OPNsense Forum

English Forums => 25.1, 25.4 Production Series => Topic started by: RavenLunatic on March 12, 2025, 07:34:58 PM

Title: Tailnet traffic going to exit node of OPNSense is not picking up Unbound DNS
Post by: RavenLunatic on March 12, 2025, 07:34:58 PM
I need some help. I have set up a VPN at home using Tailscale for all of my devices.

Due to the necessity of having an SSL certificate to be able to run Vaultwarden on my local server, I have used the Unbound DNS Overrides function to give the server the correct hostname.domain.uk etc. matching my SSL cert.

When my phone is connected directly to the local network everything works fine; pointing to hostname.domain.uk:30032 works great, no issues.

However, if I take my phone off the network (cellular data), hostname.domain.uk:30032 does not resolve to the Tailnet IP address.

I can still ping the Tailnet IP just fine, access SMB shares on the Tailnet, and I can reach web GUIs by using the Tailnet IPs. I can reach the internet via the OPNsense exit node just fine. For some reason the DNS is not acting on the overrides function of Unbound DNS.

This causes Vaultwarden to refuse to connect outside my local network because the SSL cert is only valid for my domain, not the IP address.

I would just like to say I am very new to this so please don't hold it against me if I am overlooking something simple.

Many thanks in advance.
Title: Re: Tailnet traffic going to exit node of OPNSense is not picking up Unbound DNS
Post by: bartjsmit on March 13, 2025, 08:31:38 AM
Open your Tailscale admin console, click the DNS tab, Add nameserver, Custom, enter the Tailscale IP address of your firewall, toggle 'Restrict to domain' and enter your domain.uk DNS domain.

BTW, if you install a reverse proxy on your server (Traefik, Caddy, NPM, etc.) you can configure it so your clients will not have to add the 30032 port.
Title: Re: Tailnet traffic going to exit node of OPNSense is not picking up Unbound DNS
Post by: RavenLunatic on March 13, 2025, 09:56:50 AM
Thank you for your reply.

I followed your instructions but it still does not work.

I have discovered that I am unable to reach the OPNsense web GUI using the Tailscale IP from my browser!

This might be why I am not able to filter traffic through Unbound DNS if nothing is able to connect.

What could be responsible for this? The only thing I have changed from default is the Override to give my server a DNS name.

Many thanks

Pinging my OPNsense Tailnet IP results in 100% packet loss.
Pinging my TrueNAS Tailnet IP results in 0% packet loss.

Something that might be related: at around 8pm last Saturday my OPNsense firewall stopped responding to ICMP echo requests from Think Broadband to my WAN2 connection. WAN1 was not affected. It may have been when I updated OPNsense to the latest build.
Title: Re: Tailnet traffic going to exit node of OPNSense is not picking up Unbound DNS
Post by: RavenLunatic on March 13, 2025, 02:33:14 PM
ICMP echo requests from Think Broadband are now working again without me doing anything, very strange!

Still can't ping OPNsense or access the Web GUI via Tailnet.
Title: Re: Tailnet traffic going to exit node of OPNSense is not picking up Unbound DNS
Post by: bartjsmit on March 13, 2025, 02:39:01 PM
Try testing with a client that has more and better tools - e.g. a laptop tethered to your phone or connected to a phone hotspot.

Can you resolve names from Unbound? What about your domain name?

Also consider setting a floating rule to allow ICMP everywhere while you are testing.
Title: Re: Tailnet traffic going to exit node of OPNSense is not picking up Unbound DNS
Post by: RavenLunatic on March 13, 2025, 03:47:39 PM
Thanks, I added a floating rule for IPv4 TCP in, and I now get:

LibreWolf detected a potential security threat and did not continue to 100.93.210.79. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.

Changing the protocol to ICMP, I can ping the Tailnet IP.

Ignoring the warning, I get the OPNsense login screen. Progress! :-)

The SSL certificate is one issued by OPNsense which does not appear to be valid for the Tailnet IP. Would this affect a DNS lookup?

How do I find the interface rule that is blocking OPNsense from connecting?

Thank you so much for your advice!
Title: Re: Tailnet traffic going to exit node of OPNSense is not picking up Unbound DNS
Post by: RavenLunatic on March 13, 2025, 04:49:49 PM
OK, I have tested the setup with the Tailnet IP in the DNS management page, overriding the default 100.100.100.100 with the OPNsense Tailnet IP, and I can now reach my server from my phone with a valid SSL certificate, so no warnings :-)

What do I do with the floating rule? I am guessing I have opened up my network to the whole Internet?

Many thanks

Edit: I forgot to add the local IP address for my LAN DNS and got locked out of the WWW lol. Anyway, I took TS down, added the required 192.168.1.1, brought TS up, and it has started to work without the need of the floating rule!

Problem solved :-)
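The checks bartjsmit suggested (a laptop tethered to the phone, testing ICMP, resolution from Unbound and the certificate) and the two resolver paths behind the final fix, as a script. This is an added example, not code from the thread, from OPNsense or from Tailscale. It assumes the values that appear in the thread (firewall Tailnet address 100.93.210.79, the placeholder name hostname.domain.uk, port 30032), that `dig`, `ping` and `openssl` are installed on the laptop, and that Tailscale assigns client addresses from 100.64.0.0/10 and installs its stub resolver at 100.100.100.100. The address-classification helpers run offline; the live checks only run when the script is started with `--run`.

```sh
#!/bin/sh
# Split-DNS sanity check for a Tailscale client that is OFF the home LAN.
# Added example, not from the OPNsense thread. Override the assumed values
# with environment variables: FW_TS_IP=... NAME=... PORT=... sh check.sh --run
FW_TS_IP="${FW_TS_IP:-100.93.210.79}"   # OPNsense Tailnet address (from the thread)
NAME="${NAME:-hostname.domain.uk}"      # name carried by the Unbound host override
PORT="${PORT:-30032}"                   # Vaultwarden port (from the thread)
MAGIC_DNS=100.100.100.100               # stub resolver Tailscale installs on clients

# True when $1 lies in 100.64.0.0/10, the CGNAT block Tailscale allocates from.
is_tailnet_ip() {
    case "$1" in
        100.*) ;;
        *) return 1 ;;
    esac
    rest=${1#100.}
    b=${rest%%.*}
    [ "$b" -ge 64 ] && [ "$b" -le 127 ]
}

# Classify the A record a resolver returned for the override name. This tells
# you where the phone will try to connect, which is the whole point of the fix:
#   tailnet -> reachable over Tailscale from anywhere
#   private -> RFC 1918, only reachable on the LAN (or via a subnet router)
#   public  -> the override was NOT applied; the query went to a public resolver
#   none    -> no A record at all (resolver unreachable or name unknown)
classify_answer() {
    ip=$1
    if [ -z "$ip" ]; then
        echo none
    elif is_tailnet_ip "$ip"; then
        echo tailnet
    else
        case "$ip" in
            10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo private ;;
            *) echo public ;;
        esac
    fi
}

# First IPv4 answer from resolver $1 for name $2, or empty. The "|| true"
# keeps an empty answer from aborting the script under "set -e".
resolve() {
    dig +short +time=2 +tries=1 "@$1" "$2" A 2>/dev/null \
        | grep -m1 -E '^[0-9]+(\.[0-9]+){3}$' || true
}

# 1. The firewall must answer at all over the tailnet. In the thread, ICMP and
#    TCP to the firewall's Tailnet IP were dropped until an allow rule existed.
#    (-W is a timeout in seconds on Linux ping, milliseconds on BSD/macOS.)
check_reachable() {
    printf 'ICMP %s: ' "$FW_TS_IP"
    if ping -c 1 -W 2 "$FW_TS_IP" >/dev/null 2>&1; then
        echo ok
    else
        echo 'no reply (rule on the Tailscale interface?)'
    fi
}

# 2. Ask Unbound on the firewall directly, then the Tailscale stub resolver.
#    Both must return the same override for split DNS to be working end to end.
check_dns() {
    direct=$(resolve "$FW_TS_IP" "$NAME")
    magic=$(resolve "$MAGIC_DNS" "$NAME")
    echo "Unbound  @$FW_TS_IP -> ${direct:-<none>} ($(classify_answer "$direct"))"
    echo "MagicDNS @$MAGIC_DNS -> ${magic:-<none>} ($(classify_answer "$magic"))"
}

# 3. The certificate must verify for the NAME, not the address; this is what
#    the Vaultwarden client checks and why connecting by IP fails.
check_tls() {
    openssl s_client -connect "$NAME:$PORT" -servername "$NAME" \
        -verify_hostname "$NAME" </dev/null 2>/dev/null \
        | grep -E 'Verify return code|Verification' || echo "TLS: no answer from $NAME:$PORT"
}

main() {
    check_reachable
    check_dns
    check_tls
}

# Live checks only on request, so the helpers can be sourced/tested offline.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Reading the output: if `Unbound @100.93.210.79` returns the override but `MagicDNS` does not, the nameserver entry in the Tailscale admin console (custom nameserver = the firewall's Tailnet IP, restricted to domain.uk) is what is wrong; if neither answers while ICMP works, the firewall is not allowing DNS from the Tailscale interface. On the floating-rule question: an OPNsense floating rule with no interface selected applies to every interface, WAN included, so an "allow TCP in" created that way should be restricted to the Tailscale interface and to the ports actually needed (53 and the GUI port), or replaced by an ordinary rule on that interface.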
Title: Re: Tailnet traffic going to exit node of OPNSense is not picking up Unbound DNS
Post by: RaymondFFX on April 21, 2025, 11:11:09 PM
I spent quite a while getting this to work as well and wrote a guide here (https://forum.opnsense.org/index.php?topic=46938.0).
For anyone still struggling to get it to work, they could check it out.