OPNsense Forum » English Forums » Virtual private networks » PiHole + Unbound + Split Wireguard Proton VPN
Topic: PiHole + Unbound + Split Wireguard Proton VPN (Read 1962 times)
swILeZBa (Newbie, Posts: 28, Karma: 2)
PiHole + Unbound + Split Wireguard Proton VPN
« on: November 16, 2023, 02:28:36 pm »
Hello fellow network enthusiasts,
I followed the guide to set up an external VPN (Proton) and now I am trying to address DNS leaks for my setup.
My goal is to set up the following.
All hosts (VPN + nonVPN) get a PiHole DNS server through DHCP.
PiHole DNS forwards to Unbound DNS.
For nonVPN hosts:
Route DNS traffic to Quad9 DoT server
For VPN hosts:
a) Unbound traffic goes through the Wireguard interface to ProtonVPN server (DNS server is provided through the wireguard interface)
b) If the VPN endpoint is down, route DNS traffic to Quad9 DoT server
If I have understood the use cases correctly they should look like this:
nonVPN Host -> Pihole -> Unbound DNS -> Quad9 DoT
VPN working:
VPN host -> Pihole -> Unbound DNS -> WG Interface -> ProtonVPN endpoint
VPN not working:
VPN host -> Pihole -> Unbound DNS -> Quad9 DoT
Can someone help me make the necessary adjustments to the guide so that this works?
swILeZBa (Newbie, Posts: 28, Karma: 2)
Re: PiHole + Unbound + Split Wireguard Proton VPN
« Reply #1 on: November 19, 2023, 10:21:45 am »
So I found a solution to plug the DNS leak for the VPN hosts but there are some caveats.
If you add a NAT outbound rule as specified below, then the VPN hosts will get DNS through the VPN, but non-VPN hosts will get DNS through the VPN too. Also, I am not sure what will happen if the VPN is unavailable (i.e. whether the killswitch will work correctly).
NAT outbound rule
Interface: WAN (the default WAN)
TCP/IP: IPv4
Protocol: Any
Source invert: Unchecked
Source address: WAN address
Source port: Any
Destination invert: Checked
Destination address: RFC1918 (Alias with all the local subnets)
Destination port: DNS
Translation/target: VPN WAN
swILeZBa (Newbie, Posts: 28, Karma: 2)
Re: PiHole + Unbound + Split Wireguard Proton VPN
« Reply #2 on: November 22, 2023, 10:37:16 am »
So I am working on a slightly better solution that consists of having a separate DNS server for the other hosts.
I think that the problem is that if Pihole is a forwarding DNS server then the packets are going to be in 2 parts:
1. from Pihole to OPNsense Unbound DNS and
2. from Unbound DNS to external DNS servers.
If both VPN and non-VPN hosts use Pihole as a DNS it is impossible to create a rule that will distinguish between those two in order to route them to different gateways because the outgoing packets in both these cases will have correspondingly the same source and destination.
Maybe you could set a tag but I am not too familiar with them.
What I am thinking is that the VPN hosts use a Pihole+Unbound DNS server on a Raspberry Pi. In this case the source would be the Raspberry Pi's local address and you could easily create a rule to send this traffic through the ProtonVPN gateway whilst all other traffic would be going through the other Pihole+OPNsense's Unbound DNS.
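As an added illustration (not code from the thread or from OPNsense), the following models the packets the upstream resolver sees after the forwarding chain in Reply #1 and Reply #2, and evaluates the two candidate NAT rules against them. All addresses are constructed for the example: the OPNsense WAN address, the Raspberry Pi resolver address and the use of Quad9 as the upstream are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values for the example (not taken from the thread).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OPNSENSE_WAN = ipaddress.ip_address("203.0.113.10")  # documentation range, stands in for the WAN address
PI_RESOLVER = ipaddress.ip_address("192.168.1.53")   # hypothetical Pi running Pihole+Unbound
QUAD9 = ipaddress.ip_address("9.9.9.9")              # upstream the Unbound instance forwards to


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def in_alias(addr, alias):
    """True when addr falls in any network of the alias (the 'RFC1918' alias in Reply #1)."""
    return any(addr in net for net in alias)


def reply1_rule_matches(pkt):
    """Reply #1 rule: source = WAN address, destination NOT in RFC1918 (invert), port 53, any protocol.
    Everything that matches is translated to the VPN WAN, regardless of which client asked."""
    return pkt.src == OPNSENSE_WAN and not in_alias(pkt.dst, RFC1918) and pkt.dport == 53


def reply2_rule_matches(pkt):
    """Reply #2 idea: key on the Pi's LAN address as source, so only queries that originated
    from the VPN hosts' resolver are sent through the ProtonVPN gateway."""
    return pkt.src == PI_RESOLVER and pkt.dport == 53


def upstream_packet(client_uses_pi_resolver):
    """Packet seen leaving towards Quad9 after the forwarding chain.

    OPNsense path: client -> Pihole -> Unbound on OPNsense -> Quad9. Unbound sources the query
    from the firewall itself, so VPN and non-VPN clients produce an identical outbound packet.
    Pi path:       client -> Pihole+Unbound on the Pi -> Quad9. The pre-NAT source is the Pi's
    LAN address, which a policy rule can match on.
    """
    src = PI_RESOLVER if client_uses_pi_resolver else OPNSENSE_WAN
    return Packet(src, QUAD9, 53)


def distinguishable(a, b):
    """Can a firewall rule tell these two flows apart by the fields it actually sees?"""
    return (a.src, a.dst, a.dport) != (b.src, b.dst, b.dport)
```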