Unbound dns through wireguard VPN

Started by FredFresh, October 24, 2024, 06:42:16 PM

October 24, 2024, 06:42:16 PM Last Edit: October 24, 2024, 06:47:53 PM by FredFresh
Hi,
After several tries and reading other forums, I am here to seek help.

I have a working WireGuard VPN connection and I would like to send anything coming out of the firewall through it. How should I proceed?

Following the official guide, I created what is needed to tunnel all the subnets, but everything that is managed directly by the firewall remains, like the Unbound DNS requests to the authoritative DNS server.

I tried to change "Outgoing Network Interfaces" to only the VPN gateway, but it doesn't seem to work.

Thanks

I assume you're using some VPN service, and want everything (all internet access) to go through it?

What "official guide" did you follow?


In step 3, checking "Disable Routes" would prevent adding routes offered by the VPN provider to OPNsense's routing table, which is not what you want. I've not tried this setup myself, but if you're feeling brave, try unchecking that and see how it goes.

Thank you, I will try, but should I also add specific rules on the WAN interface and a NAT rule?

I don't think you'd need any additional rules. Traffic from the firewall itself wouldn't need to be NAT'ed.

There may be other consequences of not disabling addition of routes - beware ;)

Previously I tried to create a rule on the WAN interface for outbound connections to be redirected to the VPN gateway, but it wasn't working.

As you suggested, how does the system decide to route outgoing connections from the WAN towards the VPN gateway?

You can't use a firewall rule to specify a gateway for traffic originating from the firewall itself. The firewall itself uses its routing table. When the VPN connection is established, it should add entries to the routing table, based on what routes the VPN server advertises, unless you tell it not to by checking that "Disable Routes" option... which is why I'm suggesting unchecking it...
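One way to check the point made above, as an added example that is not from the thread or from OPNsense: the firewall's own traffic goes wherever the routing table sends it, so `route -n get <dns-server-ip>` on the OPNsense shell shows which interface Unbound's upstream queries will leave on. The script below parses that output (from constructed samples here, so it runs offline) and flags whether the path is a WireGuard interface; the interface names, the 10.2.0.1 peer and the 203.0.113.x addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the firewall's own traffic (including
# Unbound's upstream queries) follows the routing table, so ask the kernel which
# path it would take with `route -n get <dns-ip>` (FreeBSD/OPNsense) and check
# whether that path is a WireGuard interface. Names/addresses below are assumed.
# Print one field ("interface", "gateway", ...) from `route -n get` output on stdin.
route_field() {
    awk -v key="$1:" '$1 == key { print $2; exit }'
}

# Classify a route: "vpn" if the egress interface matches the tunnel glob
# (default wg*), "leak" if it is any other interface, "unknown" if not found.
#   $1 = text of `route -n get <ip>`   $2 = optional glob for tunnel interfaces
classify_route() {
    _pat="${2:-wg*}"
    _if=$(printf '%s\n' "$1" | route_field interface)
    case "$_if" in
        "")     echo "unknown"; return 2 ;;
        $_pat)  echo "vpn";     return 0 ;;
        *)      echo "leak";    return 1 ;;
    esac
}

# Constructed sample 1: the default route still points at the ISP uplink (igb0),
# which is the situation described in the thread (DNS leaves via WAN).
SAMPLE_WAN='   route to: 203.0.113.53
destination: default
       mask: default
    gateway: 203.0.113.1
        fib: 0
  interface: igb0
      flags: <UP,GATEWAY,DONE,STATIC>'

# Constructed sample 2: a default route pushed by the VPN peer via wg0.
SAMPLE_VPN='   route to: 203.0.113.53
destination: default
       mask: default
    gateway: 10.2.0.1
        fib: 0
  interface: wg0
      flags: <UP,GATEWAY,DONE,STATIC>'

# Stand-alone demo; on a real box use: classify_route "$(route -n get 203.0.113.53)"
for s in "$SAMPLE_WAN" "$SAMPLE_VPN"; do
    printf '%s via %s -> %s\n' \
        "$(printf '%s\n' "$s" | route_field interface)" \
        "$(printf '%s\n' "$s" | route_field gateway)" \
        "$(classify_route "$s" || :)"
done
```

Run it against the real `route -n get` output for each upstream resolver Unbound uses; a "leak" result means those queries bypass the tunnel regardless of any firewall rule.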

Hi @dseven, I disabled that flag, but still the traffic from the firewall is going through the WAN and standard ISP connection.

I assume you reconnected the VPN after changing that. It may be that your VPN provider doesn't advertise a default route, although that'd be a bit surprising....

The VPN gateway was marked as default, but no luck. I also restarted the firewall.

My configuration is basically the following:
3 VPNs with Proton;
1 gateway group with the 3 VPNs and the WAN as last;
the routing (NAT + firewall rules) is according to the OPNsense guide, but the destination is the gateway group, in order to have something similar to a multi-WAN system with automatic switching between the VPNs and the WAN (in case a gateway is offline, the next one is used).

This configuration works perfectly with the sub-LANs, but it doesn't with what exits from the WAN.

Was someone able to route something going out from WAN interface to the VPN gateways?
Thanks

Could someone kindly explain to me what steps I should implement to do this:

Assuming you have configured DHCP static mappings in OPNsense for the hosts using the tunnel, specify in that configuration either the DNS servers supplied by your VPN provider (see note below), or public DNS servers. This will override the network-wide DNS settings for those hosts

Configure public DNS servers for your whole local network, rather than local DNS servers

taken from https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html (steps 3 and 4 to avoid DNS leaks)

thanks

Quote from: FredFresh on October 26, 2024, 04:34:25 PM
Could someone kindly explain to me what steps I should implement to do this:

Assuming you have configured DHCP static mappings in OPNsense for the hosts using the tunnel, specify in that configuration either the DNS servers supplied by your VPN provider (see note below), or public DNS servers. This will override the network-wide DNS settings for those hosts

Configure public DNS servers for your whole local network, rather than local DNS servers

taken from https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html (steps 3 and 4 to avoid DNS leaks)

thanks
Just go to Services -> ISC DHCPv4 -> LAN and either select a single host or the entire LAN and type your preferred DNS servers' IP addresses in the DNS servers option.

I do not understand how this could resolve the routing issue through the VPN.
That setting only specifies the external DNS IP... doesn't it?