Wireguard with 2 ProtonVPN tunnels and unbound - issues

Started by sdsfgd, October 18, 2024, 08:13:14 PM

Hi all,
I am trying to set up 2 WireGuard ProtonVPN tunnels, with unbound as the DNS resolver. I have several VLANs in interface groups: one group for outbound traffic with VPN and one without (the WAN group does not use unbound). The VPNs are in a gateway group, one main tunnel, the other backup.

I put together, by copying and pasting from the various guides I followed, the steps I took, but it is incomplete; the DNS firewall rule is missing.

Issues

  • Gateways: Whenever I restart OPNsense, the gateways are offline. I have to press edit on the second one, save without making any changes, and apply, then they show as online. No changes are made. Before this I get the errors in the attachments.
  • DNS: I have no idea what rule I need to avoid DNS leaks. I've tried several rules from various guides but none seemed to work.

For the WireGuard instances, they seem to work, but a few things are unclear:

  • MTU: I'm using 1420 but I've also seen 1412 and other options. How do I know what I need?
  • Tunnel Address: I'm using /32 but have also seen /30 and /28. I'm not clear how this works and what I should use.

Note: I am also using a pi-hole. I have the DNS of the pi-hole set for the vlan DNS, and pi-hole has the opnsense unbound as DNS.

Thanks for any help!!

__________________________

Step 1 - Download ProtonVPN configurations

Config 1 example

[Interface]
.......
PrivateKey = *****
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
.....
PublicKey = *****
AllowedIPs = 0.0.0.0/0
Endpoint = 11.11.11.11:51820


Config 2 example

[Interface]
.......
PrivateKey = *****
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
.....
PublicKey = *****
AllowedIPs = 0.0.0.0/0
Endpoint = 22.22.22.22:51820


Step 2 - Generate public keys from private keys

ProtonVPN, unlike Mullvad or other WG implementations, only provides a private key. The private key appears briefly when generating the configuration in the web UI. The public key will be derived from the private key with the "wg pubkey" command.
Run the command for both configs, feeding it the PrivateKey from the [Interface] section on stdin (wg pubkey reads the private key from standard input):
echo '<PrivateKey>' | wg pubkey


Step 3 - Setup WireGuard Instances

  • Go to VPN ‣ WireGuard ‣ Instances
  • Click + to add a new Instance configuration
  • Turn on "advanced mode"
  • Configure the Instances from the downloaded ProtonVPN configurations as follows (if an option is not mentioned below, leave it as the default):
    Enabled: Checked
    Name: Call it whatever you want, like the exit country (eg CH60)
    Public Key: Insert the derived PublicKey from the previous step
    Private Key: Insert the PrivateKey field from the [Interface] section
    Listen Port: A unique port, 51820 or above
      51820 for the first instance
      51821 for the second
    MTU: Needs to be 80 bytes shorter than the normal MTU. Default 1420 (1500 - 80 = 1420?)
      1420
      Some suggest 1412?
    DNS Server: Leave blank
    Tunnel Address: Insert the Address field from the [Interface] section in CIDR format
      10.2.0.2/32 for the first instance
      10.3.0.2/32 for the second instance
      Some suggest /30 or /28?
    Peers: Leave blank for now
    Disable Routes: Checked
    Gateway: Tunnel address -1
      10.2.0.1 for the first instance
      10.3.0.1 for the second instance
  • Save the Instance configuration, and then click Apply

Step 4 - Setup WireGuard Peers

  • Go to VPN ‣ WireGuard ‣ Peers
  • Click + to add a new Peer
  • Configure the Peer from the downloaded ProtonVPN configuration as follows (if an option is not mentioned below, leave it as the default):
    Enabled: Checked
    Name: Call it whatever you want, like the exit country (eg CA60)
    Public Key: Insert the PublicKey field from the [Peer] section
    Allowed IPs: 0.0.0.0/0
    Endpoint address: Insert the IP address from the Endpoint field in the [Peer] section
    Endpoint port: Insert the port number from the Endpoint field in the [Peer] section
      51820 for both
    Instances: Select the instance configured in the previous step
    Keepalive interval: 25
  • Save the Peer configuration, and then click Apply

