[SOLVED] Help with Unbound DNS' interaction with 2 ProtonVPN tunnels (DNS leaks)

[eldee]

Hey folks,

I am a recent user of OPNSense, who needs help with Unbound DNS and its interaction with my two ProtonVPN tunnels.

I have been trying to setup my new router to achieve the following goals.

• protect clients on 192.169.14.0 with one wireguard tunnel to the ProtonVPN endpoint in Denmark.
• protect clients on 192.169.13.0 with another wireguard tunnel to the ProtonVPN endpoint in Italy.
• ensure that all other clients in different subnets can access the internet through WAN *and* their DNS needs are served exclusively by UnboundDNS configured as resolver. I.e. I do not want to use ISP DNSes nor ones coming from Google, or others.
• It is important that clients on both subnets protected by ProtonVPN do not leak the ISP DNS, while accessing the internet.

For 1. and 2. effectively I followed https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html#dealing-with-dns-leaks as general setup, and what truly made it work for two wireguard tunnels to ProtonVPN was following both https://www.reddit.com/r/ProtonVPN/s/NrZUVYqARH and what jlficken@ recommended here: https://forum.opnsense.org/index.php?topic=38911.msg195192#msg195192

For 3. I followed https://homenetworkguy.com/how-to/confused-about-dns-configuration-in-opnsense/ for general understanding of how OPNSense offers knobs to configure DNS, and I then proceeded configuring the system based on that understanding.

I seem to be failing in achieving 4. and here are my brief observations:

• when a client connects from an address on 192.169.14.xxx, or 192.169.13.xxx, they are correctly routed through the ProtonVPN endpoint and have access to the internet... but they leak my ISP DNS.
• If I do the same test, but *after* I have manually stopped Unbound in the OPNSense UI (pressing the "Stop" button), then I do not have leaks anymore and dnsleakstest.com correctly lists the ProtonVPN dns.

This seems to suggest that I misconfigured my system (Unbound? Firewall? NAT?), but I do not know exactly how to find nor resolve the issue.
Any suggestions?

My configuration is below, I tried to redact either private information, or experiments that I currently have disabled, to avoid confusion.

Thank you in advance for the help!

Services-Unbound DNS-General


Services-ISC DHCPv4-[LAN]


System-Gateways-Configuration


VPN-Wireguard-ProtonVPN_Denmark_Peer1


VPN-Wireguard-ProtonVPN-Denmark


Firewall-Settings-Advanced


Firewall-Rules-LAN


Firewall-Rules-Floating-WAN_ProtonVPN_Denmark-Routing


Firewall-Rules-Floating


Firewall-NAT-Outbound


Firewall-NAT-One-to-One


Firewall-NAT-Port Forward


Firewall-Aliases


Interfaces-Virtual IPs


Interfaces-Overview


System-Settings-General

[newsense]

The whole point of having a firewall is to controll traffic. A revolving door set of policies makes it no more useful than an off the shelf router.


Let's talk Lan rules:

1) Allow Alias to Alias - do whatever you want on whatever port GW 1
2) Allow Alias to Alias - do whatever you want on whatever port GW 2

3) Allow Alias to not_RFC1918 - do whatever you want on whatever port GW 1
4) Allow Alias to not_RFC1918 - do whatever you want on whatever port GW 2

5) Allow LAN IPv4 to ANY - do whatever you want on whatever port - ANY GW
6) Allow LAN IPv6 to ANY - do whatever you want on whatever port - ANY GW



The better ruleset would look like this

1-2)  Port FW rule, TCP/UDP, source (v)LANs, destination ANY destination port 53 - redirect to 127.0.0.1 port 53 (Unbound rule)

Configure Unbound as needed, preferably with DNS over TLS only -- and you don't have to use the Proton DNS IPs (it's in their docs actually if you read it carefully)

3) Allow TCP Alias_IPS_For_GW1 to ANY DPort Alias-Ports(80,443) GW1
4) Allow TCP Alias_IPS_For_GW2 to ANY DPort Alias-Ports(80,443) GW2

Similar rules as 3-4 should exist on other VLANs as needed, depending on what the source or source alias is.


5-6) No such rules should exist on your FW

Any other rules can be added before or after 3-4 rules, depending on which IPs it applies to and what the destination/port is.

[eldee]

I appreciate the reply, but I am not sure I completely understand. This is certainly due to my ignorance, so please bear with me.

3) Allow TCP Alias_IPS_For_GW1 to ANY DPort Alias-Ports(80,443) GW1
4) Allow TCP Alias_IPS_For_GW2 to ANY DPort Alias-Ports(80,443) GW2

I don’t understand this rule. For my setup is the configuration below what you meant?

• action: Allow
• interface: ? ? ?
• protocol: TCP
• source: 10.2.1.1
• destination: ANY
• destination ports: 80,443
• gateway: 10.2.1.1

Which interface should I use from my example? WAN_ProtonVPNDenmark and a separate similar rule for WAN_ProtonVPNItaky? Or LAN?
Note: I am using subnets on the LAN, I do not use VLANs

Why only ports 80 and 443?

1-2)  Port FW rule, TCP/UDP, source (v)LANs, destination ANY destination port 53 - redirect to 127.0.0.1 port 53 (Unbound rule)

This seems a NAT Port forward rule that does two things

• it replaces my two port forward rules specifically doing the same for each of the subnets independently, forwarding DNS requests towards their respective protonVPN DNS (which for Proton happens to be the same for all tunnels).
• it explicitly forwards other DNS requests from the rest of my LAN (not 192.169.(13|14).0) to the local Unbound DNS resolver.

Why do I need to do 2. explicitly? (Sorry again if this is trivial, I am trying to learn.)

More general follow ups to your reply:

• Can you explain what you mean by my configuration having revolving door set of policies?
• Also, how avoiding the use of the ProtonVPN DNS, helps me understand why Unbound seems to take precedence in resolving names for clients in the vpn protected subnets, despite having rules that redirect DNS traffic to the ProtonVPN DNS for those cases. And why things work (or seem to) work as expected when I disable Unbound?
• To your comment about DNS over TLS, I didn’t venture into using DNS over TLS yet (it is on the todo list). Given that, I wonder if the issue I am having could be resolved withoutt using DNS over TLS.

Again thank you in advance for all the help, and for going through my config.
I am trying to learn by reading and doing, so I apologize if my questions are too trivial, and if that is the case, feel free to redirect me to existing tutorials that I may have missed, covering a similar setup.

Cheers!
[/list][/list]

[DEC670airp414user]

your second screen shot under DNS is empty..
at 10.2.0.1 and reboot those devices and do a dns leakiest

or whatever DNS server proton uses now for their wireguard tunnels

[eldee]

your second screen shot under DNS is empty..

That is empty by design. I only want to use ProtonDNS for clients on the 13 and 14 subnets. For all other subnets I want to be able to use Unbound as resolver. Do you see a reason why this setup cannot work?

[eldee]

For future reference, I found out the issue with my configuration. 

I had to disable ipv6 on the WAN interface (I set Interfaces>[WAN]->IPv6 Configuration Type to “None”). It seems that my system’s ipv6 configuration (or lack of) was causing the DNS leak. As soon as I disabled it, everything started working as expected.

I wish I had a better understanding of why exactly this caused the leak.. In other words how does OPNSense prioritize firewall rules between ipv4 and ipv6 stacks, when your ISP assigns to your router one address per stack?