This is because all your traffic is going out the WireGuard interface. You have to use a DNS server that can be reached through the tunnel and not local. Otherwise you have a potential DNS leak situation.
You are only going to “leak” DNS if you set DNS that is not Proton. And I'm saying “leak”, because from Proton's perspective, anything that is not their DNS is considered leaking, which is not really true. From your perspective, if you are not leaking DNS from your ISP, there is no DNS leak. To test it, go here and scroll down and check the DNS Addresses field. As long as you don't see your ISP's DNS in that list, you are not leaking and everything is fine.
Just to pick this up again, as I was facing the same issue.
I have several other local services that I have running like Immich and Seafile, does this mean when using the privacy VPN I can no longer have a direct connection locally to these services? Or would it be fine as long as I use a public DNS server that has the same local records?
Also, would there be any way to use some policy routing or something similar to still use my two local AdGuard Home instances as the resolver?
Something to consider. You can set your client(s) to use your AdGuard Home instances for DNS. For public DNS resolution, configure the AdGuard Home instances to forward to Quad9 (or the public DNS of your choice) via DoH. Then for local DNS resolution, you have a few options:
1 - Configure your AdGuard Home to forward local resolution to your UCG. On your UCG, make sure to set up DoH to Quad9 (or whatever you prefer) in case your UCG decides to forward the query to public DNS. Your ISP will see you making an HTTPS connection to the DNS service, but they will not be able to view the details.
2 - Add your local DNS records to the AdGuard instances themselves, and ensure nothing gets forwarded to your UCG.
3 - Point your clients to your UCG for DNS, and configure your UCG to forward to your AdGuard Home instances.
With all options you then, via policy, route your AdGuard instances out the same privacy VPN tunnel for when they forward to public DNS. You could even route them out a different VPN tunnel if you wish to keep them separate from your other traffic.
I believe this might still be considered a DNS leak. But the question is, are you okay with the limited leakage? (Do you trust the public DNS provider you're forwarding to?)
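As an added illustration that is not part of the thread, here is what options 1 and 2 above look like in an AdGuardHome.yaml fragment: public names go to Quad9 over DoH, the local zone is forwarded to the UCG, and a couple of local records are answered by AdGuard Home itself so they never reach the UCG. The zone name `home.arpa`, the hostnames and all IP addresses are made-up assumptions for the example; the key names follow recent AdGuard Home releases (in older releases `rewrites` lived under `dns:` rather than `filtering:`), so check them against the config your instance writes.

```yaml
# Added example (hypothetical values), not from the thread.
dns:
  bind_hosts:
    - 0.0.0.0
  port: 53
  upstream_dns:
    # Public resolution: Quad9 over DNS-over-HTTPS. The ISP only sees a TLS
    # connection to dns.quad9.net, and the AdGuard host is policy-routed out
    # the privacy VPN tunnel anyway.
    - https://dns.quad9.net/dns-query
    # Option 1: conditional forwarding. Only names under the local zone
    # (assumed here to be home.arpa) are sent to the UCG (assumed 192.168.1.1),
    # which holds the DHCP/host records. Everything else uses the DoH upstream.
    - '[/home.arpa/]192.168.1.1'
  # bootstrap_dns is used once to resolve the DoH hostname itself; pointing it
  # at Quad9's own IPs keeps that single plaintext lookup with the same provider.
  bootstrap_dns:
    - 9.9.9.9
    - 149.112.112.112
  upstream_mode: load_balance

filtering:
  # Option 2: answer local records locally so they never leave AdGuard Home.
  # With these in place the [/home.arpa/] forward above can be dropped if you
  # want nothing at all forwarded to the UCG.
  rewrites:
    - domain: immich.home.arpa
      answer: 192.168.1.20
    - domain: seafile.home.arpa
      answer: 192.168.1.21
```

With this in place, clients that are handed the AdGuard Home addresses by DHCP still reach Immich and Seafile by name on the LAN, while every public lookup leaves the AdGuard host as DoH. The remaining "leak" is exactly the one the post describes: Quad9 (or whichever upstream you pick) sees your queries, so the decision is whether you trust that provider. If you policy-route the AdGuard hosts out the VPN tunnel, make sure the route does not also capture the `[/home.arpa/]` traffic to the UCG; that forward must stay on the LAN.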