Step 5 - Turn on WireGuard

Turn on WireGuard under VPN ‣ WireGuard ‣ Instances ‣ Enable WireGuard ‣ Checked

Step 6 - Assign interfaces to WireGuard and enable them

  • Go to Interfaces ‣ Assignments
  • In the Device dropdown under "Assign a new interface", select the WireGuard device (e.g. wg1 and wg2)
  • Add a description (e.g. VPN0 for the first and VPN1 for the second)
  • Press Add to add it, then click Save
  • Then select your new interfaces under the Interfaces menu
  • Configure each as follows (if an option is not mentioned below, leave it as the default):
    Enable: Checked
    Lock: Checked
    Description: Same as under Assignments, if this box is not already populated
    IPv4 Configuration Type: None
    IPv6 Configuration Type: None
  • Save the interface configuration and then click Apply changes
  • Restart WireGuard

Step 7 - Create gateways

  • Go to System ‣ Gateways ‣ Configuration
  • Click Add
  • Configure the gateway as follows (if an option is not mentioned below, leave it as the default):
    Name: Name them the same as the interfaces
      VPN0
      VPN1
    Description: Add one if you wish to
    Interface: Select the newly created interfaces in the dropdown
    Address Family: Select IPv4 in the dropdown
    IP address: Insert the gateway IP that you configured under the WireGuard Instance configuration
      10.2.0.1 for the first instance
      10.3.0.1 for the second instance
    Far Gateway: Checked
    Disable Gateway Monitoring: Unchecked
    Disable Host Route: Checked
    Monitor IP: Insert the Endpoint IP from the config file
  • Save the gateway configuration and then click Apply changes

Step 8 - Gateway Group

  • Navigate to System ‣ Gateways ‣ Group and click Add
    Group Name: VPN_GROUP
    VPN0: Tier 1
    VPN1: Tier 2 (failover)
    Trigger Level: Packet Loss or High Latency

It's also possible to configure load balancing by putting multiple interfaces into the same tier.

Step 9 - Create Interface Groups
Requires the VLANs to be already set up. We use interface groups to apply policies to multiple interfaces at once and reduce the number of required firewall rules significantly.

  • Navigate to Firewall ‣ Groups and add the following interface groups:
    IG_OUT_WAN
      Name: IG_OUT_WAN
      Description: Interfaces allowing outbound WAN traffic
      Members: Select the VLANs that will not go through the VPN
    IG_OUT_VPN
      Name: IG_OUT_VPN
      Description: Interfaces allowing outbound VPN traffic
      Members: Select the VLANs that will go through the VPN

Step 10 - Firewall Rules

1. RFC1918 Alias

  • First go to Firewall ‣ Aliases
  • Click + to add a new Alias
  • Configure the Alias as follows (if an option is not mentioned below, leave it as the default):
    Enabled: Checked
    Name: RFC1918
    Type: Select Network(s) in the dropdown
    Content:
      Option 1: 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12
      Option 2: select all opt networks and lan network
    Description: All local networks
  • Save the Alias, and then click Apply

2. Traffic through WireGuard rule

  • Then go to Firewall ‣ Rules ‣ IG_OUT_VPN
  • Click Add to add a new rule
  • Configure the rule as follows (if an option is not mentioned below, leave it as the default):
    Action: Pass
    Quick: Checked
    Interface: IG_OUT_VPN
    Direction: in
    TCP/IP Version: IPv4
    Protocol: any
    Source / Invert: Unchecked
    Source: IG_OUT_VPN net
    Destination / Invert: Checked
    Destination: Select the RFC1918 Alias you created above in the dropdown
    Destination port range: any
    Description: wireguard
    Gateway: Select the gateway group you created above, VPN_GROUP
    Set local tag: NO_WAN_EGRESS (the NO_WAN_EGRESS local tag will be used by the killswitch to prevent traffic leaking out if a tunnel is down)
  • Save the rule, and then click Apply Changes
  • Then make sure that the new rule is above any other rule on the interface that would otherwise interfere with its operation. For example, you want your new rule to be above the "Default allow LAN to any" rule

3. *.local addresses rule
Requires the mDNS Repeater plugin. Install it and activate it on the interfaces using the VPN.

