Configuring WireGuard tunnels using Proton DNS while DNS over TLS is active locally

Started by eXcoRe, December 04, 2025, 10:10:17 PM

Dear OPNsense community,

first of all, I want to say that I really enjoy using OPNsense. It is a great project that supports many extensions and allows configuring a wide range of scenarios. I am just an enthusiastic user who is here to learn more and gain a better overall understanding. Any support is most welcome — and please be kind, as I do not have 10+ years of networking experience :)

I have already set up OPNsense with working WireGuard connections. The goal is to configure the WireGuard tunnels using Proton DNS without any DNS leakage, while also running Unbound DNS on the firewall.

Only the WireGuard clients (e.g., 192.168.1.90–192.168.1.91) should use the WireGuard tunnel including its DNS, and all other internal clients (e.g., 192.168.1.100–192.168.1.101) should use the Unbound DNS service — in other words, a split DNS configuration.

The OPNsense firewall is configured with Unbound DNS over TLS (port 853), and clients use, for example, Cloudflare (1.1.1.1), Google (8.8.8.8), or Quad9 (9.9.9.9).

Additionally, my configuration currently has a working Squid web proxy, which some VLAN clients and some LAN clients use to access the internet.
For testing purposes, I also deactivated it on the LAN interface, but it still did not work as expected.

Current situation:
The WireGuard clients are routed through the tunnel and receive the Proton IPs. However, during DNS testing, Proton DNS is not displayed — instead, the Unbound DNS appears. Testing was done using https://www.dnsleaktest.com

Traceroute result:

  1    <1 ms    <1 ms    <1 ms  OPNsense.localdomain [192.168.1.1]
  2    18 ms    15 ms    15 ms  10.2.0.1  --> Proton WG tunnel active and working; my IP address is showing from the VPN
  3    16 ms    16 ms    16 ms  205.xxx.xx.xxx --> Proton Server
  4    16 ms    16 ms    16 ms  vl221.ams-eq6-core-2.cdn77.com [79.127.194.82] --> this is what I want to avoid for WG clients
  5    17 ms    17 ms    17 ms  142.250.163.178
  6    17 ms    16 ms    16 ms  74.125.243.81
  7    15 ms    16 ms    15 ms  209.85.240.100
  8    17 ms    16 ms    17 ms  108.170.238.127
  9    22 ms    22 ms    23 ms  192.178.75.29
 10    24 ms    26 ms    25 ms  209.85.252.76
 11    21 ms    21 ms    21 ms  108.170.238.3
 12    21 ms    21 ms    21 ms  142.250.214.195
 13    22 ms    22 ms    22 ms  fra24s07-in-f3.1e100.net [142.250.186.131]

Maybe Unbound DNS is "overwriting" it, or my WG clients are just passing around the tunnel, not sure...
But I am quite sure that some firewall rules — and especially NAT — may not be configured correctly. I have not yet been able to identify what exactly is wrong.

Before overloading this post with too many pictures, I have created an extract of my current setup, see the picture below:


If you need anything more specific to identify this issue, just let me know.
I guess my problem should be clear, so I am looking forward to your valuable feedback.

Thanks
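One way to verify the split-DNS policy described in the post once the rules are in place, as an added example that is not the poster's configuration and not part of OPNsense: it checks captured DNS/DoT flows against the rule "WireGuard clients resolve only via the tunnel, everyone else only via Unbound". It assumes 10.2.0.1 (hop 2 of the traceroute) is the resolver the WG clients should reach, and the flow records are constructed for illustration.

```python
import ipaddress
import re

# Split-DNS policy from the post (constructed, not an OPNsense export):
# the two WG clients may only talk to the tunnel-side resolver, every other
# LAN client only to Unbound on the firewall. 10.2.0.1 as the resolver
# address is an assumption based on the tunnel gateway in the traceroute.
WG_CLIENTS = {"192.168.1.90", "192.168.1.91"}
LAN = ipaddress.ip_network("192.168.1.0/24")
TUNNEL_RESOLVER = "10.2.0.1"
UNBOUND = "192.168.1.1"
DNS_PORTS = {53, 853}  # plain DNS and DNS over TLS

# Constructed flow records in a packet-capture-summary style: "<src> > <dst>.<port> <proto>"
SAMPLE_FLOWS = """\
192.168.1.90 > 10.2.0.1.53 udp
192.168.1.90 > 192.168.1.1.53 udp
192.168.1.100 > 192.168.1.1.53 udp
192.168.1.101 > 1.1.1.1.53 udp
192.168.1.91 > 10.2.0.1.53 tcp
192.168.1.100 > 8.8.8.8.853 tcp
"""

FLOW_RE = re.compile(r"^(\S+) > (\S+)\.(\d+) (udp|tcp)$")


def expected_resolvers(src):
    """Resolvers a client is allowed to reach under the split policy."""
    if src in WG_CLIENTS:
        return {TUNNEL_RESOLVER}
    if ipaddress.ip_address(src) in LAN:
        return {UNBOUND}
    return set()  # unknown source: no resolver is permitted


def find_dns_leaks(flows):
    """Return (src, dst, port) for every DNS/DoT flow that violates the policy."""
    leaks = []
    for line in flows.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not flow records
        src, dst, port, _proto = m.groups()
        if int(port) not in DNS_PORTS:
            continue  # only resolver traffic is of interest here
        if dst not in expected_resolvers(src):
            leaks.append((src, dst, int(port)))
    return leaks
```

The second sample line reproduces the symptom from the post (a WG client reaching Unbound instead of the tunnel resolver); the last two show LAN clients bypassing Unbound with direct DNS and DoT.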