Unbound doesnot serve DNS to Openvpn client

I was able to config OpenVPN server but the client did not have access to Internet if i put local DNS server( unbound) in the config; client will connect to the internet if I put one of DNS public server.
I also have wireguard server installed on the same router and the connected client doesnot have the above problem.
Openvpn

config openvpn 'vpnserver'
	option enabled '1'
	option dev 'tun0'
	option port '1194'
	option server '10.14.1.0 255.255.255.0'
	option client_to_client '1'
	option compress 'lz4'
	option keepalive '10 120'
	option persist_tun '1'
	option persist_key '1'
	option dh '/etc/openvpn/dh.pem'
	option tls_crypt '/etc/openvpn/tc.pem'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/vpnserver.crt'
	option key '/etc/openvpn/vpnserver.key'
	list push 'route 192.168.100.0 255.255.255.0'
        list push 'redirect-gateway def1'
        list push 'dhcp-option DNS 192.168.100.1'
	list push 'compress lz4'
	list push 'persist-tun'
	list push 'persist-key'
	list push 'dhcp-option DOMAIN lan'
	option verb '5'
	option proto 'udp'

Please help!

head -n -0 /etc/resolv.conf /etc/unbound/*.conf | grep -Ev "^\s*(#|$)"
uci show unbound
netstat -lnptu | grep unbound
nslookup openwrt.org
root@WWWHP:~# head -n -0 /etc/resolv.conf /etc/unbound/*.conf | grep -Ev "^\s*(
|$)"
==> /etc/resolv.conf <==
nameserver 127.0.0.1
nameserver ::1
search lan.
==> /etc/unbound/unbound.conf <==
server:
        verbosity: 1
        username: "unbound"
        directory: "/var/lib/unbound"
        chroot: "/var/lib/unbound"
        pidfile: "/var/run/unbound.pid"
        num-threads: 1
        msg-cache-slabs: 1
        rrset-cache-slabs: 1
        infra-cache-slabs: 1
        key-cache-slabs: 1
        interface: 0.0.0.0
        interface: ::0
        access-control: 0.0.0.0/0 allow
        access-control: ::0/0 allow
        outgoing-num-tcp: 1
        incoming-num-tcp: 1
        outgoing-port-permit: "10240-65335"
        outgoing-range: 60
        num-queries-per-thread: 30
        msg-buffer-size: 8192
        infra-cache-numhosts: 200
        msg-cache-size: 100k
        rrset-cache-size: 100k
        key-cache-size: 100k
        neg-cache-size: 10k
        target-fetch-policy: "2 1 0 0 0 0"
        harden-large-queries: yes
        harden-short-bufsize: yes
python:
remote-control:
==> /etc/unbound/unbound_ext.conf <==
server:
  tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
forward-zone:
  name: "."
  forward-addr: 185.228.168.10@853
  forward-addr: 185.228.169.11@853
  forward-addr: 2a0d:2a00:1::1@853
  forward-addr: 2a0d:2a00:2::1@853
  forward-ssl-upstream: yes
==> /etc/unbound/unbound_srv.conf <==
root@WWWHP:~# uci show unbound
unbound.@unbound[0]=unbound
unbound.@unbound[0].edns_size='1280'
unbound.@unbound[0].hide_binddata='1'
unbound.@unbound[0].listen_port='53'
unbound.@unbound[0].manual_conf='0'
unbound.@unbound[0].root_age='9'
unbound.@unbound[0].ttl_min='120'
unbound.@unbound[0].dhcp_link='dnsmasq'
unbound.@unbound[0].recursion='aggressive'
unbound.@unbound[0].prefetch_root='0'
unbound.@unbound[0].resource='default'
unbound.@unbound[0].extended_stats='0'
unbound.@unbound[0].enabled='1'
unbound.@unbound[0].protocol='mixed'
unbound.@unbound[0].query_minimize='1'
unbound.@unbound[0].validator='0'
unbound.@unbound[0].query_min_strict='1'
unbound.@unbound[0].extended_luci='1'
unbound.@unbound[0].dns64='0'
unbound.@unbound[0].unbound_control='0'
unbound.@unbound[0].localservice='1'
unbound.@unbound[0].rebind_localhost='1'
unbound.@unbound[0].rebind_protection='1'
unbound.@unbound[0].trigger_interface='lan' 'wan'
root@WWWHP:~# netstat -lnptu | grep unbound
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN     30573/unbound
tcp        0      0 :::53                   :::*                    LISTEN     30573/unbound
udp        0      0 0.0.0.0:53              0.0.0.0:*                          30573/unbound
udp        0      0 :::53                   :::*                               30573/unbound
root@WWWHP:~# nslookup openwrt.org
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:      openwrt.org
Address 1: 139.59.209.225
Address 2: 2a03:b0c0:3:d0::1af1:1
root@WWWHP:~#
uci set unbound.@unbound[0].manual_conf="1"
uci commit unbound
service unbound restart

Client connected. I can connect to 192.168.100.1 but not the internet.