  • Click Add to add a new rule
  • Configure the rule as follows (if an option is not mentioned below, leave it as the default):
    Action: Pass
    Quick: Checked
    Interface: IG_OUT_VPN
    Direction: in
    TCP/IP Version: IPv4
    Protocol: UDP
    Source / Invert: Unchecked
    Source: IG_OUT_VPN net
    Destination / Invert: Unchecked
    Destination: 224.0.0.251/24
    Destination port range: for both from and to select (other) 5353
    Description: Allow multicast mDNS traffic
  • Save the rule, and then click Apply Changes

4. DNS rule
???

5. Killswitch rule

  • Go to Firewall ‣ Rules ‣ IG_OUT_VPN
  • Click Add to add a new rule
  • Configure the rule as follows (if an option is not mentioned below, leave it as the default). You need to click the Show/Hide button next to "Advanced Options" to reveal the last setting:
    Action: Block
    Quick: Checked
    Interface: IG_OUT_VPN
    Direction: out
    TCP/IP Version: IPv4
    Protocol: any
    Source / Invert: Unchecked
    Source: any
    Destination / Invert: Unchecked
    Destination: any
    Destination port range: any
    Description: Killswitch
    Match local tag: NO_WAN_EGRESS
  • Save the rule, and then click Apply Changes

Step 11 - Create outbound NAT rules

  • Go to Firewall ‣ NAT ‣ Outbound
  • Select "Hybrid outbound NAT rule generation" if it is not already selected, and click Save and then Apply changes
  • Click Add to add a new rule
  • Configure the rule as follows (if an option is not mentioned below, leave it as the default):
    Interface: Select the interface for your WireGuard VPN
      VPN0
      VPN1
    TCP/IP Version: IPv4
    Protocol: any
    Source invert: Unchecked
    Source address: IG_OUT_VPN net
    Source port: any
    Destination invert: Unchecked
    Destination address: any
    Destination port: any
    Translation / target: Interface address
  • Save the rule, and then click Apply changes


Hi there, I'm not able to solve your problem, but I just wanted to make a few observations:

1) MTU standard value is 1420, but if your connection is PPPoE then use 1412.

2) Step 3 (instances) - don't use 51820 as it's default port of each peer.

3) Step 4 (DNS) - I don't use Unbound but the ProtonVPN DNS server, that is 10.2.0.1, with a port forward.

4) Step 5 (killswitch) - the documentation states to set it up as a floating rule, so no idea why you're using the IG_OUT_VPN interface instead...

Thanks!

1) With PPPoE, do you mean if I have devices connected to the VLANs in this group that use PPPoE, I should change the MTU, or if my OPNsense device is PPPoE? For example my pi-hole is powered by ppoe

2) Yes I am using 51820 and 51821

3) For the moment I have enabled Query Forwarding to the System Nameservers (quad9) in unbound and it seems I no longer have leaks, but I don't think this is good. I may change it to simply use the ProtonVPN DNS without unbound like you if I can't get it to work.

4) As a floating rule, it seemed to affect the VLANs that are not on the VPN too, blocking them. Not sure it is correct, but since the killswitch is just for the VLANs in that group, I put it there.

I have also added the top 2 rules since putting together the steps (see attachment). Given that the VLANs in the group cannot reach other VLANs, I needed to give access to pi-hole and unbound.

Hi, I have your configuration almost working (just one issue that I am trying to solve).
Let me ask a question: which priority did you set in the gateways? The WAN shall be the same or higher than the others (lower number).

Also, the IP to be used inside the gateway configuration is not the endpoint provided inside the config file! That is a public IP; instead you need the IP inside the VPN network (for details have a look again at the guide).

Hi,

You mean in the gateway group? I have it set to never for wan, see attachment.

Regarding the gateway IP, I'm a bit confused: how do I determine the one for ProtonVPN? It says to use traceroute, but I'm not clear on what to look for.


Hi, actually I was referring to the more general gateway page System/gateway/configuration.
On this page, which priority did you give to each one?

Still on this page, if you go into the detailed configuration of one of the Proton gateways, there is a "MONITOR IP" box; which value did you use there? Try to use something like 9.9.9.9 (Quad9 DNS server).

Ah sorry, misunderstood. They are both set to 255.
I also tried putting the Quad9 IPs in the monitor IPs (9.9.9.9 and 149.112.112.112), but the gateways were still offline until I pressed apply again.

Try to set the WAN to a higher priority. The WAN gateway is online, correct?

Hi, I just wanted to know if someone could tell me what I need to do if I wanted to route all internal DNS requests (xyz.localhub) to unbound (overrides) and the rest to Proton's DNS server (10.2.0.1)? Thank you!