Greetings.

1) I have configured my home OPNsense firewall as an OpenVPN client connecting to my own Ubuntu OpenVPN server running in the cloud - a DigitalOcean droplet.

2) I have configured the firewall so that I can direct client traffic going through the firewall to exit through the WAN gateway or the VPN gateway based on criteria defined in the firewall rules.

3) I am *NOT* pushing "redirect-gateway" or "dhcp-option DNS" commands from the VPN server to the firewall, though. Thus, by default, traffic goes out the WAN gateway - not the VPN gateway - including *ALL* DNS queries.

4) I have installed/configured "dnscrypt-proxy" on the firewall so that DNS queries go through the proxy (and are encrypted) to the DNS resolver of my choice.

I hope that is clear...

The idea is that I don't want clients that the firewall rules direct through the WAN to depend on the VPN for DNS resolution - in case the VPN is down, for example. But at the same time I want to protect the DNS queries from disclosure to my ISP. So while I'm technically "leaking" the DNS queries for the clients directed to exit through the VPN, those queries are protected with encryption. And at the same time, I am also protecting the DNS queries for the clients directed to exit through the WAN as well.

My question is this: is this a reasonable design? If not, why not?

Thanks!

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
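One way to verify the design above holds in practice, as an added example that is not part of the original post: capture port-53 traffic on the firewall's WAN interface while LAN clients resolve names, then check that nothing tcpdump can decode as a cleartext DNS query left via the WAN (a hit means a client is bypassing dnscrypt-proxy with its own DNS server setting, or the proxy is not in the path). The interface name em0 and the sample capture lines are assumptions; the match on tcpdump's decoded-query format is a heuristic.

```shell
#!/bin/sh
# Added example: cleartext-DNS leak check for a dnscrypt-proxy-fronted firewall.
# Capture on the WAN side while clients resolve names, e.g. (em0 is assumed):
#   tcpdump -nli em0 'port 53' > /tmp/wan53.log
# tcpdump prints a decoded query as "<id>+ <TYPE>? <name>. (<len>)"; encrypted
# DNSCrypt/DoH payload does not decode to that shape, so any match is a leak.

# count_plaintext_dns FILE -> number of packets decoded as a cleartext DNS query
count_plaintext_dns() {
    grep -Ec '[[:space:]][0-9]+[+%$]* [A-Za-z0-9]+\? [^ ]+\. \(' "$1" || true
}

# leaked_names FILE -> the query names that went out in the clear, one per line
leaked_names() {
    grep -Eo ' [A-Za-z0-9]+\? [^ ]+\. \(' "$1" | awk '{print $2}' | sort -u
}

# Constructed sample capture (not real traffic): an encrypted resolver flow on
# 443, one cleartext query to 9.9.9.9 with its answer, and a VPN packet.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
12:00:01.000001 IP 203.0.113.10.40123 > 198.51.100.5.443: UDP, length 512
12:00:01.000002 IP 203.0.113.10.52344 > 9.9.9.9.53: 12345+ A? example.com. (29)
12:00:01.000003 IP 9.9.9.9.53 > 203.0.113.10.52344: 12345 1/0/0 A 93.184.216.34 (45)
12:00:01.000004 IP 203.0.113.10.1194 > 198.51.100.7.1194: UDP, length 1350
EOF

# Report: with the proxy correctly in front of every client this prints nothing.
if [ "$(count_plaintext_dns "$SAMPLE_LOG")" -gt 0 ]; then
    echo "cleartext DNS queries seen on WAN for:"
    leaked_names "$SAMPLE_LOG"
fi
```

Run it against a real capture by replacing SAMPLE_LOG with the path of your tcpdump output; the responses and the encrypted flows are deliberately not counted.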