I set up an OpenVPN server and it works, but DNS is not possible. Pinging IP addresses works fine for external and local hosts. How do I get DNS up?
It must be a problem with unbound, because using nslookup shows me that the queries are refused.
What am I doing wrong?
Unbound is installed on the LEDE router, where the OpenVPN server is also installed. Unbound works well, also on other interfaces. Only on the OpenVPN interface are the queries refused.
I already checked item 5; it didn't help me.
So, if you want unbound to resolve DNS queries, OpenVPN has nothing to do here, it just needs to be working. You need to make sure that:
* clients on the LEDE client router, when doing a DNS query, point to the internal VPN IP where unbound is located; check by doing nslookup and/or ifconfig/ipconfig on the clients
* the client VPN LEDE router has proper iptables rules in order to allow forwarding DNS queries to that IP.
* the server VPN LEDE router has proper iptables rules in order to allow input DNS queries from VPN clients.
For those, ICMP ping alone isn't enough: you need to be able to reach port 53 on TCP and UDP.
The parallel unbound - dnsmasq setup, AFAIK, is to allow DHCP leases and let unbound ask dnsmasq about resolving those leases.
Finally: check again using nslookup while having unbound logging enabled and logread -f running, in order to check if the query is received successfully.
Finally, if you have everything working and you had plans to have other VPN clients, it will be useful to push the DNS config using the VPN, usually doing:
push "redirect-gateway"
push "route 10.0.0.0 255.255.255.0"
push "dhcp-option DNS 10.0.0.1"
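The "reach port 53 on TCP and UDP" check above is easy to do by hand with nslookup or telnet, but the two failure modes look the same from a client until you read the reply. The following is an added example (not code from the thread or from OpenWrt/unbound): a small dependency-free probe that sends one DNS query over UDP and over TCP to a resolver address and reports what came back. A timeout or "connection refused" means the packet never reached a listening resolver, which points at routing or iptables; an answer with RCODE REFUSED means the resolver received the query and declined it by its own policy, which points at the resolver configuration rather than the firewall. The server address 10.0.0.1 and the query name are placeholders taken from the push lines above; the RCODE table is the standard one from RFC 1035.

```python
import socket
import struct
import sys

# Response codes from RFC 1035 section 4.1.1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

# Fixed transaction id so the parser can check that a reply belongs to our query
TXID = 0x1234


def build_query(name, qtype=1, txid=TXID):
    """Build a minimal DNS query (QR=0, RD=1, one question) for `name`.
    qtype 1 is an A record lookup."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_rcode(response, expected_txid=TXID):
    """Return (rcode_name, answer_count) from a raw DNS response.
    Raises ValueError if the bytes are not a response to our query."""
    if len(response) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: this is a query, not a response")
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode), an


def probe(server, name="openwrt.org", proto="udp", timeout=3.0):
    """Send one query to server:53 over udp or tcp and describe the outcome."""
    query = build_query(name)
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                data, _ = s.recvfrom(4096)
        else:
            # DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                hdr = b""
                while len(hdr) < 2:
                    chunk = s.recv(2 - len(hdr))
                    if not chunk:
                        raise ValueError("connection closed before length prefix")
                    hdr += chunk
                length = struct.unpack("!H", hdr)[0]
                data = b""
                while len(data) < length:
                    chunk = s.recv(length - len(data))
                    if not chunk:
                        break
                    data += chunk
    except socket.timeout:
        return "%s/53: no reply (timeout): packet filtered or not routed" % proto
    except OSError as exc:
        return "%s/53: %s: port closed or host unreachable" % (proto, exc)
    rcode, answers = parse_rcode(data)
    return "%s/53: %s (%d answers)" % (proto, rcode, answers)


if __name__ == "__main__":
    # Placeholder: the unbound address on the VPN subnet from the push lines above
    target = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.1"
    for p in ("udp", "tcp"):
        print(probe(target, proto=p))
```

Run it from a VPN client with the resolver's tunnel address as the argument; seeing REFUSED on both transports while ping works is exactly the situation the original post describes, and it tells you the firewall is not the culprit.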
Which queries are refused using the VPN interface? The local ones or the remote ones? Maybe you will need to use dnsmasq on the client as DNS resolver, and forward requests to unbound just when the VPN is up (using openvpn-up.script). Enable logging of unbound and post here if there is some error.
Have you tried to use nslookup to query a domain against the unbound IP? Doing that you don't need to enable unbound logging...
If your unbound is failing and you are pretty sure that it is the root cause of the problems, then do a firstboot start with a clean system and try again to configure just unbound, to see where the configuration problem is, if there is any... If not, check your hw specs: if you have a slow CPU, little RAM and not enough storage, maybe that is the source of the problems.
About:
push "dhcp-option DNS 10.0.0.1"
You should put that in your OpenVPN config file, and 10.0.0.1 should be the unbound IP from the VPN subnet. Check OpenVPN if you need it, but please first try the steps marked with an asterisk that I previously described, in order to rule out problems; read them again in my previous message.
Maybe if you post your configuration files, or describe it in a better way or with a drawing (www.draw.io)...
There is some science, but not rocket science; maybe you are just missing something, and it is difficult for us to guess.
You did not answer whether you could query using nslookup or not... Are you able to ping at least? Are you able to telnet to the DNS TCP port, or check somehow if it is open on the other end of the VPN?
If it is closed, probably your problem is that you need some iptables rules on one or the other end.
Or are you completely sure that you can reach unbound, but it does not respond as you wish?
Sorry for reviving this old thread, but the issue is still present and I believe it's a bug/glitch in dnsmasq that should be addressed.
I'm running OpenWrt 19.07.5 on a D-Link DIR-860L B1 (ramips/mt7621) and configured a custom point-to-point OpenVPN instance on it (shared static key). On the client (Android) I defined the name server manually as the OpenWRT VPN end (tunnel IP 10.0.10.1) and noticed that dnsmasq, although listening on the tun0 interface, with the DNS requests arriving at the router through the tunnel (verified with tcpdump), doesn't answer them.
Here is some relevant info:
root@ow:~# ip r s | grep 10.0
10.0.10.2 dev tun0 scope link src 10.0.10.1
root@ow:~# ip a s | grep 10.0
inet 10.0.10.1 peer 10.0.10.2/32 scope global tun0
root@ow:~# netstat -an | grep 10.0
tcp 0 0 10.0.10.1:53 0.0.0.0:* LISTEN
udp 0 0 10.0.10.1:53 0.0.0.0:*
Once I edited /etc/config/dhcp, set option localservice '0' and restarted the router, dnsmasq would answer the requests on the tun0 interface, but it would also listen on the WAN interface.
I filtered TCP/UDP port 53 on the WAN (using PPPoE) in the custom firewall with:
The VPN (tun0 interface) looks like it is treated as local, because dnsmasq starts listening on it, but it doesn't "serve" it until the option localservice is disabled (set to 0).
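The behaviour described in this post is consistent with how dnsmasq's local-service option is documented: a query is only answered when its source address falls inside the subnet of one of the addresses configured on the router's interfaces. The following is an added example, not code from the thread or from dnsmasq; it models that check with Python's ipaddress module (an assumption about dnsmasq's semantics drawn from its man page wording, not a copy of its implementation). With the addresses from the ip output above, the point-to-point tun0 address 10.0.10.1 carries a /32 prefix, so the peer 10.0.10.2 is outside every "local" subnet and its queries are dropped until localservice is turned off, at which point dnsmasq also answers any WAN source, which is why the WAN port-53 filter became necessary. The LAN address 192.168.1.1/24 and the WAN source 203.0.113.7 are constructed placeholders.

```python
import ipaddress

# Constructed interface table mirroring the thread: a LAN /24 and the /32
# point-to-point tun0 address shown in the `ip a s` output above.
ROUTER_ADDRS = [("192.168.1.1", 24), ("10.0.10.1", 32)]


def local_service_accepts(source, interface_addrs):
    """Model of dnsmasq's local-service rule (assumed from the man page:
    accept only sources on a subnet for which an interface address exists)."""
    src = ipaddress.ip_address(source)
    for addr, prefixlen in interface_addrs:
        net = ipaddress.ip_network("%s/%d" % (addr, prefixlen), strict=False)
        if src.version == net.version and src in net:
            return True
    return False


def dnsmasq_would_answer(source, interface_addrs, localservice=True):
    """With localservice on, apply the subnet rule; with it off, answer anyone
    that can reach the listening socket (the WAN exposure noted in the post)."""
    return (not localservice) or local_service_accepts(source, interface_addrs)


def explain(source, interface_addrs, localservice=True):
    """Human-readable verdict for one query source."""
    answered = dnsmasq_would_answer(source, interface_addrs, localservice)
    return "%s with localservice=%d -> %s" % (
        source, int(localservice), "answered" if answered else "ignored")


if __name__ == "__main__":
    # LAN client: local under the default setting
    print(explain("192.168.1.50", ROUTER_ADDRS))
    # VPN peer behind the /32 tun0 address: not local, query is ignored
    print(explain("10.0.10.2", ROUTER_ADDRS))
    # Same peer after option localservice '0': answered...
    print(explain("10.0.10.2", ROUTER_ADDRS, localservice=False))
    # ...but so is an arbitrary WAN source, unless the firewall blocks port 53
    print(explain("203.0.113.7", ROUTER_ADDRS, localservice=False))
```

The model also predicts that a tunnel address with a prefix covering the peer (for example 10.0.10.1/24 on tun0) would count the peer as local without touching localservice; that is a prediction of this model only, not something verified on dnsmasq here.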