  • OPNsense Forum »
  • Archive »
  • 21.1 Legacy Series »
  • Wireguard restart causes unbound to stop resolving names on FW only.
Author Topic: Wireguard restart causes unbound to stop resolving names on FW only.  (Read 1602 times)

RadOD

  • Newbie
  • *
  • Posts: 10
  • Karma: 0
    • View Profile
Wireguard restart causes unbound to stop resolving names on FW only.
« on: July 01, 2021, 03:29:12 am »
Unbound stops working when I try to add WG1, a FQDN based connection.  As you can see, I can ping google.com by name.  Then I restart wireguard.  WG0 comes up but WG1 fails because of DNS.  Immediately afterward I can no longer resolve DNS:

Code:
root@owlhouse:/usr # ping google.com
PING google.com (172.217.5.14): 56 data bytes
64 bytes from 172.217.5.14: icmp_seq=0 ttl=119 time=15.542 ms
64 bytes from 172.217.5.14: icmp_seq=1 ttl=119 time=15.475 ms
64 bytes from 172.217.5.14: icmp_seq=2 ttl=119 time=15.842 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 15.475/15.620/15.842/0.160 ms
root@owlhouse:/usr # /usr/local/etc/rc.d/wireguard restart
[#] rm -f /var/run/wireguard/wg0.sock
[#] resolvconf -d wg0
wg-quick: `wg1' is not a WireGuard interface
[#] ifconfig wg create name wg0
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg0
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg0 /dev/stdin
[#] ifconfig wg0 inet 192.168.12.1/24 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] resolvconf -a wg0 -x
[#] route -q -n add -inet 192.168.12.12/32 -interface wg0
[#] route -q -n add -inet 192.168.12.11/32 -interface wg0
[#] route -q -n add -inet 192.168.12.10/32 -interface wg0
[+] Backgrounding route monitor
[#] ifconfig wg create name wg1
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg1
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg1 /dev/stdin
Name does not resolve: `vaaa.bbb.ccc:51820'
Configuration parsing error
[#] rm -f /var/run/wireguard/wg1.sock
root@owlhouse:/usr # ping google.com
ping: cannot resolve google.com: Host name lookup failure
root@owlhouse:/usr #
I can see no errors in syslog. And DNS is working for everything else on the LAN - just not on the FW itself.  Is this an unbound problem or a wireguard problem?

Unbound:
Code:
<unbound>
    <enable>1</enable>
    <custom_options>#server:
#tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853</custom_options>
    <dnssec>1</dnssec>
    <noreglladdr6>1</noreglladdr6>
    <acls>
      <aclname>VPN</aclname>
      <aclaction>allow</aclaction>
      <description/>
      <row>
        <acl_network>192.168.1.0</acl_network>
        <mask>24</mask>
        <description/>
      </row>
    </acls>
    <acls>
      <aclname>WGaccess</aclname>
      <aclaction>allow</aclaction>
      <description/>
      <row>
        <acl_network>192.168.12.0</acl_network>
        <mask>24</mask>
        <description/>
      </row>
      <row>
        <acl_network>10.11.14.0</acl_network>
        <mask>24</mask>
        <description/>
      </row>
    </acls>
  </unbound>
Logged

allebone

  • Sr. Member
  • ****
  • Posts: 402
  • Karma: 34
    • View Profile
Re: Wireguard restart causes unbound to stop resolving names on FW only.
« Reply #1 on: July 01, 2021, 05:06:10 am »
Show a traceroute to an address. Maybe it's going out via the wg interface due to some rule you added or something.
Logged

Greelan

  • Hero Member
  • *****
  • Posts: 1028
  • Karma: 72
    • View Profile
Re: Wireguard restart causes unbound to stop resolving names on FW only.
« Reply #2 on: July 01, 2021, 05:42:26 am »
Do you have DNS set in the WireGuard conf? If so, resolv.conf will be overwritten when WG is restarted, which may be causing your issues.
Logged
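The check Greelan's reply points at, written out as an added example (not code from the thread, OPNsense or wg-quick): the original output shows wg-quick running `resolvconf -a wg0 -x` on the way up, and in openresolv `-x` marks that interface's nameservers as exclusive, so a `DNS =` line in the tunnel config can displace the firewall's own `nameserver 127.0.0.1` entry while everything behind the firewall, which talks to Unbound directly, keeps working. The script below reads the `DNS =` line out of a wg-quick config, lists the nameservers in a resolv.conf-style file, and compares a before/after pair. The config and resolv.conf contents are constructed sample data; the private/public keys are placeholders, and the 10.11.14.0/24 addresses are borrowed from the ACL in the opening post.

```shell
#!/bin/sh
# Added example, not part of the forum thread or of OPNsense/wg-quick.
# Assumptions: wg-quick config uses the standard "DNS = ..." key, and the
# firewall normally lists its local Unbound (127.0.0.1) as a nameserver.

# Print the DNS servers a wg-quick config would hand to resolvconf.
wg_conf_dns() {
    # $1: path to a wg-quick .conf file
    sed -n 's/^[[:space:]]*DNS[[:space:]]*=[[:space:]]*//p' "$1" | tr ',' ' '
}

# Print the nameserver entries of a resolv.conf-style file, in order.
resolv_nameservers() {
    # $1: path to a resolv.conf-style file
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Return 0 if the local resolver address is still listed, 1 otherwise.
local_resolver_present() {
    # $1: resolv.conf path, $2: local resolver address (default 127.0.0.1)
    resolv_nameservers "$1" | grep -qxF "${2:-127.0.0.1}"
}

# Compare nameservers before and after a WireGuard restart and print a verdict.
# Return 0 when the local resolver survived, 1 when it was displaced.
resolv_diff_verdict() {
    # $1: resolv.conf captured before the restart, $2: captured after it
    before=$(resolv_nameservers "$1" | tr '\n' ' ')
    after=$(resolv_nameservers "$2" | tr '\n' ' ')
    if local_resolver_present "$2"; then
        echo "OK: local resolver kept (before: ${before}; after: ${after})"
        return 0
    fi
    echo "PROBLEM: local resolver displaced (before: ${before}; after: ${after})"
    return 1
}

# --- Constructed sample data (keys are placeholders, not real material) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/wg1.conf" <<'EOF'
[Interface]
PrivateKey = <placeholder>
Address = 10.11.14.1/24
DNS = 10.11.14.1

[Peer]
PublicKey = <placeholder>
Endpoint = vaaa.bbb.ccc:51820
AllowedIPs = 10.11.14.0/24
EOF

# What the firewall's resolv.conf looked like before the restart.
cat > "$tmp/resolv.before" <<'EOF'
search lan
nameserver 127.0.0.1
EOF

# What it looks like after resolvconf applied the tunnel's DNS entry exclusively.
cat > "$tmp/resolv.after" <<'EOF'
# Generated by resolvconf
nameserver 10.11.14.1
EOF

echo "DNS servers wg1.conf would push: $(wg_conf_dns "$tmp/wg1.conf")"
resolv_diff_verdict "$tmp/resolv.before" "$tmp/resolv.after" || true
```

To use this against a live box, capture `/etc/resolv.conf` before and after `/usr/local/etc/rc.d/wireguard restart` and pass the two copies to `resolv_diff_verdict`; a "PROBLEM" verdict means the tunnel's `DNS =` line is what took the firewall's own resolver out of the picture, and removing that line (or pointing it at the local Unbound) is the fix to try first.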
