Wireguard DNS leaks with ProtonVPN


I’m trying to get a secure connection between the docker containers on my unraid server and the wider internet via Proton VPN setup. I’ve got the wireguard tunnel configured using the VPN tunnelled access for docker settings and if I connect a browser container to it, when I use the browser to check my IP, it comes up as the host city of my VPN. Yay!

I then go to dnsleaktest and get DNS results in my city rather than in the host city of my VPN. I’ve set the Peer DNS server to the IP of the ProtonVPN DNS, turned off DNS over HTTPS in the firefox container and double checked I’m not passing an address like 1.1.1.1 or something and I’m not… 

Any help getting this configured would be really appreciated!

To address the DNS leak issue when using ProtonVPN and WireGuard with Docker containers on Unraid, we need to ensure that all DNS traffic is routed securely through the VPN. Here’s how to tackle it:

 

Steps to Resolve WireGuard DNS Leaks


Ensure WireGuard Peer DNS Configuration

Make sure your WireGuard configuration explicitly specifies the ProtonVPN DNS server for the tunnel.

Go to the Settings for your WireGuard tunnel in Unraid.

Edit the Peer DNS Server field:

Use ProtonVPN's DNS, typically 10.8.8.1 or as specified in your ProtonVPN configuration.

Save and restart the WireGuard tunnel.

 

Force DNS Traffic Through the VPN

By default, DNS traffic might not be routed through the VPN tunnel, causing leaks. Use these steps to fix routing:

Modify Docker Container Routes:

Ensure the WireGuard tunnel is set as the default gateway for Docker containers connected to the VPN.

To do this, you may need to configure ip route manually for your Docker containers.

Add a route to force all traffic (including DNS) through the tunnel:

ip route add default dev wg0 table main

*Can be added to Web UI network at bottom... This sounds more like an iproute issue...
Replace wg0 with your WireGuard tunnel interface name.

 

Check Container DNS Settings:

cat /etc/resolv.conf

If it doesn’t show the ProtonVPN DNS, force it by adding the --dns flag to your Docker container:

Extra parameters, advanced toggle..

docker run --dns 10.8.8.1 ...

 

Adjust Unraid’s Default Gateway:

Navigate to Settings > Network Settings in Unraid.

Ensure that Unraid itself is not leaking DNS by directing DNS traffic to the WireGuard tunnel:

Set the DNS server to 10.8.8.1 or the DNS IP specified by ProtonVPN.

 

ADVANCED, SHOULD NOT NEED... Iptables...

Use iptables to Enforce VPN Usage

Set up iptables rules to block any traffic that bypasses the WireGuard tunnel.

SSH into your Unraid server.

# Allow forwarded traffic entering and leaving via the tunnel interface
iptables -A FORWARD -i wg0 -j ACCEPT
iptables -A FORWARD -o wg0 -j ACCEPT
# Drop anything from the "nobody" user that tries to leave on a non-tunnel interface
iptables -A OUTPUT ! -o wg0 -m owner --uid-owner $(id -u nobody) -j DROP

Replace wg0 with the WireGuard interface name.

This ensures that any traffic from Docker containers (nobody user) must use the VPN tunnel.

 

Verify DNS Traffic

Once changes are applied:

Reconnect your browser container to the WireGuard network.

Check DNS resolution inside the container:

nslookup google.com

 

Test DNS leaks:

Use dnsleaktest.com or similar to ensure all results point to your VPN host city.
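A scripted version of the verification step above, added here as an example and not part of the reply: run inside the browser container, it checks that every resolver in /etc/resolv.conf is the VPN DNS and that the kernel actually routes that resolver out of the tunnel interface, which is the condition dnsleaktest is indirectly testing. It assumes the wg0 interface name and the 10.8.8.1 resolver from the reply; both can be overridden with environment variables.

```shell
# Added example, not from the thread: a leak self-check to run inside a
# container attached to the tunnel. Assumes the interface name wg0 and
# the 10.8.8.1 resolver from the reply above; both can be overridden.
WG_IFACE="${WG_IFACE:-wg0}"
VPN_DNS="${VPN_DNS:-10.8.8.1}"

# Print the nameserver IPs from resolv.conf text given on stdin.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Ask the kernel which interface it would use to reach a destination.
# Wrapped in a function so a test can substitute canned output.
route_get() {
    ip route get "$1" 2>/dev/null
}

# Pull the interface name after "dev" out of an `ip route get` line.
route_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# One resolver passes only if it is the VPN DNS and reached via the tunnel.
check_nameserver() {
    ns="$1"
    if [ "$ns" != "$VPN_DNS" ]; then
        echo "LEAK: resolver $ns is not the VPN DNS $VPN_DNS"
        return 1
    fi
    dev=$(route_get "$ns" | route_dev)
    if [ "$dev" != "$WG_IFACE" ]; then
        echo "LEAK: $ns is routed via ${dev:-unknown}, not $WG_IFACE"
        return 1
    fi
    echo "OK: $ns via $WG_IFACE"
}

# Check every resolver in resolv.conf text given on stdin.
# Returns 0 only if at least one resolver is listed and all of them pass.
check_resolv() {
    found=0
    for ns in $(resolv_nameservers); do
        found=1
        check_nameserver "$ns" || return 1
    done
    [ "$found" -eq 1 ]
}
```

Inside the container, `check_resolv < /etc/resolv.conf` prints one line per resolver and exits non-zero on the first leak; a resolver that is the VPN DNS but routed out of eth0 is still reported, since that is the case a correct --dns flag alone does not fix.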


  • Author

Thanks for this, I really appreciate it!

So I’m working through the instructions you’ve listed and I’m trying to determine how to apply them. I’ve essentially reset everything as best as I’m able to ensure I’m not being tripped up by old mistakes. I’m trying to add the routing to the table in the network settings, but it doesn’t seem to apply properly? 

 


 

I’ve tried applying it via the terminal and whilst I can get it to show up, it disappeared after a reboot?

 


 

I wondered if it was related to the preserve user defined networks option in the docker configuration? I tried forcing the DNS with the add additional parameters in the config of my firefox container, but it didn’t seem to work. Am I going to have to set some of this stuff up in a script which runs at boot or something to apply these configurations properly? I don’t feel confident that I know what I’m doing well enough to mess with IP tables at this point.

Preserve user defined is more a docker template if it called bond0 when you're not using bonding...

I would still recommend enabling

host access to custom networks (which allows the docker to talk to your LAN) and preserve, as you would change or make edits and sometimes the templates can remove things when they don't preserve.

Unraid setting VPN manager for WireGuard:

some routes are set in the allowed IPs option under the peer:
