Unbound does not serve DNS to OpenVPN client

I was able to configure the OpenVPN server, but the client does not have Internet access if I put the local DNS server (Unbound) in the config; the client will connect to the Internet if I put in a public DNS server.
I also have a WireGuard server installed on the same router and its connected client does not have the above problem.
OpenVPN

config openvpn 'vpnserver'
	option enabled '1'
	option dev 'tun0'
	option port '1194'
	option server '10.14.1.0 255.255.255.0'
	option client_to_client '1'
	option compress 'lz4'
	option keepalive '10 120'
	option persist_tun '1'
	option persist_key '1'
	option dh '/etc/openvpn/dh.pem'
	option tls_crypt '/etc/openvpn/tc.pem'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/vpnserver.crt'
	option key '/etc/openvpn/vpnserver.key'
	list push 'route 192.168.100.0 255.255.255.0'
	list push 'redirect-gateway def1'
	list push 'dhcp-option DNS 192.168.100.1'
	list push 'compress lz4'
	list push 'persist-tun'
	list push 'persist-key'
	list push 'dhcp-option DOMAIN lan'
	option verb '5'
	option proto 'udp'

Please help!

head -n -0 /etc/resolv.conf /etc/unbound/*.conf | grep -Ev "^\s*(#|$)"
uci show unbound
netstat -lnptu | grep unbound
nslookup example.org
root@WWWHP:~# head -n -0 /etc/resolv.conf /etc/unbound/*.conf | grep -Ev "^\s*(#|$)"
==> /etc/resolv.conf <==
nameserver 127.0.0.1
nameserver ::1
search lan.
==> /etc/unbound/unbound.conf <==
server:
        verbosity: 1
        username: "unbound"
        directory: "/var/lib/unbound"
        chroot: "/var/lib/unbound"
        pidfile: "/var/run/unbound.pid"
        num-threads: 1
        msg-cache-slabs: 1
        rrset-cache-slabs: 1
        infra-cache-slabs: 1
        key-cache-slabs: 1
        interface: 0.0.0.0
        interface: ::0
        access-control: 0.0.0.0/0 allow
        access-control: ::0/0 allow
        outgoing-num-tcp: 1
        incoming-num-tcp: 1
        outgoing-port-permit: "10240-65335"
        outgoing-range: 60
        num-queries-per-thread: 30
        msg-buffer-size: 8192
        infra-cache-numhosts: 200
        msg-cache-size: 100k
        rrset-cache-size: 100k
        key-cache-size: 100k
        neg-cache-size: 10k
        target-fetch-policy: "2 1 0 0 0 0"
        harden-large-queries: yes
        harden-short-bufsize: yes
python:
remote-control:
==> /etc/unbound/unbound_ext.conf <==
server:
  tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
forward-zone:
  name: "."
  forward-addr: 185.228.168.10@853
  forward-addr: 185.228.169.11@853
  forward-addr: 2a0d:2a00:1::1@853
  forward-addr: 2a0d:2a00:2::1@853
  forward-ssl-upstream: yes
==> /etc/unbound/unbound_srv.conf <==
root@WWWHP:~# uci show unbound
unbound.@unbound[0]=unbound
unbound.@unbound[0].edns_size='1280'
unbound.@unbound[0].hide_binddata='1'
unbound.@unbound[0].listen_port='53'
unbound.@unbound[0].manual_conf='0'
unbound.@unbound[0].root_age='9'
unbound.@unbound[0].ttl_min='120'
unbound.@unbound[0].dhcp_link='dnsmasq'
unbound.@unbound[0].recursion='aggressive'
unbound.@unbound[0].prefetch_root='0'
unbound.@unbound[0].resource='default'
unbound.@unbound[0].extended_stats='0'
unbound.@unbound[0].enabled='1'
unbound.@unbound[0].protocol='mixed'
unbound.@unbound[0].query_minimize='1'
unbound.@unbound[0].validator='0'
unbound.@unbound[0].query_min_strict='1'
unbound.@unbound[0].extended_luci='1'
unbound.@unbound[0].dns64='0'
unbound.@unbound[0].unbound_control='0'
unbound.@unbound[0].localservice='1'
unbound.@unbound[0].rebind_localhost='1'
unbound.@unbound[0].rebind_protection='1'
unbound.@unbound[0].trigger_interface='lan' 'wan'
root@WWWHP:~# netstat -lnptu | grep unbound
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN     30573/unbound
tcp        0      0 :::53                   :::*                    LISTEN     30573/unbound
udp        0      0 0.0.0.0:53              0.0.0.0:*                          30573/unbound
udp        0      0 :::53                   :::*                               30573/unbound
root@WWWHP:~# nslookup openwrt.org
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:      openwrt.org
Address 1: 139.59.209.225
Address 2: 2a03:b0c0:3:d0::1af1:1
root@WWWHP:~#
uci set unbound.@unbound[0].manual_conf="1"
uci commit unbound
service unbound restart

Client connected. I can connect to 192.168.100.1 but not the internet.

I've stopped dnsmasq, installed unbound and applied your configs but it resulted in the same problem:

However, the option mentioned above solves the issue.

The thing is, WireGuard clients connected normally to Unbound. So I think the issue is with the OpenVPN config.

Sorry. I haven't been trolling the forums. It helps to mention the maintainer.

Unbound UCI will make Unbound only respond on connected subnets found in OpenWrt network tools (/lib/network). If OpenVPN creates non-standard network interfaces, then Unbound will see those as outside network attacks. Disable option 'local_service' to be more permissive.


@EricLuehrsen thanks, had the same problem and your suggestion fixed my problem.

On second thought, now that the problem is clear, I opted to manually add a few lines in /etc/unbound/unbound_srv.conf and it works nicely without having to disable "localservice".

I only have unbound.conf and not unbound_srv.conf. Which lines did you add?

@alex26052005 I have added the following lines:

access-control: 10.x.x.x/24 allow
access-control: 2001:470:...../64 allow
access-control: ULA...../64 allow

(You should substitute the real addresses of the VPN interface, both IPv4 and IPv6, in the example above, and remember that IPv6 might have multiple prefixes on the same interface, both public and ULA.)

If you have only one config file for Unbound, perhaps because you're using manual config, just put them there along with the other ACL lines.

Hi all

I have the same problem, but I cannot solve it either by disabling local_service or by adding access-control (which is already set to 0.0.0.0 and ::0 by default).

I have the VPN in a dedicated firewall zone; forwarding DNS in the OpenVPN config to 8.8.8.8 works, but if I switch to my local resolver (Unbound, 192.168.182.1) it does not.

Of course, before enabling Unbound, with dnsmasq everything worked correctly.

Can anyone help me troubleshoot the issue?

This is what I get from the log:

Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info: server stats for thread 0: requestlist max 4 avg 0.349593 exceeded 0 jostled 0
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info: average recursion processing time 0.092009 sec
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info: histogram of recursion processing times
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info: [25%]=0.0435814 median[50%]=0.0570163 [75%]=0.100645
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info: lower(secs) upper(secs) recursions
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info:    0.000000    0.000001 6
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info:    0.032768    0.065536 75
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info:    0.065536    0.131072 21
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info:    0.131072    0.262144 17
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info:    0.262144    0.524288 2
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info:    0.524288    1.000000 2
Sat Jun 13 09:52:55 2020 daemon.notice unbound: [11572:0] notice: init module 0: iterator
Sat Jun 13 09:52:56 2020 daemon.info unbound: [11572:0] info: start of service (unbound 1.10.1).
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN     11572/unbound
tcp        0      0 :::53                   :::*                    LISTEN     11572/unbound
udp        0      0 0.0.0.0:53              0.0.0.0:*                          11572/unbound
udp        0      0 :::53                   :::*                               11572/unbound

I see that the queries are correctly received and resolved by unbound:

Sat Jun 13 12:00:47 2020 daemon.info unbound: [20059:0] info: 10.8.0.6 login.kataweb.it. AAAA IN
Sat Jun 13 12:00:47 2020 daemon.info unbound: [20059:0] info: 10.8.0.6 tltbdxnudzutr. AAAA IN
Sat Jun 13 12:00:47 2020 daemon.info unbound: [20059:0] info: 10.8.0.6 android.googleapis.com. A IN
Sat Jun 13 12:00:47 2020 daemon.info unbound: [20059:0] info: 192.168.182.149 info.cspserver.net. A IN
Sat Jun 13 12:00:47 2020 daemon.info unbound: [20059:0] info: 10.8.0.6 andr.eu.ec.api.amazonvideo.com. AAAA IN
Sat Jun 13 12:00:47 2020 daemon.info unbound: [20059:0] info: 10.8.0.6 www.google.com. A IN
Sat Jun 13 12:00:47 2020 daemon.info unbound: [20059:0] info: 10.8.0.6 semanticlocation-pa.googleapis.com. A IN
Sat Jun 13 12:00:48 2020 daemon.info unbound: [20059:0] info: 10.8.0.6 www.repubblica.it. A IN

But for some reason the replies never reach the VPN client. Could it be a firewall issue? Strange that with dnsmasq there is no issue with the same setup (port 53 and running on the OpenWrt router).

Unbound has a quirk and it may reply to any address on the device. It has an option to correct this. This may or may not be your specific problem, but it is a likely problem. See recent fix for master and OpenWrt 19.07 package net/unbound.
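The two fixes in this thread, the per-subnet access-control lines in /etc/unbound/unbound_srv.conf and the reply-source-address quirk, can be checked on the router itself. The script below is an added example, not code from the thread or from the OpenWrt unbound package: it turns the OpenVPN UCI value `option server 'NET MASK'` into a CIDR, emits the matching access-control lines (IPv4 only; the IPv6 prefixes mentioned above still have to be added by hand), and tests whether a given client address is actually covered, which is what fails when the VPN subnet is missing from the ACL. It also emits `interface-automatic: yes`, the documented Unbound option that makes replies leave from the address the query arrived on; that this is the setting behind the package fix referred to above is an assumption. Sample client addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenWrt unbound package).
# Derive Unbound access-control lines for an OpenVPN subnet and check that
# a client address falls inside them. Assumes the UCI layout shown in the
# thread: option server 'NET MASK'. POSIX sh (busybox ash / dash).

# Dotted IPv4 address -> 32-bit integer (subshell keeps the IFS change local).
ip4_to_int() {
    (
        IFS=.
        set -- $1
        echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    )
}

# Dotted netmask -> prefix length; rejects non-contiguous masks such as 255.0.255.0.
mask_to_prefix() {
    m=$(ip4_to_int "$1")
    inv=$(( ~m & 4294967295 ))          # zero bits of the mask, as a 32-bit value
    if [ $(( (inv + 1) & inv )) -ne 0 ]; then
        echo "invalid netmask: $1" >&2
        return 1
    fi
    n=0
    while [ "$m" -ne 0 ]; do            # count the one bits
        n=$(( n + (m & 1) ))
        m=$(( m >> 1 ))
    done
    echo "$n"
}

# OpenVPN UCI value "NET MASK" -> CIDR, e.g. "10.14.1.0 255.255.255.0" -> 10.14.1.0/24
openvpn_server_to_cidr() {
    set -- $1
    plen=$(mask_to_prefix "$2") || return 1
    echo "$1/$plen"
}

# Exit status 0 if address $1 lies inside CIDR $2 (what Unbound's ACL will match).
ip_in_cidr() {
    ip=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    plen=${2#*/}
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Lines for /etc/unbound/unbound_srv.conf: one ACL per "NET MASK" argument
# (bare lines, no server: header, as in the thread), plus interface-automatic
# so replies use the address the query arrived on (documented Unbound option;
# its link to the package fix mentioned in the thread is assumed).
unbound_srv_fragment() {
    for s in "$@"; do
        cidr=$(openvpn_server_to_cidr "$s") || return 1
        echo "access-control: $cidr allow"
    done
    echo "interface-automatic: yes"
}

# Demo with the subnet from the thread's OpenVPN config; client addresses are constructed.
VPN_SERVER='10.14.1.0 255.255.255.0'
unbound_srv_fragment "$VPN_SERVER"
for client in 10.14.1.6 192.168.182.149; do
    if ip_in_cidr "$client" "$(openvpn_server_to_cidr "$VPN_SERVER")"; then
        echo "$client: covered by the VPN ACL"
    else
        echo "$client: not covered, Unbound would refuse it unless another ACL matches"
    fi
done
```

Run it on the router as `sh acl-check.sh` (script name assumed) and compare the emitted access-control line with what `uci get openvpn.vpnserver.server` reports; a client in the log whose address is reported as not covered is the one the ACL is dropping.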


Thank you very much, this solved the issue!