WireGuard VPN split DNS
-
I have multiple permanent VPN setups on my pfSense for security (Mullvad - multiple failover connections) and connecting to my work. I also have clients that go directly through my WAN.
I want to be able to specify which dns each uses, but not on the specific devices. More on a global level with everything that exits that interface.
The main reason is I have a very complex setup. So for example I have a machine set to go through VPN, but certain websites on this machine will also route out of the WAN as they don't work with VPN (banking for example).
All of this works flawlessly and perfectly. The only issue I have is every DNS query is sent to pfSense and they just use the General tab Cloudflare DNS.
I want to be able to say anything going through x interface goes to their specific DNS. The issue I have is I have multiple connections to the same VPN and in the General tab you can only use 1 DNS per interface.
Is there a way to maybe use a virtual ip for the other interfaces to forward to the same dns or using a custom option on the dns to forward-addr to the specific dns per interface?
Or is there a way I can say anything that uses a WireGuard interface should use a specific DNS configured somewhere?
-
@jagradang Basically no. If you use Unbound on pfSense, it will go the way Unbound is configured, etc.
-
@Bob-Dig Somebody had a way to use port forwarding to forward all requests from an alias to a specific dns - but that is a lot of work for me to set up - There must be a simple way of controlling what DNS is used for which clients/connections. I can't believe that we are forced to push all clients regardless down a single DNS?
-
@jagradang You can use what you want. But you can't say, use unbound and then go here and in another case, then go there. If you use unbound, then it will go out the way it is configured for unbound.
-
So your setup is,
Vlan 1 -> pfsense > VPN (WAN DNS1)
Vlan 2 -> pfsense > VPN (WAN DNS1)
Vlan 3 -> pfsense > VPN (WAN DNS1)
etc.
Your goal is,
Vlan 1 -> pfsense > - VPN DNS1
Vlan 2 -> pfsense > VPN DNS2
Vlan 3 -> pfsense > VPN DNS3
Specific websites (banking) accessible from all VLANs -> pfsense > WAN DNS
And you'd be using the DNS resolver in pfSense? & perhaps pfBlocker?
An easy route that works for me was to set up AdGuard instances per VLAN, and route all associated traffic for the DNS per VLAN. AdGuard can then use a locally hosted Unbound or BIND9, or the pfSense resolver, for just locally hosted domains.
-
@Tigo My aim is as follows
WAN -> DNS 1
VPN 1 -> DNS 2
VPN 2 -> DNS 2
VPN 3 -> DNS 2
So I use Cloudflare for my WAN and my VPN provider's DNS for the VPN.
I then also wanted the ability to break that down more, in that I can have selective groups routing through to different DNS.
I currently have 2 gateway groups - WAN (WAN connection) and VPN (containing VPN and 2 failover VPNs - WireGuard).
So I have rules which send traffic to either VPN or WAN. I wanted to be able to also route the DNS - so if the client is routed to VPN it uses the VPN DNS, if it's routed to WAN it uses the WAN DNS.
-
Hmmmm, that's a bit of an interesting scenario!
Perhaps, remove all DNS settings from the General tab (or deselect the interface). Have the DNS resolver listen on all VLANs & localhost, and outgoing only to VPNs and WAN. (Default settings would listen to all and outgoing to all.)
Then, set up forwarding rules for DNS & DNS over TLS forcing all respective traffic from each VLAN to exit via a specific VPN gateway. Then, test for DNS leak.
NB: If all the clients are configured with the pfSense for DNS resolution, it'll get messy. But if the clients are configured with the different DNS servers, then the FW rules will work.
-
@Tigo Thanks, I'll give that a go.
I have a temp workaround by using forwarding rules to forward aliases to specific DNS which might work. It's a massive lot of work though for a simple task! So I was hoping to try and avoid having to do all the work, but it might be the only way to get it working.
Main reason is to prevent DNS leak when using VPN connections.
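The port-forward-per-alias workaround mentioned earlier in the thread and Tigo's "forwarding rules per VLAN, then test for leaks" suggestion describe the same mechanism: a NAT redirect that pins each VLAN's DNS to one resolver, a policy-routing rule that sends that DNS traffic out the matching gateway, and a block on the encrypted-DNS ports that cannot be redirected. The pf ruleset below is an added, constructed example of that mechanism and is not from any poster in this thread or from pfSense itself; the interface names (igb0.10, igb0.20, igb0.30, wg0, wg1, igb0), subnets, gateway and resolver addresses are all assumptions chosen for illustration.

```pf
# Constructed example (not from the thread): pfSense-style per-VLAN DNS
# steering expressed as raw pf rules. Every name and address below is an
# assumption for illustration only.
#
# Assumed layout:
#   igb0.10 (10.10.0.0/24) -> WireGuard tunnel wg0, provider resolver 10.64.0.1
#   igb0.20 (10.20.0.0/24) -> WireGuard tunnel wg1, same provider resolver
#   igb0.30 (10.30.0.0/24) -> WAN on igb0, public resolver 1.1.1.1
#   pfSense holds .1 on each VLAN and runs Unbound for local names only.
vpn_dns = "10.64.0.1"
wan_dns = "1.1.1.1"
wg0_gw  = "10.64.0.1"       # assumed far-side address of tunnel wg0
wg1_gw  = "10.64.0.1"       # assumed far-side address of tunnel wg1
wan_gw  = "203.0.113.1"     # assumed WAN next hop (documentation range)

# 1. Redirect every plain-DNS request leaving a VLAN to that VLAN's
#    intended resolver, whatever the client configured. Queries sent to
#    pfSense itself ("! 10.x.0.1") are left alone so Unbound still answers
#    local hostnames. rdr runs before filtering, so the filter rules below
#    must match the translated destination, not the one the client used.
rdr on igb0.10 inet proto { tcp udp } from 10.10.0.0/24 to ! 10.10.0.1 port 53 -> $vpn_dns port 53
rdr on igb0.20 inet proto { tcp udp } from 10.20.0.0/24 to ! 10.20.0.1 port 53 -> $vpn_dns port 53
rdr on igb0.30 inet proto { tcp udp } from 10.30.0.0/24 to ! 10.30.0.1 port 53 -> $wan_dns port 53

# 2. Policy-route the redirected query out the gateway that belongs to the
#    VLAN, so the DNS packet cannot follow the default route to the WAN
#    even if the tunnel route table is incomplete. "quick" stops rule
#    evaluation at the first match.
pass in quick on igb0.10 route-to ( wg0 $wg0_gw ) inet proto { tcp udp } from 10.10.0.0/24 to $vpn_dns port 53 keep state
pass in quick on igb0.20 route-to ( wg1 $wg1_gw ) inet proto { tcp udp } from 10.20.0.0/24 to $vpn_dns port 53 keep state
pass in quick on igb0.30 route-to ( igb0 $wan_gw ) inet proto { tcp udp } from 10.30.0.0/24 to $wan_dns port 53 keep state

# 3. Close the side door: DNS over TLS (853) cannot be transparently
#    redirected, so it is blocked and clients fall back to the steered
#    port-53 path. DNS over HTTPS shares port 443 and needs a resolver
#    address list (e.g. via pfBlocker) rather than a port rule; not shown.
block in quick on { igb0.10 igb0.20 igb0.30 } inet proto { tcp udp } from any to any port 853
```

In the pfSense GUI the same three pieces are a Firewall > NAT > Port Forward entry per VLAN (redirect target = the resolver), a firewall rule on the VLAN whose Advanced > Gateway field is set to the VPN gateway or the failover gateway group (the GUI's equivalent of route-to, with failover handled by the group), and a separate block rule for port 853. After applying, verify from a client on each VLAN that a DNS leak test reports only the intended resolver, and that bringing a tunnel down makes the steered queries fail rather than silently fall back to the WAN.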
-
@jagradang
Let us know what you end up with.
What's the workaround that you have with aliases?
I'm currently experimenting, trying to see whether I can get the Unbound on pfSense to send queries down different VPNs depending on which VLAN sent in the request. ChatGPT says it's possible, but I'm yet to see it work. My workaround was spinning up different AdGuard instances for each VLAN, and they work fine per VLAN, per VPN. I'd prefer to keep things on pfSense if that's even possible. But I don't know.