Which VPNs are compatible with DNSFilter?
Our users have found these VPNs compatible with DNSFilter:
- Guardian VPN
- Cato Networks VPN
- Twingate
- Perimeter 81
- Cloudflare WARP
- Forticlient VPN
- Opera (VPN, Turbo, Mini)
- WireGuard VPN
- OpenVPN
- Azure VPN
- Palo Alto VPN
- AnyConnect VPN
- Entra GSA
Other VPNs may also work, but whether they do depends on how they are configured, in particular on where they send DNS queries.
Configure DNSFilter within Twingate
✍️ If your environment uses our Roaming Client, skip the steps below and instead set the agent's UpstreamOrder registry value to tcp-tls,tcp, so the agent reaches our resolvers over DNS over TLS (TCP 853) first and falls back to plain DNS over TCP (53). From an elevated command prompt:
reg add "HKLM\Software\DNSFilter\Agent" /v UpstreamOrder /d "tcp-tls,tcp"
If your environment deploys only Network Sites (no Roaming Client), add our resolvers as Twingate Resources so DNS traffic can reach them:
1. Logged in to the Twingate Admin console, open the Network page and click Add Resource.
2. Choose the applicable Remote Network.
3. Click the CIDR tab.
4. Label the resource as you like (for example, DNSFilter DNS 1).
5. Enter 103.247.36.36 in the CIDR Address field.
6. Click Add Port Restriction and enter 53,853 so that only DNS traffic (plain DNS on 53 and DNS over TLS on 853) can reach the resource.
(Optional) Repeat steps 1-6 for DNS2, 103.247.37.37.

Perimeter 81
Since Perimeter 81 was acquired by Check Point, the software and its functionality may have changed. The DNSFilter and network settings described here should still apply unless they were fundamentally altered in newer versions. To ensure accuracy:
- Check for updates: review Check Point's current Perimeter 81 documentation for changes that affect compatibility or settings.
- Legacy information: if this article references features or configurations that were specific to an older version, validate them against the current version's documentation to confirm they still apply.
🚨 Perimeter 81 version 10.1.1.1438 and older causes DNS traffic errors. Update to the latest version of the software to resolve this issue.
Cloudflare WARP
You can deploy the WARP client in different modes to control the types of traffic sent to Cloudflare Gateway.
To ensure Cloudflare WARP isn't bypassing DNS filtering, turn off the WARP mode setting that resolves DNS through WARP. The WARP agent then still protects traffic and provides access to Zero Trust resources, but does not resolve DNS, so the Roaming Client can apply its policies and answer DNS queries.
- In the Cloudflare Zero Trust dashboard, go to Settings and select WARP Agent
- Select Mode
- Toggle DNS resolution through WARP to disabled
Refer to Cloudflare's Zero Trust WARP modes documentation for more information. After the change, confirm from an endpoint that queries are answered by the Roaming Client loopback rather than by Cloudflare.
Forticlient VPN
FortiClient VPN version 7.0.6.x has known issues when used alongside our Roaming Client.
Update to version 7.0.9.x or newer of the software to resolve this issue.
FortiClient also has a static DNS setting that can interfere with the Roaming Client's resolver. Change that setting to resolve the conflict.
Opera (VPN, Turbo, Mini)
VPN
Opera (desktop browser) has a built-in VPN that can bypass DNS-based content filtering. To stop this VPN from connecting, add the following domain to your Block list:
- api.sec-tunnel.com
Turbo/Mini Proxy
Opera Mini, Opera for Android, and Opera for desktop computers (with Turbo Mode) have built-in proxies for caching and filter avoidance, which can bypass DNS-based content filtering.
To block Opera's built-in proxy, which may circumvent DNSFilter policies, block the Proxy & Filter Avoidance category in the Threats tab when editing a policy, or add the following domains to your Block list:
- opera-mini.net
- sitecheck2.opera.com
Microsoft’s Universal Windows Platform (UWP)
UWP VPNs running on Windows 10 or older show a "No such host is known" or similar error when attempting to initiate a VPN session. See our troubleshooting guide for more detail and for how to update your environment to resolve the issue.
WireGuard VPN
Supports both split and full tunnel with configuration. Add a DNS entry to the [Interface] section of the WireGuard configuration and point it at the Roaming Client's loopback address:
[Interface]
PrivateKey = someKey   # generated when you create a new peer
Address = someIP       # tunnel IP assigned to this peer on the WireGuard server
DNS = 127.0.0.2        # Roaming Client loopback (or 127.0.0.x, whichever is set in the agent config)

OpenVPN
On the OpenVPN Connect client, go to Settings -> Advanced Settings and allow DNS to be resolved on the loopback.
Option 1 - Disable the DNS Proxy service and set custom DNS servers to 127.0.0.2 (or 127.0.0.x, whichever is set in the agent config) as the first entry, with the original DNS server available through the tunnel as the second. The tunnel's DNS server then resolves traffic if the agent goes down for any reason. Note that this is a fail-open arrangement: while the agent is down, queries answered by the tunnel resolver are not filtered.
Option 2 - In the Connexa interface, add a custom option to push to VPN clients under Settings -> WPC -> Advanced Configuration:
dhcp-option DNS 127.0.0.2
(or 127.0.0.x, whichever is set in the agent config). Initial testing of this option was successful with both full and split tunnel VPN.
See our AWS Access Server post for other OpenVPN options.
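As an added example (not DNSFilter's own tooling, and not code from this article), the following POSIX shell script audits a WireGuard or OpenVPN configuration for the settings described in the WireGuard and OpenVPN sections above: it extracts the DNS servers, checks that the first one is the Roaming Client loopback (127.0.0.2, or whichever 127.0.0.x the agent config uses), and reports whether the file describes a split or full tunnel. The sample configs it writes are constructed for the demo; the keys, tunnel IPs and the vpn.example.com endpoint are placeholders, not values from any real deployment.

```shell
#!/bin/sh
# Added example, not DNSFilter's own tooling: audit a WireGuard or OpenVPN
# config and confirm the first DNS server is the Roaming Client loopback
# (127.0.0.2 by default, or whichever 127.0.0.x the agent config sets).
# Prints one line: "<format> <tunnel> <first-dns> <verdict>" and returns 0
# only when the verdict is "ok". A file without an [Interface] section is
# treated as OpenVPN (client .ovpn or server .conf).
audit_dns_config() {
  file=$1
  if grep -q '^[[:space:]]*\[Interface\]' "$file"; then
    fmt=wireguard
    # "DNS = 127.0.0.2, 10.66.0.1" -> "127.0.0.2  10.66.0.1"
    servers=$(sed -n 's/^[[:space:]]*DNS[[:space:]]*=[[:space:]]*//p' "$file" | tr ',' ' ')
    # A peer whose AllowedIPs covers everything makes this a full tunnel.
    if grep -Eq '^[[:space:]]*AllowedIPs[[:space:]]*=.*(0\.0\.0\.0/0|::/0)' "$file"; then
      tunnel=full
    else
      tunnel=split
    fi
  else
    fmt=openvpn
    # Matches the client form   dhcp-option DNS x.x.x.x
    # and the server push form  push "dhcp-option DNS x.x.x.x"
    servers=$(sed -n -E 's/.*dhcp-option[[:space:]]+DNS[[:space:]]+([0-9.]+).*/\1/p' "$file")
    if grep -Eq '^[[:space:]]*(push[[:space:]]+")?redirect-gateway' "$file"; then
      tunnel=full
    else
      tunnel=split
    fi
  fi
  # Word-splitting is intended: the first server is the one that matters.
  set -- $servers
  first=${1:-none}
  case $first in
    127.*) verdict=ok ;;
    none)  verdict=missing-dns ;;
    *)     verdict=not-loopback-first ;;
  esac
  printf '%s %s %s %s\n' "$fmt" "$tunnel" "$first" "$verdict"
  [ "$verdict" = ok ]
}

# Constructed sample configs (placeholders only) so the audit runs offline.
write_samples() {
  dir=$1
  cat > "$dir/wg-ok.conf" <<'EOF'
[Interface]
PrivateKey = REPLACE_WITH_PEER_PRIVATE_KEY
Address = 10.66.0.2/32
DNS = 127.0.0.2, 10.66.0.1

[Peer]
PublicKey = REPLACE_WITH_SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.com:51820
EOF
  cat > "$dir/wg-bad.conf" <<'EOF'
[Interface]
PrivateKey = REPLACE_WITH_PEER_PRIVATE_KEY
Address = 10.66.0.3/32
DNS = 10.66.0.1

[Peer]
PublicKey = REPLACE_WITH_SERVER_PUBLIC_KEY
AllowedIPs = 10.66.0.0/24
Endpoint = vpn.example.com:51820
EOF
  cat > "$dir/ovpn-server.conf" <<'EOF'
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 127.0.0.2"
push "dhcp-option DNS 10.8.0.1"
EOF
}

# With no arguments, audit the constructed samples; otherwise audit the
# config files given on the command line.
demo() {
  dir=$(mktemp -d)
  write_samples "$dir"
  for f in "$dir"/*.conf; do
    printf '%s: ' "${f##*/}"
    audit_dns_config "$f" || true
  done
  rm -rf "$dir"
}
if [ $# -eq 0 ]; then
  demo
else
  for f in "$@"; do
    printf '%s: ' "$f"
    audit_dns_config "$f" || true
  done
fi
```

The check is deliberately strict about order: with the fail-open arrangement from Option 1, a config that lists the tunnel resolver first would route every query around the Roaming Client, so only a 127.0.0.x address in the first position passes.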
Azure VPN
Azure VPN works out of the box with Windows 11 but is not supported on Windows 10.
Palo Alto VPN
Supports split tunnel. If full-tunnel VPN routing is required, we recommend ignoring the VPN adapter in the Roaming Client and applying a Site-level policy so that traffic through the tunnel is still filtered.
Cisco AnyConnect
Supports full-tunnel routing, provided our DNS1 and DNS2 IPs (103.247.36.36 and 103.247.37.37) are added to the ACL so that traffic can reach our DNS servers.
This configuration is applied with terminal commands and may be specific to the AnyConnect version.