What's the difference between OpenVPN and OPT4 interface?
-
@lohphat Every interface has to have at least one rule to let traffic flow. The OpenVPN wizard will create it for you but if you manually assign an interface then you have to create it yourself.
-
@kom The problem is the wizard creates an interface (OpenVPN) which is NOT in the assigned interface list; it only shows up in the rules menu.
Unbound doesn't see this interface. At all.
You have to create the new interface OPT4 (ovpns1) manually for DNS to see it and work; now there are two interfaces. The one the wizard created (OpenVPN) is not in the assigned interface list.
-
@lohphat https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/assign.html
I'm not 100% on why they are created separately, but it seems to be a difference between whether or not you are looking to initiate and route traffic out the VPN tunnel. When you create the OpenVPN server, you use the OpenVPN interface in the firewall rules to allow inbound traffic from the VPN clients. The new OpenVPN interface you are then able to assign and create in the Interfaces > Assignments > Interface Assignments window is for when you are trying to route traffic initiating from your pfSense out the VPN tunnel. For example, if you are connecting your pfSense as a client to, say, a NordVPN server and you want to policy route traffic to it, you would create the client config and then assign the interface and configure your Outbound NAT accordingly. You would otherwise use that interface in a peer-to-peer configuration to ensure traffic can flow bidirectionally over the tunnel.
As far as I understand, the OpenVPN interface you assign is strictly to create an outbound gateway from your pfSense, and the firewall interface it assigns is strictly for inbound traffic from the OpenVPN tunnel.
-
@eric-lts Unless I create the ovpns1 interface, I can't get unbound to answer DNS queries on the client /24 because the OpenVPN pseudo interface doesn't show up in the interface list of the DNS Resolver page.
Only creating the OPT4/ovpns1 interface allows unbound to service attached clients.
-
@lohphat So the OpenVPN client isn't able to reach your unbound server on your pfSense? I'm assuming you're providing a DNS server list to your VPN clients under the Advanced Client Settings on your OpenVPN server? What servers do you have listed there?
You otherwise have rules set to allow traffic on the OpenVPN interface at least for port 53 (if you haven't changed that from the default in unbound)?
-
@lohphat
The OpenVPN tab is basically an interface group, implicitly added by pfSense when configuring an OpenVPN instance. It includes all OpenVPN servers and clients you're running. For some special purposes interface groups cannot be used.
Consider that firewall rules on interface group tabs are probed first. So if a group rule applies to an incoming packet, the rules on the interface tab you've assigned to the instance will be ignored.
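The evaluation order viragomann describes (group tab before the assigned interface's own tab, first match wins) is worth seeing concretely, because a permissive rule on the OpenVPN group tab silently makes a stricter rule on the OPT4 tab unreachable. The following is an added toy model written for this thread, not pfSense code: it evaluates a constructed rule set in the order floating, then group tabs, then interface tab. The tunnel network 192.168.23.0/24, the pfSense address 192.168.0.1 and the OPT4 / OpenVPN names come from the thread; the rule contents, the client address 192.168.23.5 and the "wizard-style allow-all" rule are assumptions for illustration. States, NAT, non-quick floating semantics and schedules are deliberately left out.

```python
"""Toy model of pfSense firewall rule evaluation order (added example, not
pfSense code).  Rules are first-match: floating rules are checked first,
then the tabs of every interface group the packet's interface belongs to
(the implicit "OpenVPN" group here), then the tab of the assigned interface
itself.  States, NAT, non-quick floating semantics and rule schedules are
deliberately left out of the model."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    iface: str    # assigned interface the packet arrives on, e.g. "OPT4"
    proto: str    # "tcp" or "udp"
    src: str      # source IP
    dst: str      # destination IP
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    tab: str                      # "floating", a group name, or an interface name
    action: str                   # "pass" or "block"
    proto: str = "any"            # "any", "tcp" or "udp"
    src: str = "any"              # CIDR or "any"
    dst: str = "any"              # CIDR or "any"
    dport: Optional[int] = None   # None matches any port
    descr: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def tabs_for(iface: str, groups: Dict[str, Set[str]]) -> List[str]:
    """Evaluation order for one interface: floating, its group tabs, then its own tab."""
    return ["floating"] + sorted(g for g, members in groups.items() if iface in members) + [iface]


def evaluate(pkt: Packet, rules: List[Rule], groups: Dict[str, Set[str]]) -> Optional[Rule]:
    """Return the first rule that matches, or None for the implicit default deny."""
    for tab in tabs_for(pkt.iface, groups):
        for rule in rules:          # rules keep their on-tab order
            if rule.tab == tab and rule.matches(pkt):
                return rule
    return None


# Constructed scenario (assumption): the OpenVPN server instance is assigned
# as OPT4, so pfSense has placed OPT4 in the implicit "OpenVPN" group.
GROUPS = {"OpenVPN": {"OPT4"}}

GROUP_PASS_ALL = Rule("OpenVPN", "pass", descr="wizard-style allow-all on the OpenVPN tab")
OPT4_BLOCK_DNS = Rule("OPT4", "block", proto="udp", dst="192.168.0.1/32", dport=53,
                      descr="block tunnel clients from hitting unbound")
OPT4_PASS_DNS = Rule("OPT4", "pass", proto="udp", src="192.168.23.0/24",
                     dst="192.168.0.1/32", dport=53, descr="allow DNS to unbound")

# Constructed packet: a VPN client on the tunnel network querying unbound on pfSense.
DNS_QUERY = Packet("OPT4", "udp", "192.168.23.5", "192.168.0.1", 53)


def shadowed_block() -> str:
    """The group tab rule wins, so the OPT4 block is never reached."""
    hit = evaluate(DNS_QUERY, [GROUP_PASS_ALL, OPT4_BLOCK_DNS], GROUPS)
    return hit.descr if hit else "default deny"


def interface_tab_only() -> str:
    """With nothing on the group tab, the OPT4 tab decides."""
    hit = evaluate(DNS_QUERY, [OPT4_PASS_DNS], GROUPS)
    return hit.descr if hit else "default deny"


def no_rule_at_all() -> str:
    """No rule on any tab: default deny (every interface needs at least one pass rule)."""
    hit = evaluate(DNS_QUERY, [], GROUPS)
    return hit.descr if hit else "default deny"


if __name__ == "__main__":
    print(shadowed_block())      # wizard-style allow-all on the OpenVPN tab
    print(interface_tab_only())  # allow DNS to unbound
    print(no_rule_at_all())      # default deny
```

The practical takeaway: if you want the assigned OPT4 tab to be the place where tunnel traffic is restricted, the OpenVPN group tab must not carry a broader rule that matches the same packets first.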
-
@eric-lts Correct. e.g. if the client net is 192.168.23.0/24 and local DNS is desired (so that pfBlockerNG-devel can filter DNS), I have to add the assigned interface for the DNS queries to function. I tried sending them to 192.168.0.1 but that wouldn't work for some reason. If I used external DNS like 1.1.1.1 and 9.9.9.9 those would work.
-
@viragomann Ok that I understand, but then why doesn't unbound enumerate it to respond to queries?
-
@lohphat
Did you add the tunnel network to unbound ACLs?
-
@viragomann I didn't try that. Since adding the OPT4 /ovpns1 assigned interface fixed it for me I stopped trying. I'll go back to the config and try when it's idle.
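For anyone retracing viragomann's ACL question, this added fragment (written for this thread, not the unbound.conf that pfSense generates from the DNS Resolver page) shows the two conditions that must both hold before unbound on pfSense will answer an OpenVPN client: it must be listening on an address the client can reach, and the client's source network must be allowed by an access-control entry. The tunnel network 192.168.23.0/24 and the pfSense address 192.168.0.1 are taken from the thread; the server-side tunnel address 10.8.0.1 is an assumption.

```conf
# Added illustrative unbound.conf fragment (not the file pfSense writes).
server:
    # 1. Listening addresses. The DNS Resolver "Network Interfaces" setting
    #    controls these; with "All" selected unbound binds 0.0.0.0 and the
    #    unassigned OpenVPN tunnel is covered automatically. Once the
    #    interface is restricted (as below), the tunnel side only appears in
    #    that list after the OpenVPN instance is assigned (OPT4 / ovpns1).
    interface: 192.168.0.1
    interface: 10.8.0.1        # assumed server-side tunnel address

    # 2. Source networks allowed to query. Unbound answers REFUSED to any
    #    source without an allow entry, even when it is listening on the
    #    right address. pfSense adds entries for the networks of assigned
    #    interfaces; the tunnel network is the one to check for.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/24 allow
    access-control: 192.168.23.0/24 allow   # the OpenVPN client /24
```

On pfSense the equivalent of that last line is an Access List entry for 192.168.23.0/24 under Services > DNS Resolver > Access Lists, and the firewall must still pass UDP/TCP 53 from the tunnel to 192.168.0.1 on whichever tab (OpenVPN group or OPT4) is hit first.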