Netgate Discussion Forum
WireGuard and ProtonVPN

7 Posts 3 Posters 798 Views
  • P
    provels
    last edited by Sep 5, 2024, 12:38 AM

    I've followed these instructions at Proton a few times without issue, to a point anyway. That point is where DNS gets forwarded to Proton's own server. I get the tunnel up easily and get the rules set, but DNS fails shortly after I switch to Proton's server. At present, I use both pi-hole and pfBlocker but I've tried disabling both of those and just setting things up according to the doc without success. DNS just goes away. I've tried dumping states, rebooting, /release/renew, etc. Hopefully at least one kind soul here can help me out of this. Thanks for reading and any replies.

    Peder

    MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
    BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

    • B
      Bob.Dig LAYER 8 @provels
      last edited by Bob.Dig Sep 5, 2024, 6:16 AM Sep 5, 2024, 6:15 AM

      @provels Looking at those instructions, it is the all-approach, everything should go through Proton, which is not that great imho. Those instructions are correct, they want you to not use any other DNS-Servers than theirs.
      You are probably using other DNS-Servers? How I read their setup, pfSense can't do DNS until Proton is connected.
      Personally I wouldn't change my DNS-Servers to Proton but change the DNS-Server for some hosts only to always use external DNS, which will then go through the VPN for those hosts.

      • P
        provels @Bob.Dig
        last edited by Sep 5, 2024, 12:07 PM

        @Bob-Dig Thanks for the reply. I have been using pfB (Resolver) up to now. I figured I'd just follow the instructions completely and at least get things working before I start modding things. Should I be able to use my current DNS to WAN and just send client traffic out the tunnel? Guess I'd need a LAN->WAN rule for DNS ahead of the LAN->Proton rule then. There's nothing stopping using the WAN outside the tunnel, right? Rules are rules? Thanks again.

        Peder

        • B
          Bob.Dig LAYER 8 @provels
          last edited by Sep 5, 2024, 12:15 PM

          @provels Yes. So I can't tell why it is not working right now. But my advice is to use policy based routing anyways. So only some hosts go through the VPN. And the easiest way to stop DNS-leaks is to give those hosts not pfSense but some public servers like 8.8.8.8 for DNS. With that, that will run just like any other external traffic through the VPN.
          And for my main machine, I don't care for some DNS leak. I always use unbound as a "forwarder".

          • P
            provels @Bob.Dig
            last edited by Sep 5, 2024, 12:17 PM

            @Bob-Dig Thanks, never used policy based routing, but that's what the Internet is for! I'll read up. Thanks again.

            Peder

            • B
              Bob.Dig LAYER 8 @provels
              last edited by Sep 5, 2024, 12:22 PM

              @provels said in WireGuard and ProtonVPN:

              never used policy based routing

              Just an easy example, in this VLAN everything will go out through a privacy-VPN-Provider.

              Screenshot 2024-09-05 142116.png

              • A
                Antibiotic @Bob.Dig
                last edited by Nov 17, 2024, 9:41 PM

                @Bob-Dig said in WireGuard and ProtonVPN:

                Personally I wouldn't change my DNS-Servers to Proton but change the DNS-Server for some hosts only to always use external DNS, which will then go through the VPN for those hosts.

                Could you please show an example of a firewall rule to pass DNS requests via VPN for some hosts?

                pfSense plus 24.11 on Topton mini PC
                CPU: Intel N100
                NIC: Intel i-226v 4 pcs
                RAM : 16 GB DDR5
                Disk: 128 GB NVMe
                Brgds, Archi
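
An added illustration, not written by any poster in this thread and not pfSense code: a small first-match rule audit that shows why a "DNS to WAN" rule placed ahead of the tunnel rule leaks DNS for the VPN hosts, and how the policy-routing layout discussed above avoids it. All addresses, the `PROTON_WG` gateway name and the rule tables are constructed placeholders; the model assumes the firewall's own resolver sends its upstream queries via the default route.

```python
from ipaddress import ip_address, ip_network

FIREWALL_LAN_IP = "192.168.10.1"   # constructed: firewall's LAN address / local resolver
VPN_HOSTS = "192.168.10.0/28"      # constructed: hosts that must use the tunnel
LAN = "192.168.10.0/24"
ANY = "0.0.0.0/0"

# Rules are (src, dst, port, action, gateway); gateway None = default route (WAN).
# "DNS to WAN ahead of the tunnel rule": every LAN host's DNS bypasses the VPN.
LEAKY = [
    (LAN, ANY, 53, "pass", None),
    (VPN_HOSTS, ANY, None, "pass", "PROTON_WG"),
    (LAN, ANY, None, "pass", None),
]
# VPN hosts may not use the firewall's resolver; all their traffic is policy-routed.
FIXED = [
    (VPN_HOSTS, FIREWALL_LAN_IP + "/32", 53, "block", None),
    (VPN_HOSTS, ANY, None, "pass", "PROTON_WG"),
    (LAN, ANY, None, "pass", None),
]

def first_match(rules, src, dst, port):
    """Return the first rule matching the packet, or None (implicit deny)."""
    for rule in rules:
        r_src, r_dst, r_port, _, _ = rule
        if (ip_address(src) in ip_network(r_src)
                and ip_address(dst) in ip_network(r_dst)
                and r_port in (None, port)):
            return rule
    return None

def dns_path(rules, src, resolver):
    """Classify where a DNS query from src to resolver leaves the network."""
    rule = first_match(rules, src, resolver, 53)
    if rule is None or rule[3] == "block":
        return "blocked"
    if resolver == FIREWALL_LAN_IP and rule[4] is None:
        # Assumption: the firewall's resolver sends its own upstream queries
        # via the default route, so LAN policy rules do not cover them.
        return "firewall-resolver"
    return rule[4] or "WAN"

def leaks(rules, hosts, resolvers, vpn_gateway="PROTON_WG"):
    """List (host, resolver, path) combinations whose DNS avoids the tunnel."""
    return [(h, r, p) for h in hosts for r in resolvers
            if (p := dns_path(rules, h, r)) not in (vpn_gateway, "blocked")]
```

Calling `leaks(LEAKY, ["192.168.10.5"], ["192.168.10.1", "8.8.8.8"])` reports both resolvers as leaking, while the same call with `FIXED` returns an empty list.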
