[SOLVED] Can't get wireguard road warrior to block ads using unbound

[wallaby501]

I've reasoned about this a bit and can't get it.

I used the road warrior setup for wireguard. The idea being that I could use mainly mobile phones to connect back home and get all the benefits of ad blocking, LAN access, etc.

While at home, I can confirm that adblocking and such works just fine though I will note that I run only IPv4 on my main wifi VLAN. That DHCP server offers up my main LAN IP as the sole DNS provider.

For wireguard, I followed the guide all the way through 5 (so I have a WG interface.) I can see the rule automatically added in NAT outbound.

• Firewall rules for the WG interface
  block ipv6
  (linked NAT port forward ---> IPv4 tcp/udp * * dst ! LAN_ADDRESS on 53 )
  IPv4 tcp/udp * * 127.0.0.3 53

That loopback is a new interface that I created and unbound listens on.

Now...in my wireguard configs I set my main LAN_ADDRESS as the sole dns server. DNS is NOT set on wireguard local (server) portion and disable routes is unchecked.

I can use termux and do nslookup on known domains that are redirected to 0.0.0.0.

nslookup 2no.co 8.8.8.8

Returns 0.0.0.0 and I can see in the unbound logs that it answers that itself. I can't seem to understand just how ads are getting in then.

If I open a game I can see via PCAPdroid that it's looking for certain domains and some are blocked, some aren't. It can be the same domain and one attempt is "error" and one is succeeded. Usually takes 15 seconds for the first ad to get through but then it's constant.

I feel like I'm missing something but can't see what. Anyone else have this going without issue?

Edit- apologies if it's a little scattered. I can provide any more info on request. Just not sure where to look at this moment.

[entree3437]

I have the same setup (minus the loopback) and for me I had to specify the gateway of my wireguard subnet as the DNS address in my phone's wireguard config.

[CJ]

I set my DNS in the WG config as well.  I don't bother with having a redirect rule.

What do you have set for Private DNS on the phone?

[wallaby501]

I set my DNS in the WG config as well.  I don't bother with having a redirect rule.

What do you have set for Private DNS on the phone?

I did have my main LAN address as the DNS in the wireguard config on the phone. I changed that to the wireguard gateway and it still lets ads through.

I have nothing set for private DNS on the phone itself. I assume the wireguard app itself will direct all DNS to what I tell it.

I will note that I recently upgraded to 23.1.x (and still on that until 23.7 has another patch or two) and it now has the wireguard kernel implementation and no longer the go version. Did that introduce something different? Figured it'd be a seamless transition.

[newsense]

Check the phone settings including the browser, I think Android has a default now using secure dns on some devices like the Pixels and will prioritize that traffic instead of doing regular lookups that you can control

https://www.howtogeek.com/795644/how-to-enable-secure-private-dns-on-android/

[CJ]

I set my DNS in the WG config as well.  I don't bother with having a redirect rule.

What do you have set for Private DNS on the phone?

I did have my main LAN address as the DNS in the wireguard config on the phone. I changed that to the wireguard gateway and it still lets ads through.

I have nothing set for private DNS on the phone itself. I assume the wireguard app itself will direct all DNS to what I tell it.

I will note that I recently upgraded to 23.1.x (and still on that until 23.7 has another patch or two) and it now has the wireguard kernel implementation and no longer the go version. Did that introduce something different? Figured it'd be a seamless transition.

You have Private DNS set to Off or Automatic?  You should be using the os-wireguard plugin and not the go implementation, but that shouldn't be causing this.

What are you seeing in the unbound reporting?  What domains get queried when you start a game?  These are game apps, correct?

Can you have OPNSense grab a packet capture?  I'm wondering if the game is falling back to DoT or DoH after getting failures using the system DNS.  A lot of things will either hardcode additional DNS servers and/or use DoT/DoH.

[wallaby501]

I set my DNS in the WG config as well.  I don't bother with having a redirect rule.

What do you have set for Private DNS on the phone?

I did have my main LAN address as the DNS in the wireguard config on the phone. I changed that to the wireguard gateway and it still lets ads through.

I have nothing set for private DNS on the phone itself. I assume the wireguard app itself will direct all DNS to what I tell it.

I will note that I recently upgraded to 23.1.x (and still on that until 23.7 has another patch or two) and it now has the wireguard kernel implementation and no longer the go version. Did that introduce something different? Figured it'd be a seamless transition.

