OPNsense Forum » Archive » 18.1 Legacy Series » Unbound and OpenVPN problem
Topic: Unbound and OpenVPN problem (Read 34504 times)
jjstecchino (Newbie, Posts: 3, Karma: 0)
Unbound and OpenVPN problem, posted March 28, 2018, 09:26:46 pm
First post here. First of all, congratulations on this great project. I have been a very long-time user of pfSense and active on their forum. I stumbled upon OPNsense by chance and I liked it so much that I migrated my long-time pfSense to OPNsense. It is a fantastic firewall.
Now here is the issue. I created an OpenVPN server and set it to pass my local domain and the LAN firewall IP as DNS server. The OpenVPN connection worked flawlessly, however clients were not able to resolve DNS queries.
Unbound was set to respond on ALL interfaces but was not. nslookup from clients showed the query was refused. If I select each of the interfaces individually, i.e. WAN, LAN, localhost and OpenVPN, Unbound responds to DNS queries as expected. It seems that selecting ALL doesn't make Unbound listen on all interfaces but just LAN, WAN and localhost.
Also, any plan to support NCP on OpenVPN? I really miss that from pfSense.
Thanks and congratulations again for this project. As time permits I would love to get familiar with the code and help as much as I am able to.
elektroinside (Hero Member, Posts: 574, Karma: 51)
Re: Unbound and OpenVPN problem, Reply #1 on March 28, 2018, 09:34:44 pm
Hi and welcome to OPNsense!
Make sure the OpenVPN subnet(s) are in the Access List as well, under Services: Unbound DNS: Access Lists.
Last Edit: March 28, 2018, 09:37:43 pm by elektroinside
OPNsense v18
| HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s
Team Rebellion Member
elektroinside (Hero Member, Posts: 574, Karma: 51)
Re: Unbound and OpenVPN problem, Reply #2 on March 28, 2018, 09:46:29 pm
Unrelated, but you might find it useful.
For best OpenVPN performance, you could also follow this guide. Its main purpose is to speed up IDPS, but it has a significant impact on OpenVPN as well. I found tons of posts on the internet about how to optimize OpenVPN throughput, but dcol's post was the only one which really helped, without any other OpenVPN parameters.
https://forum.opnsense.org/index.php?topic=6590.0
jjstecchino (Newbie, Posts: 3, Karma: 0)
Re: Unbound and OpenVPN problem, Reply #3 on March 28, 2018, 10:30:18 pm
Thanks for the welcome and for the prompt answers. Great reading on the tunables.
Regarding the OpenVPN issue, yes, my OpenVPN tunnel network had already been added automatically to the Unbound ACL.
elektroinside (Hero Member, Posts: 574, Karma: 51)
Re: Unbound and OpenVPN problem, Reply #4 on March 29, 2018, 06:41:04 am
OK, the next logical question is whether you have added a firewall rule to allow access from the OpenVPN net/interface to the firewall's port 53 (or to the entire firewall / LAN subnet, aka an "any to any" rule).
Last Edit: March 29, 2018, 06:47:04 am by elektroinside
jjstecchino (Newbie, Posts: 3, Karma: 0)
Re: Unbound and OpenVPN problem, Reply #5 on March 31, 2018, 06:43:20 pm
I have an OpenVPN pass-all rule.
I believe the problem is that OPNsense adds an ACL entry in Unbound just for the OpenVPN server, i.e. xx.xx.xx.1/32, but not for the tunnel network xx.xx.xx.0/24. I don't know if this is by design or a bug. If it is by design, something should be stated in the OpenVPN setup doc page that an ACL entry should be added in Unbound for the tunnel network.
I don't see the drawback to automatically adding the entire tunnel network (xx.xx.xx.xx/24 or whatever the netmask may be) instead of just the OpenVPN server (xx.xx.xx.1/32) to the Unbound ACL when an OpenVPN server is created/enabled. I think this second option is more intuitive and leads to less head-scratching.
Anyway, adding the entire tunnel network to the Unbound ACL solves the problem.
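Added example, not part of the thread and not OPNsense or Unbound code: a small Python model of how Unbound evaluates its access-control list, used to show why a /32 entry for the server's own tunnel address leaves every VPN client refused while a /24 entry for the tunnel network fixes it. It implements Unbound's documented rule that the most specific matching netblock wins and that an address matching no entry gets the default action `refuse` (the REFUSED answer the first post saw in nslookup). The addresses 10.8.0.0/24 for the tunnel, 10.8.0.1 for the firewall's tunnel address and 192.168.1.0/24 for the LAN are constructed placeholders standing in for the xx.xx.xx.x in the posts.

```python
import ipaddress

# Unbound's built-in default for a source address that matches no
# access-control entry is to refuse the query.
DEFAULT_ACTION = "refuse"


def parse_access_control(conf_text):
    """Extract (network, action) pairs from unbound.conf-style text.

    Only 'access-control:' lines are used; comments after '#' and any
    other options are ignored. Raises on a malformed entry.
    """
    acl = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("access-control:"):
            continue
        _, rest = line.split(":", 1)
        parts = rest.split()
        if len(parts) != 2:
            raise ValueError(f"malformed access-control line: {raw!r}")
        net, action = parts
        acl.append((ipaddress.ip_network(net, strict=False), action))
    return acl


def acl_action(acl, client_ip):
    """Return the action Unbound applies to a query from client_ip.

    The most specific (longest prefix) matching netblock decides; an
    address that matches nothing falls back to DEFAULT_ACTION.
    """
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, action in acl:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else DEFAULT_ACTION


def check_client(conf_text, client_ip):
    """Convenience wrapper: parse the config, then evaluate one client."""
    return acl_action(parse_access_control(conf_text), client_ip)


# Constructed sample mirroring the thread: the firewall's own tunnel address
# (assumed 10.8.0.1) is allowed as a /32, but the tunnel network handed to
# clients (assumed 10.8.0.0/24) has no entry. Addresses are placeholders.
ACL_SERVER_ONLY = """
access-control: 127.0.0.0/8 allow
access-control: 192.168.1.0/24 allow   # LAN (assumed)
access-control: 10.8.0.1/32 allow      # OpenVPN server address only
"""

# The fix described in the thread: allow the whole tunnel network.
ACL_TUNNEL_NET = ACL_SERVER_ONLY + "access-control: 10.8.0.0/24 allow\n"

# Most-specific-match demo: one client inside the allowed /24 is refused
# again by a narrower /32 entry (constructed, not from the thread).
ACL_DENY_ONE = ACL_TUNNEL_NET + "access-control: 10.8.0.99/32 refuse\n"

if __name__ == "__main__":
    for label, conf in (("server /32 only", ACL_SERVER_ONLY),
                        ("tunnel /24 added", ACL_TUNNEL_NET)):
        print(f"{label}: VPN client 10.8.0.6 -> {check_client(conf, '10.8.0.6')}")
```

Running the block prints `refuse` for a VPN client under the server-only ACL and `allow` once the /24 is present; the same logic explains why the LAN kept working throughout, since its /24 was already listed. Note that the ACL is only half the story raised in the thread: even with a matching allow entry, the firewall rule on the OpenVPN interface must still pass UDP/TCP 53 to the firewall address, which this model does not cover.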
Baliste (Newbie, Posts: 47, Karma: 7)
Re: Unbound and OpenVPN problem, Reply #6 on February 04, 2019, 12:44:18 pm
Thanks.
I faced the same problem and I added the OpenVPN tunnel network to the unbound ACL, and it is working now.
Frédéric