OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: douglasg14b on April 26, 2018, 08:36:39 pm

Title: Unbound DNS stops working while OpenVPN client is active
Post by: douglasg14b on April 26, 2018, 08:36:39 pm
This is an odd one, please read the details.

I'm switching over from PFSense and replicating my setup on Opnsense. I have Unbound set up as the DNS resolver for my network. I set up my OpenVPN client, and as long as the client is active, DNS queries from network clients fail.

Here is what works and what doesn't while the VPN is active and routing rules are active (IPv4 catch-all for LAN to the VPN gateway):

When pinging from a network client, the VPN packets iterate. When performing a DNS query from a network client, they do not.

While the VPN is active Dig reports that the DNS server (Opnsense IP) is unreachable, that the connection timed out. There are no logs from Unbound during this time. As soon as I disable the VPN client, DNS queries work fine. Even if the routing rule is disabled and the VPN client is online, DNS queries time out.

Things I've tried:



The VPN NAT is set up, it has an active interface, and pings successfully go out and return from it. But Unbound just stops working entirely while it's active, yet DNS queries from Opnsense keep working.

What's going on, how can I fix this or further diagnose the issue?
Title: Re: Unbound DNS stops working while OpenVPN client is active
Post by: Evil_Sense on April 26, 2018, 08:52:37 pm
Try adding your VPN network in the unbound access lists as allowed to query, maybe this helps.
Title: Re: Unbound DNS stops working while OpenVPN client is active
Post by: douglasg14b on April 26, 2018, 09:25:09 pm
Hi Evil Sense, I'm not sure what I would use as the address range? I am fairly new to this, please forgive me if this is obvious.

I'm using a consumer VPN that is set up to connect to a hostname (i.e. us.myvpn.com) that picks a different IP each time it starts up.
Title: Re: Unbound DNS stops working while OpenVPN client is active
Post by: Evil_Sense on April 26, 2018, 10:02:29 pm
Well, after rethinking your situation, I think the issue lies within Unbound's configuration, since the LAN client is able to query if the OpenVPN client is disabled.

Would you mind taking a screenshot of your current Unbound configuration?
Title: Re: Unbound DNS stops working while OpenVPN client is active
Post by: douglasg14b on April 26, 2018, 11:08:20 pm
Hi, here is my general configuration

(https://i.imgur.com/scNlviK.png)
Title: Re: Unbound DNS stops working while OpenVPN client is active
Post by: Evil_Sense on April 26, 2018, 11:36:54 pm
Should be okay in my opinion. Did you try it with forwarding? Unbound would then forward the queries to the DNS servers entered in System > Settings > General.

Otherwise I hope some other ideas for further tries are getting together :)

Sadly I don't run Unbound in querying mode together with an OpenVPN client connection.
Title: Re: Unbound DNS stops working while OpenVPN client is active
Post by: douglasg14b on April 27, 2018, 01:25:48 am
Nope, that didn't work.

I really have no idea what might be going on, as this exact same configuration works just fine on PFsense. I really want to use Opnsense, but need to sort out what's going on here. I don't have any other ideas, this is above me, hopefully some others have ideas I can try.
Title: Re: Unbound DNS stops working while OpenVPN client is active
Post by: guest15389 on April 27, 2018, 03:00:15 am
I'm having a hard time trying to understand the full config.

When you say OpenVPN client, you mean you have the OPNSense router configured to something like PIA / ExpressVPN and you are routing all traffic through that and you want to still use the OPNSense resolver?

It might be your access list as well:

https://imgur.com/dLmUHgH

Does something like that work or does it just time out?

Code:
malice:~$ nslookup
> google.com
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
Name: google.com
Address: 172.217.13.238
Title: Re: Unbound DNS stops working while OpenVPN client is active
Post by: douglasg14b on April 27, 2018, 03:47:48 am
I'm honestly not sure what to say.

It's working just fine right now, I have made no changes between my previous reply and now. I left and came back a few hours later. I suppose I'll see if it continues to function.
Title: Re: Unbound DNS stops working while OpenVPN client is active
Post by: douglasg14b on April 28, 2018, 08:54:25 pm
Well, after restarting Opnsense today, it stopped working again.

As long as a VPN client is active, DNS for all network clients stops functioning.

@Animosity Yes, configured to use something like PIA to route traffic through it. However, I have the firewall rules disabled for that so no traffic goes through them. I only have the WAN catch-all active.

nslookup shows: ";; connection timed out; no servers could be reached"

What IP range did you use for your access rule? I'm not sure what to put there.

**Edit:** Just noticed this is only affecting Linux (Ubuntu) clients for some reason. Phones and Windows devices work fine. When the VPN client is active, they stop using the router (opnsense) as their DNS server; if I specify the server (i.e. 192.168.1.1) in the nslookup it works, else it times out.
Title: Re: Unbound DNS stops working while OpenVPN client is active
Post by: omie48 on April 29, 2018, 12:09:35 am
I had similar issues with unbound and OpenVPN. I know it may not be ideal, but I ended up turning off unbound and using dnsmasq, and this seems to have fixed the issue. To me it definitely looks like a bug in unbound, so I'm hoping it gets fixed.
Title: Re: Unbound DNS stops working while OpenVPN client is active
Post by: guest15389 on April 29, 2018, 01:39:42 am
What's your config look like though with the PIA setup?

Basically, instead of tunneling my entire network through my VPN, I only do a few hosts, so I have a rule like this:

https://i.imgur.com/PRJRnTj.png

If you have LAN hosts: my internal IP range is 192.168.1.0/24, so all my DNS points to my internal LAN interface, 192.168.1.1, which is my LAN address on OPNSense.

You most likely need one internal rule above yours for local traffic to your internal IP (in my case 192.168.1.1) for TCP/UDP 53, so your internal traffic is allowed to hit your network. If you allow everything through the PIA, you can't hit your internal firewall.

https://i.imgur.com/jtACH3o.png
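A constructed illustration, added here and not from the thread or OPNsense's own code, of why the rule order in the last reply matters: LAN rules are evaluated first-match, so a catch-all rule with the VPN gateway set also captures queries to the firewall's own LAN address unless a plain rule for 192.168.1.1 port 53 sits above it. The rule names, the VPN_GW label and the sample packets are assumptions; the addresses are the ones used in the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of first-match LAN rule evaluation (not OPNsense code).
# Resolver 192.168.1.1 and LAN 192.168.1.0/24 are from the thread; names are made up.
@dataclass(frozen=True)
class Rule:
    name: str
    proto: str            # "any", "tcp", "udp" or "tcp/udp"
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # None = any destination port
    gateway: str          # "default" = normal routing, else a policy-route gateway

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    proto_ok = rule.proto == "any" or pkt.proto in rule.proto.split("/")
    return (proto_ok
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))

def route(rules, pkt: Packet) -> str:
    """First matching rule decides; no match means the LAN default block applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.gateway
    return "blocked"

# The fix proposed in the thread: a plain allow to the resolver, placed above the catch-all.
LOCAL_DNS = Rule("allow LAN to resolver", "tcp/udp", "192.168.1.0/24", "192.168.1.1/32", 53, "default")
VPN_ALL = Rule("LAN catch-all via VPN", "any", "192.168.1.0/24", "0.0.0.0/0", None, "VPN_GW")

DNS_QUERY = Packet("udp", "192.168.1.50", "192.168.1.1", 53)      # constructed client query
WEB_REQUEST = Packet("tcp", "192.168.1.50", "203.0.113.10", 443)  # constructed outbound request

def compare() -> dict:
    return {
        "catch_all_only": route([VPN_ALL], DNS_QUERY),               # query pulled into the tunnel
        "dns_rule_above": route([LOCAL_DNS, VPN_ALL], DNS_QUERY),    # reaches Unbound normally
        "dns_rule_below": route([VPN_ALL, LOCAL_DNS], DNS_QUERY),    # order wrong: still tunneled
        "web_with_dns_rule": route([LOCAL_DNS, VPN_ALL], WEB_REQUEST),  # web still goes via VPN
    }
```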