Route AdGuard queries via VPN gateway group

Started by Neo, February 16, 2023, 06:55:23 AM

Background: I've set up OpnSense with multiple WAN gateways (dual internet + LTE fail-over) with a VPN tunnel (via public VPN provider) on each WAN link... I have a WAN_Gateway group and a VPN_Gateway group setup with the appropriate Tier1/Tier2 gateways and policy-based routing via Firewall rules on LAN... all of that is working fine...

I am working on moving away from PiHole on a separate device to AdGuard Home on the OpnSense... I have everything working EXCEPT I cannot figure out how to route the DNS queries from AdGuard to public DNS via the VPN_Gateway group (or even via a specific VPN gateway)... For PiHole (separate device on LAN) I just needed a rule with source being PiHole IP... But, for AdGuard (on the firewall itself), I can't get a rule to work (LAN or even floating)...

I can see queries going out in the live view of Firewall logs (via the "let out anything from firewall host itself" rule) and it shows ">WAN {LAN interface IP} {upstream DNS IP}" ...

I've tried rules on LAN, WAN, and floating... I fear I'm missing something silly... Hopefully this is in fact something simple... I don't fully understand the relationship between AdGuard and OpnSense with AGH running on the device itself... but it does everything I want, the way I want, except for routing the upstream queries over the VPN (preferably using a VPN Gateway group that load balances those tunnels)...

FYI: I am using a DNS-over-TLS connection to the upstream DNS servers... but I want to obfuscate both ends... DoT ensures the payload of query/answer is not intercepted by ISP or snoopers in the routed path... VPN ensures upstream DNS is not aware of the true origin of the query and load balancing across 2 VPN tunnels creates further obfuscation as well as redundancy (fault tolerance)... Again, I had this all working with PiHole (which sent queries through firewall via a DoH proxy on the PiHole using docker with PiHole & cloudflared) so the only real difficulty is that the LAN rule I was using for that does not seem to work with AdGuard running on the firewall itself...

I had the same issue as you, but I found the setting for specifying the gateway for your DNS servers.

I know my reply is a bit late for you, but someone else might land on this page looking for the answer.

Go to System -> Settings -> General -> Networking
Add the DNS servers you have entered in AdGuard Home to the list of DNS servers and select the gateway you want to use for each DNS server
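A leak check to confirm that the per-server gateway assignment described above actually took effect, written here as an added example (not from the thread, AdGuard Home or OPNsense): it parses constructed firewall-log-style lines and flags DoT queries to the AdGuard upstreams that left via WAN instead of a VPN interface, which is the symptom the original post saw in the live view. The line layout, upstream addresses and interface names are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (not real OPNsense output), loosely modelled on the
# live view's "WAN <src> <dst>" display in the post; the field layout is an assumption.
SAMPLE_LOG = """\
pass out WAN 192.168.1.1:51422 1.1.1.1:853 tcp
pass out WAN 192.168.1.1:51423 9.9.9.9:853 tcp
pass out VPN_A 10.8.0.2:40111 1.1.1.1:853 tcp
pass out VPN_B 10.9.0.2:40112 9.9.9.9:853 tcp
pass out WAN 192.168.1.1:40113 1.1.1.1:443 tcp
"""

# Upstreams configured in AdGuard Home and the VPN interfaces they should use (constructed).
UPSTREAMS = {"1.1.1.1", "9.9.9.9"}
VPN_IFACES = {"VPN_A", "VPN_B"}
DOT_PORT = 853

LINE_RE = re.compile(
    r"^(?P<action>\w+) out (?P<iface>\S+) "
    r"(?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["dport"] = int(fields["dport"])
    return fields

def dot_egress(log_text, upstreams=UPSTREAMS):
    """Parsed DoT (tcp/853) connections to the configured upstreams."""
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f["proto"] == "tcp" and f["dport"] == DOT_PORT and f["dst"] in upstreams:
            yield f

def egress_summary(log_text, upstreams=UPSTREAMS):
    """Count DoT connections to the upstreams per egress interface."""
    return Counter(f["iface"] for f in dot_egress(log_text, upstreams))

def find_leaks(log_text, upstreams=UPSTREAMS, vpn_ifaces=VPN_IFACES):
    """(interface, upstream) pairs for DoT queries that left outside the VPN tunnels."""
    return [(f["iface"], f["dst"]) for f in dot_egress(log_text, upstreams)
            if f["iface"] not in vpn_ifaces]
```

An empty result from find_leaks over a real export of the live view (after adapting LINE_RE to its actual columns) means every upstream query is leaving through a tunnel; the port-443 line shows that unrelated traffic on WAN is ignored.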