Which VPNs are compatible with DNSFilter?
Below is a list of VPNs that we have worked with to ensure ease of use and compatibility:
- Guardian VPN
- Cato Networks VPN
- Twingate
- Perimeter 81
- Cloudflare WARP
- Forticlient VPN
- Opera (VPN, Turbo, Mini)
Though other VPNs may work, their functionality will depend on how they are configured!
Configure DNSFilter within Twingate
✍️ If your network environment is utilizing our Roaming Client, skip all this and just update the registry UpstreamOrder to tls-tcp,tcp (add "HKLM\Software\DNSFilter\Agent" /v UpstreamOrder /d "tcp-tls,tcp" to the registry).
Follow these steps to add our servers as accessible resources if your environment is only deploying Network Sites.
- When logged in to Twingate Admin, on the Network page, click Add Resource
- Choose the Applicable Remote Network
- Click the CIDR Tab/Button
- Label it however you want (I have used DNSFilter Server DNS 1 in the attached shot)
- Put 103.247.36.36 in the CIDR Address Field
- Click Add Port Restriction and put 53,853 in the box - this allows just DNS traffic to access these servers.
- (Optional) Repeat Steps 1-6 for DNS2 - 103.247.37.37
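One way to confirm from a client behind Twingate that both resources answer on the two allowed ports, as an added example that is not DNSFilter's or Twingate's own code. The function names and the test name example.com are assumptions; the addresses and ports are the ones from the steps above.

```python
import socket, ssl, struct
# Addresses and ports come from the steps above; everything else is illustrative.
RESOLVERS = ["103.247.36.36", "103.247.37.37"]
PORTS = {53: False, 853: True}  # port -> wrap the connection in TLS?

def build_query(name, txid=0x1234):
    """DNS A query framed for TCP: 2-byte length prefix, then the message."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    msg = header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return struct.pack(">H", len(msg)) + msg

def parse_reply(framed, txid=0x1234):
    """Return (rcode, answer_count) from a TCP-framed reply or raise ValueError."""
    if len(framed) < 14:
        raise ValueError("reply shorter than a DNS header")
    length, rid, flags, _qd, ancount = struct.unpack(">HHHHH", framed[:10])
    if length > len(framed) - 2 or rid != txid or not flags & 0x8000:
        raise ValueError("not a matching DNS response")
    return flags & 0x000F, ancount

def _read(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed early")
        buf += chunk
    return buf

def probe(ip, port, use_tls, name="example.com", timeout=5):
    """Send one query to ip:port over TCP (or TLS) and parse the reply."""
    conn = socket.create_connection((ip, port), timeout=timeout)
    if use_tls:
        # Assumption: no TLS hostname is given above, so the chain is verified, the name is not.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        conn = ctx.wrap_socket(conn)
    with conn as sock:
        sock.sendall(build_query(name))
        head = _read(sock, 2)
        return parse_reply(head + _read(sock, struct.unpack(">H", head)[0]))

if __name__ == "__main__":
    for ip in RESOLVERS:
        for port, use_tls in PORTS.items():
            try:
                print(ip, port, "ok, (rcode, answers) =", probe(ip, port, use_tls))
            except (OSError, ValueError) as exc:
                print(ip, port, "FAILED:", exc)
```

A timeout or refused connection points at the resource or its port restriction; a certificate error on 853 means the port itself was reachable.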
Perimeter 81
Since Perimeter 81 was acquired by Check Point, there may be updates or changes in the software and its functionality. However, many core concepts and settings related to DNSFilter and network configuration could still be applicable, especially if they haven't been fundamentally altered in the newer versions.
To ensure accuracy:
- Check for Updates: Review the latest documentation from Check Point regarding Perimeter 81 to see if there have been significant changes that affect compatibility or settings
- Legacy Information: If the article references features or configurations that were specific to the older version, it's best to validate those with the current version's documentation to determine if they remain relevant
🚨 Version 10.1.1.1438 and older of Perimeter 81 software cause DNS traffic errors. Update to the latest version of the software to resolve this issue.
Cloudflare WARP
You can deploy the WARP client in different modes to control the types of traffic sent to Cloudflare Gateway.
To ensure Cloudflare WARP isn't bypassing DNS filtering, disable the WARP Mode that relies on WARP for DNS resolution. This will allow the Cloudflare WARP agent to protect traffic and allow access to Zero Trust resources, but not resolve DNS, allowing the Roaming Client to apply its policies and resolve DNS queries.
- From the Cloudflare Zero Trust app, navigate to Settings and select WARP Agent
- Select Mode
- Toggle to disabled
Refer to Cloudflare Zero Trust WARP modes documentation for more information.
Forticlient VPN
There are known issues when using our Roaming Clients with Forticlient VPN version 7.0.6.x.
Update to version 7.0.9.x or newer of the software to resolve this issue.
Forticlient has a static DNS setting that can interfere with the Windows Roaming Client. Update the setting to resolve the conflict.
Opera (VPN, Turbo, Mini)
VPN
Opera (desktop browser) has a built-in VPN which can bypass DNS-based content filtering. To stop this VPN from being able to connect, add the following domain to your Block list:
- api.sec-tunnel.com
Turbo/Mini Proxy
Opera Mini, Opera for Android, and Opera for desktop computers (with Turbo Mode) have proxies built in for caching and filter avoidance, which can bypass DNS-based content filtering.
To block Opera’s built-in proxy, which may circumvent DNSFilter policies, simply block Proxy and Filter Avoidance in the Threats tab when editing a policy, or add the following domains to your Block list:
- opera-mini.net
- sitecheck2.opera.com
Microsoft’s Universal Windows Platform (UWP)
UWP VPNs running with Windows 10 or older experience a "No such host is known" or similar error message when attempting to initiate a VPN session. See our troubleshooting guide for more detail and how to update your environment to resolve the issue.