I've stopped dnsmasq, installed unbound and applied your configs but it resulted in the same problem:

However the option mentioned above solves the issue.

The thing is wireguard clients connected normally to unbound. So i think the issue is with openvpn config.

Sorry. I havent been trolling the forums. It helps to mention the maintainer.

Unbound UCI will make Unbound only respond on connected subnets found in OpenWrt network tools (/lib/network). If OpenVPN creates non-standard network interfaces, then Unbound will see those as outside network attacks. Disable option 'local_service' to be more permisive.

1 Like

@EricLuehrsen thanks, had the same problem and your suggestion fixed my problem.

On second thought, now that the problem is clear, I opted to manually add a few lines in /etc/unbound/unbound_srv.conf and it works nicely without having to disable "localservice".

I just have unbound.conf and not unbound_srv.conf and which were the lines you added??

@alex26052005 I have added the following lines:

access-control: 10.x.x.x/24 allow
access-control: 2001:470:...../64 allow
access-control: ULA...../64 allow

(you should substitute the real addresses of the vpn interface, both IPV4 and IPV6, in the example above and remember that IPV6 might have multiple prefixes on the same interface, both publica and ULA)

If you have only one config file for unbound, perhaps because you're using manual config, just put them there along with the other ACL lines)

Hi all

I have the same problem, but I cannot solve it neither with disabling local_service nor adding access-control (which is already set to 0.0.0.0 and ::0 by default)

I have VPN in a dedicated firewall zone, forwarding in the openvpn config DNS to 8.8.8.8 works, but if I switch to my local resolver (ubound 192.168.182.1) does not.

Of course before enabling ubound, with dnsmasq everything worked correctly

Can anyone help il troubleshoot the issue?

this is what I get from the log:

`Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info: server stats for th                                                                                                             read 0: requestlist max 4 avg 0.349593 exceeded 0 jostled 0
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info: average recursion p                                                                                                             rocessing time 0.092009 sec
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info: histogram of recurs                                                                                                             ion processing times
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info: [25%]=0.0435814 med                                                                                                             ian[50%]=0.0570163 [75%]=0.100645
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info: lower(secs) upper(s                                                                                                             ecs) recursions
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info:    0.000000    0.00                                                                                                             0001 6
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info:    0.032768    0.06                                                                                                             5536 75
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info:    0.065536    0.13                                                                                                             1072 21
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info:    0.131072    0.26                                                                                                             2144 17
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info:    0.262144    0.52                                                                                                             4288 2
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info:    0.524288    1.00                                                                                                             0000 2
Sat Jun 13 09:52:55 2020 daemon.notice unbound: [11572:0] notice: init module 0:                                                                                                              iterator
Sat Jun 13 09:52:56 2020 daemon.info unbound: [11572:0] info: start of service (                                                                                                             unbound 1.10.1).
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN                                                                                                                   11572/unbound
tcp        0      0 :::53                   :::*                    LISTEN                                                                                                                   11572/unbound
udp        0      0 0.0.0.0:53              0.0.0.0:*                                                                                                                                        11572/unbound
udp        0      0 :::53                   :::*                                                                                                                                             11572/unbound
`

I see that the queries are correctly received and resolved by unbound:

Sat Jun 13 12:00:47 2020 daemon.info unbound: [20059:0] info: 10.8.0.6 login.kataweb.it. AAAA IN
Sat Jun 13 12:00:47 2020 daemon.info unbound: [20059:0] info: 10.8.0.6 tltbdxnudzutr. AAAA IN
Sat Jun 13 12:00:47 2020 daemon.info unbound: [20059:0] info: 10.8.0.6 android.googleapis.com. A IN
Sat Jun 13 12:00:47 2020 daemon.info unbound: [20059:0] info: 192.168.182.149 info.cspserver.net. A IN
Sat Jun 13 12:00:47 2020 daemon.info unbound: [20059:0] info: 10.8.0.6 andr.eu.ec.api.amazonvideo.com. AAAA IN
Sat Jun 13 12:00:47 2020 daemon.info unbound: [20059:0] info: 10.8.0.6 www.google.com. A IN
Sat Jun 13 12:00:47 2020 daemon.info unbound: [20059:0] info: 10.8.0.6 semanticlocation-pa.googleapis.com. A IN
Sat Jun 13 12:00:48 2020 daemon.info unbound: [20059:0] info: 10.8.0.6 www.repubblica.it. A IN

But for some reason the replies never reach the VPN client. Is it possible a firewall issue? Strange that with dnsmasq there is no issue with the same setup (port 53 and running on openwrt router)

Unbound has a quirk and it may reply to any address on the device. It has an option to correct this. This may or may not be your specific problem, but it is a likely problem. See recent fix for master and OpenWrt 19.07 package net/unbound.

1 Like

Thank you very much, this solved the issue!