Help with Unifi Proton Privacy VPN issue

Hi everyone

This is my first post here :slight_smile:

I am struggling to get Proton privacy VPN to work.

I am on the latest UniFi OS and firewall version on a new UCG Max.

I followed Tom’s excellent guide:

  • I used the downloaded WG config file
  • I attached the network to the client.
  • Created an object policy with kill switch.

I am unable to connect online. The troubleshooting I’ve done so far:

  • Moved the network to the open zone to ensure it’s not a FW rule issue
  • Changed the config to different countries
  • Tried WG and OpenVPN
  • tried wired and wireless
  • Created new network

It seems that the kill switch stops the VPN client from resolving DNS.

Any help appreciated

Thank you Tom for all the education you’ve done over the years to secure our home :hugs:

1 Like

This is because all your traffic is going out the WireGuard interface. You have to use a DNS server that can be reached through the tunnel and not a local one. Otherwise you have a potential DNS leak situation.

1 Like

Thank you so much for this.

I am puzzled because Tom didn’t seem to need to do this in his tutorial, and the config file from Proton does contain a DNS.

How do I set up this DNS? Is it inside UniFi or on the end device?

Sorry for the newbie question :blush:

Thanks Again

You can use Proton DNS or Quad9.

1 Like

Just keep in mind that if you use any other DNS than Proton’s, you will “fail” their DNS leak test. And to be clear, that’s completely fine.

1 Like

Thanks @xMAXIMUSx & @svirepi

That has certainly worked on my laptop and phone :smile:

Is this not going to leak DNS?

Still feels weird that I have to do this and Tom didn’t need this step!

Much appreciated again

You are only going to “leak” DNS if you set a DNS that is not Proton’s. And I’m saying “leak”, because from Proton’s perspective, anything that is not their DNS is considered leaking, which is not really true. From your perspective, if you are not leaking DNS from your ISP, there is no DNS leak. To test it, go here and scroll down and check the DNS Addresses field. As long as you don’t see your ISP’s DNS in that list, you are not leaking and everything is fine.

Because his DNS was probably set to Quad9 in his DHCP settings.

This is my setup if someone is interested.
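The two checks described in this thread, as an added example that is not part of any post above and not Proton's or Ubiquiti's own tooling: first, whether each resolver named in a WireGuard client config is actually reachable through the tunnel given its AllowedIPs (a LAN resolver that gets routed into a full tunnel is exactly the "kill switch stops DNS" symptom), and second, the leak test as the reply defines it, where a leak means an observed resolver that belongs to the ISP. The config text, the LAN subnet and the ISP resolver range are constructed sample values, not real Proton endpoints.

```python
import ipaddress

# Constructed sample config in the shape VPN providers hand out. Keys are
# redacted placeholders and the endpoint is an RFC 5737 documentation address.
SAMPLE_WG_CONFIG = """
[Interface]
PrivateKey = <redacted>
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
PublicKey = <redacted>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.10:51820
"""


def parse_wg_config(text):
    """Return (dns_entries, allowed_networks) from a WireGuard .conf string."""
    dns, allowed = [], []
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if section == "interface" and key == "dns":
            dns.extend(v.strip() for v in value.split(","))
        elif section == "peer" and key == "allowedips":
            allowed.extend(ipaddress.ip_network(v.strip(), strict=False)
                           for v in value.split(","))
    return dns, allowed


def classify_resolvers(dns_entries, allowed_networks, lan_subnets):
    """Per resolver address, say where its queries will go under this config.

    'via-tunnel'      : covered by AllowedIPs, so queries travel inside the tunnel
    'outside-tunnel'  : not covered, so queries take the normal (ISP) path
    'lan-into-tunnel' : a LAN resolver that AllowedIPs pulls into the tunnel,
                        where nothing answers it; DNS silently stops working
    Non-address entries (search domains) are skipped.
    """
    lan_nets = [ipaddress.ip_network(s, strict=False) for s in lan_subnets]
    verdicts = {}
    for entry in dns_entries:
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            continue
        routed_via_tunnel = any(addr in net for net in allowed_networks)
        on_lan = any(addr in net for net in lan_nets)
        if on_lan and routed_via_tunnel:
            verdicts[entry] = "lan-into-tunnel"
        elif routed_via_tunnel:
            verdicts[entry] = "via-tunnel"
        else:
            verdicts[entry] = "outside-tunnel"
    return verdicts


def isp_dns_leaks(observed_resolvers, isp_resolver_nets):
    """The thread's leak test: any observed resolver inside the ISP's ranges leaks."""
    nets = [ipaddress.ip_network(n, strict=False) for n in isp_resolver_nets]
    return [r for r in observed_resolvers
            if any(ipaddress.ip_address(r) in n for n in nets)]


if __name__ == "__main__":
    dns, allowed = parse_wg_config(SAMPLE_WG_CONFIG)
    # Constructed LAN subnet for the UniFi network behind the gateway.
    print(classify_resolvers(dns, allowed, ["192.168.1.0/24"]))
    # Same full-tunnel config, but DHCP hands out the gateway's own LAN resolver.
    print(classify_resolvers(["192.168.1.1"], allowed, ["192.168.1.0/24"]))
    # Constructed ISP resolver range versus what a leak-test page reported.
    print(isp_dns_leaks(["10.2.0.1", "9.9.9.9"], ["198.51.100.0/24"]))
```

The classifier is a routing heuristic, not a live query: it only reasons about addresses and prefixes, which is enough to explain why a gateway resolver on the LAN stops answering the moment AllowedIPs is 0.0.0.0/0. A public resolver such as Quad9 lands in "via-tunnel", which matches the outcome reported later in the thread.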

LOL man. You are spot on sir :sweat_smile:

I changed the DNS to 9.9.9.9 in the network settings and everything started working.

Now I feel silly!

BTW, what a friendly forum.

Really appreciated

2 Likes