You have Private DNS set to Off or Automatic?  You should be using the os-wireguard plugin and not the go implementation, but that shouldn't be causing this.

What are you seeing in the unbound reporting?  What domains get queried when you start a game?  These are game apps, correct?

Can you have OPNSense grab a packet capture?  I'm wondering if the game is falling back to DoT or DoH after getting failures using the system DNS.  A lot of things will either hardcode additional DNS servers and/or use DoT/DoH.

Thank you both. I didn't have time for the longest time to troubleshoot further but finally got a sec.

Private DNS- *was* set to Automatic (by default I guess). Switched off and on. No change it seems.
Unbound- I do *not* see queries for it in my logs.
IPv6- I have configured this on a separate VLAN and tested- all works well at home. I can safely say ipv6 queries are successfully blocking it too.

But just sitting here, I will explain how I have it set up and how I figured out the issue.

1) Configure wireguard VPN per docs. https://docs.opnsense.org/manual/how-tos/wireguard-client.html
  a. Can configure ipv6 too and use this site to create a UL prefix for it- https://www.unique-local-ipv6.com/

2) *Optional* but I think it's prudent- assign the interfaces for your wireguard connection in opnsense (Step 5 from above guide). You can leave IPv4 set to "None" but I recommend taking one address (that isn't assigned to a wireguard client) and assigning it as a static IPv6 address on the interface. Reason why- unbound will now listen on this interface (if you allow it to listen on this or "All" interfaces) and can set this as a DNS server in your Android/mobile wireguard settings. IPv4 (for me) can be set to just your normal LAN IP of opnsense (assuming you allow traffic to your LAN, which is half of what I intend when setting this up, the other half blocking ads/scams/bs.) IPv6 (for my ISP) sometimes changes the prefix (no static here) so by leveraging a private address (instead of trying to track a randomly set "track" interface from your WAN on your WG or LAN interface) we can set this to always listen. It will thus be available without fail once you connect to the VPN.

3) Firewall-NAT-Port Forward- I set 4 rules here (NOTE the inverted destination with "!" and allow it to create filter rule association on the WG interface itself)
  a. Ipv4 tcp/udp to ! LAN_IP (for unbound) on DNS (53) and redirect to LAN IP on DNS (port 53)
  b. Ipv4 tcp/udp to ! LAN_IP (for unbound) on DoT (853) and redirect to LAN IP on DNS (port 53)
  c. Ipv6 tcp/udp to ! <our private IPv6 address set in step 2> on DNS (53) and redirect to <our private IPv6 address set in step 2> on DNS (port 53)
  d. Ipv6 tcp/udp to ! <our private IPv6 address set in step 2> on DoT (853) and redirect to <our private IPv6 address set in step 2> on DNS (port 53)
  e. I cannot guarantee this is absolutely necessary but...we're here so why not. Might help with apps that hardcode to google DNS, etc.

4) Firewall-WG interface - set up an IPv4/v6 pass * rule BELOW the automatically created rules (pass all traffic- if desired. Customize however you like)

5) Can leave Private DNS to Automatic (seems to work fine now that I've figured it out.)

Now...the actual crux of the issue that I had not even thought of is that the faulty app (among others) exist in my work profile. I run CalyxOS so all my "trusted" apps are basically FOSS and reside in the normal profile. All the google BS and stuff I like to freeze (with Shelter) or that I don't care to get any other data by whatever means they might go in the work profile.

Google, for good or bad reasons, doesn't want work profile traffic going over a VPN initiated in the main profile. That is why I was not seeing the queries.

This portion can be solved in one of two ways:
1) Install the offending app in the main profile.
2) Clone/install the VPN app (wireguard) into the work profile. Activate it from there, etc.

So once again, THANK YOU guys for helping me get this. Figuring out that ipv6 worked over wifi at home (for ad blocking) and all that helped me to really hone in on Android and then it just clicked when I thought of it being in the work profile.

Hopefully this helps someone in the future.

Edit- we don't listen on 853 with unbound (no infra set up for that- at least on my config) so I changed the 853 redirect to go to 53.

[CJ]

I've never been a big fan of redirecting DNS.  I just configure everything to use the DHCP DNS option.

In the firewall I have ports 53 and 853 blocked as well as a DoH IP blocklist.