Netgate Discussion Forum

OpenVPN + WireGuard breaking DNS resolver. [SOLVED]

General pfSense Questions
15 Posts 2 Posters 3.5k Views
    stephenw10 Netgate Administrator
    last edited by Jul 22, 2022, 11:33 PM

    I would try adding a floating outbound block rule on WAN to match that and prevent any states opening on WAN.

      nimrod @stephenw10
      last edited by Jul 23, 2022, 12:30 AM

      @stephenw10 said in OpenVPN + WireGuard breaking DNS resolver.:

      I would try adding a floating outbound block rule on WAN to match that and prevent any states opening on WAN.

      I tried, but it didn't work. BlockWAN is the alias containing both MullvadVPN DNS IPs. I tried block and reject, and I enabled the Quick option.

      [screenshot]

      After reboot, the state table still shows DNS requests made on port 53 on my WAN IP 192.168.5.2. It seems like these DNS requests are taking place before the firewall rules have the chance to block them.

      Again, once the system is fully up, I just click save in System / General and everything starts working.

        stephenw10 Netgate Administrator
        last edited by Jul 23, 2022, 6:04 PM

        The source port should be 'any' there, not 53. If you look at the states created, the source port is a random high-numbered port.

        Steve

          nimrod @stephenw10
          last edited by Jul 24, 2022, 12:44 AM

          @stephenw10 said in OpenVPN + WireGuard breaking DNS resolver.:

          The source port should be 'any' there, not 53. If you look at the states created, the source port is a random high-numbered port.

          Steve

          I fixed that, but this rule blocks DNS resolution completely.
          [screenshot]

          I tried setting the port to "any" in the destination, but the same thing happens. Going to System / General and hitting save no longer works if this rule is enabled.

          I experimented some more, and I made a tiny bit of progress. If I set my DNS Server Settings like this

          [screenshot]

          and then I select the Mullvad OpenVPN interface as gateway in the firewall rules, everything works fine after reboot. However, the roles have been switched now, and all clients that use the WireGuard gateway don't have DNS resolution, or any traffic for that matter. The WireGuard applet now shows 0 peers.

          [screenshot]

          There is also no handshake

          [screenshot]

          And going to System / General doesnt help like before.

            stephenw10 Netgate Administrator @nimrod
            last edited by Jul 24, 2022, 12:55 AM

            @nimrod said in OpenVPN + WireGuard breaking DNS resolver.:

            and then i select Mullvad OpenVPN interface as gateway in firewall rules, everything works fine after reboot.

            In what firewall rules? Traffic from the firewall itself cannot be policy routed. It will always use the system routing table which is why I was asking you about the static route to the DNS server added by setting a gateway against them.

            Steve

              nimrod @stephenw10
              last edited by Jul 24, 2022, 3:49 PM

              @stephenw10 said in OpenVPN + WireGuard breaking DNS resolver.:

              @nimrod said in OpenVPN + WireGuard breaking DNS resolver.:

              and then i select Mullvad OpenVPN interface as gateway in firewall rules, everything works fine after reboot.

              In what firewall rules? Traffic from the firewall itself cannot be policy routed. It will always use the system routing table which is why I was asking you about the static route to the DNS server added by setting a gateway against them.

              Steve

              I think we didn't understand each other because I'm bad at explaining things. Sorry. Here is the entire configuration for the scenario that I described in the first post.

              This is the status of the Mullvad OpenVPN client once its configured using their instructions.
              [screenshot]
              As you can see, it connects with no issues.

              Here is the interface configuration of the Mullvad OpenVPN client.

              [screenshot]
              Here is the OpenVPN gateway that gets automatically created when I add and enable the OpenVPN interface. I just added the MullvadDNS IP as the gateway monitoring address.

              [screenshot]

              This is the configuration under System / Advanced / Miscellaneous

              [screenshot]

              These are the manual NAT rules. Only Local Subnets are using OpenVPN, and sometimes I switch to WG as well. I also have a WAN NAT rule so I can access the DSL modem web configuration.

              [screenshot]

              These are the firewall rules on the LAN interface aka Local Subnets.

              [screenshot]
              These are the firewall rules on the WiFi interface aka the WiFi Networks subnet. As you can see here, all WiFi devices are going through the Mullvad WireGuard gateway. I just censored their descriptions and the aliases containing their IP addresses.

              [screenshot]

              And these are the firewall rules on the final subnet. A single PC running FreeBSD.

              [screenshot]

              These are the settings under System / General Setup

              [screenshot]

              These are the settings in Services / DNS Resolver / General Settings

              [screenshots]

              This is the status of WireGuard VPN
              [screenshot]
              This is how it all looks like in System / Routing / Gateways
              [screenshot]

              This is how it all looks like after reboot, however, none of the 3 subnets have DNS resolution.

              [screenshot]

              As I said before, I go to System / General Setup, I change nothing, hit the save button, and that's it.

              Local Subnets start working without any issues going through the OpenVPN gateway, and the other two subnets start working without any issues going through the WireGuard gateway. Confirmed by using the MullvadVPN connection check.

              [screenshot]

              It's obvious that this setup works. It's just that it stops working after reboot. What am I doing wrong here?

                stephenw10 Netgate Administrator
                last edited by Jul 25, 2022, 4:23 PM

                When you add an alternative monitoring IP to a gateway, a static route to that IP via the gateway is added to ensure it's actually monitoring the correct gateway. Since you are using the Mullvad DNS server there, it means it can only ever connect over the WG VPN.

                You have not set 'Skip rules when gateway is down', which means that if a gateway does go down the rules are just created without a gateway, which here means traffic would just leave over the WAN. That's probably not what you want.

                Steve

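An added diagnostic for the two points Steve makes here and in his earlier reply about the block rule's source port. This is example code written for this page, not code from the thread, Netgate or pfSense. It parses the plain-text output of `netstat -rn` and `pfctl -ss` as FreeBSD/pfSense print them, flags any configured DNS server that has a static host route (FreeBSD flags H and S, which is what a gateway monitor IP adds) through a VPN interface, and counts how many of the firewall's own DNS states a `block out` rule would match when written with source port 53 versus source port any. The routing table, state lines, DNS addresses (documentation ranges standing in for the Mullvad servers) and the interface names ovpnc1 and tun_wg0 are all constructed assumptions.

```python
"""Spot two pfSense pitfalls from this thread in raw netstat / pfctl output.

1. A gateway monitor IP gets a static host route via that gateway.  If that
   IP is also a system DNS server, unbound can reach it only through that
   one VPN interface.
2. A floating block rule written with *source* port 53 never matches the
   firewall's own DNS queries, whose source port is a random high port.
"""
import re
from dataclasses import dataclass

# --- Constructed sample data (assumption: not captured from the poster's box) ---
# Layout follows FreeBSD `netstat -rn`; 198.51.100.x stands in for the Mullvad
# DNS servers, ovpnc1 / tun_wg0 for the OpenVPN and WireGuard interfaces.
SAMPLE_NETSTAT_RN = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.5.1        UGS         igb0
10.64.0.1          link#8             UH        ovpnc1
10.65.22.3         link#10            UHS      tun_wg0
127.0.0.1          link#3             UH          lo0
192.168.1.0/24     link#2             U           igb1
192.168.5.0/24     link#1             U           igb0
198.51.100.53      10.64.0.1          UGHS      ovpnc1
198.51.100.54      10.65.22.3         UGHS     tun_wg0
"""

# Layout follows `pfctl -ss`: <if> <proto> <src> -> <dst> <state>
SAMPLE_PFCTL_SS = """\
all udp 192.168.5.2:49812 -> 198.51.100.53:53       SINGLE:NO_TRAFFIC
all udp 192.168.5.2:60331 -> 198.51.100.54:53       MULTIPLE:MULTIPLE
all tcp 192.168.5.2:42117 -> 203.0.113.10:443       ESTABLISHED:ESTABLISHED
igb1 udp 192.168.1.20:53215 -> 192.168.1.1:53       MULTIPLE:MULTIPLE
"""

DNS_SERVERS = {"198.51.100.53", "198.51.100.54"}  # System > General Setup (assumed)
VPN_IFACES = {"ovpnc1", "tun_wg0"}                # OpenVPN client, WireGuard (assumed)


@dataclass(frozen=True)
class Route:
    dest: str
    gateway: str
    flags: str
    netif: str


@dataclass(frozen=True)
class State:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_netstat_rn(text):
    """Collect route rows from every section that starts with a Destination header."""
    routes, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Destination"):
            in_table = True
            continue
        if not line.strip():
            in_table = False          # blank line ends the Internet/Internet6 table
            continue
        if in_table:
            cols = line.split()
            if len(cols) >= 4:
                routes.append(Route(cols[0].removesuffix("/32"), cols[1], cols[2], cols[3]))
    return routes


def pinned_dns_servers(routes, dns_servers, vpn_ifaces):
    """DNS servers reachable only via one VPN interface because of a static host route.

    FreeBSD flags: H = host route, S = static (what a gateway monitor IP installs)."""
    return {
        r.dest: r.netif
        for r in routes
        if "H" in r.flags and "S" in r.flags
        and r.dest in dns_servers and r.netif in vpn_ifaces
    }


def _split_addr_port(token):
    """pfctl prints IPv4 as a.b.c.d:port and IPv6 as addr[port]."""
    m = re.fullmatch(r"(.+)\[(\d+)\]", token)
    if m:
        return m.group(1), int(m.group(2))
    addr, port = token.rsplit(":", 1)
    return addr, int(port)


def parse_pfctl_ss(text):
    """Parse outbound `pfctl -ss` lines; the '->' may be shifted right by a NAT '(orig)' column."""
    states = []
    for line in text.splitlines():
        cols = line.split()
        if "->" not in cols:
            continue
        arrow = cols.index("->")
        if arrow < 3 or arrow + 1 >= len(cols):
            continue
        src_ip, src_port = _split_addr_port(cols[2])
        dst_ip, dst_port = _split_addr_port(cols[arrow + 1])
        states.append(State(cols[1], src_ip, src_port, dst_ip, dst_port))
    return states


def states_hit_by_block_rule(states, dst_ips, dst_port=53, src_port=None):
    """States a 'block out' rule would have matched: destination in the alias,
    destination port, and (only if given) a fixed source port."""
    return [
        s for s in states
        if s.dst_ip in dst_ips and s.dst_port == dst_port
        and (src_port is None or s.src_port == src_port)
    ]


def report(netstat_text=SAMPLE_NETSTAT_RN, pfctl_text=SAMPLE_PFCTL_SS):
    routes = parse_netstat_rn(netstat_text)
    states = parse_pfctl_ss(pfctl_text)
    pinned = pinned_dns_servers(routes, DNS_SERVERS, VPN_IFACES)
    for ip, ifc in sorted(pinned.items()):
        print(f"DNS server {ip} has a static host route via {ifc}: unreachable until that VPN is up")
    wrong = states_hit_by_block_rule(states, DNS_SERVERS, src_port=53)
    right = states_hit_by_block_rule(states, DNS_SERVERS)
    print(f"rule with source port 53 matches {len(wrong)} DNS states; source port any matches {len(right)}")
    return pinned, wrong, right


if __name__ == "__main__":
    report()
```

On a real pfSense box, run `netstat -rn` and `pfctl -ss` from a shell and pass their output to `report()`. After the monitor IPs are removed, as nimrod does further down, the static host routes should no longer appear and `pinned_dns_servers` returns an empty dict.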
                  nimrod @stephenw10
                  last edited by Jul 25, 2022, 4:40 PM

                  @stephenw10 said in OpenVPN + WireGuard breaking DNS resolver.:

                  When you add an alternative monitoring IP to a gateway, a static route to that IP via the gateway is added to ensure it's actually monitoring the correct gateway. Since you are using the Mullvad DNS server there, it means it can only ever connect over the WG VPN.

                  Unbelievable. I can't believe this was causing the issue.

                  You have not set 'Skip rules when gateway is down', which means that if a gateway does go down the rules are just created without a gateway, which here means traffic would just leave over the WAN. That's probably not what you want.

                  Steve

                  Thank you very much for your help @stephenw10 !!!

                  Cheers.

                    stephenw10 Netgate Administrator
                    last edited by Jul 25, 2022, 4:50 PM

                    No worries. Let me know if that helps. There could easily be more interactions happening there based on the connection timing.

                    Steve

                      nimrod @stephenw10
                      last edited by Jul 25, 2022, 4:56 PM

                      @stephenw10 said in OpenVPN + WireGuard breaking DNS resolver.:

                      No worries. Let me know if that helps. There could easily be more interactions happening there based on the connection timing.

                      Steve

                      It works !!

                      I removed the monitoring IPs on both gateways, and I enabled "Do not create rules when gateway is down" in System / Advanced / Miscellaneous.

                      After reboot, both WireGuard and OpenVPN clients connected as usual and all subnets are going through their designated gateways.

                      Once again, thank you @stephenw10 !!!
