I was able to configure the OpenVPN server, but the client did not have access to the Internet if I put the local DNS server (unbound) in the config; the client will connect to the Internet if I put one of the public DNS servers.
I also have a WireGuard server installed on the same router, and the connected client does not have the above problem.
OpenVPN

```
config openvpn 'vpnserver'
option enabled '1'
option dev 'tun0'
option port '1194'
# VPN subnet handed to clients; this is not one of the router's LAN subnets
option server '10.14.1.0 255.255.255.0'
option client_to_client '1'
option compress 'lz4'
option keepalive '10 120'
option persist_tun '1'
option persist_key '1'
option dh '/etc/openvpn/dh.pem'
option tls_crypt '/etc/openvpn/tc.pem'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/vpnserver.crt'
option key '/etc/openvpn/vpnserver.key'
list push 'route 192.168.100.0 255.255.255.0'
list push 'redirect-gateway def1'
# DNS pushed to clients: the router's LAN address (unbound)
list push 'dhcp-option DNS 192.168.100.1'
list push 'compress lz4'
list push 'persist-tun'
list push 'persist-key'
list push 'dhcp-option DOMAIN lan'
option verb '5'
option proto 'udp'
```
Sorry. I haven't been trolling the forums. It helps to mention the maintainer.
Unbound UCI will make Unbound only respond on connected subnets found in OpenWrt network tools (/lib/network). If OpenVPN creates non-standard network interfaces, then Unbound will see those as outside network attacks. Disable option 'local_service' to be more permissive.
@EricLuehrsen thanks, I had the same problem and your suggestion fixed it.
On second thought, now that the problem is clear, I opted to manually add a few lines in /etc/unbound/unbound_srv.conf and it works nicely without having to disable 'local_service'.
(You should substitute the real addresses of the VPN interface, both IPv4 and IPv6, in the example above, and remember that IPv6 might have multiple prefixes on the same interface, both public and ULA.)
If you have only one config file for unbound, perhaps because you're using manual config, just put them there along with the other ACL lines.
I have the same problem, but I cannot solve it, neither by disabling local_service nor by adding access-control (which is already set to 0.0.0.0 and ::0 by default).
I have the VPN in a dedicated firewall zone. Forwarding DNS to 8.8.8.8 in the OpenVPN config works, but if I switch to my local resolver (unbound, 192.168.182.1) it does not.
Of course, before enabling unbound, with dnsmasq everything worked correctly.
Can anyone help me troubleshoot the issue?
This is what I get from the log:
```
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info: server stats for thread 0: requestlist max 4 avg 0.349593 exceeded 0 jostled 0
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info: average recursion processing time 0.092009 sec
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info: histogram of recursion processing times
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info: [25%]=0.0435814 median[50%]=0.0570163 [75%]=0.100645
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info: lower(secs) upper(secs) recursions
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info:    0.000000    0.000001 6
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info:    0.032768    0.065536 75
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info:    0.065536    0.131072 21
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info:    0.131072    0.262144 17
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info:    0.262144    0.524288 2
Sat Jun 13 09:52:50 2020 daemon.info unbound: [8396:0] info:    0.524288    1.000000 2
Sat Jun 13 09:52:55 2020 daemon.notice unbound: [11572:0] notice: init module 0: iterator
Sat Jun 13 09:52:56 2020 daemon.info unbound: [11572:0] info: start of service (unbound 1.10.1).

tcp   0   0 0.0.0.0:53   0.0.0.0:*   LISTEN   11572/unbound
tcp   0   0 :::53        :::*        LISTEN   11572/unbound
udp   0   0 0.0.0.0:53   0.0.0.0:*            11572/unbound
udp   0   0 :::53        :::*                 11572/unbound
```
I see that the queries are correctly received and resolved by unbound:
```
Sat Jun 13 12:00:47 2020 daemon.info unbound: [20059:0] info: 10.8.0.6 login.kataweb.it. AAAA IN
Sat Jun 13 12:00:47 2020 daemon.info unbound: [20059:0] info: 10.8.0.6 tltbdxnudzutr. AAAA IN
Sat Jun 13 12:00:47 2020 daemon.info unbound: [20059:0] info: 10.8.0.6 android.googleapis.com. A IN
Sat Jun 13 12:00:47 2020 daemon.info unbound: [20059:0] info: 192.168.182.149 info.cspserver.net. A IN
Sat Jun 13 12:00:47 2020 daemon.info unbound: [20059:0] info: 10.8.0.6 andr.eu.ec.api.amazonvideo.com. AAAA IN
Sat Jun 13 12:00:47 2020 daemon.info unbound: [20059:0] info: 10.8.0.6 www.google.com. A IN
Sat Jun 13 12:00:47 2020 daemon.info unbound: [20059:0] info: 10.8.0.6 semanticlocation-pa.googleapis.com. A IN
Sat Jun 13 12:00:48 2020 daemon.info unbound: [20059:0] info: 10.8.0.6 www.repubblica.it. A IN
```
But for some reason the replies never reach the VPN client. Could it be a firewall issue? Strange that with dnsmasq there is no issue with the same setup (port 53, running on the OpenWrt router).
Unbound has a quirk and it may reply to any address on the device. It has an option to correct this. This may or may not be your specific problem, but it is a likely problem. See recent fix for master and OpenWrt 19.07 package net/unbound.
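The two fixes discussed in this thread, put together as an added example that is not part of any post above and is not the OpenWrt package's own code: an /etc/unbound/unbound_srv.conf fragment with an access-control entry for the VPN subnet (the "manually add a few lines" approach, which keeps 'local_service' enabled) plus interface-automatic, which I assume is the Unbound option behind the "reply from any address" quirk (verify against your package version). The 10.14.1.0/24 subnet is the OpenVPN server subnet from the first post; the IPv6 prefixes are placeholders to replace with the real public and ULA prefixes of your VPN interface.

```conf
# /etc/unbound/unbound_srv.conf  (included inside the "server:" clause by the OpenWrt UCI wrapper)
# Example fragment, assumptions: VPN subnet 10.14.1.0/24 (from the OpenVPN config in this thread),
# IPv6 prefixes below are placeholders only.

# 1. Let queries arriving from the VPN subnet be recursively answered.
#    With local_service enabled, Unbound UCI only allows subnets it discovers on
#    known interfaces, so the tun0 subnet must be added by hand.
access-control: 10.14.1.0/24 allow
# IPv6: one entry per prefix on the VPN interface (public and ULA), placeholders here
access-control: 2001:db8:0:1::/64 allow
access-control: fd00:db8:0:1::/64 allow

# 2. Send replies from the same address the query was received on.
#    Without this, a reply to a VPN client may leave with a different source address
#    than the one the client queried (192.168.100.1 above), and the client drops it.
interface-automatic: yes
```

After editing, restart Unbound (/etc/init.d/unbound restart) and confirm from a VPN client that a lookup against the pushed DNS address gets an answer; if it still times out while the query shows up in the Unbound log as in the post above, capture on tun0 and check the source address of the reply packets. Disabling 'local_service' in /etc/config/unbound, as suggested earlier in the thread, is the alternative to maintaining the access-control lines yourself.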