Check out some online articles or YouTube videos. DNSSEC does not provide encryption or confidentiality. What it does is provide integrity, so that when you ask for DNS you are getting the correct IP address back.
If you're looking for confidentiality you need to look for something like DNS over TLS (DoT) or DNS over HTTPS (DoH). Unbound can do that; you just have to put in the IP/port combo of a resolver that supports those protocols.
"DNS over TLS vs. DNS over HTTPS | Secure DNS | Cloudflare" https://www.cloudflare.com/learning/dns/dns-over-tls/
This is something I have also looked at, but for different reasons. It seems this is planned for the next release (21.7):
IPv6 prefix DHCP lease registration in Unbound/Dnsmasq
Thanks Top_Soil
> Quick and dirty - Connect your wired devices to the Turris Omnia then those devices will be given an ip address according to your DHCP rules for the LAN network. Everything is right there.
That will get me started.
I don't have switches or anything fancy at this time. I think the most complicated thing I'll have is a Mullvad WireGuard VPN.
OpenWRT would be a good choice if keeping the RT-AC68U. You could try that first without the OPNsense box as it might do everything you want from there.
Then a cheap vlan aware 8 port switch like the one below may be all you need to finish this off.
Also running opnsense on a Protectli with basic Bios. Absolutely no problems with either incoming WG from my phones/remote computers. Or outgoing WG through Mullvad. Devices connect without issue and stay connected.
If your normal WAN/LAN works with your Protectli it is very unlikely to be hardware. Try redoing the WG config from scratch.
Get one of these for $15, set it on 1, never look back. I use these on all mine & clients.
OK, I found these instead (much as I hate to use Amazon): https://smile.amazon.com/gp/product/B00ESFF2JC/ref=ppx_yo_dt_b_asin_title_o00_s00?ie=UTF8&psc=1
Now I just have to hope that it fits in the available space.
Thanks for spotting that.
https://www.amazon.ca/dp/B07WZSNQNF?ref_=cm_sw_r_apan_dp_12XSCQ8P6K5VFW67KZVM
This is a Canadian listing but would something that size work for you?
It has quad core cpu and 2 rj45 network jacks built in.
See if you can look up B07WZSNQNF on EU Amazon.
Hey just wanted to say thanks for responding before. I think I wasn't very clear with my setup so I'll try to clarify a few things and then if you have any further insight it would be appreciated. I think in general I'm alright, I'm just trying to understand a few things.
I have a VPN through Mullvad, who use WireGuard. I set up a local connection on my router to connect to an endpoint on one of their servers, and configured the gateway WAN_VPN off of that. I then set an alias of the IP range x.x.x.80 - x.x.x.99. From there I set firewall rules that I posted in a separate comment in this thread, but basically the LAN rule tells the VPN_Hosts alias to go through the WAN_VPN gateway. I set another LAN rule that blocks VPN_Hosts from going out of WAN_DHCP, which is just the normal gateway. I also set some rules on the WAN interface to block traffic that is coming in or out when the source/destination is VPN_Hosts. (I'm not sure if the WAN rules are actually doing anything.)
In the log that I posted here, the .80 looks to be getting information from the WAN interface, but I thought it should be able to because it should be blocked/routed through the WAN_VPN interface.
Additionally, if I boot up a computer and put it on the VPN_Hosts range and go to the mullvad website, they have a quick check you can run to check for leaks and make sure you're connected to the endpoint. I always get green check marks meaning that my traffic doesn't appear to be leaking from what they can tell.
Anyway thanks again.
I use Mullvad VPN. If I do whois lookups it seems like it's mostly DNS providers. It just seems weird because the firewall is set to block all traffic to 192.168.1.80. The WG gateway is on the router.
It's listed as a HAMSING. Amazon page is https://smile.amazon.com/gp/product/B0BB3B2Q58/ref=ppx_yo_dt_b_asin_title_o02_s00?ie=UTF8&psc=1
There are some options to choose from regarding the memory and SSD size.
The unit I received came with pfSense installed but I replaced it.
It looks like the 8/128 and 16G/128 are the only ones in stock now.
Easily solvable issue, just set the upstream DNS for AdGuard to a ProtonVPN DNS server. That way any local lookups never even leave your local network, and any external lookups get filtered by AdGuard then sent to the VPN for privacy and ad/malware protection.
>I'd recommend using an external VPN supporting Wireguard technology though.
ProtonVPN, which OP is already using, gives 10 simultaneous connections on their paid plan. And home connections generally have slow upload speed, so I'd hate routing all of my internet traffic back home.
For a laptop on the road, I'd consider doing wireguard <--> home but only routing the traffic for LAN resources ("split vpn") and wireguard <--> proton as the default route. Can still send DNS through the home network for adblocking, and you'd probably want to so that LAN hosted resources are easier to access. But Proton (like most VPNs) also has adblocking, so their DNS is an option, too.
For a phone I'd probably have a VPN client configured for both Proton and the Home network and just switch between them depending on if I need to access anything at home. IDK if you can do the sort of setup described above on either Android or iOS. I'm pretty sure they both only allow 1 VPN connection at a time.
Great, thanks a lot for your input! I’ll watch that video and once my OPNsense is ready and up running, I’ll see if I can’t get it working on mine as well.
Regarding Wireguard vs OpenVPN, I just saw that apparently, ProtonVPN now supports Wireguard as well, so I’ll be sure to opt for that over OpenVPN.
I’m actually planning a similar setup to OP, running my on-the-go internet connection to my OPNsense via Wireguard. Additionally, I also want all the devices connected to my OPNsense to automatically tunnel their connection through ProtonVPN via OpenVPN (with an AdGuard server running on my Proxmox as DNS server).
Now, I would like for my on-the-go connection to enter my home network via Wireguard, and then behave like any other device on the home network (i.e. use AdGuard as DNS and route outgoing traffic through ProtonVPN).
Is this technically feasible, and if so, how would I go about implementing it?
That’s odd it doesn’t run headless but perhaps it’s because the Wyse systems are designed to be thin clients.
You could always get an HDMI headless display adapter to run headless. I’ve used it before to run a headless Ubuntu desktop.
I personally use a Qotom box which works fine headless.
For anyone's future reference, I got this working. The LAN rules from the guide were not enough to get my DNS requests working. Not entirely sure why. One of the online posts I found suggested an additional rule that specifically targets port 53 and the destination of ‘firewall’ or the router gateway IP. Initially, this did not work for me. However, I turned on logging for that rule and gave it a particular category and description. When I could not find it in the logs I knew something was up. The packets were being passed by the other rules from the guide before it got to my specific DNS rule. Now, I don’t know why the guide rules would pass these packets and not forward the returns, but that is exactly what it appears to be doing. I could even see the messages in the log where packets returned from the VPN interface to the router's port 53, but somehow that was not producing a return packet to the calling lab client. Weird. Anyhow, because my DNS rule was never triggering, I knew it was too late in the rule list. I moved it above the rest of the rules specified by the NordVPN guide and BINGO. As soon as the specific rule started triggering on these packets, I started getting return DNS messages. FQDNs started resolving fine and I was in business.
Sorry for the lack of logs. I ran out of time last night and had limited options for harvesting the logs due to posting from iOS on an isolated network. I'll have logs posted this evening.
Based on my read of the logs however, two things jumped out. First, there was an entry that read 'Could not identify protocol IPv4/IPv6'. Could not really tell if this was an error. Other posts from the net indicate it might not be.
The other thing was that it could not resolve the host name for the Nord server. So, it's literally not connecting to the VPN at the network level. I am not sure if this is a DNS or firewall issue. I faithfully followed the instructions surrounding both from the NordVPN guide.
Can't help but feel like there is a blind assumption in the guide that is unaccounted for. For example, the guide gives DNS servers to enter into the DNS settings, but are these servers visible from the DMZ or only from the VPN? If it is the latter, how would the router be able to resolve a FQDN for the VPN server in the first place?
Another thing I am seeing is that I cannot ping the fiber modem from the router. I can't account for this. If I plug the modem directly into my laptop, I can ping it and it has a local IP (192.168.1.x). But it is not visible to ping from OPNsense. Though I can ping the laptop from the lan interface. That leads me to believe that I have a firewall rule problem.
I did find that the configuration of the wan interface was block 'bogon' packets. I turned that off once I figured out wtf a 'bogon' was. But it did not change the problem, much to my eternal rage.
This shit is way too complicated. I would not even bother if I did not have to figure out a way to bypass AT&T throttling. I don't even care about the throttling so much as the fact that their packet inspection adds so much latency to my connection that it is unusable. I fucking hate 21st Century internet.
Just wanted to say thanks to all. I did get it working. But, I had to use bits and pieces of each HOWTO to get it working. But, it is working. And, now that it's working on Opnsense running as a VM on my NAS, I'm not sure the performance is satisfactory. I probably need to play around with it a little. But, using the Mullvad app on my PC is about twice as fast as routing my PC through the VPN gateway.
My VPN gateway (Opnsense) is configured to use 2 cores, 4 threads and 4GB of memory from TrueNAS. Since my NAS is only running a Xeon E-2146G with 6 cores and 12 threads, I can't dedicate a lot more resources. So, I'm not sure what my long term solution to a whole home VPN gateway should be. Maybe a Protectli device would work better. That would free up resources on my NAS.
In the introduction of the link you sent, it has the following:
"For an example of configuring the peer at a VPN provider (Mullvad), see Step 1 of the how-to WireGuard MullvadVPN Road Warrior Setup."
When you follow that link, in the introduction, it refers you to another page:
MullvadVPN is a cloud-based VPN provider, offering secure tunneling in respect to privacy. To set up a WireGuard VPN to MullvadVPN we assume you are familiar with the concepts of WireGuard and that you have read the basic howto WireGuard Road Warrior Setup.
Which finally leads you to exactly where I started. I was trying to work my way back. But, if the introduction leads you to prerequisites, it's prudent to follow them, is it not?
1 - I just went with the default install options and just make sure to keep a backup of my config
2 - Do NOT use VLAN 1 for anything. It's usually the default VLAN and could create connectivity issues and also security issues down the road should you get a new piece of kit and plug it into your network. In my home network I have 12 VLANs. Both firewalls get their own IP from the ISP. This way I can mess around with the main firewall during the work day and not affect WFH.
RIPE - RIPE Atlas Probe - WAN access only
WFH firewall:
LAN - Same as above LAN so I can monitor firewall with SNMP
WORK1 - For devices from employer 1
WORK2 - For devices from employer 2
DMZ2 - Separate DMZ from the one above
3 - I block all inbound aside from a few IP Blocks from my mobile provider. I do this using Aliases and GeoIP.
4 - I use Pi-Hole for all my LAN devices, which get their addresses manually entered or from DHCP on the firewall. All other devices use the firewall itself. I use Quad9 as my main DNS servers.
5 - ProtonVPN. The only provider I trust. Based in Switzerland and the speeds are great.
Yep, I tinkered with the router config for pfsense that they supplied, but I couldn’t get it working.
Given the opnsense how-to I linked to, can you see what’s potentially different compared to the pfsense config provided by Mullvad?
> So I can keep the CF proxy on, use the CF cert to HAProxy on OPNSense, and win that way?
Yep. If it all handshakes correctly, you're winning. The extra step I'd go is to get the list of IPv4s (or 6s, it's there too) and block access to 80/443 except from those IPs (since you're coming in from a proxied CF config). Gives you a little added security not to get crawled.
> What method/technology did you use to set up your internal DNS? Is there a guide for what you did?
OPNsense has a perfectly good DNS server in Unbound (DNS resolver). Hand out OPNsense as the DNS server to your DHCP clients (or configure them for static ones) and set up your internal resolutions in the DNS resolver. Set up forwarding for outside requests to go back up to CF or Google or whoever you use. OPNsense themselves have a pretty detailed doc about it.
> Aside from the personalized CF cert (what's the benefit?), what else is there for the $10/mo?
Nope lol.
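Pulling together the two replies above (DNSSEC validation for integrity, DoT forwarding for confidentiality, and Unbound serving the internal names itself), here is a minimal unbound.conf for a standalone Unbound install. This is an added example, not configuration from any of the posters or from the OPNsense docs; the internal zone home.lan, the 192.168.1.10 host and the CA bundle path are assumptions.

```conf
server:
    # DNSSEC validation gives integrity of answers, not confidentiality.
    # Assumes root.key was seeded once with unbound-anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    val-permissive-mode: no
    # CA bundle used to verify the DoT upstream's certificate (path is an assumption)
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    # Internal names answered locally and never sent upstream (constructed values)
    private-domain: "home.lan"
    local-zone: "home.lan." static
    local-data: "nas.home.lan. IN A 192.168.1.10"
    local-data-ptr: "192.168.1.10 nas.home.lan"
    # Answer only for the LAN, not for whoever can reach the socket
    interface: 0.0.0.0
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

# Everything not answered locally goes to Cloudflare over TLS on 853.
# The #authname part makes Unbound check the certificate name as well.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

Run unbound-checkconf before reloading; on OPNsense the same settings live in the Unbound GUI (DNS over TLS, Overrides) and the custom options box rather than in this file.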
You can use the classic Shield's Up site to scan your network: https://www.grc.com/x/ne.dll?bh0bkyd2
You can also use Shodan, although it requires creating an account and some know how regarding API requests. https://www.shodan.io/
Unfortunately, OpenWRT support for the Broadcom wireless in RT-AC68U is partly supported for 2.4GHz and not at all for 5GHz (https://openwrt.org/unsupported/wifi_2.4ghz_partly)
I can't even use 2 SSID using OpenWRT, what a bummer :(
I'm running a protectli vault 6 (https://www.amazon.com/gp/product/B076B6SWG5/ref=ppx_yo_dt_b_asin_title_o05_s00?ie=UTF8&th=1). I run DHCP from Opnsense, and use unbound to do DNS over TLS to CloudFlare...and to create the state records in DNS. I run Adguard on the same box as a plugin to do the "pihole" type dns filtering. Love it.
Will this work? Kingston A400 SSD Internal Solid State Drive M.2 2280 SATA Rev 3.0, 120GB - SA400M8/120G https://www.amazon.co.uk/dp/B07P22T3VD/ref=cm_sw_r_cp_api_glt_fabc_X0591YERTCKSKYW1BSJ3?_encoding=UTF8&psc=1
Hard to go wrong with the APC units you can get on Amazon. Make sure it has the ability to connect to your machine via usb or by network.
For example, https://www.amazon.com/dp/B06VY12HW4/ref=cm_sw_r_cp_api_glt_fabc_3XKW0DAN2R0A7S93R0CJ
I've managed a bit of a hack to get this working. I've made my normal WAN gateway have priority and created a rule for internet traffic on the LAN (e.g. !internal) to go via the NordVPN, and that seems to be working. It feels like a bit of a hack; I'd prefer the NordVPN to be the priority gateway (just in case), but unless someone has a better idea, this works for now.
It's a combination of different things. Two firewall rules each pointing to separate Mullvad servers. Also a no-wan rule so any traffic I am routing via Mullvad won't fall back to WAN if both Mullvad servers go down.
Maybe I can upload some Imgur screenies if needed.
No because I use neither. But I wouldn’t have thought so. WG uses its own crypto, so I wouldn’t have thought LibreSSL vs OpenSSL would make a difference.
I did specify the max MSS for my Mullvad WG interface as being 1380, given some recommendations I had seen. But I was still able to connect without that.
You need to configure the console settings in "System: Settings: Administration". Under console you'll see secondary console, just select serial console and set the serial speed.
Make sure you have the right serial cable. I thought the serial port on my router was faulty, but it turned out I needed a nulled cable. Rookie serial user mistake that was! Hopefully you know you've got the right serial cable required for your unit. Nulled cable just means it flips the RX and TX around, so traffic can flow correctly; otherwise device A TX is linked to device B TX, which of course won't work. Needs to be TX->RX and RX->TX.
I would assume something like this is what you need... https://www.amazon.co.uk/Cisco-Console-Cable-Windows-Vista/dp/B01AFNBC3K/
Take a look at this setup guide here. The part I’m referring to is step 6 and the final section of that table. So the monitor IP. It’s saying to use the endpoint server IP. And not the public IP. I actually guess I can’t find that internal IP of the wireguard interface on the Mullvad server anywhere.
This is what I used:
https://www.amazon.com/PLINKUSA-RACKBUY-Rackmount-Micro-ATX-IPC-2360F/dp/B01LX0SO53
I had plenty of rack space, so I wasn't limited to 1U, and I wanted to have room for standard parts and air flow.
> This is what I used:
>
> https://www.amazon.com/PLINKUSA-RACKBUY-Rackmount-Micro-ATX-IPC-2360F/dp/B01LX0SO53
>
> I had plenty of rack space, so I wasn't limited to 1U, and I wanted to have room for standard parts and air flow.

This is not a bad idea. I ended up buying a $27 shelf on Amazon that's vented to stuff in the rack; it's also about 2U with the ThinkCentre machine. I may have to consider returning this as I have an ITX board/memory/processor in my pile of "stuff".
> Kettop I5 Firewall Box Mi6200U Firewall Micro Appliance Core I5-6200U,2.3Ghz (Barebone WiFi) AES-Ni,Dual Core Active Cooling,6 Intel Gigabit Ethernet,Mini Pc Firewall Router
>
> Via: https://www.amazon.com/dp/B08NPNYMW4/?coliid=I15X2UZZA97XNK
This looks great, but unavailable in the states.
I've recently replaced our router with:
Kettop I5 Firewall Box Mi6200U Firewall Micro Appliance Core I5-6200U,2.3Ghz (Barebone WiFi) AES-Ni,Dual Core Active Cooling,6 Intel Gigabit Ethernet,Mini Pc Firewall Router
Via: https://www.amazon.com/dp/B08NPNYMW4/?coliid=I15X2UZZA97XNK
For #1, check the settings under Firewall. There's a setting there for "Reflection for port forwards". Enabling that should solve your problem. If it's already enabled then I'm at a loss. Lol.
For #2, run a Pihole or another instance of Ad Guard Home on another VM or server. Add that instance to your VLAN that you want to go out over Mullvad and have that Ad Guard query Mullvad's DNS directly without using your OPNsense unbound. I don't know AdGuard Home but for Pihole there is a pretty good community script to sync settings between multiple instances.
Edit: fixing iPhone autocorrect madness.
What about a NAT on the LAN interface (Unbound) with source from :53 and destination to Quad9:53, redirected to the Mullvad DNS IP?
I'm just not sure, when DNS gets forwarded, whether it returns to the forwarder or returns to the original sender (e.g. from Quad9 does it go back to Unbound and then back to AdGuard and then back to the original sender, or does it go from Quad9 back to the original sender?).
I used to have a lot of problems with my site to site tunnel where it only worked half of the time.
I was running 1 site-to-site, one regular WG server for phone, laptop etc. and one Mullvad connection that I could route specific traffic through.
What eventually solved it for me was when I made an interface/gateway for each of the above; after that everything works great all the time :-)
One indicator I had of a faulty system was when I ran a traceroute to the site-to-site end it tried to go through one of the other WG interfaces. That's why it was so important to create specific gateways to specify the route manually.
Most people call remote access VPN a road warrior: people who travel a lot and need to access the network. I have 3 different setups. Site-to-site between my main and remote sites. Access from anywhere from laptop, phone, etc. And Torguard. I don't use Mullvad, but what I have is Torguard as my VPN provider. I know the Torguard is working for me since it is outbound traffic. The site-to-site and remote access are both inbound. I have not tried the site-to-site yet, but the way the remote access is behaving, I can assume that it will fail. I know that I need a gateway for the Torguard since I may need to route some/specific traffic to this tunnel. I don't think I would need the gateways for the site-to-site and remote access.
Nslookup lists all the DNS servers that I have set up in the general settings with different response times in ms. The top one listed is the box itself 127.0.0.1. The others are Google's 8.8.8.8, 8.8.4.4, then 1.1.1.1, and I also see the ones NordVPN provides.
I don't know what Dig is, sorry.
I have Unbound DNS enabled because I have an OpenVPN Client set up on the OPNSense box to NordVPN and their instructions require you to enable it. A subset of my devices is set up to route to that NordVPN interface/gateway via specific firewall rules (floating). Note that these sites are inaccessible to me regardless of which device I use to access it, either through NordVPN interface or otherwise.
DNS Query Forwarding is not enabled on Unbound DNS. DNS Blacklists is not enabled. In the Unbound DNS - Advanced Configuration, I have "Hide Identity" and "Hide Version" checked by default.