to WAN. What's the difference between those two networks anyway? Aren't 127.0.0.0/8 loopback networks? Anyway, adding 127.0.0.1/8 to the selective routing alias didn't work.

System > Routes > Status displays


Proto Destination Gateway        Flags   Use     MTU    Netif    Netif (name)
ipv4  default     <ISP WAN IP>   UGS     11793   1500 igb1     wan


I don't know how to proceed or what to debug. Any help is greatly appreciated.


I saw this post also describing my problem: https://forum.opnsense.org/index.php?topic=24810.0

I changed the following settings:


  • Enable forwarding mode for Unbound
  • Uncheck Allow DNS server list to be overridden by DHCP/PPP on WAN
  • Add any system DNS servers, e.g., Cloudflare or Quad9

With this configuration Unbound forwards DNS queries to the specified system DNS through the tunnel.

It's not what I want (I want to use resolver mode) but an indicator that there's a problem with Unbound in resolver mode.

Trying to understand Unbound more, I found the following in the pfSense docs:

Quote
In resolver mode (default) the DNS Resolver [...] contacts servers which cannot be known beforehand, it must utilize the default route on the firewall to make outbound connections.

This would explain the behavior of Unbound in resolver mode.

My desired behavior is that local DNS resolutions fails if my VPN tunnels are down. How do I implement this? How do I re-route DNS traffic using the default route?

What are you trying to achieve? The most private way of doing DNS is to just use your local resolver without any forwarding.

You could use BIND instead of unbound. Set a forwarder that is reachable via your WireGuard tunnel, only. And then set "forward-only" - this means resolution will fail if the forwarder cannot be reached.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
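Unbound has the same fail-closed forwarding semantics as BIND's "forward-only", so the behaviour asked for above can also be expressed in unbound.conf. The fragment below is an added example, not text from this thread and not the configuration OPNsense generates; it assumes the forwarders 9.9.9.9 and 1.1.1.1 are reachable only through the tunnel (i.e. the selective-routing policy sends traffic sourced from the WAN_VPN address 10.10.10.55 through wg0), and that no other forward-zone is defined.

```conf
# unbound.conf fragment (added example; addresses are assumptions)
server:
    # Source address for upstream queries. This only binds the socket;
    # which interface the packet actually leaves on is still decided by
    # the kernel routing table and any pf route-to rules.
    outgoing-interface: 10.10.10.55

forward-zone:
    name: "."
    forward-addr: 9.9.9.9
    forward-addr: 1.1.1.1
    # "no" is the default and is the Unbound equivalent of BIND's
    # forward-only: when no forwarder answers, the query fails (SERVFAIL)
    # instead of falling back to iterative resolution via the root servers.
    forward-first: no
```

With `forward-first: yes` Unbound would silently fall back to resolving from the root hints over the default route when the tunnel is down, which is exactly the leak the thread is about; leaving it at `no` is what makes resolution fail closed.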

Quote
What are you trying to achieve? The most private way of doing DNS is to just use your local resolver without any forwarding.

I want to use Unbound in resolver mode and route DNS traffic from Unbound (running on OPNsense) through the VPN tunnel. Unbound seems to always use the default route of the routing table, which is not the "VPN WAN", but my ISP WAN.

How do I do this?

Changing the default gateway to VPN WAN breaks outbound connections. Can I do this policy-based or port forwarding?

You can add a static host route to your VPN endpoint and then change the default route to your VPN tunnel. But again: why? If it's privacy concerns, commercial VPN vendors are not a solution!

Quote
You can add a static host route to your VPN endpoint and then change the default route to your VPN tunnel.

Could you elaborate on how to do that? Do you mean a static route from the Local Endpoint interface IP to the ISP WAN? How would this work with multiple VPN gateways?

Quote
But again: why?

Well, I'm curious and want to make this work. And I already learned a lot about the OPNsense platform.

Quote
If it's privacy concerns, commercial VPN vendors are not a solution!

Do you mean no privacy when using a DNS resolver?

If you mean in general, I strongly disagree. If using a VPN is for privacy, it depends on your threat model:


  • Is your adversary the NSA? Using a VPN won't do anything for you, or may even hurt you.
  • Is it your ISP selling data, hijacking DNS requests, or enforcing censorship? A VPN will be useful in this case.

Those are the default routes installed by WG when Disable Routes is unchecked on the local peer:


ipv4 0.0.0.0/1 wg0 US 35 1420 wg0 WAN_VPN
ipv4 128.0.0.0/1 wg0 US 250 1420 wg0 WAN_VPN


But this is not what you mean, is it?

I haven't tried this myself, but maybe an outbound NAT rule that sends all traffic from the unbound IP to destination port 53 over the VPN WAN interface?

A static route may also be needed as earlier suggested

Quote from: ask on October 30, 2021, 09:40:53 PM
Could you elaborate on how to do that? Do you mean a static route from the Local Endpoint interface IP to the ISP WAN? How would this work with multiple VPN gateways?
A static route for your single VPN gateway - or multiple static routes to all of your VPN gateways - /32 or /128 prefix length, so pointing to only a single host, with router <your ISP gateway>.
That's necessary to keep your tunnel(s) alive. Then you can route 0.0.0.0/0 or ::/0 through the tunnel.


Quote from: ask on October 30, 2021, 09:40:53 PM
Do you mean no privacy when using a DNS resolver?
Whenever you use an upstream resolver, be it through a VPN or not, that upstream resolver sees all your queries. I consider that a serious privacy problem.

When you run a local resolver without upstream and just let it do its magic, nobody sees those. At least nobody in particular in a single place.

I wrote about how a DNS lookup works here:
https://forum.opnsense.org/index.php?topic=22760.msg108462#msg108462

HTH,
Patrick

Thank you for your answers, but I still can't make it work.

Quote
I haven't tried this myself, but maybe an outbound NAT rule that sends all traffic from the unbound IP to destination port 53 over the VPN WAN interface?

A static route may also be needed as earlier suggested

I tried adding the following outbound NAT rule which didn't work:


  • Interface: WAN
  • Source: Loopback net
  • Destination Port: 53
  • NAT Address: WAN_VPN

Did you mean an outbound NAT rule or a port forward? Can you please give me some more details? A static route from where to where?

As for the approach @pmhausen suggested; here are the routes before making changes:


Proto   Destination       Gateway       Flags   Use    MTU     Netif   Netif (name)

ipv4    default           X.X.X.1       UGS     434    1500    igb1    wan
ipv4    10.10.10.54       wg0           UHS     0      1420    wg0     WAN_VPN
ipv4    10.10.10.55       link#9        UHS     0      16384   lo0     Loopback
ipv4    10.10.10.55/32    link#9        U       0      1420    wg0     WAN_VPN
ipv4    X.X.X.0/24        link#2        U       0      1500    igb1    wan
ipv4    X.X.X.X           link#2        UHS     0      16384   lo0     Loopback
ipv4    127.0.0.1         link#6        UH      12     16384   lo0     Loopback
ipv4    192.168.1.0/24    link#1        U       1470   1500    igb0    lan
ipv4    192.168.1.1       link#1        UHS     0      16384   lo0     Loopback
ipv4    M.M.M.M           10.10.10.54   UGHS    2      1420    wg0     WAN_VPN


The IP of my local peer is 10.10.10.55 and the Gateway IP is 10.10.10.54. X.X.X.X is my ISP IP. M.M.M.M is the monitoring IP of my VPN gateway.

Quote
A static route for your single VPN gateway [...]  pointing to only a single host, with router <your ISP gateway>. [...] Then you can route 0.0.0.0/0.

I added a static route from 10.10.10.54/32 to the WAN gateway ("WAN_DHCP") under System > Routes > Configuration. Then I made my VPN gateway the default gateway by lowering its priority to 250. When I do that, I lose connectivity. Here is the routing table after that change:


Proto   Destination       Gateway       Flags   Use    MTU     Netif   Netif (name)

ipv4    default           10.10.10.54   UGS     285    1420    wg0     WAN_VPN
ipv4    10.10.10.54       wg0           UHS     0      1420    wg0     WAN_VPN
ipv4    10.10.10.54/32    X.X.X.1       UGS     0      1500    igb1    wan
ipv4    10.10.10.55       link#9        UHS     0      16384   lo0     Loopback
ipv4    10.10.10.55/32    link#9        U       0      1420    wg0     WAN_VPN
ipv4    X.X.X.0/24        link#2        U       0      1500    igb1    wan
ipv4    X.X.X.X           link#2        UHS     0      16384   lo0     Loopback
ipv4    127.0.0.1         link#6        UH      374    16384   lo0     Loopback
ipv4    192.168.1.0/24    link#1        U       1962   1500    igb0    lan
ipv4    192.168.1.1       link#1        UHS     0      16384   lo0     Loopback
ipv4    M.M.M.M           10.10.10.54   UGHS    325    1420    wg0     WAN_VPN


Is the 10.10.10.54 -> wg0 static route the issue here?

Quote
QuoteDo you mean no privacy when using a DNS resolver?

Whenever you use an upstream resolver, be it through a VPN or not, that upstream resolver sees all your queries. I consider that a serious privacy problem.

I didn't mean to ask whether or not a resolver improves privacy, I understand that it does. I meant to ask whether you think that sending DNS queries from the resolver through a VPN tunnel has no privacy benefits. I don't know why I wanted to ask this, because I think we both agree that it doesn't make a difference regarding privacy.

Quote[...] nobody sees those. At least nobody in particular in a single place.

Either the ISP or VPN provider will see the queries of the resolver. If we put on our tinfoil hats for a second, with that data someone could reconstruct part of my browsing behavior from these iterative DNS server queries. So it becomes a question of who I rather entrust with that data: the VPN provider accepting my cash payments via mail and knowing nothing else about me. Or my ISP who knows exactly who I am. If we're realistic here, it's more than likely a wasted effort.

A more valid reason would be an ISP hijacking DNS queries because that would trip up a resolver.

In my case it's mostly wasted effort - if it weren't for the learning experience and fun I have tinkering with OPNsense ;D
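The static-host-route advice from pmhausen above, the /1 routes WireGuard installs, and the routing-table experiment in the previous post all come down to one thing: the kernel picks an egress interface by longest-prefix match on the destination, and Unbound's outgoing-interface setting only chooses the source address, so it never enters that decision. The following is an added Python model of that lookup over tables built from the routes posted in this thread; it is not code from the thread or from OPNsense. The ISP gateway X.X.X.1 is replaced by the placeholder 198.51.100.1, and the VPN provider's public WireGuard endpoint (which does not appear in the posted tables) is assumed to be 203.0.113.10; both are assumptions. The model covers routing only; OPNsense's pf rules (such as the "let out anything from firewall host itself (force gw)" rule with its route-to) act on top of what it shows.

```python
import ipaddress

# Placeholder addresses (assumptions, not values from the thread):
ISP_GW = "198.51.100.1"       # stands in for X.X.X.1, the ISP gateway
ISP_NET = "198.51.100.0/24"   # stands in for X.X.X.0/24, the WAN subnet
WG_ENDPOINT = "203.0.113.10"  # the VPN provider's public WireGuard endpoint
# Values as posted in the thread:
WG_GW = "10.10.10.54"         # tunnel-side gateway (WAN_VPN gateway)
WG_LOCAL = "10.10.10.55"      # local tunnel address
LAN = "192.168.1.0/24"

# A route is (destination prefix, next hop or None when on-link, interface).
BASE = [
    ("0.0.0.0/0", ISP_GW, "igb1"),        # default via the ISP
    (ISP_NET, None, "igb1"),
    (f"{WG_GW}/32", None, "wg0"),
    (f"{WG_LOCAL}/32", None, "lo0"),
    (LAN, None, "igb0"),
]


def without_default(table):
    return [r for r in table if r[0] != "0.0.0.0/0"]


# "Disable Routes" unchecked: WireGuard adds 0.0.0.0/1 and 128.0.0.0/1, which
# are more specific than the default and therefore win every lookup, including
# the one for the encapsulated packets addressed to the peer's own endpoint.
WG_HALVES = BASE + [("0.0.0.0/1", None, "wg0"), ("128.0.0.0/1", None, "wg0")]

# The experiment posted above: host route for the tunnel-side gateway via the
# ISP, and the default moved onto the tunnel. Nothing routes the public
# endpoint, so the tunnel's own packets are sent into the tunnel.
POSTED_ATTEMPT = without_default(BASE) + [
    ("0.0.0.0/0", WG_GW, "wg0"),
    (f"{WG_GW}/32", ISP_GW, "igb1"),
]

# The arrangement the advice describes: a /32 host route for the peer's
# public endpoint via the ISP gateway, then the default onto the tunnel.
FIXED = without_default(BASE) + [
    ("0.0.0.0/0", WG_GW, "wg0"),
    (f"{WG_ENDPOINT}/32", ISP_GW, "igb1"),
]


def lookup(table, dst):
    """Longest-prefix match, as the kernel does it: the most specific prefix
    containing dst wins; on equal length the earlier entry is kept.
    Returns (prefix, next_hop, interface)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop, ifname in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, ifname)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return str(best[0]), best[1], best[2]


def egress_interfaces(table, destinations):
    """Interface each destination leaves on. Unbound's outgoing-interface
    setting only fixes the *source* address of its queries; the kernel still
    routes by destination, which is why the source address plays no part here."""
    return {d: lookup(table, d)[2] for d in destinations}


if __name__ == "__main__":
    # 8.8.8.8 stands in for any authoritative or root server Unbound contacts.
    probes = ["8.8.8.8", WG_ENDPOINT, WG_GW]
    for name, table in [("base", BASE), ("wg /1 routes", WG_HALVES),
                        ("posted attempt", POSTED_ATTEMPT), ("fixed", FIXED)]:
        print(f"{name:15} {egress_interfaces(table, probes)}")
```

Running it shows the three situations side by side: with the base table every resolver query leaves on igb1; with the /1 routes (or with the default simply moved to wg0, as in the posted attempt) the encapsulated packets to the endpoint are themselves routed into wg0, which is consistent with losing connectivity; only the host route for the public endpoint plus the tunnel default sends DNS through wg0 while keeping the tunnel reachable over igb1.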

Quote from: ask on October 31, 2021, 02:54:14 AM
I tried the following:


  • Interface: WAN
  • Source: Loopback net
  • Destination Port: 53
  • NAT Address: WAN_VPN

Did you mean an outbound NAT rule or a port forward? Can you please give me some more details? A static route from where to where?

I had something different in mind for the outbound NAT rule, such as:

Interface: VPN_WAN
Source: This Firewall
Destination Port: 53
Translation / target: Interface address

But I have also just noticed that under Services/Unbound DNS/General/Advanced, you can set the Outgoing Network Interfaces. Setting this to WAN_VPN may solve your issue, even without a manual outbound NAT rule (setting the unbound advanced option might deal with that for you).

Sorry, this is a bit of (somewhat educated) guesswork. I don't use unbound on OPNsense (I have a separate box that does DNS for my network). :)

Quote
Interface: VPN_WAN
Source: This Firewall
Destination Port: 53
Translation / target: Interface address

I tried the NAT rule without success. I think this rule doesn't get applied because Unbound uses the default route, not VPN_WAN...

Quote
Sorry, this is a bit of (somewhat educated) guesswork. I don't use unbound on OPNsense (I have a separate box that does DNS for my network). :)

No worries, any help I can get is very much appreciated.

Quote
But I have also just noticed that under Services/Unbound DNS/General/Advanced, you can set the Outgoing Network Interfaces.

I already have this set (I mentioned this in the initial post) but traffic still leaves through WAN. It seems the setting is just ignored...... What could be the reason that this happens? Wrong NAT rules? Missing rules? 


Quote from: ask on October 31, 2021, 04:00:57 AM
I already have this set (I mentioned this in the initial post) but traffic still leaves through WAN. It seems the setting is just ignored...... What could be the reason that this happens? Wrong NAT rules? Missing rules?
Did you restart unbound after changing the outbound interface?

Yes, more often than not I restart the whole system just to make sure everything is applied properly. As I said, I factory reset the whole system and use as little configuration as possible to understand.