DNS Resolver: OpenVPN client can't query the DNS Resolver
-
Yesterday I upgraded from 2.1.5 to 2.2 RC, everything works (Good job people).
But today I discovered that OpenVPN clients can't query the DNS resolver.
Disclaimer: I was already using Unbound as my DNS Resolver in 2.1.5 (configured access lists to allow my OpenVPN clients query access to the resolver). I can access the management interface just fine by IP from an OpenVPN client.
What am I missing?
-
Add an entry for their subnet(s) under the Access Lists tab and set them to Allow
-
These are my current settings
-
I tried this this evening, connecting in on OpenVPN "Road Warrior" to the office that I upgraded today. I set up the same domain overrides for Unbound as were in dnsmasq and switched over to DNS Resolver (Unbound). Interface selections are both set to "All".
I added Allow ACLs to cover the OpenVPN tunnel subnets.
Turned the logging level to 2.
From home I try to ping names in the internal office network, and the name does not resolve. But in the Resolver log on pfSense I see entries showing it is looking up the name I just asked for, like:
Dec 11 23:01:52 unbound: [85549:1] info: query response was ANSWER
Dec 11 23:01:52 unbound: [85549:1] info: reply from <aaa.bbb.ccc.org.> 10.49.80.2#53
Dec 11 23:01:52 unbound: [85549:1] info: response for rt-01.aaa.bbb.ccc.org. A IN
Dec 11 23:01:52 unbound: [85549:1] info: use stub aaa.bbb.ccc.org. NS IN
Dec 11 23:01:52 unbound: [85549:1] info: resolving rt-01.aaa.bbb.ccc.org. A IN
10.49.80.2 is the real internal DNS server that is specified in the Domain Override for aaa.bbb.ccc.org
So Unbound is getting the request from me, the Road Warrior user, and looking it up. But somehow I never get the answer back to my laptop across the OpenVPN link.
If I switch back to DNS Forwarder then it works. Time for sleep now - maybe someone will have an idea about what to specify next.
-
Changing Network Interfaces = ALL to LAN + localhost solved my issue.
# Interface IP(s) to bind to
interface: 0.0.0.0
interface: ::0

# Interface IP(s) to bind to
interface: 10.8.1.1
interface: 127.0.0.1
interface: ::1
Now vpn clients can use 10.8.1.1 as their dns resolver
-
Changing Network Interfaces = ALL to LAN + localhost solved my issue.
Now vpn clients can use 10.8.1.1 as their dns resolver
Is 10.8.1.1 your LAN IP? Looks like it, but just confirming.
-
The issue here is in how Unbound replies to requests in that circumstance. When you bind it to the LAN IP, or a specific list of IPs that doesn't include the OpenVPN tun interface IP, it replies back via the correct source. When you bind to everything, it replies back using the source IP closest to the destination in question, in the OpenVPN case, its tun IP. So you end up with something like this from dig:
;; reply from unexpected source: <tun ip>#53, expected <lan ip>#53
I just committed a fix for the circumstance where you're binding all interfaces. More info here:
https://redmine.pfsense.org/issues/4111
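The reply-source behaviour explained in the post above, and the "bind to LAN + localhost instead of ALL" change from the earlier post, as an added example. This is illustrative code written for this thread, not code from pfSense, Unbound or any poster. It models what the post describes: with Unbound bound to 0.0.0.0 the kernel picks the reply source from the route toward the client (the tun IP for a VPN client), so the client's stub resolver sees an answer from an address it never queried and discards it; with Unbound bound to specific addresses the reply leaves from the address that was queried. The LAN address 10.8.1.1 comes from the thread; the tun address 10.0.8.1/24 and the client address 10.0.8.6 are constructed for the example. `probe_reply_source` is the same check run live from a connected VPN client (it does real UDP I/O and is not exercised offline); it keeps the socket unconnected on purpose, because a connected UDP socket would silently drop the mismatched reply and you would only see a timeout.

```python
import ipaddress
import random
import socket
import struct

# Constructed interface table for the scenario in the thread: 10.8.1.1 is the
# LAN address (from the post); the OpenVPN tun address/subnet is an assumption.
IFACES = {
    "lan":  ipaddress.ip_interface("10.8.1.1/24"),
    "ovpn": ipaddress.ip_interface("10.0.8.1/24"),
    "lo":   ipaddress.ip_interface("127.0.0.1/8"),
}
DNS_PORT = 53


def egress_source(client_ip):
    """Mimic kernel source-address selection for a socket bound to the wildcard
    address: use the address of the interface whose subnet contains the client
    (longest prefix wins); fall back to the LAN address for anything else."""
    client = ipaddress.ip_address(client_ip)
    best = None
    for iface in IFACES.values():
        if client in iface.network and (
            best is None or iface.network.prefixlen > best.network.prefixlen
        ):
            best = iface
    return str((best or IFACES["lan"]).ip)


def reply_source(bound, queried_ip, client_ip):
    """Source address Unbound's reply carries, given the 'interface:' values
    from unbound.conf. Wildcard bind -> kernel picks the egress address (the tun
    IP for a VPN client). Specific bind -> the queried socket's own address."""
    if "0.0.0.0" in bound:
        return egress_source(client_ip)
    if queried_ip in bound:
        return queried_ip
    raise ValueError(f"Unbound is not listening on {queried_ip}; nothing answers there")


def diagnose(bound, queried_ip, client_ip):
    """Reply source, whether a stub resolver accepts it, and the warning dig
    prints when it does not (the line quoted in the post above)."""
    src = reply_source(bound, queried_ip, client_ip)
    accepted = src == queried_ip
    warning = None if accepted else (
        f";; reply from unexpected source: {src}#{DNS_PORT}, expected {queried_ip}#{DNS_PORT}"
    )
    return {"reply_source": src, "accepted": accepted, "dig_warning": warning}


def build_query(name, qtype=1, txid=None):
    """Minimal RFC 1035 wire-format query: 12-byte header (RD set, one question),
    then the QNAME labels, QTYPE and QCLASS IN."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def probe_reply_source(server_ip, name="example.com", timeout=2.0):
    """Live check from a VPN client: send one query to server_ip and report which
    address answered. The socket stays unconnected so a reply from the wrong
    source is received and reported instead of being dropped by the kernel."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, DNS_PORT))
        data, (src, _port) = s.recvfrom(512)
    return {
        "reply_source": src,
        "accepted": src == server_ip,
        "txid_matches": data[:2] == query[:2],
    }


if __name__ == "__main__":
    # Road-warrior client on the tun subnet asks the LAN IP, before and after the fix.
    print(diagnose(["0.0.0.0", "::0"], "10.8.1.1", "10.0.8.6"))
    print(diagnose(["10.8.1.1", "127.0.0.1", "::1"], "10.8.1.1", "10.0.8.6"))
```

Run `diagnose` with your own interface table to predict whether a given binding will break VPN clients, and `probe_reply_source("10.8.1.1")` from a connected client to confirm on the wire: `accepted` False with a `reply_source` equal to the tun IP is exactly the failure the thread describes, and an answer that arrives but is discarded is why the Unbound log shows the lookup succeeding while the client never resolves the name.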