An option to use instead of Firefox is DNS leaks.
I’m not sure how much I really understand about networking unless you’re a little overly cautious or unsure about tech details. If you’re using WireGuard with OPNsense, once connected, all your traffic should go through the VPN tunnel—unless split tunneling is enabled. That covers DNS as well. When I’m not on my local network, I usually have a split tunnel active, which redirects DNS through the tunnel so tools like pfBlockerNG work inside OPNsense. I can also reach my home subnets, but with split tunneling I don’t get full VPN protection, so I keep using regular internet speeds. If you control your router and can open ports, you don’t need fancy ZeroTier setups—just run WireGuard on the WAN port and everything is fine.
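The full-tunnel versus split-tunnel distinction above comes down to the client's `AllowedIPs`, and whether DNS "goes through the tunnel" comes down to whether the configured resolver's address falls inside one of those networks. The following is an added example (not code from the thread or from any of the posters) that parses a wg-quick style client config and reports exactly that. The sample configs are constructed: they assume a home LAN of 192.168.1.0/24 with the OPNsense resolver at 192.168.1.1, a tunnel subnet of 10.8.0.0/24, a placeholder endpoint `home.example.net`, and placeholder keys.

```python
"""Check a WireGuard client config: full or split tunnel, and does DNS ride the tunnel?

Added example, not from the thread. Sample configs are constructed; keys and the
endpoint hostname are placeholders.
"""
import ipaddress
from dataclasses import dataclass, field


def parse_wg_conf(text):
    """Minimal parser for wg-quick style config; returns (interface_dict, [peer_dict, ...]).

    configparser is deliberately not used because [Peer] may appear more than once.
    Repeated keys inside a section (e.g. several AllowedIPs lines) are joined with commas.
    """
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # wg-quick treats '#' as a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                current = None
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        current[key] = f"{current[key]}, {value}" if key in current else value
    return interface, peers


def _split_csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


@dataclass
class TunnelReport:
    allowed: list = field(default_factory=list)    # every AllowedIPs network, all peers
    dns: list = field(default_factory=list)        # DNS entries that are IP addresses
    v4_default: bool = False                       # 0.0.0.0/0 is routed into the tunnel
    v6_default: bool = False                       # ::/0 is routed into the tunnel
    dns_leaks: list = field(default_factory=list)  # resolvers not covered by AllowedIPs

    @property
    def full_tunnel(self):
        # A v4-only default route still lets IPv6 (and IPv6 DNS) bypass the tunnel
        # on a network that hands out IPv6 addresses, so both families are required.
        return self.v4_default and self.v6_default

    @property
    def dns_in_tunnel(self):
        return bool(self.dns) and not self.dns_leaks


def analyze(text):
    """Classify the config and list any resolver that would be queried outside the tunnel."""
    interface, peers = parse_wg_conf(text)
    report = TunnelReport()
    for peer in peers:
        for cidr in _split_csv(peer.get("allowedips", "")):
            report.allowed.append(ipaddress.ip_network(cidr, strict=False))
    for entry in _split_csv(interface.get("dns", "")):
        try:
            report.dns.append(ipaddress.ip_address(entry))
        except ValueError:
            pass  # wg-quick also accepts search domains in DNS=; they are not resolvers
    report.v4_default = any(n.prefixlen == 0 and n.version == 4 for n in report.allowed)
    report.v6_default = any(n.prefixlen == 0 and n.version == 6 for n in report.allowed)
    # ipaddress returns False (not an error) when the address family differs from the network's
    report.dns_leaks = [ip for ip in report.dns if not any(ip in n for n in report.allowed)]
    return report


def sample_conf(dns, allowed_ips):
    """Constructed client config; keys and endpoint are placeholders (assumption)."""
    return f"""[Interface]
PrivateKey = <client-private-key>   # placeholder
Address = 10.8.0.2/32
DNS = {dns}

[Peer]
PublicKey = <server-public-key>     # placeholder
Endpoint = home.example.net:51820   # assumed hostname
AllowedIPs = {allowed_ips}
"""


if __name__ == "__main__":
    cases = {
        "full tunnel, home resolver": sample_conf("192.168.1.1", "0.0.0.0/0, ::/0"),
        "split tunnel, home resolver": sample_conf("192.168.1.1", "192.168.1.0/24, 10.8.0.0/24"),
        "split tunnel, public resolver": sample_conf("1.1.1.1", "192.168.1.0/24, 10.8.0.0/24"),
        "v4-only default route": sample_conf("192.168.1.1", "0.0.0.0/0"),
    }
    for name, conf in cases.items():
        r = analyze(conf)
        print(f"{name}: full_tunnel={r.full_tunnel} dns_in_tunnel={r.dns_in_tunnel} "
              f"leaks={[str(ip) for ip in r.dns_leaks]}")
```

The third case is the one to watch for in a split-tunnel setup: the home subnets are reachable, but a public resolver in `DNS=` is outside every `AllowedIPs` network, so those queries leave over the local Wi-Fi in the clear. Pointing `DNS=` at the home resolver (which the split tunnel does cover) is what lets pfBlockerNG on OPNsense filter them.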
Many think I want to open a port on my home router. First, it’s not for security. Second, I plan to upgrade my internet soon and will likely be behind a NAT. That’s fine with you too. WireGuard and OpenVPN usually get blocked on public Wi-Fi, which is exactly what happens here. ZeroTier is built to bypass those restrictions—it works well. It’s free, so you don’t need to pay for a VPS for VPN use. A local one would be costly. The only challenge I know of is setting up proper routing in Linux for it. I tried a proxy, but DNS requests didn’t go through, causing a leak. I’m frustrated because the trusted uBlock Origin was the cause. It’s a tricky situation when using public Wi-Fi.
This process is how services operate… they must bypass firewalls somehow, usually by opening a port. I’d be confident about a port on my network, which I manage, connecting to a service I own—whether it’s running on a virtual machine or within my firewall—rather than routing traffic through unidentified jump points or proxy servers. No one should ever open ports for unknown services, but opening a port for WireGuard seems reasonable. Among all the risks of being compromised online, this is unlikely. You’re already behind NAT; OPNsense handles NAT for your network. Are you referring to CGNAT? How would that be blocked on public Wi-Fi? You’re connecting to an IP address and a random port. I’ve never experienced any restrictions on my WireGuard connection. The only possible blocks would come from ISPs refusing access to certain IP ranges—essentially blocking home addresses—or only allowing whitelisted IPs, which is definitely not ideal. Could it be feasible to use something like Starlink without dealing with these issues? I’m still confused. If you’re using encrypted DNS, does that matter when you’re on public Wi-Fi? I’m not sure if this is just an exaggerated concern, possibly stemming from a restrictive environment, or maybe I’m misunderstanding. Perhaps it would make more sense to set up a travel router instead. Ultimately, you need to feel confident, and I’d lean toward trusting WireGuard and opening a port on my own device, relying on proxy servers I control.
My new internet setup seems to be routed through a native application and my router (CGNAT or something else). What’s the best way to connect to a WireGuard server at home in this scenario? I’m not sure how some VPNs work around public Wi-Fi, but ZeroTier usually works. They provide encrypted DNS from my router to the outside network—correct. My traffic is wrapped in a tunnel via it. On public Wi-Fi where typical VPNs fail, ZeroTier appears to be the go-to. It seems to function only as a split tunnel on Linux. If you’re familiar with tunneling all traffic through it, let me know. I’m currently using a proxy server on my router that connects to the ZeroTier virtual LAN. This means any DNS leaks over unencrypted Wi-Fi are visible to everyone. My goal is mainly convenience—no need to set up or manage VPNs—and saving some money in the long run. Now it’s exactly how I wanted it. Yay, I’m ditching uBlock Origin now.