OPNsense Forum
»
English Forums
»
General Discussion
»
Unbound dns through wireguard VPN
Topic: Unbound dns through wireguard VPN (Read 242 times)
FredFresh (Jr. Member, Posts: 63, Karma: 1)
Unbound dns through wireguard VPN, on: October 24, 2024, 06:42:16 pm
Hi,
After several tries and reading other forums, I am here to seek help.
I have a working WireGuard VPN connection and I would like to send everything coming out of the firewall through it. How should I proceed?
Following the official guide, I created what is needed to tunnel all the subnets, but it leaves out everything that is managed directly by the firewall, like the Unbound DNS requests to the authoritative DNS servers.
I tried to change "Outgoing Network Interfaces" to only the VPN gateway, but it doesn't seem to work.
Thanks
Last Edit: October 24, 2024, 06:47:53 pm by FredFresh
dseven (Full Member, Posts: 209, Karma: 25)
Re: Unbound dns through wireguard VPN, Reply #1 on: October 25, 2024, 10:12:10 am
I assume you're using some VPN service, and want everything (all internet access) to go through it?
What "official guide" did you follow?
FredFresh (Jr. Member, Posts: 63, Karma: 1)
Re: Unbound dns through wireguard VPN, Reply #2 on: October 25, 2024, 10:18:18 am
Hi, I used the official guide in the OPNsense web documentation:
https://docs.opnsense.org/manual/how-tos/wireguard-client-proton.html
dseven (Full Member, Posts: 209, Karma: 25)
Re: Unbound dns through wireguard VPN, Reply #3 on: October 25, 2024, 10:32:40 am
In step 3, checking "Disable Routes" would prevent adding routes offered by the VPN provider to OPNsense's routing table, which is not what you want. I've not tried this setup myself, but if you're feeling brave, try unchecking that and see how it goes.
FredFresh (Jr. Member, Posts: 63, Karma: 1)
Re: Unbound dns through wireguard VPN, Reply #4 on: October 25, 2024, 11:24:49 am
Thank you, I will try, but should I also add specific rules on the WAN interface and a NAT rule?
dseven (Full Member, Posts: 209, Karma: 25)
Re: Unbound dns through wireguard VPN, Reply #5 on: October 25, 2024, 11:45:59 am
I don't think you'd need any additional rules. Traffic from the firewall itself wouldn't need to be NAT'ed.
There may be other consequences of not disabling the addition of routes; beware.
FredFresh (Jr. Member, Posts: 63, Karma: 1)
Re: Unbound dns through wireguard VPN, Reply #6 on: October 25, 2024, 12:22:09 pm
Previously I tried to create a rule on the WAN interface for outgoing connections to be redirected to the VPN gateway, but it wasn't working.
As you suggested, how does the system decide to route outgoing connections from the WAN towards the VPN gateway?
dseven (Full Member, Posts: 209, Karma: 25)
Re: Unbound dns through wireguard VPN, Reply #7 on: October 25, 2024, 12:27:32 pm
You can't use a firewall rule to specify a gateway for traffic originating from the firewall itself. The firewall itself uses its routing table. When the VPN connection is established, it should add entries to the routing table, based on what routes the VPN server advertises, unless you tell it not to by checking that "Disable Routes" option... which is why I'm suggesting unchecking it.....
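A small routing lookup, added here as an illustration (it is not from the thread or from OPNsense's own code), that demonstrates the point made in the reply above: a query that Unbound sends from the firewall itself is steered only by the kernel routing table, so it leaves via the WAN unless the tunnel installs a default route. The interface names, the documentation-range addresses and the way the provider's default route is modelled (a 0.0.0.0/0 route into the tunnel plus a host route keeping the endpoint on the WAN) are assumptions for the example.

```python
# Added example, not from the thread or from OPNsense: a longest-prefix-match
# lookup over a constructed FreeBSD-style routing table. It shows why traffic
# the firewall itself originates (e.g. Unbound's upstream queries) follows the
# routing table alone and ignores interface firewall rules and gateway groups.
import ipaddress

# Constructed interface names and addresses (documentation ranges); these are
# assumptions for the example, not the poster's real configuration.
WAN_IF, LAN_IF, VPN_IF = "vtnet0", "vtnet1", "wg0"
ISP_GW = "203.0.113.1"          # ISP next hop on the WAN
VPN_ENDPOINT = "198.51.100.7"   # provider's WireGuard endpoint (assumed)
VPN_GW = "10.2.0.1"             # next hop inside the tunnel (assumed)

def routing_table(vpn_routes_installed):
    """Return (prefix, gateway, interface) rows. With vpn_routes_installed
    False the table matches 'Disable Routes' checked: only the ISP default."""
    table = [
        ("192.168.1.0/24", None, LAN_IF),     # LAN, directly connected
        ("203.0.113.0/24", None, WAN_IF),     # WAN subnet
        ("10.2.0.0/16", None, VPN_IF),        # tunnel network
    ]
    if vpn_routes_installed:
        # Provider advertises 0.0.0.0/0: the default now points into the
        # tunnel, and a host route keeps the encrypted transport on the WAN.
        table.append(("0.0.0.0/0", VPN_GW, VPN_IF))
        table.append((VPN_ENDPOINT + "/32", ISP_GW, WAN_IF))
    else:
        table.append(("0.0.0.0/0", ISP_GW, WAN_IF))
    return table

def egress(table, destination):
    """Longest-prefix match: the most specific matching row wins."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, gateway, ifname in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, ifname)
    if best is None:
        raise LookupError("no route to %s" % destination)
    return best[2]

AUTH_NS = "192.0.2.53"   # constructed authoritative nameserver address

def unbound_query_path(vpn_routes_installed):
    """Interface a firewall-originated query to AUTH_NS would leave on."""
    return egress(routing_table(vpn_routes_installed), AUTH_NS)
```

With the tunnel's routes installed the query leaves on wg0 while the WireGuard endpoint itself is still reached over the WAN; with "Disable Routes" checked it leaves on the WAN, which is exactly the DNS leak the thread is about.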
FredFresh (Jr. Member, Posts: 63, Karma: 1)
Re: Unbound dns through wireguard VPN, Reply #8 on: October 25, 2024, 05:27:23 pm
Hi @dseven, I disabled that flag, but still the traffic from the firewall is going through the WAN and standard ISP connection.
dseven (Full Member, Posts: 209, Karma: 25)
Re: Unbound dns through wireguard VPN, Reply #9 on: October 25, 2024, 08:43:57 pm
I assume you reconnected the VPN after changing that. It may be that your VPN provider doesn't advertise a default route, although that'd be a bit surprising....
FredFresh (Jr. Member, Posts: 63, Karma: 1)
Re: Unbound dns through wireguard VPN, Reply #10 on: October 25, 2024, 08:49:52 pm
The VPN gateway was marked as default, but nothing to do. I also restarted the firewall.
FredFresh (Jr. Member, Posts: 63, Karma: 1)
Re: Unbound dns through wireguard VPN, Reply #11 on: October 26, 2024, 01:27:26 pm
My configuration is basically the following:
3 VPNs with Proton;
1 gateway group with the 3 VPNs and the WAN as last;
the routing (NAT + firewall rules) is according to the OPNsense guide, but the destination is the gateway group in order to have something similar to a multi-WAN system with automatic switching between the VPNs and the WAN (in case a gateway is offline, the next one is used).
This configuration works perfectly with the sub-LANs, but it doesn't with what exits from the WAN.
Was someone able to route something going out from the WAN interface to the VPN gateways?
Thanks
FredFresh (Jr. Member, Posts: 63, Karma: 1)
Re: Unbound dns through wireguard VPN, Reply #12 on: October 26, 2024, 04:34:25 pm
Could someone kindly explain to me what steps I should implement to do this:
Assuming you have configured DHCP static mappings in OPNsense for the hosts using the tunnel, specify in that configuration either the DNS servers supplied by your VPN provider (see note below), or public DNS servers. This will override the network-wide DNS settings for those hosts
Configure public DNS servers for your whole local network, rather than local DNS servers
taken from
https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html
(steps 3 and 4 to avoid a DNS leak)
Thanks