Critique my VPN setup

Hi all,

So I use MacOS, the latest version. My current VPN setup is as follows:

  • WireGuard GUI app, set to connect on system start to ProtonVPN.
  • The WireGuard config points to NextDNS CLI as its DNS resolver.
  • I’ve set up a kill switch using MacOS’s PF firewall: the only traffic that’s allowed is that which passes through WireGuard’s interface, so when WireGuard isn’t connected nothing can reach the internet.
  • I use LittleSnitch with two profiles. The first profile, which loads automatically on boot, only allows NextDNS CLI to connect to NextDNS’s servers, and WireGuard to connect to ProtonVPN. It blocks all other connections by all other apps. The second profile is my normal one, and I manually switch to this one once I’ve confirmed that WireGuard is connected. I don’t have to do this very often since I don’t reboot very often.

I don’t seem to leak DNS on any test I’ve done in several browsers. Am I missing anything? I just want to make sure that all system traffic is routed through the VPN, and that if the VPN goes down my IP doesn’t leak. Any ideas/suggestions/tweaks very welcome.

1 Like

You should just use your VPN provider's DNS unless you have a specific use case that requires you not to.

Furthermore, configuring any third-party DNS service on your system makes it more likely DNS requests will be routed outside the VPN tunnel.

1 Like

I’ve not heard of anyone setting up the kill switch as you have. Does it really work as well as I seem to understand from reading about it? Hmm.

While I will read up more about it, can you share why and how you did it this way?

On the surface, I can’t see anything necessarily wrong with this setup. Though I would rather simply use the VPN’s DNS, that’s a personal choice and the standard recommendation. I’m guessing you have reasons for why NextDNS?

Proton’s DNS is just much less flexible than NextDNS’s. The former is a blanket approach, while NextDNS allows me to configure the domains I want blocked, and blocklists generally, way more specifically.

Is it really such a terrible idea to have NextDNS WITH a VPN?

The kill switch seems to work with all of my testing. As soon as WireGuard disconnects, my computer loses all internet connectivity. Only traffic routed through the VPN’s interface is allowed to reach the internet. It seems to work well! I just set up a simple PF config:

# Block all traffic by default (PF is last-match-wins, so the pass rules below override this)
block all

# Allow loopback traffic
pass on lo0 all

# Allow DHCP for IP address negotiation on the local network
pass quick proto udp from any port 67:68 to any port 67:68

# Allow traffic ONLY through the WireGuard tunnel interface
# (utun4 is whatever number macOS assigned to the WireGuard interface; confirm it with ifconfig)
pass on utun4 all

# Allow the WireGuard transport itself to reach the VPN server endpoints
# (VPN_SERVER_IP_n are placeholders for the Endpoint addresses in the WireGuard config)
pass out proto udp from any to VPN_SERVER_IP_1 port 51820
pass out proto udp from any to VPN_SERVER_IP_2 port 51820
pass out proto udp from any to VPN_SERVER_IP_3 port 51820
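The two questions this thread keeps circling back to (does the kill switch cover every path out, and does the resolver actually sit inside the tunnel) can be checked statically from the WireGuard config. The script below is an added example, not the poster's setup and not a ProtonVPN or NextDNS tool: it parses the parts of a wg-quick config that matter (`DNS`, `AllowedIPs`, `Endpoint`), reports for each resolver whether its packets would be routed through the tunnel, and renders a PF rule set in the same shape as the one posted above. The two sample configs, the `198.51.100.53`/`203.0.113.10`/`2001:db8::10` addresses and the `utun4` name are constructed placeholders.

```python
"""Static check of a wg-quick config against a PF kill switch of the shape posted in
this thread. Added example, not the poster's config nor a ProtonVPN/NextDNS tool.
All addresses, keys and the interface name are constructed placeholders."""
import ipaddress

# Constructed sample: full tunnel, resolver reachable only through the tunnel.
FULL_TUNNEL_CONF = """\
[Interface]
PrivateKey = <redacted>
Address = 10.2.0.2/32
DNS = 198.51.100.53

[Peer]
PublicKey = <redacted>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.10:51820
"""

# Constructed sample: split tunnel, a loopback forwarder (as the nextdns CLI would be)
# and an external resolver that AllowedIPs does not cover.
SPLIT_TUNNEL_CONF = """\
[Interface]
PrivateKey = <redacted>
Address = 10.2.0.2/32
DNS = 127.0.0.1, 198.51.100.53

[Peer]
PublicKey = <redacted>
AllowedIPs = 10.2.0.0/16
Endpoint = [2001:db8::10]:51820
"""


def parse_wg_conf(text):
    """Parse only the keys this check needs from a wg-quick style config."""
    conf = {"dns": [], "peers": []}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            if section == "peer":
                conf["peers"].append({"allowed": [], "endpoint": None})
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        items = [v.strip() for v in value.split(",") if v.strip()]
        if section == "interface" and key == "dns":
            conf["dns"].extend(items)
        elif section == "peer" and key == "allowedips":
            conf["peers"][-1]["allowed"].extend(
                ipaddress.ip_network(v, strict=False) for v in items)
        elif section == "peer" and key == "endpoint":
            host, _, port = value.rpartition(":")   # handles [v6]:port and host:port
            conf["peers"][-1]["endpoint"] = (host.strip("[]"), int(port))
    return conf


def classify_dns(conf):
    """For each configured resolver, say where its packets go once the tunnel is up.
    'tunnel'   : covered by some AllowedIPs, so wg-quick routes it via the interface.
    'outside'  : not covered, so it leaves via the physical interface; with the posted
                 PF rules that traffic is simply blocked, so resolution fails rather than
                 leaking, but it shows the config and the kill switch disagree.
    'loopback' : a local forwarder; its upstream follows the routing table and is
                 not checked here."""
    allowed = [net for peer in conf["peers"] for net in peer["allowed"]]
    result = {}
    for entry in conf["dns"]:
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            result[entry] = "search-domain"          # wg-quick allows search domains in DNS=
            continue
        if addr.is_loopback:
            result[entry] = "loopback"
        elif any(addr in net for net in allowed):    # version mismatch simply yields False
            result[entry] = "tunnel"
        else:
            result[entry] = "outside"
    return result


def render_pf_rules(conf, tunnel_if="utun4"):
    """Emit a PF rule set in the shape used in the thread, one endpoint rule per peer.
    Hostname endpoints are resolved by pfctl at load time, which needs working DNS."""
    lines = [
        "# Generated kill switch: deny everything, then re-allow the few paths needed",
        "block all",
        "pass on lo0 all",
        "pass quick proto udp from any port 67:68 to any port 67:68",
        f"pass on {tunnel_if} all",
    ]
    for peer in conf["peers"]:
        if peer["endpoint"] is not None:
            host, port = peer["endpoint"]
            lines.append(f"pass out proto udp from any to {host} port {port}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name, text in (("full", FULL_TUNNEL_CONF), ("split", SPLIT_TUNNEL_CONF)):
        conf = parse_wg_conf(text)
        print(name, classify_dns(conf))
        print(render_pf_rules(conf))
```

Run it against your own `wg0.conf` (read the file instead of the embedded samples) before loading rules with `pfctl -f`; any resolver reported as `outside` is exactly the case the replies above warn about, and a `loopback` result means the check has to be repeated on the forwarder's upstream address instead.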

Interesting. I am still reading and learning about it, and since this is new info to me, it’s taking time. If you can write a guide to share with us all, I (and I’m sure others) would much appreciate it!

I recently wrote a similar community wiki post here for Linux so you may emulate that if you’d like. It would make a great companion piece.

2 Likes

Depends on your threat model. Using a private DNS instead of the VPN’s DNS just increases the chance that DNS traffic is routed outside your VPN tunnel, as Proton explains in the post I linked. If that risk isn’t a concern or you feel you have done enough to mitigate it, that’s fine.

There is nothing inherently wrong with using a third party DNS provider.

That is my opinion, I am not an expert.

I’ll do that! I made some notes myself when I tinkered with this setup, so I’ll compile them all into a guide and post it here.

1 Like

As far as I understand it, with my setup the DNS traffic escapes the tunnel. I don’t think the NextDNS CLI routes its requests through WireGuard. I think I’m ok with that with my threat model.

Just a small note: many (including me, in this case, for this particular thing at least) are going to be new to this. So, please make it an ELI5-type guide as much as possible, if you can. My piece will give you an idea. Thanks!

Love the Little Snitch setup here, even if it sounds a little bit overkill to me, but hey, why not go all the way. 👍

I too see nothing wrong with this setup, though I too would like to learn how you set up the kill switch on macOS. It would solve the Proton VPN GUI issue, plus I can have other VPNs I can use too should I feel the need to change servers and locations.

I hope and look forward to learning from your guide.

I believe that to reliably test system traffic, you should use specialized tools other than browser testing (like Wireshark or something like that).
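The point above is that a browser leak test only sees what the browser sends. Capturing on the physical interface shows everything the machine emits, and with the kill switch from earlier in the thread the only traffic that should ever appear there is WireGuard's UDP to the endpoint. The script below is an added example, not anything from the thread or from any of the tools named in it: it reads `tcpdump -n -l` style lines captured on the non-tunnel interface and flags any name-resolution traffic (plain DNS on 53, DNS over TLS on 853, mDNS on 5353) that appears there. The capture lines are constructed with documentation addresses, not a real trace.

```python
"""Flag name-resolution traffic seen on the physical (non-tunnel) interface.
Added example for this thread; input is tcpdump -n output captured on e.g. en0.
The sample lines and all addresses are constructed, not a real capture."""
import ipaddress
import re
from collections import Counter

# Constructed `tcpdump -n -l -i en0` style lines: WireGuard transport (expected),
# a query to the LAN router, a DoT connection to an external resolver, and mDNS.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 192.168.1.20.52345 > 203.0.113.10.51820: UDP, length 148
12:00:01.000200 IP 203.0.113.10.51820 > 192.168.1.20.52345: UDP, length 92
12:00:02.000300 IP 192.168.1.20.61000 > 192.168.1.1.53: 4321+ A? example.com. (29)
12:00:02.000400 IP 192.168.1.20.61001 > 198.51.100.53.853: Flags [S], seq 1, win 65535, length 0
12:00:03.000500 IP6 fe80::1.5353 > ff02::fb.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (46)
"""

# tcpdump -n prints "src.port > dst.port:"; the greedy host match backtracks to the last dot,
# so this works for both dotted IPv4 and colon-separated IPv6 addresses.
LINE_RE = re.compile(r"^\S+ IP6? (\S+)\.(\d+) > (\S+)\.(\d+):")
RESOLVER_PORTS = {53: "plain DNS", 853: "DNS over TLS", 5353: "mDNS"}


def scope_of(dst):
    """Link-local multicast never leaves the LAN segment; everything else is an
    internet-facing destination from the kill switch's point of view."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return "unparsed"
    if addr.is_multicast or addr.is_link_local:
        return "link-local/multicast"
    return "off-tunnel"


def find_dns_off_tunnel(capture_text):
    """Return (destination, port, protocol label, scope) for every packet in the
    capture that is headed to a resolver port. Lines that do not parse are skipped."""
    findings = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        dst, dport = m.group(3), int(m.group(4))
        if dport in RESOLVER_PORTS:
            findings.append((dst, dport, RESOLVER_PORTS[dport], scope_of(dst)))
    return findings


def summarize(findings):
    """Count findings per (protocol label, scope) so a long capture reads at a glance."""
    return Counter((label, scope) for _, _, label, scope in findings)


if __name__ == "__main__":
    found = find_dns_off_tunnel(SAMPLE_CAPTURE)
    for dst, port, label, scope in found:
        print(f"{label:14} -> {dst}:{port}  [{scope}]")
    print(dict(summarize(found)))
```

With the PF rules posted earlier in place, a capture on `en0` should produce no `off-tunnel` findings at all, because nothing but the endpoint UDP is allowed out; an `off-tunnel` hit while the tunnel is up means a pass rule is wider than intended or the resolver is being reached outside the tunnel. Feed it a real capture with `tcpdump -n -l -i en0 port 53 or port 853 or port 5353 > dns.txt` and read that file instead of `SAMPLE_CAPTURE`.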

I haven’t forgotten about this guide! Currently working on it and will post it here soon.

2 Likes

Glad you didn’t! I was just starting to think you had.

I would be really interested in your guide! I have been trying NextDNS with ProtonVPN using WireGuard and it does leak my DNS per My IP Address - BrowserLeaks. I’m still learning how to configure these things in Linux.

I used this community wiki post for Linux and it helped me well. Thanks again @JG

Of course, this only works if you don’t use custom DNS.

1 Like

Here’s my guide!

3 Likes

Thank you! Reading it through now.

I think you should add how to undo everything and bring your system back to default without any networking issues, in case you screw up during the setup, so you can start over.

I’ve done that and added it in a comment below the guide.

1 Like