Messages - omie48

#1
18.7 Legacy Series / Re: iperf
August 03, 2018, 12:29:22 PM
That did it!  Thanks Franco!
#2
18.7 Legacy Series / Re: iperf
August 03, 2018, 12:17:59 PM
Hmmm, I'm definitely not seeing it.  Can anyone else confirm that they can see it?  Thanks.
#3
18.7 Legacy Series / [SOLVED] iperf
August 02, 2018, 10:02:04 PM
Is iperf gone as a plugin in 18.7?  I can't see it.
#4
18.1 Legacy Series / Fan speed
June 27, 2018, 06:50:29 PM
I upgraded my OPNsense box from an old fanless mini PC to a spare full-size PC I now have.  Everything is working fine except that this machine has both a CPU and a case fan and these seem to be stuck on max speed.  Can I control the fan speeds, and how would I do that?
#5
18.1 Legacy Series / Prioritize client's traffic
May 19, 2018, 10:09:09 AM
I've been trying to use the traffic shaper to prioritize one local client's traffic to and from the WAN above all others, but I'm struggling.

I've just deleted all my traffic shaper rules again as I don't know if any of it was remotely right.  Could someone please show me how the traffic shaper could be configured to simply prioritize a single client's traffic above all others?
#6
I had similar issues with unbound and OpenVPN.  I know it may not be ideal but I ended up turning off unbound and using dnsmasq and this seems to have fixed the issue.  To me it definitely looks like a bug in unbound so I'm hoping it gets fixed.
#7
@Maurice.  I don't think that's completely accurate about it showing your ISP name, although I may be wrong.  When sending traffic through the VPN and running unbound with unbound set to forward to say Google's 8.8.8.8 then when I run a leak test I don't see my ISP anywhere.  As I would expect, I see the VPN public IP, and I see Google's DNS servers.  This is still a leak because it means my DNS requests went over my WAN connection.  My ISP could have looked at them or hijacked them without me knowing.

As far as your second bullet, this is pretty much spot on and is what I was trying to achieve.  However, unbound doesn't seem to want to forward requests through the VPN.  Whenever I tried setting unbound to use the VPN tunnel it failed.  However, dnsmasq with exactly the same set up does seem to work and does forward its requests over the VPN tunnel without complaint.  So at least for me, the solution has been to turn off unbound and switch back to using dnsmasq.

I don't know if the issue with unbound not using the VPN for forwarding is a bug, planned behavior, or a configuration issue.  If it is planned then the general settings should be changed so that anything but the WAN gateway is not an option when using unbound.
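One way to pin unbound's forwarded queries to the tunnel, added here as an example rather than anything posted in this thread: unbound's own `outgoing-interface` option sets the source address it uses for the queries it sends upstream, so binding it to the VPN client's tunnel address makes forwarded queries leave via the tunnel instead of the WAN address. The tunnel address (10.8.0.6) and the forwarders (1.1.1.1 and 1.0.0.1) are assumptions for the example; substitute your own. In OPNsense these lines would go into unbound's custom options box (its exact location varies by version), and unbound accepts a second `server:` clause alongside the generated one.

```conf
server:
    # Source all upstream queries from the OpenVPN client's tunnel address
    # (assumed 10.8.0.6) so they leave via the tunnel, not the WAN address.
    outgoing-interface: 10.8.0.6

forward-zone:
    # Forward everything unbound cannot answer from local data to these
    # resolvers (addresses assumed for the example).
    name: "."
    forward-addr: 1.1.1.1
    forward-addr: 1.0.0.1
    # Do not fall back to iterative resolution if the forwarders fail;
    # a fallback would still honour outgoing-interface, but it hides a
    # broken tunnel behind working DNS.
    forward-first: no
```

The caveat: the forwarders must actually be routable through the tunnel. If the kernel's route to 1.1.1.1 still points at the WAN gateway, unbound will send packets sourced from 10.8.0.6 out the WAN, which both leaks the query and gets no reply. After applying the config, confirm with a packet capture on the WAN and tunnel interfaces rather than relying on a web leak tester alone.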
#8
Hmmmm, well here's an interesting finding.  If I use DNSMasq instead of Unbound then I can use the VPN gateway and of course then the leak is gone.  So this definitely seems like a problem with Unbound to me.
#9
@bigops Well, every leak tester shows a leak.  Another way to look at this problem would be to forget about the leak and just ask...

Why does DNS forwarding from the OPNsense box work over the WAN connection but not over the VPN connection?

If in General->Settings->System I put in a DNS server and select the gateway as WAN then it works.  However, if I select the VPN gateway then it does not work.  The VPN is definitely connected and working as all other traffic is going over the VPN, so why won't the DNS requests go through the VPN gateway?
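A local way to answer the question above without a web leak tester, added as an example and not part of the original post: capture port-53 traffic on the WAN and tunnel interfaces and count which side the resolver's upstream queries actually leave on. The interface names em0 (WAN) and ovpnc1 (OpenVPN client) are assumptions; the capture lines embedded below are constructed sample tcpdump output so the script runs offline.

```sh
#!/bin/sh
# Added example (not from the forum thread): classify DNS queries in a tcpdump
# text capture by interface to see whether the firewall's resolver is sending
# its upstream queries out the WAN (a leak) or through the VPN tunnel.
# Interface names are assumptions; on the firewall the real input would be
# produced with one capture per interface, for example:
#   tcpdump -n -l -i em0 'udp port 53 or tcp port 53' | sed 's/^/em0 /'

WAN_IF="em0"
VPN_IF="ovpnc1"

# Constructed sample capture: each line is "<iface> <tcpdump -n output line>".
# 203.0.113.10 is the assumed WAN address, 10.8.0.6 the assumed tunnel address.
SAMPLE_CAPTURE='em0 12:01:03.123456 IP 203.0.113.10.54321 > 1.1.1.1.53: 12345+ A? example.com. (29)
em0 12:01:03.140000 IP 1.1.1.1.53 > 203.0.113.10.54321: 12345 1/0/0 A 192.0.2.44 (45)
ovpnc1 12:01:05.000001 IP 10.8.0.6.43210 > 1.1.1.1.53: 22222+ A? opnsense.org. (30)
ovpnc1 12:01:05.020000 IP 1.1.1.1.53 > 10.8.0.6.43210: 22222 1/0/0 A 192.0.2.80 (46)
em0 12:01:06.000001 IP 203.0.113.10.443 > 198.51.100.7.55555: Flags [P.], length 100'

# count_dns_queries CAPTURE IFACE
# Prints the number of outbound DNS queries seen on IFACE: destination port 53
# (field 6 ends in ".53:") and a query ID with tcpdump's trailing "+" that marks
# a recursion-desired query, so replies coming back from port 53 are not counted.
count_dns_queries() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == want && $3 == "IP" && $6 ~ /\.53:$/ && $7 ~ /\+$/ { n++ }
        END { print n + 0 }'
}

# dns_leak_verdict CAPTURE
# Prints "LEAK" if any upstream query left via the WAN interface, "OK" otherwise.
dns_leak_verdict() {
    wan=$(count_dns_queries "$1" "$WAN_IF")
    if [ "$wan" -gt 0 ]; then
        echo "LEAK"
    else
        echo "OK"
    fi
}

# Stand-alone run against the constructed sample: one query went out the WAN,
# one through the tunnel, so the verdict is LEAK.
echo "WAN ($WAN_IF) DNS queries: $(count_dns_queries "$SAMPLE_CAPTURE" "$WAN_IF")"
echo "VPN ($VPN_IF) DNS queries: $(count_dns_queries "$SAMPLE_CAPTURE" "$VPN_IF")"
echo "verdict: $(dns_leak_verdict "$SAMPLE_CAPTURE")"
```

Run the real captures while a LAN client resolves a name the resolver cannot answer locally; a single query counted on the WAN interface is enough to show the forwarder is using the WAN gateway, regardless of what a browser-based leak tester reports.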
#10
crt333, in System->General also make sure the two DNS options...

Allow DNS server list to be overridden by DHCP/PPP on WAN
Do not use the DNS Forwarder/Resolver as a DNS server for the firewall

...are unchecked.  I think that should fix it so that it doesn't use your ISP's servers.
#11
No, in this case the clients are behaving as expected.  I want the clients to ask the OPNsense box for DNS resolution as there are a lot of local devices and I use their local names frequently.  However, when unbound on the OPNsense box can't resolve a client (because it's not local) it must forward the request.  At this point I want unbound to forward the request over the VPN connection.

However, the issue is that I can't get unbound to forward requests over the VPN.  Unbound only seems to want to forward requests over the WAN gateway.  If I set the gateway for the DNS servers in System->Settings->General to anything other than the WAN gateway then it fails.

Yes, if I set the clients to use DNS servers other than the OPNsense box either manually or by setting them in what's handed out by DHCP then there are no leaks on the clients.  However, obviously they can't then resolve other local devices.  So what I'm after is that clients do query the OPNsense box, which does answer for local devices it knows about, but that the OPNsense box forwards queries through the VPN for those it can't answer.  For whatever reason, I'm stuck with unbound forwarding queries through the WAN gateway instead.
#12
The only way the ISP could be hijacking the requests is if the requests are actually going out over the WAN gateway rather than the VPN gateway, which is pretty much the whole problem.  I can't seem to get unbound configured to forward the DNS requests it can't answer over the VPN gateway, it only seems to work when it's sending them over the WAN gateway.

I've switched the DNS from Google to the new 1.1.1.1, which actually seems slightly faster from here.  However, I'm still not happy that they are going out over the WAN interface as my ISP could easily see and hijack them like you say elektroinside.
#13
I seem to have the same problem.  I want to be able to use the OPNsense unbound so that I can reference local clients, but any requests for anything else I want to go to Google's DNS servers through the VPN connection.

I get the same behaviour though, which is...

* With unbound off all requests go through the VPN, no leak
* With unbound on, local requests are resolved but everything else seems to go through the WAN port, so there is a leak

I am finding it impossible to make unbound use the VPN connection when using its forwarding servers.

By the way crt333, if you set DNS servers in the System->General page then it will use those, but it will go through the WAN port nonetheless.  This is a bit better as it avoids sending DNS requests directly to your IP.  However, since those requests are still going through the WAN gateway in theory they could easily sniff them or even capture them and reply with fake results.

That page also has an option to select which gateway to use for the DNS requests but whenever I set it to use the VPN connection there it just stops working.