    Unbound with OpenVPN RoadWarriors

    2.0-RC Snapshot Feedback and Problems - RETIRED
    phospher

      I have unbound installed on 2.0 of the Sun Jan 16 22:00:36 EST 2011 build. I've enabled it on the selected interfaces and added my extra subnets to the "permit" ACL section, but I'm not able to get my OpenVPN clients to resolve DNS. I've also permitted my OpenVPN subnet in the unbound ACL, but the VPN clients still cannot resolve domain names.

      Anyone else have this working? Any insight?

      Thanks

      jlepthien

        Check on the clients which DNS servers get assigned. Did you enter your pfSense box as a DNS server for the client net? Also, are the rules applied correctly? What do the logs say? Did anything get blocked? You need to give a lot more info, otherwise we can't tell you much…

        | apple fanboy | music lover | network and security specialist | in love with cisco systems |

        phospher

          The DNS server I've set in OpenVPN is 172.25.0.1, which is part of the subnet I have assigned to the VPN clients, 172.25.0.0/24. Nothing is getting blocked in the firewall logs.

          jlepthien

            And is Unbound also listening on that OpenVPN interface with that IP?
            Check /usr/local/etc/unbound/unbound.conf and have a look at the "# Interface IP(s) to bind to" section in order to verify this…

            | apple fanboy | music lover | network and security specialist | in love with cisco systems |

            johnpoz (LAYER 8 Global Moderator)

              I just tested this with snap

              2.0-BETA5 (i386)
              built on Tue Jan 18 03:34:33 EST 2011

              The current acl in unbound was just set to my local network of 192.168.1.0/24

              When I tried to query unbound from the roadwarrior client I got:
              ; <<>> DiG 9.7.2-P3 <<>> @192.168.1.253 pfsense.local.lan
              ; (1 server found)
              ;; global options: +cmd
              ;; Got answer:
              ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 60436
              ;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
              ;; WARNING: recursion requested but not available

              ;; Query time: 31 msec
              ;; SERVER: 192.168.1.253#53(192.168.1.253)
              ;; WHEN: Fri Jan 21 16:03:11 2011
              ;; MSG SIZE  rcvd: 12

              So then I edited the ACL to also include my openvpn network 10.0.200.0/24 and restarted unbound just to be sure.

              Now it works just fine:
              ; <<>> DiG 9.7.2-P3 <<>> @192.168.1.253 pfsense.local.lan
              ; (1 server found)
              ;; global options: +cmd
              ;; Got answer:
              ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46473
              ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

              ;; QUESTION SECTION:
              ;pfsense.local.lan.             IN      A

              ;; ANSWER SECTION:
              pfsense.local.lan.      3600    IN      A       192.168.1.253

              ;; Query time: 46 msec
              ;; SERVER: 192.168.1.253#53(192.168.1.253)
              ;; WHEN: Fri Jan 21 16:04:43 2011
              ;; MSG SIZE  rcvd: 51

              Roadwarriors get handed 192.168.1.253 as their DNS:

              Ethernet adapter ovpn:

              Connection-specific DNS Suffix  . :
                      Description . . . . . . . . . . . : TAP-Win32 Adapter V9
                      Physical Address. . . . . . . . . : 00-FF-79-1A-85-63
                      Dhcp Enabled. . . . . . . . . . . : Yes
                      Autoconfiguration Enabled . . . . : Yes
                      IP Address. . . . . . . . . . . . : 10.0.200.6
                      Subnet Mask . . . . . . . . . . . : 255.255.255.252
                      Default Gateway . . . . . . . . . :
                      DHCP Server . . . . . . . . . . . : 10.0.200.5
                      DNS Servers . . . . . . . . . . . : 192.168.1.253
                      Lease Obtained. . . . . . . . . . : Friday, January 21, 2011 1:15:37 PM
                      Lease Expires . . . . . . . . . . : Saturday, January 21, 2012 1:15:37 PM

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 23.01 | Lab VMs CE 2.6, 2.7

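The two checks raised in this thread (jlepthien's question of whether Unbound is bound to the address the clients are handed, and johnpoz's finding that a query from a source subnet missing from the access-control list comes back REFUSED) can be scripted against the unbound.conf before handing out the DNS address. The script below is an added example, not code from the thread, from pfSense or from the Unbound project; the unbound.conf fragment and the client/server addresses are constructed to mirror the thread, and the evaluation follows Unbound's documented access-control behaviour (longest-prefix match wins; with no explicit match localhost is allowed and everything else refused).

```python
import ipaddress

# Constructed unbound.conf fragment modelled on the thread: Unbound binds to the
# LAN address 192.168.1.253 and the ACL only permits the LAN 192.168.1.0/24.
CONF_LAN_ONLY = """\
server:
    # Interface IP(s) to bind to
    interface: 127.0.0.1
    interface: 192.168.1.253
    access-control: 192.168.1.0/24 allow
"""

# Same fragment after also permitting the OpenVPN tunnel network (constructed).
CONF_WITH_VPN = CONF_LAN_ONLY + "    access-control: 10.0.200.0/24 allow\n"


def parse_unbound_conf(text):
    """Collect 'interface:' and 'access-control:' lines from an unbound.conf.

    Returns (interfaces, acl): interfaces is a list of ip_address objects,
    acl a list of (ip_network, action) tuples in file order.
    """
    interfaces, acl = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "interface":
            # An interface may carry an @port suffix; strip it before parsing.
            interfaces.append(ipaddress.ip_address(value.split("@", 1)[0]))
        elif key == "access-control":
            parts = value.split()
            if len(parts) != 2:
                raise ValueError("malformed access-control line: %r" % raw)
            acl.append((ipaddress.ip_network(parts[0], strict=False), parts[1]))
    return interfaces, acl


def acl_action(client_ip, acl):
    """Action Unbound applies to a query from client_ip.

    The most specific (longest prefix) matching access-control entry wins.
    With no explicit match Unbound allows localhost and refuses everything
    else, which is the REFUSED status the roadwarrior saw above.
    """
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, action in acl:
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    if best is not None:
        return best[1]
    return "allow" if ip.is_loopback else "refuse"


def is_listening(server_ip, interfaces):
    """True if Unbound binds the address clients are told to use for DNS."""
    ip = ipaddress.ip_address(server_ip)
    return any(i == ip or (i.is_unspecified and i.version == ip.version)
               for i in interfaces)


def check_client(conf_text, client_ip, server_ip):
    """Combine the bind check and the ACL check into one verdict."""
    interfaces, acl = parse_unbound_conf(conf_text)
    listening = is_listening(server_ip, interfaces)
    action = acl_action(client_ip, acl)
    return {
        "listening": listening,
        "action": action,
        # allow, allow_snoop and the other allow_* actions all answer the query
        "ok": listening and action.startswith("allow"),
    }


def dig_status(dig_output):
    """Pull the RCODE (REFUSED, NOERROR, ...) out of dig's ->>HEADER<<- line."""
    for line in dig_output.splitlines():
        if "->>HEADER<<-" in line:
            for field in line.split(","):
                field = field.strip()
                if field.startswith("status:"):
                    return field.split(":", 1)[1].strip()
    return None


if __name__ == "__main__":
    for name, conf in (("LAN-only ACL", CONF_LAN_ONLY), ("ACL incl. VPN", CONF_WITH_VPN)):
        print(name, check_client(conf, "10.0.200.6", "192.168.1.253"))
```

Running the script prints a `refuse` verdict for the LAN-only ACL and an `allow` verdict once the tunnel network is added, matching the two dig runs above. The `listening` field is the separate failure mode from earlier in the thread: pushing an address to the clients that Unbound does not bind yields no answer at all rather than REFUSED, so the two symptoms point at different lines of unbound.conf.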