
    [SOLVED] pfSense 2.6.0+MullvadVPN+WireGuard+pfBlockerNG

    General pfSense Questions, 10 Posts, 3 Posters, 2.1k Views
    • nimrod (last edited by nimrod)

      Not sure if this is the correct place, but moderators can move this thread into the correct section if they think it's necessary.

      I have recently switched from NordVPN to MullvadVPN, and I have decided to try WireGuard instead of OpenVPN. I installed the WireGuard package and configured it to work with Mullvad, and everything was working perfectly. I'm getting much higher speeds, and I made the decision to stick with WireGuard. I had issues with DNS leaks, which I was quickly able to resolve by manually assigning DNS server IPs in the DHCP Server section of pfSense. MullvadVPN provides these IPs on their site.

      As soon as I did that, pfBlocker DNSBL stopped working. Just for testing purposes, I removed the manually assigned DNS servers in the DHCP section of pfSense, and of course pfBlocker started working again as it should, but now I'm leaking DNS again.

      Any ideas how to resolve this and not switch back to OpenVPN?

      Thank you.
      • stephenw10, Netgate Administrator (last edited by stephenw10)

        pfBlocker DNSBL works by filtering DNS queries in Unbound, so it can only work if clients are using Unbound in pfSense for DNS. As soon as you pass them some external DNS server to use via DHCP, it's not filtered.
        What you can do is leave the clients using Unbound and then set Unbound to forward queries to Mullvad's DNS servers. Or set Unbound to use the WireGuard interface for its outgoing queries, which will then be sourced from the remote side of the VPN.

        Steve
        • nimrod @stephenw10

          @stephenw10 said in pfSense 2.6.0+MullvadVPN+WireGuard+pfBlockerNG:

          pfBlocker DNSBL works by filtering DNS queries in Unbound, so it can only work if clients are using Unbound in pfSense for DNS. As soon as you pass them some external DNS server to use via DHCP, it's not filtered.
          What you can do is leave the clients using Unbound and then set Unbound to forward queries to Mullvad's DNS servers. Or set Unbound to use the WireGuard interface for its outgoing queries, which will then be sourced from the remote side of the VPN.

          Steve

          Hi Steve. Thanks for your quick reply.

          Can you tell me where in pfSense the option to forward queries to Mullvad's DNS IPs is? Is that done with firewall rules or NAT rules with port 53?

          Also, where and how do I set Unbound to use the WireGuard interface? Is that done in pfBlocker?

          Thank you. Much appreciated.
          • stephenw10, Netgate Administrator

            To forward queries you would set Mullvad's DNS servers in Sys > Gen Setup and uncheck 'DNS Server Override'. Then set Unbound to Forwarding mode in Services > DNS Resolver.

            To have Unbound use the WireGuard tunnel you would leave it in resolving mode and select only the WireGuard interface for 'Outgoing Network Interfaces'.

            Steve
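The three configurations this thread walks through (clients handed an external DNS server by DHCP, which bypasses DNSBL; Unbound forwarding to the VPN provider's resolvers; Unbound resolving with only the WireGuard interface as its outgoing interface) can be checked mechanically from the generated config files. The script below is an added example and is not from the thread, from Netgate or from pfBlockerNG: it parses unbound.conf-style and ISC dhcpd.conf-style text and reports whether DNSBL filtering is bypassed or whether outgoing resolver traffic can leave via WAN. The config snippets, the LAN/tunnel/WAN addresses and the provider DNS address are all constructed; in particular `198.51.100.53` is a documentation-range placeholder, not Mullvad's real resolver.

```python
import re

# Constructed sample addresses (not real deployment values):
LAN_IP = "192.168.1.1"          # pfSense LAN address that clients should use for DNS
TUNNEL_IP = "10.200.0.2"        # pfSense-side address on the WireGuard tunnel
WAN_IP = "203.0.113.10"         # pfSense WAN address
PROVIDER_DNS = "198.51.100.53"  # placeholder for the VPN provider's resolver (NOT Mullvad's)

SECTION_RE = re.compile(r"[a-z-]+:")  # unbound section headers: server:, forward-zone:, ...
DHCP_DNS_RE = re.compile(r"option\s+domain-name-servers\s+([^;]+);")


def parse_unbound(conf):
    """Extract the settings that decide where Unbound's queries go."""
    found = {"forward_addrs": [], "outgoing_interfaces": [], "interfaces": []}
    in_forward_zone = False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if SECTION_RE.fullmatch(line):
            in_forward_zone = line == "forward-zone:"
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "forward-addr" and in_forward_zone:
            found["forward_addrs"].append(value.split("@")[0])  # strip optional @port
        elif key == "outgoing-interface":
            found["outgoing_interfaces"].append(value)
        elif key == "interface":
            found["interfaces"].append(value)
    return found


def parse_dhcp_dns(conf):
    """Return every DNS server that dhcpd.conf hands to clients."""
    servers = []
    for match in DHCP_DNS_RE.finditer(conf):
        servers.extend(s.strip() for s in match.group(1).split(","))
    return servers


def audit(unbound_conf, dhcp_conf, lan_ip=LAN_IP, tunnel_ip=TUNNEL_IP,
          wan_ip=WAN_IP, provider_dns=PROVIDER_DNS):
    """Return a list of findings; an empty list means both properties hold."""
    findings = []
    # Property 1: clients must query Unbound on pfSense, or DNSBL never sees them.
    for server in parse_dhcp_dns(dhcp_conf):
        if server != lan_ip:
            findings.append(f"DNSBL bypassed: DHCP hands clients {server}, "
                            f"so their queries never reach Unbound")
    # Property 2: Unbound's own upstream traffic must not leave via WAN.
    u = parse_unbound(unbound_conf)
    if u["forward_addrs"]:
        for addr in u["forward_addrs"]:
            if addr != provider_dns:
                findings.append(f"Unbound forwards to {addr}, not the VPN provider's resolver")
    else:
        out = u["outgoing_interfaces"]
        if not out or wan_ip in out or tunnel_ip not in out:
            findings.append("DNS leak: resolving mode without the tunnel as the only "
                            "outgoing interface, so queries can be sourced from WAN")
    return findings


# Constructed configs mirroring the thread's three situations.
BROKEN_DHCP = (
    "subnet 192.168.1.0 netmask 255.255.255.0 {\n"
    f"  option domain-name-servers {PROVIDER_DNS};\n}}\n"
)
GOOD_DHCP = (
    "subnet 192.168.1.0 netmask 255.255.255.0 {\n"
    f"  option domain-name-servers {LAN_IP};\n}}\n"
)
FORWARDING_UNBOUND = (
    f"server:\n    interface: {LAN_IP}\n"
    f"forward-zone:\n    name: \".\"\n    forward-addr: {PROVIDER_DNS}\n"
)
RESOLVING_TUNNEL_UNBOUND = f"server:\n    interface: {LAN_IP}\n    outgoing-interface: {TUNNEL_IP}\n"
RESOLVING_WAN_UNBOUND = f"server:\n    interface: {LAN_IP}\n"

if __name__ == "__main__":
    for label, uconf, dconf in [
        ("external DNS via DHCP", RESOLVING_TUNNEL_UNBOUND, BROKEN_DHCP),
        ("forwarding to provider", FORWARDING_UNBOUND, GOOD_DHCP),
        ("resolving over tunnel", RESOLVING_TUNNEL_UNBOUND, GOOD_DHCP),
        ("resolving via WAN", RESOLVING_WAN_UNBOUND, GOOD_DHCP),
    ]:
        print(label, "->", audit(uconf, dconf) or "OK")
```

The first case reproduces the original poster's symptom: DNS no longer leaks, but DNSBL is bypassed because the clients never talk to Unbound. The second and third are the two fixes Steve describes. The parser only handles the `key: value` layout Unbound uses and the `option domain-name-servers` directive of dhcpd; it does not evaluate routing, so a forwarding setup still depends on the provider's resolver being reached through the tunnel.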
            • nimrod @stephenw10 (last edited by nimrod)

              @stephenw10

              That did it. I can't believe that I actually did all this already, but I forgot to enable DNS Query Forwarding. I was so close.

              Thank you very much Steve !!!!
              • Moogle Stiltzkin @stephenw10

                @stephenw10

                I use pfSense too, but rather than set up Mullvad on pfSense, I use the desktop app (because other users may or may not want VPN all the time or at all; also, setting up tunneling for specific client devices is not ez).

                So for Mullvad desktop app users, is there a solution for pfBlockerNG DNS?
                • stephenw10, Netgate Administrator

                  Probably not. If there is, it would be in the Mullvad application. By default it almost certainly sends all DNS queries from the host over the VPN, so pfSense never sees them at all.

                  Steve
                  • nimrod @Moogle Stiltzkin (last edited by nimrod)

                    @moogle-stiltzkin said in pfSense 2.6.0+MullvadVPN+WireGuard+pfBlockerNG:

                    @stephenw10

                    I use pfSense too, but rather than set up Mullvad on pfSense, I use the desktop app (because other users may or may not want VPN all the time or at all; also, setting up tunneling for specific client devices is not ez).

                    What do you mean by "not ez"? All you have to do is create a static DHCP mapping and firewall rules for each device. Then you can choose which device is going to use the VPN by simply changing the gateway in the firewall rule.

                    So for Mullvad desktop app users, is there a solution for pfBlockerNG DNS?

                    I don't use VPN provider-provided applications. They are too limited and bloated. Use the generic WireGuard and OpenVPN applications instead.

                    However, for home use, I don't use any applications at all. There is no need for them because everything goes through pfSense.

                    Also, on the Mullvad website you can configure your account so that ad blocking is done at their end. Last time I checked, there were 4 different block lists to choose from. It's not as effective as pfBlocker, but it's something.
                    • Moogle Stiltzkin

                      So in short, it sounds like to get pfBlocker and Mullvad to work best, you should set up Mullvad directly on pfSense rather than use the desktop app (seeing as there doesn't seem to be a similar working solution in regards to utilizing the pfBlocker DNS part of the equation).

                      Hopefully I understood that correctly.

                      Thx for the feedback.

                      Currently, when I don't use the desktop VPN, pfBlocker works. But when I do, then the Mullvad VPN DNS settings take over (it doesn't seem that pfBlocker blocks what it did before, from observation).

                      So in my setup, it sucks that it doesn't seem I can get pfBlocker to work all the time unless I don't use the desktop VPN :{ Oh well...
                      • stephenw10, Netgate Administrator

                        The desktop app exists to hide all communication, so that's what it does. pfSense and pfBlocker cannot see it inside the tunnel.

                        But, yes, you can easily just policy route single clients over the VPN rather than the full subnet.

                        Steve

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.