
Unbound is not bound to OpenVPN interface #3342

Closed
JasMan78 opened this issue Mar 16, 2019 · 31 comments
Labels
bug Production bug

Comments

@JasMan78

Describe the bug
Unbound is not bound to the OpenVPN interface. Therefore OpenVPN clients are not able to resolve DNS names.

To Reproduce
Steps to reproduce the behavior:

  1. Set up at least one OpenVPN server
  2. Add IP of OpenVPN interface (10.0.11.1) as DNS resolver for VPN clients in the settings
  3. Set up Unbound to listen on OpenVPN interface
  4. Connect with client and try to resolve any internal or external DNS name

Expected behavior
VPN client should be able to resolve internal and external DNS names with Unbound.
Worked with OPNsense 18.7.1_3-amd64.

Relevant log files
/var/unbound/access_lists.conf

access-control: 127.0.0.1/8 allow
access-control: ::1/64 allow
access-control: 10.0.15.1/24 allow #Guest VLAN
access-control: fe80::feaa:14ff:fee2:bff1/64 allow
access-control: 10.0.1.1/24 allow #Managment VLAN
access-control: fe80::feaa:14ff:fee2:bff1/64 allow
access-control: 10.0.10.1/24 allow #Client VLAN
access-control: fe80::feaa:14ff:fee2:bff1/64 allow
access-control: 10.0.11.1/24 allow #OpenVPN
access-control: fe80::feaa:14ff:fee2:bff3/64 allow
#IPsec
access-control: 192.168.0.200/32 allow

/var/unbound/unbound.conf

##########################
# Unbound Configuration
##########################

##
# Server configuration
##
server:
chroot: /var/unbound
username: unbound
directory: /var/unbound
pidfile: /var/run/unbound.pid
root-hints: /root.hints
use-syslog: yes
port: 53
verbosity: 2
hide-identity: yes
hide-version: yes
harden-referral-path: no
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
do-daemonize: yes
module-config: "validator iterator"
cache-max-ttl: 86400
cache-min-ttl: 0
harden-dnssec-stripped: yes
serve-expired: no
outgoing-num-tcp: 10
incoming-num-tcp: 10
num-queries-per-thread: 512
outgoing-range: 1024
infra-host-ttl: 900
infra-cache-numhosts: 10000
unwanted-reply-threshold: 0
jostle-timeout: 200
msg-cache-size: 4m
rrset-cache-size: 8m
num-threads: 4
msg-cache-slabs: 8
rrset-cache-slabs: 8
infra-cache-slabs: 8
key-cache-slabs: 8

auto-trust-anchor-file: /var/unbound/root.key
prefetch: no
prefetch-key: yes

# Interface IP(s) to bind to
interface: 10.0.15.1
interface: fe80::feaa:14ff:fee2:bff1%re1_vlan15
interface: 10.0.1.1
interface: fe80::feaa:14ff:fee2:bff1%re1
interface: 10.0.10.1
interface: fe80::feaa:14ff:fee2:bff1%hn1_vlan10
interface: 127.0.0.1
interface: ::1
interface: fe80::1%lo0

# Outgoing interfaces to be used
outgoing-interface: 10.0.224.2


# DNS Rebinding
# For DNS Rebinding prevention
#
# All these addresses are either private or should not be routable in the global IPv4 or IPv6 internet.
#
# IPv4 Addresses
#
private-address: 0.0.0.0/8       # Broadcast address
private-address: 10.0.0.0/8
private-address: 100.64.0.0/10
private-address: 127.0.0.0/8     # Loopback Localhost
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 192.0.0.0/24    # IANA IPv4 special purpose net
private-address: 192.0.2.0/24    # Documentation network TEST-NET
private-address: 192.168.0.0/16
private-address: 198.18.0.0/15   # Used for testing inter-network communications
private-address: 198.51.100.0/24 # Documentation network TEST-NET-2
private-address: 203.0.113.0/24  # Documentation network TEST-NET-3
private-address: 233.252.0.0/24  # Documentation network MCAST-TEST-NET
#
# IPv6 Addresses
#
private-address: ::1/128         # Loopback Localhost
private-address: 2001:db8::/32   # Documentation network IPv6
private-address: fc00::/8        # Unique local address (ULA) part of "fc00::/7", not defined yet
private-address: fd00::/8        # Unique local address (ULA) part of "fc00::/7", "/48" prefix group
private-address: fe80::/10       # Link-local address (LLA)
# Set private domains in case authoritative name server returns a Private IP address
private-domain: "rncdn7.com"
domain-insecure: "rncdn7.com"


# Access lists
include: /var/unbound/access_lists.conf

# Static host entries
include: /var/unbound/host_entries.conf

# DHCP leases (if configured)
include: /var/unbound/dhcpleases.conf

# Domain overrides
include: /var/unbound/domainoverrides.conf



# Forwarding
forward-zone:
    name: "."
        forward-addr: 9.9.9.9
        forward-addr: 149.112.112.112


remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 953
    server-key-file: /var/unbound/unbound_server.key
    server-cert-file: /var/unbound/unbound_server.pem
    control-key-file: /var/unbound/unbound_control.key
    control-cert-file: /var/unbound/unbound_control.pem

Additional context
As you can see, access_lists.conf contains the VPN interface 10.0.11.0/24, but unbound.conf does not list it under the bound interfaces. The socket list shows the same (no socket for 10.0.11.1:53).
I've added a second VPN server to verify that it's not a problem with my main OpenVPN server.
I've also reproduced the issue in a VM with OPNsense 19.1.4.

Environment
OPNsense 19.1.4-amd64
Intel(R) Celeron(R) CPU J1900 @ 1.99GHz (4 cores)
OnBoard Realtek
2 x Realtek GbE OnBoard LAN chips (10/100/1000 Mbit)
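The mismatch described in this report (an allowed subnet in access_lists.conf with no matching `interface:` binding in unbound.conf) can be checked mechanically rather than by eye. This is an added example, not code from OPNsense or from the reporter; it assumes the two files have the layout posted above and runs over a constructed excerpt of them.

```python
import ipaddress
import re

# Constructed excerpt modelled on the files posted in the report (not the full dumps).
ACCESS_LISTS = """\
access-control: 127.0.0.1/8 allow
access-control: 10.0.10.1/24 allow #Client VLAN
access-control: fe80::feaa:14ff:fee2:bff1/64 allow
access-control: 10.0.11.1/24 allow #OpenVPN
#IPsec
access-control: 192.168.0.200/32 allow
"""

UNBOUND_CONF = """\
server:
interface: 10.0.10.1
interface: fe80::feaa:14ff:fee2:bff1%hn1_vlan10
interface: 127.0.0.1
outgoing-interface: 10.0.224.2
"""


def parse_acls(text):
    """Return [(network, action)] from access-control lines. The generated ACL
    entries carry a host address plus prefix (10.0.11.1/24), so the host bits
    are masked off to obtain the network (10.0.11.0/24)."""
    acls = []
    for line in text.splitlines():
        m = re.match(r"access-control:\s*(\S+)\s+(\S+)", line.split("#", 1)[0].strip())
        if m:
            acls.append((ipaddress.ip_network(m.group(1), strict=False), m.group(2)))
    return acls


def parse_interfaces(text):
    """Return the listening addresses from interface: lines (anchored at line start,
    so outgoing-interface: and control-interface: are ignored); the %zone suffix
    on link-local addresses is dropped."""
    addrs = []
    for line in text.splitlines():
        m = re.match(r"interface:\s*(\S+)", line.split("#", 1)[0].strip())
        if m:
            addrs.append(ipaddress.ip_address(m.group(1).split("%", 1)[0]))
    return addrs


def unbound_acls_without_listener(acl_text, conf_text):
    """Allowed ACL networks in which Unbound has no listening address: clients
    there pass the ACL but never reach a socket, which is the symptom in this issue."""
    bound = parse_interfaces(conf_text)
    return [str(net) for net, action in parse_acls(acl_text)
            if action == "allow" and not any(addr in net for addr in bound)]


if __name__ == "__main__":
    for net in unbound_acls_without_listener(ACCESS_LISTS, UNBOUND_CONF):
        print("ACL allows %s but no interface: line binds an address in it" % net)
```

On the reporter's configuration this flags the OpenVPN subnet and the IPsec /32; on a fixed system the list is empty.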

@fichtner
Member

And "Network Interfaces" under Unbound has your OpenVPN selected?

@JasMan78
Author

Yes. The VPN interface is selected.

@fichtner fichtner self-assigned this Mar 16, 2019
@fichtner fichtner added the bug Production bug label Mar 16, 2019
@fichtner fichtner added this to the 19.7 milestone Mar 16, 2019
@fichtner
Member

Try a74ae3a:

# opnsense-patch a74ae3a
# pluginctl dns

@JasMan78
Author

Works! 👍
Thank you very much!

@fichtner
Member

Small oversight in the explicit network interface listening. Thanks for reporting. Should be in 19.1.5 I think.

did you also notice the ACL subnet for OpenVPN servers is now correct automatically? ;)

@JasMan78
Author

Yes, I have seen it and I rejoiced :-)

fichtner added a commit that referenced this issue Mar 16, 2019: (cherry picked from commit a74ae3a)
fichtner added a commit that referenced this issue Mar 16, 2019: (cherry picked from commit 429efaf)
@fichtner
Member

Okay, it's queued up for 19.1.5 although that will be 1-2 weeks from now.

@fichtner
Member

You applied the patch and removed it with the second invoke ;)

@Taomyn

Taomyn commented Mar 21, 2019

That's what I thought and why I removed my message, but I just did it again, just the once this time, and it still isn't working.

Enter an option: 8

root@bart:~ # opnsense-patch a74ae3a
Found local copy of a74ae3a, skipping fetch.
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|From a74ae3ab4fbb28091e252f2cfd1c54281a881d1e Mon Sep 17 00:00:00 2001
|From: Franco Fichtner <franco@opnsense.org>
|Date: Sat, 16 Mar 2019 14:30:53 +0100
|Subject: [PATCH] interfaces: take all unknown arguments as real interfaces;
| closes #3342
|
|---
| src/etc/inc/interfaces.inc | 7 +++----
| 1 file changed, 3 insertions(+), 4 deletions(-)
|
|diff --git a/src/etc/inc/interfaces.inc b/src/etc/inc/interfaces.inc
|index 5184e51c52..0f12daff04 100644
|--- a/src/etc/inc/interfaces.inc
|+++ b/src/etc/inc/interfaces.inc
--------------------------
Patching file etc/inc/interfaces.inc using Plan A...
Hunk #1 succeeded at 4580 (offset 10 lines).
Hunk #2 succeeded at 4587 (offset 10 lines).
done
All patches have been applied successfully.  Have a nice day.
root@bart:~ # pluginctl dns
Starting Unbound DNS...done.
root@bart:~ #

@fichtner
Member

Need proof with ifconfig and /var/unbound/access_lists.conf output and make sure you don't have os-cache plugin active...

@fichtner
Member

You have your interfaces set to "all"?

@Taomyn

Taomyn commented Mar 21, 2019

Set to "all" where?

I don't have os-cache installed/active.

igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:30:
        hwaddr 00:30:
        inet6 fe80::230:18ff:fec5:8cd1%igb0 prefixlen 64 scopeid 0x1
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
        ether 00:30:
        hwaddr 00:30:
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::230:18ff:fec6:2554%em0 prefixlen 64 scopeid 0x2
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
        ether 00:30:
        hwaddr 00:30:
        inet 192.168.100.1 netmask 0xffffff00 broadcast 192.168.100.255
        inet6 fe80::230:18ff:fec6:2557%em1 prefixlen 64 scopeid 0x3
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
em2: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
        ether 00:30:
        hwaddr 00:30:
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: no carrier
em3: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
        ether 00:30:
        hwaddr 00:30:
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: no carrier
enc0: flags=0<> metric 0 mtu 1536
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: enc
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
pfsync0: flags=0<> metric 0 mtu 1500
        groups: pfsync
        syncpeer: 0.0.0.0 maxupd: 128 defer: off
pflog0: flags=100<PROMISC> metric 0 mtu 33160
        groups: pflog
ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::230:18ff:fec5:8cd1%ovpns1 prefixlen 64 scopeid 0xa
        inet 192.168.200.1 --> 192.168.200.2 netmask 0xffffffff
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: tun openvpn
        Opened by PID 79922
igb0_vlan35: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=600303<RXCSUM,TXCSUM,TSO4,TSO6,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:30:
        inet6 fe80::230:18ff:fec5:8cd1%igb0_vlan35 prefixlen 64 scopeid 0xb
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 35 vlanpcp: 0 parent interface: igb0
        groups: vlan
pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
        inet6 fe80::230:18ff:fec5:8cd1%pppoe0 prefixlen 64 scopeid 0xc
        inet6 fe80::230:18ff:fec6:2554%pppoe0 prefixlen 64 scopeid 0xc
        inet 195.n.n.n --> 195.n.n.n netmask 0xffffffff
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>


access-control: 127.0.0.1/8 allow
access-control: ::1/64 allow
access-control: 192.168.100.1/24 allow
access-control: fe80::230:18ff:fec6:2557/64 allow
access-control: 192.168.1.1/24 allow
access-control: fe80::230:18ff:fec6:2554/64 allow
access-control: 195.n.n.n/32 allow
access-control: fe80::230:18ff:fec5:8cd1/64 allow
access-control: fe80::230:18ff:fec6:2554/64 allow
#Star-One VPN
access-control: 192.168.200.1/24 allow

@fichtner
Member

Assumptions:

  • Network Interfaces is set to "All (recommended)"
  • OpenVPN server is not assigned as an interface

@fichtner
Member

Btw, this looks ok to me?

access-control: 192.168.200.1/24 allow

@Taomyn

Taomyn commented Mar 21, 2019

Yes, that's my manual entry to get it working when "All (recommended)" is set.

If I set the interfaces manually and choose them all I get:

root@bart:~ # cat /var/unbound/access_lists.conf
access-control: 127.0.0.1/8 allow
access-control: ::1/64 allow
access-control: 192.168.100.1/24 allow
access-control: fe80::230:18ff:fec6:2557/64 allow
access-control: 192.168.1.1/24 allow
access-control: fe80::230:18ff:fec6:2554/64 allow
access-control: 195.n.n.n/32 allow
access-control: fe80::230:18ff:fec5:8cd1/64 allow
access-control: fe80::230:18ff:fec6:2554/64 allow
access-control: 192.168.200.1/24 allow
access-control: fe80::230:18ff:fec5:8cd1/64 allow
#Star-One VPN
access-control: 192.168.200.1/24 allow
root@bart:~ #

@fichtner
Member

Okay, I know what to do... but not exactly how to approach it.

For reference, can you try to go to interfaces: assignments and assign your OpenVPN as a temporary interface? That should fix it too if the theory is correct.

@Taomyn

Taomyn commented Mar 21, 2019

I assigned it, it was named OPT2, I then set Unbound to "All" and it still didn't appear.

@fichtner
Member

There's a lot of fishy stuff in unbound_acls_subnets() but I can reproduce now, thanks.

@fichtner fichtner reopened this Mar 21, 2019
@Taomyn

Taomyn commented Mar 21, 2019

Cool, let me know if you need anything more or for me to test another patch.

@fichtner
Member

With #3355 out of the way I should be able to fix this tomorrow. But we can't release this too quickly (as in 19.1.5) as it changes a few other spots along the way.

@fichtner
Member

@Taomyn Works now, but please don't try to patch this, as there are a number of patches out there that are all required... When 19.1.5 is out, please ask for a clean patch on top of that.

@Taomyn

Taomyn commented Mar 22, 2019

Thanks @fichtner, won't do anything more until 19.1.5, but should I remove the previous patch or just leave it?

@fichtner
Member

Keep it, it doesn't matter in your case (no interfaces selected).

@JasMan78
Author

JasMan78 commented Mar 24, 2019

@fichtner: Since the patch I've had no IDS/IPS logs anymore. Could this have to do with it?

@fichtner
Member

@JasMan78 Rather unlikely, but revert + try doesn't hurt as an extra data point.

@JasMan78
Author

@fichtner Oh, sorry. I didn't think about this easy way to check if the patch is the problem.
It was not the patch. I'd switched all my LAN subnet addresses on the same day, and the IDS/IPS settings still had the old subnet under "Home networks".

@Taomyn

Taomyn commented Apr 5, 2019

@fichtner I'm on 19.1.15 now, and I assume, as my VPN subnet is still not showing, that I still need a patch to fix this?

@fichtner
Member

fichtner commented Apr 5, 2019

Yes, hold on, I'll prepare the proper backport in a minute and post it here.

@fichtner
Member

fichtner commented Apr 5, 2019

# opnsense-patch 0ed70eb

(herewith queued up for 19.1.6 inclusion)

@Taomyn

Taomyn commented Apr 5, 2019

Thanks, applied and tested working for me.

@fichtner
Member

fichtner commented Apr 5, 2019

👍
