I have an Arch Linux router PC that has 2 interfaces named wan and lan, and is running Strongswan in a remote access configuration. I was running Bind on the router for many years with this same configuration with no issues. I am trying to switch to Unbound. My problem is that the remote clients are unable to resolve queries to Unbound. If I stop Unbound and start Bind, they resolve with no problem. Everything else about the VPN is working perfectly, VPN clients can access both internal LAN machines and the internet. I can even SSH into the router from the VPN with no problem. The LAN IP subnet is 172.16.16.0/26 and the VPN subnet is 172.16.16.64/29. The router has a LAN IP of 172.16.16.1 (the IP that I am pushing as the VPN client's DNS address) and a dynamic DHCP-provided WAN IP.
Here is unbound.conf
server:
    verbosity: 4
    interface: 0.0.0.0
    interface: ::0
    port: 53
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    do-daemonize: no
    access-control: 0.0.0.0/0 allow
    access-control: ::0/0 allow
    trust-anchor-file: /etc/unbound/trusted-key.key
remote-control:
    control-enable: yes
forward-zone:
    name: "."
    forward-addr: 1.1.1.1
    forward-addr: 1.0.0.1
Here is nftables.conf:
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip daddr 192.168.220.0/22 accept
        ip daddr 192.168.192.0/23 accept
        ipsec out ip saddr 172.16.16.64/29 accept
        oifname "wan" masquerade
    }
}
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ip protocol icmp icmp type echo-request limit rate 2/second accept
        ip protocol icmp icmp type echo-request drop
        ct state established,related accept
        iifname "lan" accept
        iifname "lo" accept
        udp dport dhcpv6-client accept
        ip6 nexthdr ipv6-icmp accept
        ip protocol icmp accept
        ip protocol esp accept
        udp dport 500 accept
        udp dport 4500 accept
        ipsec in ip saddr 172.16.16.64/29 accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "lan" accept
        ip6 nexthdr ipv6-icmp accept
        ip saddr 192.168.220.0/22 accept
        udp dport 4500 accept
        udp dport 500 accept
        ipsec in ip saddr 172.16.16.64/29 accept
        ip protocol esp accept
    }
}
Here is swanctl.conf:
connections {
    RA {
        local_addrs = %any
        local {
            auth = pubkey
            certs = ECHO.crt
            id = %any
        }
        remote {
            auth = pubkey
            id = %any
        }
        children {
            net {
                local_ts = 0.0.0.0/0
                esp_proposals = aes256-sha256
            }
        }
        version = 2
        proposals = aes256-sha256-modp2048
        pools = pool
        send_cert = always
        reauth_time = 0
        rekey_time = 0
        dpd_delay = 60s
        dpd_timeout = 300s
    }
}
pools {
    pool {
        addrs = 172.16.16.64/29
        dns = 172.16.16.1
    }
}
Last edited by t_wrex (2021-05-20 04:33:17)
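Editor's note, not part of t_wrex's post and not confirmed in this thread: the configuration above contains the one difference between BIND and Unbound that usually explains exactly this symptom, so it is worth checking first. BIND binds a separate socket to each interface address and answers from the address a query arrived on. Unbound listening on the 0.0.0.0 wildcard instead hands the reply to the kernel, which chooses the source address by a route lookup toward the client. A VPN client lives in 172.16.16.64/29, which is outside the lan subnet 172.16.16.0/26, so that lookup does not yield 172.16.16.1; the reply leaves with whatever source the route to the pool carries (typically the wan address). The client asked 172.16.16.1 and discards an answer from any other address, so it looks as if Unbound never answers, while SSH and everything else keep working because those connections are initiated by the client and replies carry the established connection's addresses. The rewrite below is an added example (assumed fix, not the poster's final config): `interface-automatic: yes` makes Unbound reply from the destination address of each query using IP_PKTINFO, and the access list is narrowed to the subnets the post names, so the box is no longer an open resolver the moment udp/53 is ever allowed in on wan. Everything else is kept as posted.

```conf
# Added example based on the post's unbound.conf; the two changes are
# interface-automatic and the access-control list. Subnets are the ones
# given in the post (LAN 172.16.16.0/26, VPN pool 172.16.16.64/29).
server:
    verbosity: 4
    interface: 0.0.0.0
    interface: ::0
    # Reply from the address the query was sent to (IP_PKTINFO), so a VPN
    # client that queried 172.16.16.1 gets its answer from 172.16.16.1 rather
    # than from the source the kernel picks for the route to 172.16.16.64/29.
    interface-automatic: yes
    port: 53
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    do-daemonize: no
    # Only loopback, the LAN and the VPN pool may query. Unbound uses the
    # most specific matching netblock, so the two catch-all refuse lines
    # keep the daemon closed to the internet even if the firewall changes.
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 172.16.16.0/26 allow
    access-control: 172.16.16.64/29 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    trust-anchor-file: /etc/unbound/trusted-key.key
remote-control:
    control-enable: yes
forward-zone:
    name: "."
    forward-addr: 1.1.1.1
    forward-addr: 1.0.0.1
```

Two quick checks before and after the change: on the router, `ip route get 172.16.16.65` (any address from the pool) prints the source address the kernel would use for a locally generated packet to that client; if it is not 172.16.16.1, the wildcard socket is answering from the wrong address. On a connected VPN client, `dig @172.16.16.1 archlinux.org` will, in that case, print a line of the form `;; reply from unexpected source: <address>#53, expected 172.16.16.1#53` before timing out, which is dig discarding the mismatched reply. The alternative to `interface-automatic` is to drop the wildcard and list the addresses explicitly (`interface: 172.16.16.1` and `interface: 127.0.0.1`), which gives the same behaviour as BIND and is the better choice if you do not want Unbound to accept queries on the wan address at all.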
I switched back to bind. Everything works perfectly with no other changes.
Last edited by t_wrex (2021-05-20 04:33:29)