Messages - mjh

#1
Hey everybody, first and foremost fantastic smooth migration I've been waiting for to get some development done.

One of the things that I'm doing is building my own version of the dn42 network: https://wiki.dn42.us/Home

Where I am presently, is building layer 2 with tinc. I'm using the Plugin and GUI and switch mode. I can ICMP/ping and tcp/ssh around to the other nodes, but the OPNsense nodes give this error:

Error while writing to Generic BSD tap device /dev/tinc0: Address family not supported by protocol family

I've added very permissive rules allowing any and allowing specific protocols between the Interface and Gateway networks but nothing seems to be helping. Any troubleshooting recommendations? Let me know what info you need from me, aside from the tap vs. tun interface this is a pretty standard tinc configuration.

Cheers,
M.
#2
Two OPNsense devices running currently, one on LibreSSL and one on OpenSSL, both with DNS-over-TLS (see config above) and aside from the first glitch mentioned earlier all since then has been running smoothly.

Edit: Same error as in reply #16 to 9.9.9.9 on the LibreSSL system. No errors on OpenSSL yet.
Edit 2: Here's the last entries before Unbound (LibreSSL) crashed:
Edit 3: Removed output.

Unbound Debug

8<---->8

Packet Capture (short)

8<--->8
#3
A few weeks back I was having the same cipher-drop issue, since then I've upgraded a few times and seeing this topic start I decided to give DNS over TLS another try. So far this morning it started out great and then I ran into a similar issue as others, the specific error is:

unbound: notice: ssl handshake failed 149.112.112.112 port 853

unbound: [pid:0] error ssl handshake failed crypto error:140020B5:SSL routines:CONNECT_CW_CLNT_HELLO:no ciphers available

I'm running:

OPNsense 18.7.a_186-amd64
FreeBSD 11.1-RELEASE-p8
LibreSSL 2.6.4
Unbound 1.6.8_2

My unbound custom options follow Calomel's Unbound DNS (https://www.calomel.org/unbound_dns.html) pretty closely:

server:
    hide-trustanchor: yes
    harden-large-queries: yes
    minimal-responses: yes
    harden-algo-downgrade: yes
    qname-minimisation-strict: yes
    ignore-cd-flag: yes
    use-caps-for-id: yes

    ssl-upstream: yes

    private-domain: "example.com"
    private-domain: "lab.example.com"

    domain-insecure: "onion"
    private-domain: "onion"
    do-not-query-localhost: no
    local-zone: "onion." nodefault

forward-zone:
    name: "onion"
    forward-addr: 127.0.0.1@9053

# forward-zone:
#     name: "."
#     forward-addr: 9.9.9.9         # quad9 non-encrypted
#     forward-addr: 149.112.112.112 # quad9 non-encrypted secondary

#include: /var/unbound/ad-blacklist.conf

forward-zone:
    name: "."
    forward-addr: 9.9.9.9@853         # quad9.net primary
    forward-addr: 149.112.112.112@853 # quad9.net secondary
    forward-addr: 145.100.185.18@853  # Surfnet dnsovertls3.sinodun.com
    forward-addr: 145.100.185.17@853  # Surfnet dnsovertls2.sinodun.com

Edit: Currently trying OpenSSL flavor, will report, currently capturing tcp/853.
Edit 2: After >1hr of testing on OpenSSL and LibreSSL, this error hasn't replicated. Still capturing tcp/853 and will post if err.
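The post above pairs a DNS-over-TLS forwarder config with the "ssl handshake failed" lines Unbound logged. The following Python script is an added example, not code from the poster or from the OPNsense or Unbound projects. It does two offline checks a defender would run while troubleshooting such a setup: it parses an unbound.conf fragment and, when ssl-upstream is yes, lists every forward-addr that is not on the DoT port 853 (with ssl-upstream on, Unbound speaks TLS to all forwarders, so a port-53 or Tor DNSPort entry deserves a second look), and it summarises handshake failures per upstream from log lines. The config and log text are constructed to mirror the post; the helper names are hypothetical. The parser handles IPv4 addresses and the optional "@port" suffix only.

```python
"""Offline checks for an Unbound DNS-over-TLS forwarder setup.

Added example: parses an unbound.conf fragment for forwarders that are
not on port 853 while ssl-upstream is enabled, and counts TLS handshake
failures per upstream from unbound log lines. Inputs are constructed.
"""
import re
from collections import Counter

# Constructed config excerpt in the style of the posted custom options.
# The last forward-addr deliberately lacks @853 (defaults to port 53).
SAMPLE_CONF = """\
server:
    ssl-upstream: yes
forward-zone:
    name: "onion"
    forward-addr: 127.0.0.1@9053
forward-zone:
    name: "."
    forward-addr: 9.9.9.9@853         # quad9.net primary
    forward-addr: 149.112.112.112@853 # quad9.net secondary
    forward-addr: 145.100.185.18      # no port given: plain 53
"""

# Constructed log lines modelled on the ones quoted in the post.
SAMPLE_LOG = """\
unbound: notice: ssl handshake failed 149.112.112.112 port 853
unbound: [pid:0] error ssl handshake failed crypto error:140020B5:SSL routines:CONNECT_CW_CLNT_HELLO:no ciphers available
unbound: notice: ssl handshake failed 9.9.9.9 port 853
unbound: info: resolving example.com. A IN
"""

DOT_PORT = 853


def parse_forward_zones(conf_text):
    """Return (ssl_upstream, zones); zones maps zone name -> [(host, port)].

    Comments are stripped only at '#' preceded by whitespace or at line
    start, so a 'host@853#authname' value would survive intact (IPv4 only).
    """
    ssl_upstream = False
    zones = {}
    current = None
    for raw in conf_text.splitlines():
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "ssl-upstream":
            ssl_upstream = value.lower() == "yes"
        elif key == "forward-zone":
            current = None          # the zone's name: line follows
        elif key == "name":
            current = value
            zones.setdefault(current, [])
        elif key == "forward-addr" and current is not None:
            host, _, port = value.partition("@")
            port = port.partition("#")[0]   # drop any #authname suffix
            zones[current].append((host, int(port) if port else 53))
    return ssl_upstream, zones


def non_dot_upstreams(ssl_upstream, zones):
    """Forwarders not on port 853 while ssl-upstream is on.

    With ssl-upstream yes, every forward-addr is contacted over TLS, so
    an entry on 53 or on a local non-TLS port (e.g. a Tor DNSPort) will
    fail its handshake rather than silently fall back to plain DNS.
    """
    if not ssl_upstream:
        return []
    return [(zone, host, port) for zone, addrs in zones.items()
            for host, port in addrs if port != DOT_PORT]


HANDSHAKE_RE = re.compile(r"ssl handshake failed (\d+\.\d+\.\d+\.\d+) port (\d+)")
CRYPTO_RE = re.compile(r"crypto error:([0-9A-Fa-f]+):(.*)")


def handshake_failures(log_text):
    """Count 'ssl handshake failed' per (host, port) and collect crypto reasons."""
    per_upstream = Counter()
    reasons = []
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.search(line)
        if m:
            per_upstream[(m.group(1), int(m.group(2)))] += 1
        c = CRYPTO_RE.search(line)
        if c:
            reasons.append((c.group(1), c.group(2).strip()))
    return per_upstream, reasons


if __name__ == "__main__":
    ssl_on, zones = parse_forward_zones(SAMPLE_CONF)
    for zone, host, port in non_dot_upstreams(ssl_on, zones):
        print(f"zone {zone!r}: {host}:{port} is not on the DoT port {DOT_PORT}")
    counts, reasons = handshake_failures(SAMPLE_LOG)
    for (host, port), n in counts.items():
        print(f"{n} handshake failure(s) to {host} port {port}")
    for code, text in reasons:
        print(f"crypto error {code}: {text}")
```

Run it against the real files by replacing SAMPLE_CONF and SAMPLE_LOG with the contents of the custom-options file and /var/log/resolver.log; the "no ciphers available" reason reported by the second regex is the detail to compare between the LibreSSL and OpenSSL builds the post is testing.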