I’m currently sending traffic from the LAN mainly through a WireGuard VPN interface to the VPN provider peer, having it configured with Allowed IPs: 0.0.0.0/0.
There’s no firewall ‘kill switch’ because, as I’m utilizing PBR, I had to not set it up that way; otherwise it’s not possible for certain devices on the LAN to bypass the VPN.
I’m doing it because I don’t need to route IPTV, for example, through the VPN; that seems excessive to me.
Setting this up raised my awareness of what else I should not delegate to the VPN provider. And since it’s possible to have encrypted DNS, it’s not necessary anymore to have the VPN resolving for my connection, so I chose to do it more locally.
Therefore on the WG VPN interface I checked ‘Use default gateway’ (so I’m expecting the Omnia/Kresd is now fully responsible for DNS queries, caching them) and erased the entries in custom DNS servers, which before held the ones delivered to me in the VPN config.
I rebooted the Omnia and, looking in LuCI at Status - Overview, I can see for both network interfaces: 1) DHCP, WAN ethernet, having DNS 1/2: 192.168.0.1, same as the gateway, and 2) WG VPN - no DNS config.
In reForis for DNS: ‘Use forwarding/Enable DNSSEC’ and one of the available choices. The test is OK.
But after checking the DNS behavior as seen from the Internet, the public IP address is the one provided by the VPN. The DNS servers are the ones I chose, so that is OK.
It does work, as 0.0.0.0/0 catches all traffic if the interface is up, so by default that is as expected - the VPN provider isn’t resolving, but the query is sent through the VPN.
Therefore I expanded the PBR with one more entry for DNS and, since it’s hosted on the Omnia (should it be the gateway IP?), set that up for 192.168.0.1:443 853 (ports in case I decide to use custom DNS and it’s DoH instead of DoT).
After running the check again, switching between multiple DNS providers (also custom), the result is the very same: the DNS IPs are OK, but my IP is still the VPN one, not my ISP one.
If I curl from an ssh session on the Turris it’s the VPN’s also; if from the devices with an already established PBR rule for it, it’s the ISP’s IP.
Logs from /var/log/resolver:
19 15:50:22 TO kresd[5276]: [system] warning: hard limit for number of file-descriptors is only 4096 but recommended value is 524288
19 16:01:49 TO kresd[9185]: [system] warning: hard limit for number of file-descriptors is only 4096 but recommended value is 524288
20 12:39:29 TO kresd[7324]: [system] warning: hard limit for number of file-descriptors is only 4096 but recommended value is 524288
20 16:22:42 TO kresd[7324]: [taupd ] active refresh failed for . with rcode: 2
20 22:57:22 TO kresd[7324]: [taupd ] active refresh failed for . with rcode: 2
20 23:36:51 TO kresd[13619]: [system] warning: hard limit for number of file-descriptors is only 4096 but recommended value is 524288
21 15:35:40 TO kresd[13619]: [taupd ] active refresh failed for . with rcode: 2
(Searching here for what it means - the file descriptor one should be OK, that is a standard message after restart(?), probably as I changed the DNS server. The rcode: 2 however I have no idea about, but that’s outside the scope of this post.)
nslookup example.xyz from the Omnia returns 127.0.0.1:53, since that’s where the Kresd process resides on the machine, I suppose. From the LAN the machines respond 127.0.0.53#53 for nslookup, pointing to the Omnia.
tcpdump should show me Omnia (192.168.0.1) > WAN or WireGuard connections.
So from ssh on the Omnia:
tcpdump -ttti eth2 src 192.168.0.1 and port 443 or 853
This one prints nothing; that’s the WAN, so here I’m expecting to see what wg0 is returning.
tcpdump -ttti wg0 src 192.168.0.1 and port 443 or 853
The last one captures and returns quite a lot of ‘dns10.quad9.net.853 > 172.27.123.XXX.58237’, as the page testing DNS does even 100+ queries.
Having the rule in PBR doesn’t work for traffic from the Omnia on those ports.
Where’s my mistake if someone could spot it?
Thank you all.
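As an added example for the tcpdump checks in the post above (not the poster's code, and not part of Turris OS, OpenWrt or the pbr package), here is a small Python script that parses plain "tcpdump -ttt -i <iface>" output and summarizes, per interface, how many encrypted-DNS packets are the query side (towards port 853/443) and how many are the reply side (from port 853/443), together with the source addresses of the outbound packets. Two points it makes visible: in pcap-filter syntax "and" binds tighter than "or", so a filter like "src A and port 443 or 853" is really "(src A and port 443) or port 853" and also matches every reply coming from port 853, which is the direction shown in the captured line; and on an egress interface the router's own packets carry that interface's address (the tunnel or WAN address), never the LAN address 192.168.0.1. The tunnel address 172.27.123.45, the WAN address 203.0.113.10 and all capture lines are constructed, not real captures.

```python
"""Summarize encrypted-DNS (DoT/DoH) flows per interface from tcpdump text output.

Added example for the tcpdump checks in the post above; it is not the poster's
code nor part of Turris OS, OpenWrt or the pbr package. It assumes plain
"tcpdump -ttt -i <iface>" output with name resolution left on, as in the post.
The router's tunnel address 172.27.123.45 and the WAN address 203.0.113.10 are
hypothetical, and every capture line below is constructed, not captured.
"""
import re

ENCRYPTED_DNS_PORTS = {443, 853}  # 443 = DoH, 853 = DoT

# "<delta> IP <src>.<sport> > <dst>.<dport>: ..."  Hostnames contain dots, so the
# port is the last dot-separated field of each endpoint.
LINE_RE = re.compile(
    r"^\s*\S+\s+IP6?\s+(?P<src>.+?)\.(?P<sport>\d+)\s+>\s+(?P<dst>.+?)\.(?P<dport>\d+):"
)


def parse_line(line):
    """Return (src, sport, dst, dport) for one tcpdump line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def classify(pkt):
    """'outbound' = query side towards a DoT/DoH port, 'reply' = server side back, else 'other'."""
    _src, sport, _dst, dport = pkt
    if dport in ENCRYPTED_DNS_PORTS:
        return "outbound"
    if sport in ENCRYPTED_DNS_PORTS:
        return "reply"
    return "other"


def summarize(captures, router_addrs):
    """captures: {iface: [tcpdump lines]} -> per-interface counts and outbound source addresses.

    On an egress interface the router's own packets carry that interface's address
    (the tunnel or WAN address), never the LAN address, which is why a filter on
    'src 192.168.0.1' matches nothing on eth2 or wg0. router_owned_sources shows
    which outbound sources belong to the router itself. Caveat: with masquerading
    enabled on the zone, forwarded LAN traffic uses the same source address.
    """
    summary = {}
    for iface, lines in captures.items():
        counts = {"outbound": 0, "reply": 0, "other": 0}
        sources = set()
        for line in lines:
            pkt = parse_line(line)
            if pkt is None:
                continue
            kind = classify(pkt)
            counts[kind] += 1
            if kind == "outbound":
                sources.add(pkt[0])
        counts["outbound_sources"] = sorted(sources)
        counts["router_owned_sources"] = sorted(sources & set(router_addrs))
        summary[iface] = counts
    return summary


def bpf_filter(router_addrs):
    """Build the capture filter with explicit grouping.

    In pcap-filter syntax 'and' binds tighter than 'or', so
    'src A and port 443 or 853' means '(src A and port 443) or port 853' and
    also matches every reply packet coming from port 853.
    """
    hosts = " or ".join(f"src host {a}" for a in sorted(router_addrs))
    ports = " or ".join(f"port {p}" for p in sorted(ENCRYPTED_DNS_PORTS))
    return f"({hosts}) and ({ports})"


# Constructed sample data (hypothetical addresses, see module docstring).
ROUTER_ADDRS = {"192.168.0.1", "172.27.123.45", "203.0.113.10"}
SAMPLE = {
    "eth2": [
        "00:00:00.000000 IP 203.0.113.10.51000 > 198.51.100.7.80: Flags [S], seq 5, win 64240, length 0",
    ],
    "wg0": [
        "00:00:00.000000 IP 172.27.123.45.58237 > dns10.quad9.net.853: Flags [S], seq 10, win 64240, length 0",
        "00:00:00.021000 IP dns10.quad9.net.853 > 172.27.123.45.58237: Flags [S.], seq 20, ack 11, win 65535, length 0",
        "00:00:00.000400 IP 172.27.123.45.58237 > dns10.quad9.net.853: Flags [.], ack 21, win 64240, length 0",
        "00:00:00.019000 IP dns10.quad9.net.853 > 172.27.123.45.58237: Flags [P.], seq 21:100, ack 11, win 65535, length 79",
    ],
}

if __name__ == "__main__":
    for iface, counts in summarize(SAMPLE, ROUTER_ADDRS).items():
        print(iface, counts)
    print("filter:", bpf_filter(ROUTER_ADDRS))
```

To use it on a real box, save the output of the two captures to files, read each file into the corresponding list in the captures dict, and pass the addresses shown by "ip addr" for br-lan, wg0 and the WAN interface as router_addrs. The filter returned by bpf_filter() only narrows the capture to packets the router itself sends towards DoT/DoH ports; it cannot by itself tell the router's own queries apart from masqueraded LAN clients' queries, so compare it against a device that already has a PBR rule, as the post does.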