
After reboot of OPNsense Unbound is not working for OpenVPN clients only #2828

Closed
JasMan78 opened this issue Oct 22, 2018 · 26 comments
Labels: bug (Production bug)

Comments

@JasMan78

Version
OPNsense 18.7.5_1-amd64
Installed on self-configured hardware (Intel(R) Celeron(R) CPU J1900 @ 1.99GHz (4 cores)) and as fresh Hyper-V VM installation for tests.

Issue appears
after each reboot of OPNsense

Issue
After rebooting OPNsense, DNS resolving is not working for OpenVPN clients only. LAN clients in three different VLANs are not affected; they can resolve internal and external DNS names as well. So I guess Unbound is not completely hanging or stopped. After restarting the Unbound service, DNS resolving for the OpenVPN clients works fine again.

After the restart of the service, the DNS record for my OPNsense management interface (re1) contains of course the IP address of the management interface itself (192.168.1.1/24), but also the IP address of the virtual OpenVPN interface (192.168.15.1/24). Therefore, when I try to access the WebGUI and my client gets the OpenVPN interface IP from Unbound, I get timeouts and a lot of deny entries in the firewall logs, because this interface is not allowed for WebGUI access.

NSLOOKUP from Client VLAN (192.168.10.0/24) after restart of OPNsense, but before restart of Unbound service

C:\Users\XXX>nslookup
Standardserver:  JasWall.jasnet.home.arpa
Address:  192.168.10.1

> jaswall.mgmt.home.arpa
Server:  JasWall.jasnet.home.arpa
Address:  192.168.10.1

Name:    jaswall.mgmt.home.arpa
Addresses:  192.168.1.1

>

NSLOOKUP from Client VLAN (192.168.10.0/24) after restart of Unbound service

C:\Users\XXX>nslookup
Standardserver:  JasWall.jasnet.home.arpa
Address:  192.168.10.1

> jaswall.mgmt.home.arpa
Server:  JasWall.jasnet.home.arpa
Address:  192.168.10.1

Name:    jaswall.mgmt.home.arpa
Addresses:  192.168.1.1
          192.168.15.1

>

The freshly installed OPNsense VM is configured with the basic settings only, like WAN and LAN interface. No additional plugins or services are running. But it shows the same behaviour as my productive OPNsense.

@fichtner fichtner added the support Community support label Oct 22, 2018
@fichtner
Member

Hi @JasMan78,

Labelling this support for now until we know what's going on.

Would you mind comparing /var/unbound/access_lists.conf when working and when not working?

Thanks,
Franco

@JasMan78
Author

Just for information: I've installed 18.7.6 today. It has the same (both) issue(s).

@JasMan78
Author

JasMan78 commented Nov 9, 2018

FYI: 18.7.7, still the same issues.

@JasMan78
Author

FYI: Same at 18.7.8

Something new about this issue?

@karl047

karl047 commented Nov 25, 2018

The same issue with 18.7.8, please look at this thread on the OPNsense forum (in German):

https://forum.opnsense.org/index.php?topic=10404.0

Everything worked well after the installation of the new virtual OpenVPN interface of ExpressVPN without any issue, but after reboot, the DNS resolver of OPNsense & Pi-hole has stopped working!

@fichtner
Member

Ok, so how about always restarting Unbound after VPN startup during the boot sequence?

# opnsense-patch 35478a8

@fichtner fichtner added bug Production bug and removed support Community support labels Nov 28, 2018
@fichtner fichtner self-assigned this Nov 28, 2018
@fichtner fichtner added this to the 19.1 milestone Nov 28, 2018
@karl047

karl047 commented Nov 30, 2018

@fichtner: it didn't work...

@fichtner
Member

Too bad. I'm out of ideas for the moment.

@JasMan78
Author

JasMan78 commented Nov 30, 2018

@fichtner : The patch works for me. My OpenVPN clients can resolve DNS names right after a reboot of OPNsense without restarting Unbound first. It seems that @karl047 has another problem.

But also the issue with the DNS record of my OPNsense, which contains the IP address of the OPNsense management interface and the virtual OpenVPN interface, is immediately present after the reboot.

@fichtner
Member

fichtner commented Dec 1, 2018

@JasMan78 ok, let's close this ticket then and add the patch to 18.7.9.

@karl047 please open a separate ticket. Your issue looks like a general VPN issue or possibly routing configuration related.

@fichtner fichtner closed this as completed Dec 1, 2018
@fichtner
Member

fichtner commented Dec 1, 2018

@JasMan78 meh, sorry, please explain your second sentence... I really can't keep up with "ok now but" as it makes working on tickets frustrating.

@fichtner fichtner reopened this Dec 1, 2018
fichtner added a commit that referenced this issue Dec 1, 2018
@JasMan78
Author

JasMan78 commented Dec 2, 2018

@fichtner : I noticed two problems with Unbound/OpenVPN, and I thought the reason for both was the same main issue, because the second problem occurs only after I've restarted the Unbound service manually to solve the first problem.
Now your patch solves the first problem by restarting Unbound automatically. But the restart still causes the second problem.

  1. DNS for VPN clients is not working after rebooting OPNsense
    -> Solved by patch 35478a8

  2. Unbound DNS record of OPNsense contains the IP of the management interface and the IP address of the virtual OpenVPN adapter after restarting the Unbound service
    -> Not solved by patch 35478a8.

Sorry for the confusion. Should I open a new issue for the second problem?

@fichtner
Member

fichtner commented Dec 3, 2018

@JasMan78 it's ok, now I understand. I thought we were moving sideways, sorry!

What did you set for active_interface under Unbound general options?

@JasMan78
Author

JasMan78 commented Dec 3, 2018

@fichtner
Localhost
OpenVPN server: RAS SSL VPN (WAN, 192.168.15.1/24)
LAN_Mgmt (re1, 192.168.1.1/24)
LAN_User (hn1_vlan10, 192.168.10.1/24)
LAN_Guests (hn1_vlan100, 192.168.100.1/24)

@fichtner
Member

fichtner commented Dec 3, 2018

That's a bit unlucky having OpenVPN high up the list...

@fichtner
Member

fichtner commented Dec 3, 2018

Shouldn't the order be OpenVPN last?

@JasMan78
Author

JasMan78 commented Dec 4, 2018

Oh, I didn't know that the order is important. I wrote them down in random order.
This is the real order of the interfaces:

LAN_Guests (hn1_vlan100, 192.168.100.1/24)
LAN_Mgmt (re1, 192.168.1.1/24)
LAN_User (hn1_vlan10, 192.168.10.1/24)
Localhost
OpenVPN server: RAS SSL VPN (WAN, 192.168.15.1/24)

@fichtner
Member

fichtner commented Dec 28, 2018

@JasMan78 333dc0f should fix your issue, but I'm not sure it won't cause others to complain as well when we include it in 19.1. I'll keep this ticket open for your feedback on the patch. 19.1 is about 1 month away.

EDIT: Updated hash, fatal unicode whitespace included :(

@fichtner
Member

Sorry, it's 333dc0f actually

@JasMan78
Author

@fichtner I've installed the patch and it resolved the issue :-)
Now the DNS record contains the IP address of the management interface only.
I did a short test and as far as I can see everything is working fine. I will let you know if I find any new issue that could have to do with this patch.

@fichtner
Member

Thanks! I don't expect any related breakage. :)

@mubarizrahimi

For everyone who has a problem with the Unbound service on OPNsense:

1: vi /usr/local/etc/rc.syshook.d/start/50-dnsrestarter
2: copy the code below into vi and save it (ESC :wq! Enter)
#!/bin/sh
/usr/local/sbin/pluginctl dns restart
3: chmod 777 /usr/local/etc/rc.syshook.d/start/50-dnsrestarter

Now it should be working after reboot.
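As an added example, not code from this ticket, from OPNsense or from its maintainers: a conditional variant of the restart hook in the comment above. Instead of restarting DNS unconditionally at every boot, it compares the addresses Unbound has actually bound on port 53 (from `sockstat -4 -l`) with the addresses it is expected to serve, skips expected addresses that are not configured on any interface yet (restarting cannot fix those), and calls `/usr/local/sbin/pluginctl dns restart` only when a configured address is missing a listener. The hook path and the `pluginctl` call are the ones from the comment; the `WANT` address list is taken from the interface list earlier in this ticket, and the `SAMPLE_SOCKSTAT` text and all function names are constructed assumptions for an offline check. Because an rc.syshook script runs as root at boot, install it root-owned with mode 0755 rather than 0777, so that no other local account can change what root executes.

```shell
#!/bin/sh
# Added example (not OPNsense's own code). Intended location, from the
# comment above: /usr/local/etc/rc.syshook.d/start/50-dnsrestarter
# Install with: chown root:wheel <file>; chmod 0755 <file>
#
# Restart DNS only when Unbound is not listening on an address that is
# both expected and already configured, e.g. an OpenVPN server address
# that came up after Unbound started.

# Addresses Unbound is expected to serve: Localhost, LAN_Mgmt, LAN_User,
# LAN_Guests and the OpenVPN server address from this ticket (assumption:
# adjust to your own "active interfaces" list).
WANT="127.0.0.1 192.168.1.1 192.168.10.1 192.168.100.1 192.168.15.1"

# Unique IPv4 addresses Unbound has bound on port 53, read from
# `sockstat -4 -l` output on stdin (columns: USER COMMAND PID FD PROTO
# LOCAL FOREIGN). LC_ALL=C keeps the sort order locale independent.
listen_addrs() {
    awk '$2 == "unbound" && $6 ~ /:53$/ { sub(/:53$/, "", $6); print $6 }' \
        | LC_ALL=C sort -u
}

# IPv4 addresses currently configured on any interface, read from
# `ifconfig` output on stdin (lines like "inet A.B.C.D netmask ...").
iface_addrs() {
    awk '$1 == "inet" { print $2 }' | LC_ALL=C sort -u
}

# Print every address in list $1 that does not occur in list $2 (both
# whitespace separated). Exit 0 when nothing is missing, 1 otherwise.
missing_listeners() {
    rc=0
    for addr in $1; do
        if ! printf '%s\n' $2 | grep -qxF -- "$addr"; then
            printf '%s\n' "$addr"
            rc=1
        fi
    done
    return $rc
}

main() {
    # Give a late-starting OpenVPN server interface a moment to come up.
    sleep 5
    have=$(ifconfig | iface_addrs)
    bound=$(sockstat -4 -l | listen_addrs)

    # Only expect addresses that exist right now; an address that is not
    # configured yet cannot be fixed by restarting Unbound.
    ready=""
    for addr in $WANT; do
        if printf '%s\n' $have | grep -qxF -- "$addr"; then
            ready="$ready $addr"
        else
            logger -t dnsrestarter "skipping $addr: not configured on any interface"
        fi
    done

    if missing=$(missing_listeners "$ready" "$bound"); then
        logger -t dnsrestarter "unbound already listens on all expected addresses"
    else
        logger -t dnsrestarter "restarting dns; unbound not listening on: $(echo $missing)"
        /usr/local/sbin/pluginctl dns restart
    fi
}

# Constructed sample of `sockstat -4 -l` output: Unbound started before the
# OpenVPN server interface (192.168.15.1) existed, so it is not bound there.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  unbound    5712  3  udp4   127.0.0.1:53          *:*
unbound  unbound    5712  4  tcp4   127.0.0.1:53          *:*
unbound  unbound    5712  5  udp4   192.168.1.1:53        *:*
unbound  unbound    5712  6  udp4   192.168.10.1:53       *:*
unbound  unbound    5712  7  udp4   192.168.100.1:53      *:*
root     sshd       4310  4  tcp4   192.168.1.1:22        *:*'

# Run the real check only on an OPNsense host (pluginctl present). On any
# other machine the helpers can be exercised against SAMPLE_SOCKSTAT, e.g.:
#   printf '%s\n' "$SAMPLE_SOCKSTAT" | listen_addrs
if [ -x /usr/local/sbin/pluginctl ]; then
    main
fi
```

After a reboot, `grep dnsrestarter /var/log/system.log` (or the system log view in the GUI) shows whether a restart was needed and which address triggered it, which is also the evidence to bring back to a ticket like this one. The comment further down from AdSchellevis points at the underlying cause for most of these reports, binding Unbound to a non-static interface; this hook is a workaround for that boot-order gap, not a replacement for fixing the interface selection.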

@Rourke101

This is a common thing for me. Every time I update the firmware, the Unbound service is stopped, so after the update I have to log back in and press the "Play" button on the Dashboard. This has always happened to me, even when I recently updated to "OPNsense 22.7_4-amd64".

@AdSchellevis
Member

@Rourke101 just make sure not to bind in- or outbound interfaces manually; 9 out of 10 people having issues with Unbound not being able to start try to bind it manually to a non-static interface like OpenVPN (same as #6028 (comment)).
