Unbound with OpenVPN RoadWarriors
-
I have unbound installed on 2.0 of the Sun Jan 16 22:00:36 EST 2011 build. I've enabled it on the selected interfaces, added my extra subnets to the "permit" ACL section but I'm not able to get my OpenVPN clients to resolve dns. I've also permitted my OpenVPN subnet to the unbound ACL but the VPN clients still cannot resolve domain names.
Anyone else have this working? Any insight?
Thanks
-
Check the clients which dns servers get assigned. Did you enter your pfSense box as a dns server for the client net? Also are the rules applied correctly? What do the logs say? Anything got blocked? You need to give a lot more info otherwise we can't tell you much….
-
The dns server I've set in OpenVPN is 172.25.0.1 which is part of the subnet that I have assigned to the vpn clients 172.25.0.0/24. Nothing is getting blocked in the firewall logs.
-
And Unbound is also listening on that OpenVPN interfaces with that IP?
Check /usr/local/etc/unbound/unbound.conf and have a look at the "# Interface IP(s) to bind to" section in order to verify this…
-
I just tested this with snap
2.0-BETA5 (i386)
built on Tue Jan 18 03:34:33 EST 2011
The current ACL in unbound was just set to my local network of 192.168.1.0/24.
When I tried to query unbound from a roadwarrior client I got:
; <<>> DiG 9.7.2-P3 <<>> @192.168.1.253 pfsense.local.lan
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 60436
;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; Query time: 31 msec
;; SERVER: 192.168.1.253#53(192.168.1.253)
;; WHEN: Fri Jan 21 16:03:11 2011
;; MSG SIZE rcvd: 12
So then I edited the ACL to also include my OpenVPN network 10.0.200.0/24 and restarted unbound just to be sure.
Now it works just fine.
; <<>> DiG 9.7.2-P3 <<>> @192.168.1.253 pfsense.local.lan
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46473
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;pfsense.local.lan. IN A
;; ANSWER SECTION:
pfsense.local.lan. 3600 IN A 192.168.1.253
;; Query time: 46 msec
;; SERVER: 192.168.1.253#53(192.168.1.253)
;; WHEN: Fri Jan 21 16:04:43 2011
;; MSG SIZE rcvd: 51
Roadwarriors get handed 192.168.1.253 as their DNS:
Ethernet adapter ovpn:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Win32 Adapter V9
Physical Address. . . . . . . . . : 00-FF-79-1A-85-63
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.0.200.6
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 10.0.200.5
DNS Servers . . . . . . . . . . . : 192.168.1.253
Lease Obtained. . . . . . . . . . : Friday, January 21, 2011 1:15:37 PM
Lease Expires . . . . . . . . . . : Saturday, January 21, 2012 1:15:37 PM
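The two checks raised in this thread (is unbound actually listening on the address the VPN clients are handed, and does the access-control ACL allow the VPN subnet) can be verified offline against a copy of unbound.conf. The script below is an added example written for this thread, not code from the posts or from pfSense; the configuration fragments are constructed to mirror the scenario described above (LAN 192.168.1.0/24 allowed, OpenVPN clients on 10.0.200.0/24), and the rcode mapping follows unbound's documented access-control semantics: the most specific matching netblock wins, and a client matching no netblock is refused.

```python
import ipaddress

# Constructed unbound.conf fragment (not the poster's real file): the state before
# the fix, where only localhost and the LAN are allowed to query.
ACL_BEFORE = """
server:
    # Interface IP(s) to bind to
    interface: 192.168.1.253
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
"""

# Same fragment after adding the OpenVPN client subnet to the ACL.
ACL_AFTER = ACL_BEFORE + "    access-control: 10.0.200.0/24 allow\n"


def _config_lines(conf_text):
    """Yield non-empty config lines with comments and surrounding whitespace removed."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def parse_access_control(conf_text):
    """Return [(ip_network, action), ...] from every access-control: line."""
    rules = []
    for line in _config_lines(conf_text):
        if not line.startswith("access-control:"):
            continue
        parts = line.split(":", 1)[1].split()
        if len(parts) != 2:
            raise ValueError(f"malformed access-control line: {line!r}")
        netblock, action = parts
        rules.append((ipaddress.ip_network(netblock, strict=False), action))
    return rules


def parse_interfaces(conf_text):
    """Return the addresses from interface: lines, dropping any @port suffix."""
    ifaces = []
    for line in _config_lines(conf_text):
        if line.startswith("interface:"):
            ifaces.append(line.split(":", 1)[1].strip().split("@", 1)[0])
    return ifaces


def acl_action(rules, client_ip, default="refuse"):
    """Unbound semantics: the most specific (longest prefix) matching netblock wins;
    a client that matches no netblock gets the default action, which is refuse."""
    client = ipaddress.ip_address(client_ip)
    best = None
    for net, action in rules:
        if net.version == client.version and client in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else default


def expected_rcode(action):
    """What the querying client observes for each ACL action: refuse answers with
    rcode REFUSED (as in the first dig above), deny drops the packet so the client
    only sees a timeout, allow/allow_snoop answer normally."""
    return {
        "allow": "NOERROR",
        "allow_snoop": "NOERROR",
        "refuse": "REFUSED",
        "deny": "TIMEOUT",
    }.get(action, "UNKNOWN")


def server_is_bound(ifaces, dns_server_ip):
    """True if unbound listens on the address pushed to the VPN clients.
    'interface: 0.0.0.0' means all IPv4 addresses, so it counts as a match."""
    return dns_server_ip in ifaces or "0.0.0.0" in ifaces


def check_client(conf_text, client_ip, dns_server_ip):
    """Combine both troubleshooting checks for one VPN client."""
    action = acl_action(parse_access_control(conf_text), client_ip)
    return {
        "listening_on_pushed_dns": server_is_bound(parse_interfaces(conf_text), dns_server_ip),
        "acl_action": action,
        "expected_rcode": expected_rcode(action),
    }


if __name__ == "__main__":
    for label, conf in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        print(label, check_client(conf, "10.0.200.6", "192.168.1.253"))
```

Running it reproduces the thread: the VPN client 10.0.200.6 falls through to the 0.0.0.0/0 refuse rule in the "before" configuration (rcode REFUSED), and matches the more specific 10.0.200.0/24 allow rule in the "after" configuration (NOERROR). The same check_client call with the first poster's 172.25.0.1 as dns_server_ip would report listening_on_pushed_dns as False for this fragment, which is exactly the interface question raised in the reply.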