Topic: DNS Outgoing Network Interface through VPN is failing (Read 1439 times)
packeteer, October 21, 2023, 03:56:26 am
Hi all,
Beginning with a default installation of OPNsense 23.7.6, I've configured it as an OpenVPN client for ProtonVPN. ProtonVPN offers no guide to OPNsense so I used the most recent guide offered for pfSense: https://protonvpn.com/support/pfsense-2-6-x-vpn-setup/. Translating instructions from pfSense to OPNsense was straightforward and I got a client up and running (steps 1-4 of the guide). It works fine except for leaking DNS to the server configured at 'System -> Settings -> General'. The final step of the guide, #5, configures the DNS resolver to prevent leaks.
This step directs me to change the 'Outgoing Network Interfaces' of the pfSense DNS Resolver to the established VPN Interface, which makes perfect sense. Translated to OPNsense, I did this under 'Unbound DNS' -> Advanced Mode -> 'Outgoing Network Interfaces'. This immediately halted all outbound DNS queries. The only interface which appears to permit outbound DNS queries is on the WAN.
I've tried creating a rule to explicitly pass port 53 on the VPN interface as a solution, but without success.
Suggestions welcome.
Thank you!
cookiemonster, Reply #1, October 21, 2023, 09:52:37 pm
You probably want to use Unbound on your OPN. There's a dropdown on it for outbound interface that seems to be what you're looking for, not the system one.
packeteer, Reply #2, October 22, 2023, 04:08:06 am
Thanks Cookiemonster.
If I understand you correctly, you're suggesting I should change the Outgoing Network Interfaces dropdown from the System interface I created (called ProtonVPN) to one of the OpenVPN clients I've configured? I've tried that also (see attached screenshot) but it doesn't fix the issue.
cookiemonster, Reply #3, October 22, 2023, 07:00:18 pm
Yes, that was the place I was suggesting to check out. I don't know if the instruction for pf is directly transferable to OPN though. I would probably be going with the firewall rule too to get what you seem to want, to get DNS requests over the tunnel. Frankly I don't bother with those "DNS leaks" fixes, I simply encrypt all my DNS traffic using DoT. Sorry, no idea what you need to do in OPN to make that guide "match".
packeteer, Reply #4, October 22, 2023, 08:53:00 pm
Thanks for the clarification.
Yes, firewall rules are my suspect. I don't think the rest of my VPN traffic would be flowing if I had an issue with routes or NAT.
The biggest difference I've noted between pfSense and OPNsense during this exercise is what NAT and firewall rules remain in place when Outbound NAT rule generation is switched from automatic to manual. Based on the VPN setup document linked earlier, pfSense appears to retain the auto-generated rules and allows you to modify them. OPNsense wipes the auto-generated rules. If that's correct, the pfSense doc is probably quietly assuming a retained rule is in place which is passing DNS, which is not true under OPNsense.
I'll post the solution here when I find it.