  • OPNsense Forum »
  • Archive »
  • 20.7 Legacy Series »
  • [SOLVED] DNS refuses clients in one subnet behind wireguard site-to-site tunnel
Author Topic: [SOLVED] DNS refuses clients in one subnet behind wireguard site-to-site tunnel  (Read 1066 times)

chemlud

  • Hero Member
  • *****
  • Posts: 1910
  • Karma: 90
    • View Profile
[SOLVED] DNS refuses clients in one subnet behind wireguard site-to-site tunnel
« on: November 11, 2020, 08:13:53 pm »
Hi again!

Have an ISP with lousy DNS, so I use DNS from another OPNsense (Unbound, DNSSEC and DoT configured) at the end of an openVPN tunnel, working fine.

I switched this tunnel to Wireguard site-to-site and now I have one subnet on the lousy DNS-site, that resolves just fine via wireguard and the remote DNS on the OPNsense.

In a second subnet (added to the same wireguard End Point), I have two clients, a notebook and a raspberry pi, which both use the remote DNS server (I can check from resolv.conf, dnsmasq) and the requests reach the unbound in the remote OPNsense, as I can see in package capture.

HOWEVER, the unbound always replies with "REFUSED"

Code:
    1 0.000000 aaa.bbb.ccc.3 xxx.yyy.zzz.1 DNS 82 Standard query 0x8e14 A conncheck.opensuse.org
    2 0.024239 xxx.yyy.zzz.1 aaa.bbb.cc.3 DNS 54 Standard query response 0x8e14 Refused
...or this here, another example:

Code:
    1 0.000000 aaa.bbb.ccc.2 xxx.yyy.zzz.1 DNS 95 Standard query 0x999d SRV _http._tcp.raspbian.raspberrypi.org
    3 0.023408 xxx.yyy.zzz.1 aaa.bbb.ccc.2 DNS 54 Standard query response 0x999d Refused
to both clients, no matter what these two clients request.

Any idea what is going wrong here?
« Last Edit: November 21, 2020, 07:05:53 pm by chemlud »
Logged
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Gauss23

  • Hero Member
  • *****
  • Posts: 735
  • Karma: 38
    • View Profile
    • BackendMedia
Re: DNS refuses clients in one subnet behind wireguard site-to-site tunnel
« Reply #1 on: November 11, 2020, 08:16:29 pm »
Services: Unbound DNS: Access Lists

Are all of your networks listed here?
Logged
„The S in IoT stands for Security!“ :)

System 1: ESXi, i3-9100F (2 Cores), 4GB RAM, 4x NIC
System 2: ESXi, Xeon E3-1220 V2 (2 Cores), 4GB RAM, 4x NIC
System 3: KVM, Xeon Skylake (2 Cores), 4GB RAM, 2x NIC
System 4: KVM, AMD EPYC 7702P (2 Cores), 8GB RAM, 1x NIC (Datacenter VPN Hub)
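The check Gauss23 points at (is the client's subnet covered by an Unbound access list?) can be done offline before touching the firewall. The script below is an added example, not code from this thread or from the OPNsense project: it parses the `access-control:` lines that end up in unbound.conf, applies Unbound's documented rule that the most specific matching netblock wins and that unmatched clients are refused, and then walks capture lines in the same shape as the ones quoted above to predict which clients will get REFUSED. The networks, client addresses and query names in it are constructed placeholders, not the values from the post.

```python
import ipaddress
import re

# Unbound access-control actions under which a query is actually answered.
ANSWERING_ACTIONS = {"allow", "allow_snoop", "allow_setrd"}
# Unbound's built-in behaviour for a client that matches no entry at all.
DEFAULT_ACTION = "refuse"

ACL_LINE = re.compile(r"^\s*access-control:\s+(\S+)\s+(\S+)\s*$")

# Constructed sample of the access-control lines OPNsense renders from
# Services > Unbound DNS > Access Lists (placeholder networks, not the post's).
UNBOUND_ACL = """
access-control: 127.0.0.0/8 allow
access-control: ::1 allow
access-control: 192.0.2.0/24 allow
access-control: 203.0.113.0/24 refuse
access-control: 203.0.113.0/28 allow
"""

# Constructed capture lines in the same column layout as the post's output
# (frame, time, src, dst, proto, length, info). Only client queries are judged;
# response lines are skipped.
CAPTURE = """
1 0.000000 192.0.2.3 198.51.100.1 DNS 82 Standard query 0x8e14 A conncheck.opensuse.org
2 0.024239 198.51.100.1 192.0.2.3 DNS 54 Standard query response 0x8e14 Refused
3 0.000000 198.18.0.2 198.51.100.1 DNS 95 Standard query 0x999d SRV _http._tcp.example.org
4 0.000000 2001:db8::5 2001:db8:1::1 DNS 82 Standard query 0x1234 AAAA example.org
"""


def parse_access_control(conf_text):
    """Return [(ip_network, action)] for every access-control: line in conf_text."""
    acl = []
    for line in conf_text.splitlines():
        m = ACL_LINE.match(line)
        if not m:
            continue
        net, action = m.groups()
        acl.append((ipaddress.ip_network(net, strict=False), action.lower()))
    return acl


def decide(client_ip, acl):
    """Action Unbound applies to client_ip: the longest matching prefix wins."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, action in acl:
        if ip.version != net.version or ip not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, action)
    return best[1] if best else DEFAULT_ACTION


def classify_capture(capture_text, acl):
    """For each captured query, report client, ACL action and the reply to expect."""
    rows = []
    for line in capture_text.splitlines():
        f = line.split()
        if len(f) < 11 or f[4] != "DNS" or "response" in line:
            continue
        src = f[2]
        action = decide(src, acl)
        if action in ANSWERING_ACTIONS:
            expected = "answered"
        elif action in ("deny", "deny_non_local"):
            # deny drops the packet; deny_non_local does so for non-local names
            # (local-zone data is ignored here for simplicity)
            expected = "dropped"
        else:
            expected = "REFUSED"
        rows.append({"client": src, "query": " ".join(f[9:]),
                     "action": action, "expected": expected})
    return rows


def refused_clients(rows):
    """Sorted list of client addresses that would not get an answer."""
    return sorted({r["client"] for r in rows if r["expected"] != "answered"})


if __name__ == "__main__":
    acl = parse_access_control(UNBOUND_ACL)
    for r in classify_capture(CAPTURE, acl):
        print(f"{r['client']:>16}  {r['action']:<8} -> {r['expected']:<9} {r['query']}")
```

Any client listed by `refused_clients` needs its network added to the access list (or to the WireGuard peer's allowed networks so OPNsense generates the entry itself, which is what the next replies in this thread end up doing).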

chemlud

  • Hero Member
  • *****
  • Posts: 1910
  • Karma: 90
    • View Profile
Re: DNS refuses clients in one subnet behind wireguard site-to-site tunnel
« Reply #2 on: November 11, 2020, 08:40:10 pm »
Good point!

There is at the lower end an entry with the domain name of the remote OPNsense and there is only the subnet listed that works just fine.

So I add the second subnet and it should work? :-D
Logged
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

chemlud

  • Hero Member
  • *****
  • Posts: 1910
  • Karma: 90
    • View Profile
Re: DNS refuses clients in one subnet behind wireguard site-to-site tunnel
« Reply #3 on: November 11, 2020, 08:51:00 pm »
Works! Very nice.

I added the second subnet to the wireguard config after the connection was up and running, so the second net was not automagically added to this Access List. Reboot didn't help...

Many thanks, made my day! :-D
Logged
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

OPNsense is an OSS project © Deciso B.V. 2015 - 2022 All rights reserved