Unbound with OpenVPN RoadWarriors



  • I have unbound installed on 2.0 of the Sun Jan 16 22:00:36 EST 2011 build. I've enabled it on the selected interfaces and added my extra subnets to the "permit" ACL section, but I'm not able to get my OpenVPN clients to resolve DNS. I've also permitted my OpenVPN subnet in the unbound ACL, but the VPN clients still cannot resolve domain names.

    Anyone else have this working? Any insight?

    Thanks



  • Check on the clients which DNS servers get assigned. Did you enter your pfSense box as a DNS server for the client net? Also, are the rules applied correctly? What do the logs say? Did anything get blocked? You need to give a lot more info, otherwise we can't tell you much.



  • The DNS server I've set in OpenVPN is 172.25.0.1, which is part of the subnet that I have assigned to the VPN clients, 172.25.0.0/24. Nothing is getting blocked in the firewall logs.



  • And is Unbound also listening on that OpenVPN interface with that IP?
    Check /usr/local/etc/unbound/unbound.conf and have a look at the "# Interface IP(s) to bind to" section in order to verify this.


  • Rebel Alliance Global Moderator

    I just tested this with snap

    2.0-BETA5 (i386)
    built on Tue Jan 18 03:34:33 EST 2011

    The current ACL in unbound was just set to my local network of 192.168.1.0/24.

    When I tried to query unbound from a roadwarrior client I got:
    ; <<>> DiG 9.7.2-P3 <<>> @192.168.1.253 pfsense.local.lan
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 60436
    ;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available

    ;; Query time: 31 msec
    ;; SERVER: 192.168.1.253#53(192.168.1.253)
    ;; WHEN: Fri Jan 21 16:03:11 2011
    ;; MSG SIZE  rcvd: 12

    So then I edited the ACL to also include my OpenVPN network 10.0.200.0/24 and restarted unbound just to be sure.

    Now it works just fine:
    ; <<>> DiG 9.7.2-P3 <<>> @192.168.1.253 pfsense.local.lan
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46473
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;pfsense.local.lan.             IN      A

    ;; ANSWER SECTION:
    pfsense.local.lan.      3600    IN      A       192.168.1.253

    ;; Query time: 46 msec
    ;; SERVER: 192.168.1.253#53(192.168.1.253)
    ;; WHEN: Fri Jan 21 16:04:43 2011
    ;; MSG SIZE  rcvd: 51

    Roadwarriors get handed 192.168.1.253 as their DNS:

    Ethernet adapter ovpn:

    Connection-specific DNS Suffix  . :
            Description . . . . . . . . . . . : TAP-Win32 Adapter V9
            Physical Address. . . . . . . . . : 00-FF-79-1A-85-63
            Dhcp Enabled. . . . . . . . . . . : Yes
            Autoconfiguration Enabled . . . . : Yes
            IP Address. . . . . . . . . . . . : 10.0.200.6
            Subnet Mask . . . . . . . . . . . : 255.255.255.252
            Default Gateway . . . . . . . . . :
            DHCP Server . . . . . . . . . . . : 10.0.200.5
            DNS Servers . . . . . . . . . . . : 192.168.1.253
            Lease Obtained. . . . . . . . . . : Friday, January 21, 2011 1:15:37 PM
            Lease Expires . . . . . . . . . . : Saturday, January 21, 2012 1:15:37 PM
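The two failure modes in this thread are exactly the two things worth checking mechanically: the DNS address pushed to the road warriors must be one that Unbound binds to (the "# Interface IP(s) to bind to" section), and the client's tunnel address must be covered by an `access-control: ... allow` entry, otherwise Unbound answers REFUSED with no `ra` flag, which is what the first dig output above shows. The following is an added example, not code from the thread or from pfSense: a small Python checker that parses the `interface:` and `access-control:` lines of an unbound.conf, applies Unbound's longest-prefix ACL match (unmatched addresses are refused, localhost excepted), and reports why a given VPN client would fail. The embedded config text is constructed to resemble the pfSense file and the function names (`parse_conf`, `acl_action`, `diagnose`) are this example's own.

```python
import ipaddress

# Constructed sample resembling /usr/local/etc/unbound/unbound.conf on pfSense:
# bound to LAN, the OpenVPN tunnel address and loopback, but the ACL only
# permits the LAN subnet (the situation the original poster is in).
SAMPLE_CONF = """\
server:
    # Interface IP(s) to bind to
    interface: 192.168.1.253
    interface: 172.25.0.1
    interface: 127.0.0.1
    # Access Control: LAN only, the OpenVPN subnet is missing
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
"""


def parse_conf(conf_text):
    """Return (bound_interfaces, acl_rules) from unbound.conf text.

    Only 'interface:' and 'access-control:' keys are read; comments are
    stripped first.  acl_rules is a list of (ip_network, action) in file order.
    """
    interfaces = set()
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "interface":
            # 'interface: 10.0.0.1@5353' binds a non-default port; keep the address
            interfaces.add(value.split("@", 1)[0])
        elif key == "access-control":
            parts = value.split()
            if len(parts) != 2:
                raise ValueError(f"malformed access-control line: {raw!r}")
            rules.append((ipaddress.ip_network(parts[0], strict=False), parts[1]))
    return interfaces, rules


def acl_action(rules, client_ip):
    """What Unbound does with a query from client_ip.

    The most specific (longest prefix) matching access-control entry wins.
    Addresses matching nothing fall back to Unbound's built-in default:
    localhost is allowed, everything else is refused.
    """
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, action in rules:
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    if best is not None:
        return best[1]
    return "allow" if ip.is_loopback else "refuse"


def diagnose(conf_text, dns_server_ip, client_ip):
    """List the reasons a VPN client's query to dns_server_ip would fail (empty if none)."""
    interfaces, rules = parse_conf(conf_text)
    problems = []
    # 0.0.0.0 / ::0 mean "bind to all addresses" of that family
    if dns_server_ip not in interfaces and "0.0.0.0" not in interfaces and "::0" not in interfaces:
        problems.append(
            f"unbound is not bound to {dns_server_ip}; interface: lines give {sorted(interfaces)}"
        )
    action = acl_action(rules, client_ip)
    if action not in ("allow", "allow_snoop"):
        problems.append(
            f"client {client_ip} hits access-control action '{action}'; dig will show status: REFUSED"
        )
    return problems


if __name__ == "__main__":
    # Constructed road-warrior address inside the thread's 172.25.0.0/24 VPN subnet
    client = "172.25.0.6"
    print("before:", diagnose(SAMPLE_CONF, "172.25.0.1", client))
    fixed_conf = SAMPLE_CONF + "    access-control: 172.25.0.0/24 allow\n"
    print("after: ", diagnose(fixed_conf, "172.25.0.1", client))
```

`unbound-checkconf` will tell you the file is syntactically valid, but not whether a particular client address is actually allowed; this check answers that second question before you restart the daemon. As the moderator's test shows, adding the OpenVPN subnet to the ACL and restarting Unbound turns the REFUSED answer into NOERROR with the `ra` flag set.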

