Apologies in advance for any silly questions - I'm about as beginner as you can get.
My current set up is as follows:
- LAN: Client (macbook, etc) -> RPi4 (running the RPi4 community build of OpenWrt) -> different RPi4 (Pi-hole -> Unbound as upstream DNS server) -> WAN
- WLAN: Client (iPhones, etc) -> TP-Link AX-1500 (WAP) -> RPi4 (OpenWrt) -> different RPi4 (Pi-hole -> Unbound) -> WAN
What I would like to accomplish is something like this:
- LAN: Client -> RPi4 (OpenWrt) -> RPi4 (Pi-hole -> Unbound) -> RPi4 (Mullvad with Wireguard) -> WAN
- WLAN: Client -> TP-Link AX-1500 -> RPi4 (OpenWrt) -> RPi4 (Pi-hole -> Unbound) -> RPi4 (Mullvad with Wireguard) -> WAN
In essence, I'd like all of my local traffic to be routed through Mullvad, but before entering the tunnel, be routed through a separate RPi4 with Pi-hole and Unbound as the upstream DNS server.
So far, I've managed to get to a point where some of my traffic gets properly routed Pi-hole + unbound first (DHCP advanced setting "6,pi-holeip"), then through Mullvad, but other sites never properly resolve (this is the problem I'm facing):
- When I look at the query log on Pi-hole, a number of requests end up with a reply of "SERVFAIL" or "NXDOMAIN" with a status saying "Retried", or when there is a status saying "OK (forwarded to localhost - unbound)", the reply is "N/A." This results in me not being able to access a number of websites.
Some potential problem areas I considered were:
Firewall zones (here's my current config):
Zone -> Forwardings
lan -> WGZ0: input (accept), output (accept), forward (accept)
wan -> REJECT: input(reject), output (accept), forward (reject)
WGZ0 -> lan: input (reject), output (accept), forward (reject)
WG zone config:
- masquerading on
- MSS clamping on
- allow forward to lan
- allow forward from lan
Mullvad WG interface config (configured mostly according to Mullvad documentation with the primary exceptions being not using their DNS server):
- Listen Port: 51280
- IP Addresses: IP from Mullvad
- No Host Routes (unchecked)
- Use built-in IPv6-management (checked)
- Force Link (checked)
- Metric = 0
- MTU = 1420
- Public Key: key from Mullvad servers
- Allowed IPs: 0.0.0.0/0
- Route allowed IPs (checked)
- Endpoint Host (IP of Mullvad server)
- Endpoint Port (Port from Mullvad server)
- Persistent Keep Alive = 25
I've tried playing around with the MTU values and endpoint port to no avail.
Unbound config on the other RPi4 (configured according to Pi-hole documentation):
Unfortunately, I'm a bit stumped as to where to go from here. Some sites continue to load properly through Pi-hole/unbound -> Mullvad while others never seem to make it out. It may also be worth noting that when there is no WG interface configured on OpenWrt, all traffic is properly resolved by Pi-hole and Unbound.
Please let me know if you need any further explanation of the problem (OpenWrt only allows me to post one picture in my post for some reason). Thanks!