Unbound dns through wireguard VPN

[FredFresh]

Hi,
after several tries and reading of other forums I am here to seek help.

I have a working wireguard vpn connection and I would like to send through it anything coming out from the firewall, how should I proceed?

Following the official guide, I created what is needed to tunnel all the subnets but It remains everything that is managed diretly by the firewall, like the unbound dns request to the authoritative DNS server.

I tried to change  "Outgoing Network Interfaces" to only the VPN gateway, but it doesn't seem working.

Thanks

[dseven]

I assume you're using some VPN service, and want everything (all internet access) to go through it?

What "official guide" did you follow?

[FredFresh]

Hi, I used the official guide on opnsense webguide.

https://docs.opnsense.org/manual/how-tos/wireguard-client-proton.html

[dseven]

In step 3, checking "Disable Routes" would prevent adding routes offered by the VPN provider to OPNsense's routing table, which is not what you want. I've not tried this setup myself, but if you're feeling brave, try uncheckig that and see how it goes.

[FredFresh]

Thank you I will try, but should I also add specific rules on the wan interface and a nat rule?

[dseven]

I don't think you'd need any additional rules. Traffic from the firewall itself wouldn't need to be NAT'ed.

There may be other consequences of not disabling addition of routes - beware

[FredFresh]

Previously i tried to create a rule on wan interface, out connections to be redirected to vpn gateway but wasn't working.

As you suggested, how the system define to route outgoing connection from wan towards the von gateway?

[dseven]

You can't use a firewall rule to specify a gateway for traffic originating from the firewall itself. The firewall itself uses its routing table. When the VPN connection is established, it should add entries to the routing table, based on what routes the VPN server advertises, unless you tell it not to by checking that "Disable Routes" option... which is why I'm suggesting unchecking it.....

[FredFresh]

Hi @dseven, I disabled that flag, but still the traffic from the firewall is going through the WAN and standard ISP connection.

[dseven]

I assume you reconnected the VPN after changing that. It may be that your VPN provider doesn't advertise a default route, although that'd be a bit surprising....

[FredFresh]

The vpn gateway was marked as default, but nothing to do. I also restarted the firewall.

[FredFresh]

My configuration is basically the following:
3 VPNs with proton
1 Gateway group with the 3 vpn and the wan as last;
the routing (NAT+firewall rules) are according to the opnsense guide, but the destination is the gateway group in order to have something similar to a multi-wan system with automatic switch between the VPNs and the WAN (in case the gateway is offline, the next one is used).

This configuration work perfectly with the sub-lans, but it doesn't with what exit from the WAN.

Was someone able to route something going out from WAN interface to the VPN gateways?
Thanks

[FredFresh]

Someone could kindly explain to me what steps should I implement to do this:

Assuming you have configured DHCP static mappings in OPNsense for the hosts using the tunnel, specify in that configuration either the DNS servers supplied by your VPN provider (see note below), or public DNS servers. This will override the network-wide DNS settings for those hosts

Configure public DNS servers for your whole local network, rather than local DNS servers

taken from https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html (steps 3 and 4 to avoid dns leak)

thanks

[hushcoden]

Someone could kindly explain to me what steps should I implement to do this:

Assuming you have configured DHCP static mappings in OPNsense for the hosts using the tunnel, specify in that configuration either the DNS servers supplied by your VPN provider (see note below), or public DNS servers. This will override the network-wide DNS settings for those hosts

Configure public DNS servers for your whole local network, rather than local DNS servers

taken from https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html (steps 3 and 4 to avoid dns leak)

thanks

Just go to Services -> ISC DHCPv4 -> LAN and either select a single host or the entire LAN and type your preferred DNS servers IP addresses in the option DNS servers

[FredFresh]

I do not understand how this could resolve the routing issue through the vpn.
That settings only specify the external dns ip...isn't it?