Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Unbound DNS Resolver through Wireguard Tunnel (Mullvad VPN)

    DHCP and DNS
    4
    18
    6.6k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      packetpirate @ShrinkMyProstateNow
      last edited by

      @shrinkmyprostatenow Yes exactly. Just follow the Mullvad instructions to setup an OpenVPN connection, then for the Unbound DNS resolver set the "Outbound Interface" to your OpenVPN interface.

      1 Reply Last reply Reply Quote 0
      • E
        emikaadeo @packetpirate
        last edited by

        @packetpirate said in Unbound DNS Resolver through Wireguard Tunnel (Mullvad VPN):

        @emikaadeo

        Thank you for confirming this.

        I am currently doing exactly as you said, putting Unbound in forwarding mode and forwarding to the Mullvad servers. The one you listed is I guess the non HTTPS version, they now have DNS over HTTPS at doh.mullvad.net (194.242.2.2), so I am using that now.

        https://mullvad.net/en/help/dns-over-https-and-dns-over-tls/

        I would much prefer to run Unbound in "normal" mode, and act as my own DNS server. Is there any way for me to do this without leaking my IP? So far the only solution I have found is to run OpenVPN in parallel and then send my queries over the OpenVPN interface. It just feels quite overkill to have OpenVPN and Wireguard running on the box.

        I’ve found this: https://schnerring.net/blog/use-custom-dns-servers-with-mullvad-and-any-wireguard-client/
        It looks like there is a way to send DNS queries to root servers through Mullvad’s WireGuard tunnel.
        Maybe worth a try?

        P 1 Reply Last reply Reply Quote 1
        • P
          packetpirate @emikaadeo
          last edited by packetpirate

          @emikaadeo It worked! Amazing. Thank you for finding that blog post.

          I setup two WG interfaces, one using the regular IP generated from Mullvad, and one using the non-hijacked IP as described in the blog post, and only the non-hijacked is able to resolve DNS.

          In both cases I see the connections to the root servers, but only when using the second IP am I actually able to resolve.

          E 1 Reply Last reply Reply Quote 1
          • E
            emikaadeo @packetpirate
            last edited by

            @packetpirate Yep, it works here too ;)

            P 1 Reply Last reply Reply Quote 1
            • D dma_pf referenced this topic on
            • D dma_pf referenced this topic on
            • P
              packetpirate @emikaadeo
              last edited by packetpirate

              @emikaadeo My firewall log is exploding with blocks to and from the internal WG interface IP and the root name servers, for example the k-root server.

              The log entries are:
              WAN out -Default deny rule IPv4: Internal WG IP:port --> root server:53
              WG_Interface in - Default deny rule IPv4: root server:53--> Internal WG IP : random port

              The strange thing is that DNS works fine over the WG interface, so the communication must be happening, but I am seeing a lot of these log entries.

              Any idea? Do you see the same?

              E 1 Reply Last reply Reply Quote 0
              • E
                emikaadeo @packetpirate
                last edited by

                @packetpirate
                No, I don't see anything like it.
                My traffic to root servers on port 53 is on the "pass" side.

                P 1 Reply Last reply Reply Quote 0
                • P
                  packetpirate @emikaadeo
                  last edited by packetpirate

                  @emikaadeo
                  Do you have pass all firewall rules on the WG interface? Currently I have no rules at all in there.

                  Then again I don't think that would change anything, these blocks are happening on the WAN Outbound, so I would in theory need a rule on WAN saying pass WG interface to any port 53? Do you have such a rule?

                  E 1 Reply Last reply Reply Quote 0
                  • E
                    emikaadeo @packetpirate
                    last edited by

                    @packetpirate said in Unbound DNS Resolver through Wireguard Tunnel (Mullvad VPN):

                    @emikaadeo
                    Do you have pass all firewall rules on the WG interface? Currently I have no rules at all in there.

                    Then again I don't think that would change anything, these blocks are happening on the WAN Outbound, so I would in theory need a rule on WAN saying pass WG interface to any port 53? Do you have such a rule?

                    My pfSense setup is almost the same as here
                    The main difference is I don't have CLEARNET subnet and use WG instead of OpenVPN. You can compare this to your rules/setup.

                    P 2 Replies Last reply Reply Quote 1
                    • P
                      packetpirate @emikaadeo
                      last edited by

                      @emikaadeo
                      Wow, that is quite the guide.

                      I guess the part which confuses me is that when using wireguard, the wireguard interface itself gets an IP address (the internal IP given from Mullvad). When using OpenVPN as in the guide, the interface itself doesn't get any IP.

                      The issue I am seeing in my logs comes from this internal IP trying to access root servers directly, and I am not sure how to control that interaction.

                      I will have a good read through the guide to see if I can sort this out in my head, thanks.

                      1 Reply Last reply Reply Quote 0
                      • P
                        packetpirate @emikaadeo
                        last edited by

                        @emikaadeo
                        After quite a bit of head scratching I found the root cause. In the DNS Resolver Network Interface section I had ALL selected, this guide only chooses the interfaces which are set to use the DNS resolver. It seems that including the WAN and WG interfaces in that selection is what was causing my strange log entries. Thanks!

                        E 1 Reply Last reply Reply Quote 1
                        • E
                          emikaadeo @packetpirate
                          last edited by

                          @packetpirate
                          Glad you figured this out! :)

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post