On 2022-09-14, Michael <m...@spicemail.cc> wrote:
> Hello,
>
> I was hoping to get some clarification on a warning I noticed today 
> after running wg-quick (part of wireguard-tools) to connect to a 
> commercial VPN provider. I run OpenBSD 7.1, with all the patches 
> installed.
>
> The notice was:
>
> "[!] WARNING: unwind will leak DNS queries"
>
> I was not able to find any discussion of this on the internet.

https://github.com/WireGuard/wireguard-tools/commit/84ac6add7e

> My purpose in using unwind is to reduce the need for third-party DNS 
> queries (primarily for privacy). Is wg-quick saying that unwind may leak 
> the queries to the VPN provider? If that is the case I am not concerned.  
> The VPN provider has a connection check that says "No DNS leaks". 
>
> What I would want to know is if my DNS queries are visible to 
> my ISP. I thought that they are not, with unwind + VPN, but this warning 
> causes some doubt.
>
> Any advice on how to clear this up would be appreciated.

I would use "rdomain 2" on the network interface for the standard internet
connection and "wgrtable 2" on the wg(4) interface so that wg uses that
interface for its upstream connection, with the default route pointing over
the wg(4) interface. That way all other traffic from the machine can only
go over the wg tunnel.

I don't know how (or whether it's possible) to translate this to wg-quick,
I just configure it myself in hostname.wg<number> files.

-- 
Please keep replies on the mailing list.
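As an added illustration of the rdomain/wgrtable layout described in the reply (not configuration from the poster or the VPN provider; the interface name em0, the keys, the tunnel addresses and the endpoint are placeholders), the two hostname.if(5) files could look like this:

```conf
# /etc/hostname.em0 -- physical uplink, moved into routing domain 2 (em0 is a placeholder name)
rdomain 2
inet autoconf                       # ISP address and ISP default route land in rdomain 2 only

# /etc/hostname.wg0 -- tunnel interface, stays in rdomain 0 but sends its UDP upstream via rdomain 2
wgkey PRIVATE_KEY_PLACEHOLDER
wgrtable 2                          # encrypted packets to the endpoint use rdomain 2's routing table
wgpeer PEER_PUBLIC_KEY_PLACEHOLDER wgendpoint 203.0.113.10 51820 wgaip 0.0.0.0/0
inet 10.0.0.2/24                    # tunnel address given by the VPN provider (placeholder)
!route add -inet default 10.0.0.1   # the only default route in rdomain 0 is over the tunnel
```

Because unwind(8) and everything else run in rdomain 0, which has no path to the ISP except through wg0, a DNS query can only leave the machine inside the tunnel; `route -n show -inet` (rdomain 0) and `route -T 2 -n show` let you confirm that split after reboot.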