NordVPN + AdGuard + VLAN + DNS Help please :\

[cgi2099]

Hello all, I am new to OPNSense and an amateur at networking for 100%. I am pretty good at following guides and getting things to "work" but I don't know what some of the technical stuff means or exactly what is going on afterwards. But I can learn pretty easy.

My current setup is:

Code Select Expand

                                                               > POE+ Dumb Switch > x5 CCTV Cameras
Modem > OPNSense (HP T740 + X710-T2L) > 10G Switch(semi smart) > TPLink Access Point
                                                               > Unraid Server > A few VMS
                                                                               > A Few Dockers
My subnets are:

OPNSense: 192.168.1/24

VLAN10: 10.10.10.1/24

VLAN20: 10.10.20.1/24

VLAN30: 10.10.30.1/24

VLAN40: 10.10.40.1/24



Currently I have everything configure and working about 95% how I would like. The problem I am having is with DNS on the VLAN20 that is routed through NordVPN, I followed this guide/video on how to set this up and mine is pretty much identical but through Nord and is working great: https://www.youtube.com/watch?v=ulRgecz0UsQ

I also have Adguard Home setup up identical to this guide: https://samuelsson.dev/install-adguard-home-on-an-opnsense-router/

I have all of the VLANs and LAN going through Adguard and is working great. But I have an "override" (I guess that is what you would call it) on the DHCP server for VLAN20 and I simply have put Nords special DNS setting there. Which works great for Windows devices or phones connecting, they get the correct DNS that way.

BUT if I connect a chromecast, firestick or roku to that network they grab the generic DNS from the VPN (I believe, it is a datacamp dns, I have no way I know of to verify it is Nords). So I thought I was having DOH DNS problems and went down that rabbit hole but took a step back and figured I'd give VLAN10 a static DNS on the DHCP server to Cloudflare and connect to VLAN10 on the Chromecast and it worked just like it should so the chromecast isn't using hardcoded DNS settings.

So with all of this being said, is there a setting I missed or can change on the NordVPN client to make sure it uses/forces the DHCP DNS on all devices? The only next step I know to do is factory reset one of the Chromecasts and see if it grabs the correct DNS then.

My next problem is on the VLAN20 routed through the VPN, all local traffic is also going through the VPN. For instance when I connect to my plex server on 192.168.1.190 it thinks I am a remote user or if I log into the OPNSense web GUI it thinks I am remote. Is there a way to make to make local traffic stay local?

FYI, I currently let all subnets communicate with each other wide open. I am wanting to segregate some of them after I get everything working how I would like but that is for a later adventure.

Again sorry for my lack of knowledge on all of this and appreciate any help.

Josh

[Bob.Dig]

Pls show screenshots  ;)

[cgi2099]

Thank you so much for the reply :)

[Bob.Dig]

I am not that familiar with OPNsense but there seem to be some problems.

On your last screenshot your first rule will send everything from some hosts to nordvpn, so they can't use your local dns. So this rule must go down below the dns rules.
Also your outbound NAT rule looks wrong to me. Source has to be your local LANs like in the automatic rules below that, at least all those, who actually should be able to use nordvpn.

And you shouldn't have any Port forwards on nord vpn interface at all.
And also back again on your last screenshot you have a rule containing nordvpn net. This is also a nogo and is not doing anything for you.

Haven't watched your youtubevideo but you are really at the very beginning of all of that.

[cgi2099]

Not sure if this matters but I only want the NordVPN VLAN to go to the VPN everything else I want to stay on the local network. The port forwards are suppose to be to fool the streaming devices DNS. It is suppose to let those devices think they are getting their requested DNS but then be forward to my DNS if I have it setup correctly.

[Bob.Dig]

Ok, so one VLAN is named NordVPN... now it makes more sense, not a good name though.  ;)

[Bob.Dig]

Still the rule must go down, also the screenshots are not shown fully here for me, maybe post only thumbs here with a link to the whole picture.

[cgi2099]

:) I'm new to all of this and didn't know what to name everything lol. If I move it to the bottom it no longer connects to the VPN, does it need to be the second from bottom?

https://arkomasurvey-my.sharepoint.com/:i:/p/joshkelly/EaLTrNu5yXFFtwoyIrX4LgwBRdMy9TijKOXsnGwfvOX22g?e=QMDQol

https://arkomasurvey-my.sharepoint.com/:i:/p/joshkelly/EQVYvae3l65OqNRSu5FKxwQBRWtRRz5rQwZkRlGfdEZ-5w?e=EpwzDi

https://arkomasurvey-my.sharepoint.com/:i:/p/joshkelly/EdSdnkqyYfNMvxygwBM2gP8Btn5YE8Y3A3NTkAfEbb0P-Q?e=9KlBKy

https://arkomasurvey-my.sharepoint.com/:i:/p/joshkelly/EbBDuUk0sN9CsL6wEK3j8sEBPDdcJ5H0CFVmdkuM2CRVog?e=DS3gUj

[cgi2099]

Still the rule must go down, also the screenshots are not shown fully here for me, maybe post only thumbs here with a link to the whole picture.

It works if I move it to the second from last, but for some reason the DNS I apply in AdGuard, which is supposedly smart, won't grab the correct DNS :(. I suppose this is a Nord issue?

If I put the DNS, which are the same, in the DHCP section of the VLAN they work as should for all the devices except streaming stick devices because they have the DNS hard coded. I guess this is because of my port forward rules but I don't know how to get Adguard to pick up the VLAN without them?

Is there a way to route it through Nord without the Nat port forwarding?

[Bob.Dig]

Much better readable screenshots this time.

I think you can't do DNS Redirect with DoT and DoH...
Redirecting DNS isn't needed at all anyways.

So on which VLAN you have a problem, where is the dns server you want to use for that. One problem at a time.

[cgi2099]

The NordVPN VLAN (10.10.20.1) which is routes through the NordVPNRouted gateway.

If I set the DNS in the DHCP of the VLAN my DNS works like it should on every but streaming sticks but if I set it in adguard it does not work correctly on any device. It connects to the right DNS numbers but wrong location.

If I remove the NAT port forwardings the VLAN will not get a DNS, so it has no internet.

[cgi2099]

Much better readable screenshots this time.

I think you can't do DNS Redirect with DoT and DoH...
Redirecting DNS isn't needed at all anyways.

So on which VLAN you have a problem, where is the dns server you want to use for that. One problem at a time.

I thoroughly read your messages and made sure (changed a few to match) they were right and changed a couple of settings in my Nord Account, and everything is working great :).

Thank you so much :)