Version
OPNsense 18.7.5_1-amd64
Installed on self-configured hardware (Intel(R) Celeron(R) CPU J1900 @ 1.99GHz (4 cores)) and as fresh Hyper-V VM installation for tests.
Issue appears
after each reboot of OPNsense
Issue
After rebooting OPNsense the DNS resolving for OpenVPN clients only is not working. LAN clients in three different VLANs are not affected. They can resolve internal and external DNS names as well. So I guess Unbound is not completely hanging or stopped. After restarting the Unbound service DNS resolving for the OpenVPN clients works fine again.
After the restart of the service the DNS record for my OPNsense management interface (re1) contains of course the IP address of the management interface itself (192.168.1.1/24), but also the IP address of the virtual OpenVPN interface (192.168.15.1/24). Therefore when I try to access the WebGUI and my client gets the OpenVPN interface IP from Unbound I get timeouts and a lot of deny entries in the firewall logs because this interface is not allowed for WebGUI access.
_NSLOOKUP from Client VLAN (192.168.10.0/24) after restart of OPNsense, but before restart of Unbound service_
````
C:\Users\XXX>nslookup
Standardserver: JasWall.jasnet.home.arpa
Address: 192.168.10.1
jaswall.mgmt.home.arpa
Server: JasWall.jasnet.home.arpa
Address: 192.168.10.1
Name: jaswall.mgmt.home.arpa
Addresses: 192.168.1.1
>
````
_NSLOOKUP from Client VLAN (192.168.10.0/24) after restart of Unbound service_
````
C:\Users\XXX>nslookup
Standardserver: JasWall.jasnet.home.arpa
Address: 192.168.10.1
jaswall.mgmt.home.arpa
Server: JasWall.jasnet.home.arpa
Address: 192.168.10.1
Name: jaswall.mgmt.home.arpa
Addresses: 192.168.1.1
192.168.15.1
>
````
The freshly installed OPNsense VM is configured with the basic settings like WAN and LAN interface only. No additional plugins or services are running. But it shows the same behaviour as my productive OPNsense.
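A check a LAN client can run after each reboot to catch the second symptom described above (the management hostname answering with the OpenVPN address in addition to the management address). This is an added example, not code from the issue or from OPNsense: it parses nslookup output in the format quoted above and assumes the expected management IP is 192.168.1.1 as in this setup. The two sample transcripts are constructed from the outputs shown above.

```shell
#!/bin/sh
# Added example (not from the issue or OPNsense): verify that the firewall's
# management hostname resolves only to its management IP.

# Constructed samples, copied from the nslookup transcripts quoted in the issue.
# Before the manual Unbound restart: a single, correct answer.
SAMPLE_OK='Server:  JasWall.jasnet.home.arpa
Address:  192.168.10.1

Name:    jaswall.mgmt.home.arpa
Addresses:  192.168.1.1'

# After the Unbound restart: the OpenVPN interface address is returned too.
SAMPLE_BAD='Server:  JasWall.jasnet.home.arpa
Address:  192.168.10.1

Name:    jaswall.mgmt.home.arpa
Addresses:  192.168.1.1
          192.168.15.1'

# Print the IPv4 addresses from the answer section of an nslookup transcript
# read from stdin. Everything before the "Name:" line describes the resolver
# itself (the "Address:" of the server) and is skipped.
answer_addresses() {
    awk '
        { sub(/\r$/, "") }                 # tolerate CRLF from Windows clients
        /^Name:/ { in_answer = 1; next }
        in_answer {
            sub(/^[ \t]*Address(es)?:[ \t]*/, "")
            sub(/^[ \t]+/, "")
            if ($0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print
        }'
}

# check_mgmt_resolution EXPECTED_IP < transcript
# Exit 0 when every answer equals EXPECTED_IP, 1 when any other address is
# returned (each offending address is reported on stderr).
check_mgmt_resolution() {
    expected="$1"
    rc=0
    for ip in $(answer_addresses); do
        if [ "$ip" != "$expected" ]; then
            echo "unexpected answer for management host: $ip" >&2
            rc=1
        fi
    done
    return $rc
}

# report LABEL EXPECTED_IP < transcript: human-readable wrapper for the demo.
report() {
    if check_mgmt_resolution "$2"; then
        echo "$1: only $2 returned, ok"
    else
        echo "$1: extra addresses returned, WebGUI access may hit the wrong interface"
    fi
}

# Demo on the constructed samples. On a real client the input comes from
#   nslookup jaswall.mgmt.home.arpa | check_mgmt_resolution 192.168.1.1
printf '%s\n' "$SAMPLE_OK"  | report before-unbound-restart 192.168.1.1
printf '%s\n' "$SAMPLE_BAD" | report after-unbound-restart 192.168.1.1
```

The check deliberately treats any address other than the expected one as a failure rather than looking only for the 192.168.15.1 address, so it also catches a future interface reordering that puts some other interface address into the record.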
Hi @JasMan78,
Labelling this support for now until we know what's going on.
Would you mind comparing /var/unbound/access_lists.conf when working and when not working?
Thanks,
Franco
Just for information: I've installed 18.7.6 today. It has the same (both) issue(s).
FYI: 18.7.7, still the same issues.
FYI: Same at 18.7.8
Something new about this issue?
The same issue with 18.7.8; please look at this thread on the OPNsense forum (in German):
https://forum.opnsense.org/index.php?topic=10404.0
Everything worked well after the installation of the new virtual OpenVPN interface of ExpressVPN without any issue, but after a reboot, the DNS resolver of OPNsense & Pi-hole stopped working!
Ok, so how about we always restart Unbound after VPN startup during the boot sequence?
````
# opnsense-patch 35478a8
````
@Fichtner: it didn't work...
Too bad. I'm out of ideas for the moment.
@fichtner : The patch works for me. My OpenVPN clients can resolve DNS names right after a reboot of OPNsense without restarting Unbound first. It seems that @karl047 has another problem.
But also the issue with the DNS record of my OPNsense, which contains the IP address of the OPNsense management interface and the virtual OpenVPN interface, is immediately present after the reboot.
@JasMan78 ok, let's close this ticket then and add the patch to 18.7.9.
@karl047 please open a separate ticket. Your issue looks like a general VPN issue or possibly routing configuration related.
@JasMan78 meh, sorry, please explain your second sentence... I really can't keep up with "ok now but" as it makes working on tickets frustrating.
@fichtner : I'd noticed two problems with Unbound/OpenVPN and I thought the reason for both was the same main issue, because the second problem occurs only after I've restarted the Unbound service manually to solve the first problem.
Now your patch solves the first problem by restarting Unbound automatically. But the restart still causes the second problem.
- DNS for VPN clients is not working after rebooting OPNsense
  -> Solved by patch 35478a8
- Unbound DNS record of OPNsense contains the IP of the management interface and the IP address of the virtual OpenVPN adapter after restarting the Unbound service
  -> Not solved by patch 35478a8.
Sorry for the confusion. Should I open a new issue for the second problem?
@JasMan78 it's ok, now I understand. I thought we were moving sideways, sorry!
What did you set for active_interface under Unbound general options?
@fichtner
Localhost
OpenVPN server: RAS SSL VPN (WAN, 192.168.15.1/24)
LAN_Mgmt (re1, 192.168.1.1/24)
LAN_User (hn1_vlan10, 192.168.10.1/24)
LAN_Guests (hn1_vlan100, 192.168.100.1/24)
That's a bit unlucky having OpenVPN high up the list...
Shouldn't the order be OpenVPN last?
Oh, I didn't know that the order is important. I wrote them down in a random order.
This is the real order of the interfaces
LAN_Guests (hn1_vlan100, 192.168.100.1/24)
LAN_Mgmt (re1, 192.168.1.1/24)
LAN_User (hn1_vlan10, 192.168.10.1/24)
Localhost
OpenVPN server: RAS SSL VPN (WAN, 192.168.15.1/24)
@JasMan78 333dc0fc should fix your issue, but I'm not sure it won't cause others to complain as well when we include it in 19.1. I'll keep this ticket open for your feedback on the patch. 19.1 is about 1 month away.
EDIT: Updated hash, fatal unicode whitespace included :(
Sorry, it's 333dc0f actually
@fichtner I've installed the patch and it resolved the issue :-)
Now the DNS record contains the IP address of the management interface only.
I did a short test and as far as I can see everything is working fine. I will let you know if I find any new issue that could have to do with this patch.
Thanks! I don't expect any related breakage. :)
For everyone who has a problem with the Unbound service on OPNsense:
1: vi /usr/local/etc/rc.syshook.d/start/50-dnsrestarter
2: copy the code below in vi and save it (ESC :wq! enter)
````
/usr/local/sbin/pluginctl dns restart
````
3: chmod 777 /usr/local/etc/rc.syshook.d/start/50-dnsrestarter
Now it should be working after reboot.
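The hook above runs as root at every boot, so a world-writable hook file (chmod 777) lets any local account on the firewall place commands that run as root on the next reboot; mode 0755 gives the same boot-time restart without that exposure. The following is an added example, not code from the issue or from OPNsense: it writes the same one-line hook with a shebang and mode 0755 into a directory passed as argument (defaulting to the /usr/local/etc/rc.syshook.d tree named in the steps), and adds an audit function that lists hook files that are world-writable or not owned by the expected owner (root by default). It assumes, as the steps above do, that OPNsense executes the files placed in the start directory of that tree during boot.

```shell
#!/bin/sh
# Added example (not from the issue or OPNsense): install the DNS restart hook
# from the steps above with a safe mode, and audit the hook tree.

# install_dns_restart_hook [SYSHOOK_DIR]
# Writes start/50-dnsrestarter below SYSHOOK_DIR (default: the OPNsense path
# used in the steps above) and marks it 0755: the owner may edit it, everyone
# else may only read and execute it. Prints the path of the written hook.
install_dns_restart_hook() {
    dir="${1:-/usr/local/etc/rc.syshook.d}"
    hook="$dir/start/50-dnsrestarter"
    mkdir -p "$dir/start"
    # The umask keeps the file from being group/world-writable even briefly
    # between creation and the chmod below.
    ( umask 022; cat > "$hook" <<'EOF'
#!/bin/sh
# Restart the DNS service once the boot sequence (including OpenVPN) is done.
/usr/local/sbin/pluginctl dns restart
EOF
    )
    chmod 0755 "$hook"
    echo "$hook"
}

# audit_syshook_dir [SYSHOOK_DIR] [OWNER]
# Prints every regular file under SYSHOOK_DIR that is world-writable
# (-perm -0002) or not owned by OWNER (default root), and returns 1 if any
# was found. Files here run with root privileges at boot, so either condition
# means an unprivileged local user could inject commands.
audit_syshook_dir() {
    dir="${1:-/usr/local/etc/rc.syshook.d}"
    owner="${2:-root}"
    findings=$(find "$dir" -type f \( -perm -0002 -o ! -user "$owner" \) -print 2>/dev/null)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Demo in a scratch directory (owner is the current user, so the ownership
# check is relative to it). On the firewall itself call
# install_dns_restart_hook with no argument and audit_syshook_dir as root.
demo_dir=$(mktemp -d)
hook=$(install_dns_restart_hook "$demo_dir")
audit_syshook_dir "$demo_dir" "$(id -un)" && echo "audit clean: $hook is mode 0755"
chmod 777 "$hook"                     # the mode from the steps above
audit_syshook_dir "$demo_dir" "$(id -un)" || echo "audit flagged the world-writable hook above"
rm -rf "$demo_dir"
```

Running audit_syshook_dir periodically (or from a monitoring job) turns the permission mistake into something that gets noticed, instead of a silent root-level foothold left behind by a quick fix.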