Netgate Discussion Forum

Tunnel Unbound through OpenVPN client, if available

Category: DHCP and DNS
Tags: dns, unbound, vpn, openvpn client
1 Posts 1 Posters 708 Views
Logic (last edited Mar 8, 2021, 12:37 PM)

    Hi,

    I need a smart tip, because I can't figure out the problem or maybe I'm stuck on some cache and don't see the problem.

    Task:
    Unbound runs on pfSense (2.4.5-RELEASE-p1) as resolver for the local network. Additionally there is an OpenVPN client (interface: OPT2). The goal is that Unbound sends its traffic through OPT2 if it is connected. If OPT2 is down, Unbound should go out via WAN.

    Background:
    Per firewall rules, some local devices are already sent through OPT2 based on their IP address, so they correctly use the VPN. However, if they trigger DNS requests, Unbound will send them directly over WAN. This is not desired.

    The optimal solution would be that only DNS requests from devices that go through the VPN are also sent through the VPN, but it would also be sufficient if all DNS requests go through the VPN - if it is available. I don't think it is possible to separate these devices on/through Unbound, unless they use different DNS resolvers (e.g. second resolver in an extra VM for VPN devices).

    Since the VPN tunnel does not guarantee high availability, DNS queries should also go out over WAN in case of emergency, if OPT2 is down. The devices themselves are intercepted by floating rules so that they do not go out over the WAN in the event of a VPN failure.

    DNS resolution is unlikely to fail completely, however, as that would affect many more devices, which would not be good. In addition, I have to run Unbound as a resolver, because for LAN some domains or subdomains have to be resolved differently, so that the traffic stays in the LAN and is not resolved by the subdomains in the public DNS (traffic would then first come out through WAN and then come in again, this should be avoided). As far as I know, a switch to forwarding is therefore out of the question.

    Generally I don't want to send port 53 from LAN->WAN through OPT2, because I can't exclude that a device doesn't even need to use another DNS like 8.8.8.8. Therefore, only Unbound itself should be redirected.

    Current status:
    Currently I can't get Unbound to route through the OpenVPN client. Only WAN is set as "Outgoing Network Interfaces" for Unbound. I cannot select OPT2 here, because the resolver does not work in case of VPN failure.

    I already tried with firewall rules to send 127.0.0.1:53 somehow through OPT2, but then the DNS resolution fails immediately (tested with Diagnostics - DNS Lookup in pfSense). So now I'm wondering if what I have in mind will work at all with pfSense and the built-in Unbound.

    If I let a Linux client, which goes through the VPN, request a domain through the VPN with "dig @8.8.8.8 google.com", then I get a valid answer here. So I would rule out that the VPN client is blocking/preventing port 53 or similar.

    However, I'm slowly just left with question marks over my head and don't know what I'm doing wrong or if this is even possible.

    For any advice and your invested time I am very grateful!

    Emergency solution:
    If no solution can be found, I am inclined to set up my own resolver in a mini-VM or container, which I can then send through the VPN similar to the other devices based on its IP. pfSense would then use this resolver as a forwarder. However, I would like to avoid this additional VM/container if possible.

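The behaviour the post asks for (Unbound sends its own queries out of the VPN interface while the tunnel is up, and falls back to WAN when it is down, so that resolver traffic does not leak around the tunnel) can be expressed as a small selection rule outside the pfSense GUI. The script below is an added example, not code from the post or from the pfSense project. It assumes (labelled in the comments) that the OpenVPN client interface is named `ovpnc1`, that the WAN address is supplied in `WAN_ADDR`, that Unbound includes a separate file carrying the `outgoing-interface:` directive (for example via the resolver's "Custom options" field), and that `unbound-control` remote control is enabled. The selection and rendering functions are pure, so they can be tested without touching the system; the live part only runs when `RUN_LIVE=1`.

```shell
#!/bin/sh
# Added example (not from the forum post or from pfSense): pick the address
# Unbound should bind its outgoing queries to, preferring the VPN tunnel and
# falling back to WAN when the tunnel interface has no address.

# Return the address Unbound should use for outgoing queries.
#   $1 = address on the VPN interface ("" when the tunnel is down)
#   $2 = WAN address (assumed always present)
pick_outgoing() {
    vpn_addr="$1"
    wan_addr="$2"
    if [ -n "$vpn_addr" ]; then
        printf '%s\n' "$vpn_addr"
    else
        printf '%s\n' "$wan_addr"
    fi
}

# Render the Unbound directive for the chosen address.
# "outgoing-interface" is the unbound.conf option behind the pfSense
# "Outgoing Network Interfaces" setting.
render_outgoing() {
    printf 'outgoing-interface: %s\n' "$1"
}

# First IPv4 address of an interface; ifconfig output on FreeBSD/pfSense
# carries it as "inet <addr> netmask ...".
iface_addr() {
    ifconfig "$1" 2>/dev/null | awk '$1 == "inet" { print $2; exit }'
}

# Live path, opt-in only: regenerate the include file and reload Unbound
# when the chosen address changed (e.g. run from cron or an OpenVPN up/down hook).
if [ "${RUN_LIVE:-0}" = "1" ]; then
    VPN_IF="${VPN_IF:-ovpnc1}"                   # assumption: OPT2 maps to ovpnc1
    WAN_ADDR="${WAN_ADDR:?set WAN_ADDR to the WAN address}"
    CONF="${CONF:-/var/unbound/outgoing.conf}"   # assumption: included from unbound.conf
    choice=$(pick_outgoing "$(iface_addr "$VPN_IF")" "$WAN_ADDR")
    new=$(render_outgoing "$choice")
    if [ "$new" != "$(cat "$CONF" 2>/dev/null)" ]; then
        printf '%s\n' "$new" > "$CONF"
        # Validate before reloading so a bad file never takes the resolver down.
        unbound-checkconf && unbound-control reload
    fi
fi
```

Two caveats a practitioner would check: an interface holding an address is not proof the tunnel passes traffic, so a stricter version would also probe a resolver through the VPN address before choosing it; and as the post notes, pfSense's own rules may still prefer the default route, so the `outgoing-interface` choice has to be paired with a matching firewall/outbound NAT rule for the VPN interface, which this example does not create.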
    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.