OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: brando56894 on May 14, 2018, 06:24:20 pm

Title: Can't Resolve Internal FQDNs Over VPN
Post by: brando56894 on May 14, 2018, 06:24:20 pm
I have two VPN servers set up: one in my apartment and one in my parents' house, both are running OPNsense.

Each network has its own domain names and its own DNS server (unbound), and they are able to resolve IPs for their respective networks. I initially had an issue where both networks were using 192.168.1.0/24 but I changed my parents' network to 192.168.2.0/24, and now have no issues connecting, but can't resolve FQDNs across subnets.

It looks like unbound is blocking recursion even though I'm specifically allowing it and have all the networks in an ACL, so I'm not sure what else could be blocking it.

Here's the unbound config for my apartment's network (192.168.1.0/24):

Code:
##########################
# Unbound Configuration
##########################

##
# Server configuration
##
server:
chroot: /var/unbound
username: unbound
directory: /var/unbound
pidfile: /var/run/unbound.pid
use-syslog: yes
port: 53
verbosity: 3
hide-identity: no
hide-version: no
harden-referral-path: no
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
module-config: "validator iterator"
cache-max-ttl: 86400
cache-min-ttl: 0
harden-dnssec-stripped: yes
serve-expired: no
outgoing-num-tcp: 10
incoming-num-tcp: 10
num-queries-per-thread: 4096
outgoing-range: 8192
infra-host-ttl: 900
infra-cache-numhosts: 10000
unwanted-reply-threshold: 0
jostle-timeout: 200
msg-cache-size: 4m
rrset-cache-size: 8m
num-threads: 2
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4

auto-trust-anchor-file: /var/unbound/root.key
prefetch: no
prefetch-key: no
# Statistics
# Unbound Statistics
statistics-interval: 0
extended-statistics: yes
statistics-cumulative: yes

# Interface IP(s) to bind to
interface: 0.0.0.0
interface: ::0
interface-automatic: yes


# DNS Rebinding

# Access lists
include: /var/unbound/access_lists.conf

# Static host entries
include: /var/unbound/host_entries.conf

# DHCP leases (if configured)
include: /var/unbound/dhcpleases.conf

# Domain overrides
include: /var/unbound/domainoverrides.conf


ACLs:
Code:
access-control: 127.0.0.1/32 allow
access-control: ::1 allow
access-control: 192.168.1.0/24 allow
access-control: 71.172.17.0/24 allow
#Internal
access-control: 10.0.8.0/32 allow_snoop
access-control: 192.168.2.0/24 allow_snoop

No domain overrides set.


Here's an example of me trying to resolve an FQDN from my apartment's network, while VPN'd in from my parents' network:

Code:
[bran@laptop ~]$ ip a
2: wlp59s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:28:f8:54:ad:1c brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.203/24 brd 192.168.2.255 scope global dynamic noprefixroute wlp59s0
       valid_lft 3297sec preferred_lft 3297sec
    inet6 fe80::f4b1:b20f:2d80:1117/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.0.8.6 peer 10.0.8.5/32 brd 10.0.8.6 scope global noprefixroute tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::c6a2:c488:c3f0:7fcb/64 scope link stable-privacy
       valid_lft forever preferred_lft forever


[bran@laptop ~]$ cat /etc/resolv.conf
# Generated by NetworkManager
search brandongolway.us golway
nameserver 192.168.1.1
nameserver 192.168.2.1


[bran@laptop ~]$ dig @192.168.1.1 opnsense.brandongolway.us

; <<>> DiG 9.12.1 <<>> @192.168.1.1 opnsense.brandongolway.us
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 60507
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; Query time: 27 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon May 14 12:20:40 EDT 2018
;; MSG SIZE  rcvd: 12

What's the issue?
Title: Re: Can't Resolve Internal FQDNs Over VPN
Post by: Animosity022 on May 14, 2018, 07:24:24 pm
To get the flow right I wanted to repeat back what I thought I read.

You are in your parents' house (192.168.2.x), you open up a VPN connection from your laptop back to your house (192.168.1.x), and you are then trying to run that dig command, which produces the error below?

You are expecting results more like this:

Code:
dig @192.168.1.1 opnsense.brandongolway.us

; <<>> DiG 9.10.6 <<>> @192.168.1.1 opnsense.brandongolway.us
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16266
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;opnsense.brandongolway.us. IN A

;; AUTHORITY SECTION:
brandongolway.us. 3600 IN SOA ns1.he.net. hostmaster.he.net. 2018051200 10800 1800 604800 86400

;; Query time: 69 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon May 14 13:17:10 EDT 2018
;; MSG SIZE  rcvd: 111

Did I state that right?
Title: Re: Can't Resolve Internal FQDNs Over VPN
Post by: brando56894 on May 14, 2018, 07:39:57 pm
Everything except for the expected response from dig; this is what it should return. I get this response when I SSH into my server (192.168.1.7) while connected via the VPN at my parents' house.

Code:
; <<>> DiG 9.12.1 <<>> opnsense.brandongolway.us
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8619
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;opnsense.brandongolway.us.     IN      A

;; ANSWER SECTION:
opnsense.brandongolway.us. 3600 IN      A       192.168.1.1

;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon May 14 13:33:44 EDT 2018
;; MSG SIZE  rcvd: 86

I get this response when just connected via the VPN:

Code:
; <<>> DiG 9.12.1 <<>> opnsense.brandongolway.us
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 10872
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; Query time: 22 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon May 14 14:10:52 EDT 2018
;; MSG SIZE  rcvd: 12
Title: Re: Can't Resolve Internal FQDNs Over VPN
Post by: Animosity022 on May 14, 2018, 08:16:36 pm
I don't use allow_snoop on mine and just allow, but I tested with both and either produces the same results for me.

access-control: 10.0.8.0/32 allow_snoop

Should that be a /24 so you are allowing the VPN subnet you have configured?
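As an added illustration of the ACL point raised in the last reply (example code, not from the thread or from OPNsense): this models unbound's most-specific-netblock matching over the access-control lines posted above. It assumes that a query sent over the tunnel arrives at unbound with the laptop's tun0 source address 10.0.8.6, which the /32 entry does not cover.

```python
import ipaddress

# ACL lines as posted in the thread (constructed copy); the /32 on the
# VPN tunnel network is the line the last reply questions.
ACL_TEXT = """\
access-control: 127.0.0.1/32 allow
access-control: ::1 allow
access-control: 192.168.1.0/24 allow
access-control: 71.172.17.0/24 allow
#Internal
access-control: 10.0.8.0/32 allow_snoop
access-control: 192.168.2.0/24 allow_snoop
"""

def parse_acl(text):
    """Parse unbound access-control lines into (network, action) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("access-control:"):
            continue
        netblock, action = line.split(":", 1)[1].split()
        rules.append((ipaddress.ip_network(netblock, strict=False), action))
    return rules

def acl_action(rules, client_ip):
    """Unbound applies the most specific matching netblock; a source address
    that matches nothing is refused, which is the REFUSED status dig showed."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, action in rules:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else "refuse"

ORIGINAL_RULES = parse_acl(ACL_TEXT)
# The change suggested in the thread: cover the whole tunnel subnet.
FIXED_RULES = parse_acl(ACL_TEXT.replace("10.0.8.0/32", "10.0.8.0/24"))

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        # 10.0.8.6 is the laptop's tun0 address from the ip a output above;
        # only 10.0.8.0 itself falls inside the /32 entry.
        print(label, "10.0.8.6 ->", acl_action(rules, "10.0.8.6"))
```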