Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Virtual private networks
»
WG site-to-site VPNs, unbound domain overrides
« previous
next »
Print
Pages: [
1
]
Author
Topic: WG site-to-site VPNs, unbound domain overrides (Read 1660 times)
surly
Newbie
Posts: 21
Karma: 0
WG site-to-site VPNs, unbound domain overrides
«
on:
May 18, 2021, 02:38:40 pm »
[ though not necessarily about the VPN configuration itself, the config and workarounds required are because I'm using VPN and dealing with the quirks and requirements of VPN topology. I thought it worth asking here because others running VPNs would have the same issues ]
OPN system at home with Wireguard site-to-site to two other sites. The other sites are Edgerouter ER-X (vyos) and OpenWRT. I control all sites.
There's been a bunch of troubleshooting, trial and error, and log watching but things are almost there. The last hurdle was getting DNS for private namespace working over the tunnels.
I'll oversimplify with this example: My home and the hub site is "me.lan" on 10.0.0.0/24, one spoke is "sub.me.lan" on 10.0.1.0/24 and the other is "different.lan" on 10.0.2.0/24. Both spokes run dnsmasq, one in the router the other on a pihole. Each required a domain forward for me.lan to my firewall LAN interface and a corresponding permit rule. The key thing causing DNS not to work was requiring to specify the source interface on the spoke's instance of dnsmasq. Without specifying the internal interface as source it was querying from the WAN interface instead of over the tunnel and this didn't work.
In dnsmasq this was '/me.lan/10.0.0.1@10.0.1.1' and '/me.lan/10.0.0.1@10.0.2.1' respectively. This now works perfectly.
My last step is getting spoke site DNS working from hub site which is the OPNsense site running unbound in non-forwarding resolver mode with some blacklists, hardened DNSSEC etc...
In Services -> Unbound -> Overrides I have configured 'sub.me.lan -> 10.0.1.1' and 'different.lan -> 10.0.2.1' but it's not working and the first thing I want to look into is the same thing which fixed the spokes - ensuring that I'm sourcing the forwarded queries from an interface where routing, tunneling and permit rules will work accordingly. I have found unbound documentation indicating how to set a non-standard port for these forwarded queries but no way to specify a source interface or IP address.
I would like to stick with unbound at the hub site. I am thinking that I could alternatively add a dnsmasq instance on the hub fw on a non-standard port, configure unbound to forward to it and then dnsmasq to forward to the spokes using the same config as the spokes but if there's something simpler that I'm missing I'd like to do that before adding the layer of complexity just for a pet project.
«
Last Edit: May 18, 2021, 03:20:26 pm by surly
»
Logged
cherzberg
Newbie
Posts: 3
Karma: 0
Re: WG site-to-site VPNs, unbound domain overrides
«
Reply #1 on:
May 06, 2022, 06:52:30 pm »
Hi surly,
Did you still get it working then? I have the same problem.
Cheers
Christian
Logged
surly
Newbie
Posts: 21
Karma: 0
Re: WG site-to-site VPNs, unbound domain overrides
«
Reply #2 on:
May 07, 2022, 01:01:18 pm »
I do have this working (although the feature isn't used often - hub systems accessing spoke systems by name). The architecture has changed somewhat with an Adguard Home instance as the primary listener on the hub OPN port 53, forwarding to unbound running on hub OPN port 5553. Both servers are configured with the forward rule for the spoke sites.
What I cannot find is whether I did anything special . I've checked my diary and unbound config and don't see any fancy tricks like I had to do on dnsmasq at the spoke sites. I'll keep looking to see how I sorted this out, or if a patch fixed it, or if I found some silly mistake I had made somewhere.
Logged
surly
Newbie
Posts: 21
Karma: 0
Re: WG site-to-site VPNs, unbound domain overrides
«
Reply #3 on:
May 08, 2022, 02:26:51 pm »
I've checked - the vyatta / EdgeOS spoke site seems to be working fully. The openWRT spoke site isn't resolving DNS for leases at its site from the other sites. I'll poke around when I can. Might just be an ACL on the openWRT end not responding to the hub OPN queries.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Virtual private networks
»
WG site-to-site VPNs, unbound domain overrides