Policy routing to private IP on a VPN network


I’ve set up policy routing with policy routing to a privacy VPN provider setup. I’ve been using this for a while, successfully with OpenVPN and Wireguard gateways. I’m wondering what the best way to route to an IP on the VPN would be. For example IVPN have internal DNS servers on,, These route just fine from my LAN side but not for the firewall itself. PIA also has internal DNS servers so I am wondering if @lts_tom has been able to access those from his router.

When trying to ping one of those IPs from the firewall itself, I see a request on my WAN interface from my WAN IP address. Obviously that is not going to work as these are local IPs and needed to be routed over the VPN gateway.

I want is to be able to route those specific DNS servers over IVPN_GATEWAY_GW when they originate form the firewall. That way when the Unbound service forwards to them, there won’t be any leaks around the VPN. I feel this should be some kind of floating rule:

  • Interface: WAN
  • Direction: out
  • Destination:
  • Gateway: IVPN_GATEWAY_GW
  • Set local tag: vpn_only_ipv4

I’ve tried with various rules in the floating table such as this one and it hasn’t worked so far. :frowning:

You need to create a static route for the LAN address to the VPN provided network.

1 Like

I think your approach is flawed :slight_smile: though I will equally confess I don’t fully understand DNS and VPNs.

Though I see you are trying solve the problem of DNS leaks which I think is the actual issue. If your VPN provider changes their DNS ip then your static route will fail.

I use AirVPN and as far as I can tell I use their DNS servers, however, I use a vlan and the gateway exits via VPN. If the VPN gateway fails, the kill switch kicks in and all traffic stops. It seems to work. I have a DNS redirect for that vlan.

I’ve been playing around with 23.05 and noticed that on the OpenVPN client there is a new entry to use the servers DNS, I believe this is what I have already done without actually knowing how :crazy_face:

I can also say when I do leak tests, they pass so I’m doing something right. Setting up a vlan for VPN traffic might seem a pain but it seems less to think about once setup.

That was the issue. I solved this by making a route to the VPN gateway. Thanks for prompting me about that :+1:

That’s to be expected but it is unlikely that those internal private IP addresses would change, especially regularly, they are static. I do have other NAT rules which redirect usage of common DNS servers like to be the IP address of my router, which provides DNS via Unbound. The VPN’s DNS server is only used by the router’s Unbound instance to resolve queries not on my LAN.

It obviously does mean I’m limited to using regular DNS (not DoH or DoT), but as that is going over a Wireguard tunnel to a server on my VPN provider’s network, there is no benefit to using DoH or DoT. If I used something like cloudflare-dns.com or dns.quad9.net then that’s true I wouldn’t be able to predict the IP of the DNS server.

I have my router configured to not use my ISPs DNS servers. My Wireguard config has static endpoint addresses specified.

Sure that works for the LAN side of things.

I think the DNS option overrides the DNS servers pushed by the server. I didn’t notice that option in opnsense however. Nothing in the openvpn man file either, except for on Windows. In any case I’m using a Wireguard tunnel which doesn’t have that feature.

What I like about Wireguard as opposed to OpenVPN for this is that there are a lot less settings required. You literally only need 4 things:

  • edit a local configuration
    • pass the public key to the VPN provider
    • set the tunnel addresses they give you.
  • edit an end point to connect to:
    • specify the endpoint IP/Port and
    • it’s public key

One of the things about Wireguard is that the local address is not dynamic and passed over the tunnel like OpenVPN. I only use it for pseduo-anonymity to shield my public IP address from services. For anything where stronger anonymity is required there really is no substitute for Tor.

IVPN has a technical write up about their implementation here: Using WireGuard® for Privacy Protection - IVPN Help. It details some differences between OpenVPN and Wireguard when used in the context of a privacy provider.