
Author Topic: ProtonVPN Wireguard DNS  (Read 4731 times)

not_the_messiah
ProtonVPN Wireguard DNS
« on: February 19, 2024, 05:47:51 pm »
Hi All,

Newbie here, although I like to think of myself as technically competent  ;)

I have managed to configure a single WG interface and route selected clients over it, but I have become a bit unstuck WRT DNS leaks. I have tried some of the suggestions at https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html#dealing-with-dns-leaks and only option 5 has been successful (I could do 4, but if the VPN goes down, I still need non-VPN devices to be able to resolve addresses).

What do I need to configure in order to be able to route DNS for all hosts in my VPN Alias to the VPN provider's DNS?

Many thanks in advance.

not_the_messiah
Re: ProtonVPN Wireguard DNS
« Reply #1 on: February 20, 2024, 10:37:03 pm »
This is driving me nuts! I've triple checked my config and I really cannot see anything wrong - I'd really appreciate some help if anyone has a solution.

cookiemonster
Re: ProtonVPN Wireguard DNS
« Reply #2 on: February 20, 2024, 10:45:19 pm »
I don't route to external VPNs, but I imagine that if you show your rules, including (disabled) the rule you created for option 4 if that's the one you want, then someone will be able to point out what might not be totally right.
You will also need to add what your DNS setup is, i.e., are you using a local one in your network, Unbound on OPN, anything else.

not_the_messiah
Re: ProtonVPN Wireguard DNS
« Reply #3 on: February 20, 2024, 11:05:52 pm »
Thanks for the reply :)

I've done a little more digging and I've found something (that I think is) interesting... When running a tracert from my machine (static lease, no DNS configured), I can see the second hop as the address of my VPN DNS (10.2.0.1). However, dnsleaktest and ipleak both report DNS leaks with this configuration.

If I update the static lease config to use the 10.2.0.1 address as DNS, then tracert still reports 10.2.0.1 as the second hop, but both sites mentioned above report no leaks.

I don't get it.

opn_nwo
Re: ProtonVPN Wireguard DNS
« Reply #4 on: February 21, 2024, 03:31:20 am »
Consider that the DNS for Proton is on a private IP 10.2.0.1. While setting up my FW rules I noticed that on this page:

https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

one of the rules only routes traffic with a destination outside the RFC1918_Networks, and that excludes access to the Proton DNS, so you need to change it or create one specifically for the DNS.

not_the_messiah
Re: ProtonVPN Wireguard DNS
« Reply #5 on: February 22, 2024, 12:36:31 am »
Yes -  the rule in step 8, right?! I've also configured this rule from the ProtonVPN guide, but it makes no difference...

https://docs.opnsense.org/manual/how-tos/wireguard-client-proton.html#protonvpn-dns-leaks

Any pointers on what rule I need to create?

not_the_messiah
Re: ProtonVPN Wireguard DNS
« Reply #6 on: February 22, 2024, 11:34:58 am »
Below are the rule definitions of all the rules I have created as a part of following the official guides.

This is my NAT rule:
Code:
      <rule>
        <source>
          <network>UK_PVPN_34_HOSTS</network>
        </source>
        <destination>
          <any>1</any>
        </destination>
        <descr/>
        <category/>
        <interface>opt5</interface>
        <tag/>
        <tagged/>
        <poolopts/>
        <poolopts_sourcehashkey/>
        <ipprotocol>inet</ipprotocol>
        <created>
          <username>XXX</username>
          <time>1708187169.4968</time>
          <description>/firewall_nat_out_edit.php made changes</description>
        </created>
        <target/>
        <targetip_subnet>0</targetip_subnet>
        <sourceport/>
        <updated>
          <username>XXX</username>
          <time>1708191104.6149</time>
          <description>/firewall_nat_out_edit.php made changes</description>
        </updated>
      </rule>

Floating Rules:

Code:
    <rule uuid="XXX">
      <type>block</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <tagged>NO_WAN_EGRESS</tagged>
      <statetype>keep state</statetype>
      <direction>out</direction>
      <floating>yes</floating>
      <quick>1</quick>
      <source>
        <any>1</any>
      </source>
      <destination>
        <any>1</any>
      </destination>
      <updated>
        <username>XXX</username>
        <time>1708187354.2587</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>XXX</username>
        <time>1708187354.2587</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule uuid="XXX">
      <type>block</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <tagged>NO_WAN_EGRESS</tagged>
      <statetype>keep state</statetype>
      <direction>out</direction>
      <floating>yes</floating>
      <quick>1</quick>
      <source>
        <any>1</any>
      </source>
      <destination>
        <any>1</any>
      </destination>
      <updated>
        <username>XXX</username>
        <time>1708187354.2587</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>XXX</username>
        <time>1708187354.2587</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>

LAN Rules:
Code:
    <rule uuid="XXX">
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <gateway>UK_PVPN_34</gateway>
      <direction>in</direction>
      <log>1</log>
      <quick>1</quick>
      <protocol>tcp/udp</protocol>
      <source>
        <address>10.2.0.1</address>
      </source>
      <destination>
        <address>RFC1918_Networks</address>
        <not>1</not>
        <port>53</port>
      </destination>
      <updated>
        <username>XXX</username>
        <time>1708596677.5377</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>XXX</username>
        <time>1708187872.924</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule uuid="XXX">
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <tag>NO_WAN_EGRESS</tag>
      <statetype>keep state</statetype>
      <gateway>UK_PVPN_34</gateway>
      <direction>in</direction>
      <quick>1</quick>
      <source>
        <address>UK_PVPN_34_HOSTS</address>
      </source>
      <destination>
        <address>RFC1918_Networks</address>
        <not>1</not>
      </destination>
      <updated>
        <username>XXX</username>
        <time>1708368610.472</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>XXX</username>
        <time>1708186855.4541</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
      <log>1</log>
    </rule>

With the first LAN rule, I have also tried with 10.2.0.2 and 192.168.1.1 with the same failures. I'm assuming it's the Destination setting (not local networks) that's causing this rule to fail, but I don't know how to work around this. I've (blindly) tried quite a few different configurations, but these either don't work, or result in me having no internet access at all  ;D
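An added illustration of the point opn_nwo raised, applied to the two LAN rules posted in the reply above (this is not code from the thread, from OPNsense, or from pf; it is a deliberately simplified first-match walk over the rule XML, ignoring interface, direction, state tracking and the default-deny policy). The alias contents, the LAN client addresses and the DNS_RULE variant are constructed for the example. It shows why a DNS query from a VPN host to 10.2.0.1 matches neither posted rule and therefore falls back to the default (WAN) route, which is exactly what a leak test reports, and how a rule that names the VPN hosts as source and the provider's resolver as destination changes the outcome.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample data (assumption, not from the thread): two LAN hosts
# assumed to be in the poster's UK_PVPN_34_HOSTS alias, plus the RFC1918
# alias that OPNsense provides.
ALIASES = {
    "UK_PVPN_34_HOSTS": ["192.168.1.50", "192.168.1.51"],
    "RFC1918_Networks": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}

# The two LAN rules from the post above, trimmed to the fields that decide a match.
POSTED_LAN_RULES = """
<rules>
  <rule>
    <type>pass</type><quick>1</quick><protocol>tcp/udp</protocol>
    <gateway>UK_PVPN_34</gateway>
    <source><address>10.2.0.1</address></source>
    <destination><address>RFC1918_Networks</address><not>1</not><port>53</port></destination>
  </rule>
  <rule>
    <type>pass</type><quick>1</quick>
    <gateway>UK_PVPN_34</gateway>
    <source><address>UK_PVPN_34_HOSTS</address></source>
    <destination><address>RFC1918_Networks</address><not>1</not></destination>
  </rule>
</rules>
"""

# Hypothetical replacement for the first rule (constructed for this example):
# VPN hosts as source, the provider's resolver 10.2.0.1:53 as destination,
# policy-routed via the WG gateway.
DNS_RULE = """
<rules>
  <rule>
    <type>pass</type><quick>1</quick><protocol>tcp/udp</protocol>
    <gateway>UK_PVPN_34</gateway>
    <source><address>UK_PVPN_34_HOSTS</address></source>
    <destination><address>10.2.0.1</address><port>53</port></destination>
  </rule>
</rules>
"""


def address_matches(spec, ip):
    """spec is an alias name, an IP literal or a CIDR; None means 'any'."""
    if spec is None:
        return True
    networks = ALIASES.get(spec, [spec])
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def endpoint_matches(ep, ip, port):
    """Evaluate a <source> or <destination> element, honouring <any>, <not> and <port>."""
    if ep is None or ep.find("any") is not None:
        return True
    addr_ok = address_matches(ep.findtext("address"), ip)
    if ep.find("not") is not None:   # 'invert' checkbox in the GUI
        addr_ok = not addr_ok
    port_spec = ep.findtext("port")
    port_ok = port_spec is None or int(port_spec) == port
    return addr_ok and port_ok


def rule_matches(rule, pkt):
    proto = rule.findtext("protocol")  # absent means any protocol
    if proto is not None and pkt["proto"] not in proto.split("/"):
        return False
    return (endpoint_matches(rule.find("source"), pkt["src"], pkt["sport"])
            and endpoint_matches(rule.find("destination"), pkt["dst"], pkt["dport"]))


def route_for(rules_xml, pkt):
    """Gateway of the first matching quick pass rule, or 'default' (the WAN route)."""
    for rule in ET.fromstring(rules_xml).findall("rule"):
        if rule.findtext("type") == "pass" and rule_matches(rule, pkt):
            return rule.findtext("gateway") or "default"
    return "default"


# Constructed traffic from a VPN host: a DNS query to the provider's resolver
# and an HTTPS request to a public address (TEST-NET-3, documentation range).
DNS_QUERY = {"src": "192.168.1.50", "sport": 53000, "dst": "10.2.0.1", "dport": 53, "proto": "udp"}
WEB_REQUEST = {"src": "192.168.1.50", "sport": 53001, "dst": "203.0.113.10", "dport": 443, "proto": "tcp"}

if __name__ == "__main__":
    print("web via posted rules :", route_for(POSTED_LAN_RULES, WEB_REQUEST))  # UK_PVPN_34
    print("dns via posted rules :", route_for(POSTED_LAN_RULES, DNS_QUERY))    # default (leaks out WAN)
    print("dns via DNS_RULE     :", route_for(DNS_RULE, DNS_QUERY))            # UK_PVPN_34
```

The first posted rule never matches because its source is the resolver's own address rather than the LAN hosts, and the second never matches a 10.x destination because the RFC1918 alias is inverted; the query therefore takes the default route and the resolver the leak test sees is whatever WAN hands out. With a rule shaped like DNS_RULE in place, the same query is policy-routed into the tunnel, while the general rule keeps handling non-RFC1918 traffic as before.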

not_the_messiah
Re: ProtonVPN Wireguard DNS
« Reply #7 on: February 23, 2024, 08:07:27 pm »
Somebody must have solved this, surely?! Apart from the config above, is there anything else I can provide that will enable further help?

cookiemonster
Re: ProtonVPN Wireguard DNS
« Reply #8 on: February 23, 2024, 10:42:23 pm »
Sorry, not much to offer with this. Maybe if you post screenshots of the relevant rules and are a little clearer on the problem. You say you have one option that works, and then a question that can't have a single answer, i.e. "What do I need to configure in order to be able to route DNS for all hosts in my VPN Alias to the VPN provider's DNS?"
But the answer to this question can't be right if the VPN tunnel goes down. Rules aren't able to apply in a variable way.

not_the_messiah
Re: ProtonVPN Wireguard DNS
« Reply #9 on: February 25, 2024, 11:54:52 am »
Thanks for the reply - really appreciate it, and I'm definitely not throwing shade at you (sorry if it comes across that way!)...

My requirements are as follows:
  • Route all traffic for selected local clients (including DNS) over the WG gateway
  • Traffic for all other hosts should route over the WAN gateway, including DNS for those hosts
  • If point (2) is not possible, then I still need the hosts covered by (2) to be able to resolve DNS in the event the WG connection goes down

I have followed the 'official' guides for setting up WG to the letter and whilst selective routing works fine, no matter what I try, I cannot solve the DNS leak issue.

not_the_messiah
Re: ProtonVPN Wireguard DNS
« Reply #10 on: February 25, 2024, 01:17:34 pm »
Quote from: opn_nwo on February 21, 2024, 03:31:20 am
Consider that the DNS for Proton is on a private IP 10.2.0.1. While setting up my FW rules I noticed that on this page:

https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

one of the rules only routes traffic with a destination outside the RFC1918_Networks, and that excludes access to the Proton DNS, so you need to change it or create one specifically for the DNS.

How did you manage to solve this please?

LovelyCupOfTea
Re: ProtonVPN Wireguard DNS
« Reply #11 on: April 02, 2024, 10:11:08 pm »
Seems you got further than me

https://forum.opnsense.org/index.php?topic=39783.0

Please can you advise if you got to the bottom of this? It feels like OPNsense WireGuard needs a self-contained VPN configuration section which creates and applies any NAT or firewall rules required for a standard set-up, a bit like on Asus Merlin. Can you see how your connection set-up varied from mine?

Not sure why Surfshark or a lot of the more technical providers like Mullvad don't create a guide themselves. I asked Mullvad, but they referred me back to the OPNsense documentation, which does not actually work even when you follow it exactly.

They said they might look at it in the future, but it definitely feels like OPNsense is missing from VPN providers' guides, especially Surfshark, where they do a guide for pretty much everything including pfSense.

jlficken
Re: ProtonVPN Wireguard DNS
« Reply #12 on: April 04, 2024, 08:28:50 pm »
I'm new to OPNsense from Untangle and am struggling with this as well.

I can get DNS to route over the ProtonVPN WireGuard tunnel; however, it's for all devices on the network, which I don't really want since it takes 200ms to reply over the tunnel rather than the 15ms it takes otherwise.

LovelyCupOfTea
Re: ProtonVPN Wireguard DNS
« Reply #13 on: April 04, 2024, 09:34:16 pm »
Save yourself the hassle.

Got myself a GL.iNet Flint 2 running OpenWrt. Took me all of about 5 min to get a WireGuard tunnel for the whole network set up, even with the odd static IP exclusion.

In OPNsense and pfSense doing this is way overly complicated.

Flint 2 can do just under 1 Gbps WireGuard and my local LAN speeds were good, so I think the NAT acceleration issue with Asus routers slowing the local LAN when WireGuard is enabled must be an Asus issue.

Had two of these Flint 2 routers running for a couple of days at two locations and so far so good. Brilliant WireGuard throughput.

Hope this helps, albeit not the answer you might be wanting.

jlficken
Re: ProtonVPN Wireguard DNS
« Reply #14 on: April 05, 2024, 02:17:46 am »
I got it working!!!!

It involves setting up the WG tunnels correctly and a Port Forward rule; however, it's working beautifully on my devices.

WireGuard Instance Config:

Gateway Config Overview:

Gateway Config Detail:

Aliases:

Port Forward Rule:
« Last Edit: April 16, 2024, 03:28:15 pm by jlficken »