OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: Oxygen61 on March 25, 2018, 09:40:02 pm

Title: [SOLVED] My NAT settings won't work anymore (OpenVPN DNS-Leak)
Post by: Oxygen61 on March 25, 2018, 09:40:02 pm
Hi guys,

Yesterday I updated to 18.1.5 and checked whether I leak any DNS queries.
I use Unbound DNS (port 53) for the subnets which I want to tunnel through my OpenVPN gateways.
I additionally use Dnsmasq (port 1053) for one specific subnet, which I want to use the DNS servers configured in System: Settings: General.

For Unbound, the outgoing network interfaces are the VPN interfaces. Since the VPN gateways used for the VPN interfaces are not static IPs and change whenever the connection fails, I made things work by using NAT to only allow connections out if they fit the NAT rules.

Here are the rules which worked before the update:

Interface   Source                   Source Port   Destination             Destination Port   NAT Address         NAT Port   Static Port
VPN_**      <alias for VPNsubnets>   *             <alias for !RFC1918>    *                  Interface address   *          NO
WAN         <alias for VPNsubnets>   *             <alias for !RFC1918>    *                  NO NAT              *          NO
WAN         <alias for WANsubnets>   *             <alias for !RFC1918>    *                  Interface address   *          NO

There should be no way for my VPN subnets to leak anything, but dnsleaktest.com shows me otherwise...
In System: Settings: General there are 2 DNS servers for this one specific subnet, which I want to leak DNS queries, but it doesn't matter which gateway I choose... no change whatsoever. :(
Additionally, I checked this: [X] Do not use the DNS Forwarder/Resolver as a DNS server for the firewall

As I said, it worked before... Did anything regarding NAT settings change when updating to 18.1.5?
BTW, I am not using IPv6.

Thanks a lot, guys! :(

Best regards,
Oxy
Title: Re: [18.1.5] My NAT settings won't work anymore (OpenVPN DNS-Leak)
Post by: Oxygen61 on March 25, 2018, 11:55:22 pm
I did a revert back to version 18.1.4 and even loaded some backups from when it worked... and it still does not work anymore. I just don't understand how a solution which worked perfectly just stopped completely.

# opnsense-revert -r 18.1.4 opnsense
# opnsense-update -kr 18.1
# /usr/local/etc/rc.reboot
Title: Re: [18.1.5] My NAT settings won't work anymore (OpenVPN DNS-Leak)
Post by: Oxygen61 on March 26, 2018, 12:02:14 am
Unbound DNS forwarding was active... what the f* :D
I don't want to promise too much to myself, but it seems like I found the issue.

See you all in 5 minutes with (hopefully) good feedback :D
Title: Re: [18.1.5] My NAT settings won't work anymore (OpenVPN DNS-Leak)
Post by: Oxygen61 on March 26, 2018, 12:27:42 am
I had some last problems with the update back to 18.1.5, but I was able to update via the SSH CLI and it worked perfectly.

Sorry, guys, for all the mess. 18.1.5 is a gift for the community, and I should really stop using Unbound DNS in forwarding mode. :D
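The configuration pattern the thread ends up diagnosing is worth checking for mechanically: Unbound's outgoing interfaces pinned to the VPN tunnel addresses (the setup described in the first post) together with OPNsense's "Enable Forwarding Mode", which writes a catch-all forward-zone and makes Unbound hand every query to the DNS servers from System: Settings: General instead of resolving them itself over the pinned interfaces. The following script is an added example, not code from the forum thread or from the OPNsense project; it lints an unbound.conf for exactly that combination. The two config files, the tunnel addresses (10.8.0.6, 10.8.1.6) and the forwarder addresses (9.9.9.9, 1.1.1.1) are constructed for the example; on a real box you would point it at the generated /var/unbound/unbound.conf.

```shell
#!/bin/sh
# Added example (not from the thread or OPNsense): lint an unbound.conf for
# "outgoing-interface pinned to VPN tunnels" + "catch-all forward-zone".
# With that combination every query goes to the forwarders, so the tunnel
# pinning no longer decides where DNS traffic ends up.

# Print FORWARDING if a forward-zone for "." with a forward-addr/forward-host
# exists (what OPNsense's "Enable Forwarding Mode" generates), else RECURSIVE.
# $1 = path to the config file.
unbound_mode() {
    awk '
        /^[[:space:]]*forward-zone:/ { inzone = 1; root = 0; next }
        /^[[:space:]]*(server|stub-zone|auth-zone|remote-control):/ { inzone = 0 }
        inzone && /^[[:space:]]*name:[[:space:]]*"?\."?[[:space:]]*$/ { root = 1 }
        inzone && root && /^[[:space:]]*forward-(addr|host):/ { found = 1 }
        END { print (found ? "FORWARDING" : "RECURSIVE") }
    ' "$1"
}

# Print the outgoing-interface addresses, one per line.
unbound_outgoing() {
    awk '/^[[:space:]]*outgoing-interface:/ { print $2 }' "$1"
}

# Return 0 when the config is consistent, 1 for the leak pattern from the thread.
unbound_leak_check() {
    mode=$(unbound_mode "$1")
    pinned=$(unbound_outgoing "$1" | wc -l | tr -d ' ')
    if [ "$mode" = "FORWARDING" ] && [ "$pinned" -gt 0 ]; then
        echo "WARN $1: forwarding mode active with $pinned pinned outgoing interface(s); queries go to the forwarders, not out the tunnels"
        return 1
    fi
    echo "OK $1: mode=$mode pinned=$pinned"
    return 0
}

# Constructed sample configs (addresses are placeholders, not from the thread).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
LEAKY_CONF="$tmp/leaky.conf"
FIXED_CONF="$tmp/fixed.conf"

cat > "$LEAKY_CONF" <<'EOF'
server:
    interface: 192.168.10.1
    outgoing-interface: 10.8.0.6
    outgoing-interface: 10.8.1.6
forward-zone:
    name: "."
    forward-addr: 9.9.9.9
    forward-addr: 1.1.1.1
EOF

cat > "$FIXED_CONF" <<'EOF'
server:
    interface: 192.168.10.1
    outgoing-interface: 10.8.0.6
    outgoing-interface: 10.8.1.6
EOF

for f in "$LEAKY_CONF" "$FIXED_CONF"; do
    if ! unbound_leak_check "$f"; then
        echo "  -> disable forwarding mode (or drop the outgoing-interface pins) in $f"
    fi
done
```

The check deliberately keys on a forward-zone named "." rather than on any forward-zone, because per-domain forward zones (an internal domain handed to an internal server) do not redirect the queries that dnsleaktest.com exercises.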
Title: Re: [SOLVED] My NAT settings won't work anymore (OpenVPN DNS-Leak)
Post by: elektroinside on March 26, 2018, 07:32:16 am
Thank you for your feedback, glad to hear it worked out!