I have a strange issue with my current setup. It is a Raspberry Pi 3 with Raspbian Stretch Lite, OpenVPN and Unbound installed. Unbound is used as DNS resolver with DNSSEC and DNS over TLS via Cloudflare. When I enter the IP of the RPi3 as DNS for my Windows PCs, this works totally fine.
However, if I connect my smartphone (S7, Note 9) via OpenVPN with the RPi and push a route to the RPi as DNS to these clients, this is not working. From the phones, I can ping the RPi with its local address 192.168.178.20 as well as with the VPN IP 10.8.0.1, and also vice versa, I can ping the phones from the RPi with their VPN IP 10.8.0.2. I can also access websites from my local LAN via direct IP, i.e. 192.168.178.1 for my Fritz!Box router. However, I have no DNS resolution. If I enter a URL like google.com in the smartphone browser, I can see an incoming request in Unbound on the RPi, and I can see that it is resolved, but the answer seems to never arrive at the smartphone, so the site cannot be opened.
Does anyone have an idea why everything is working fine over VPN, but not the DNS resolution? This is driving me crazy. Short remark: I'm not so deep into Linux; setting up my RPi and all the services took quite some time and required me to read through several tutorials, so maybe I ask dumb questions.

Server config looks like this:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
crl-verify crl.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 192.168.178.20"
client-to-client
keepalive 10 120
sndbuf 0
rcvbuf 0
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA512
auth-nocache
comp-lzo
max-clients 3
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3

Unbound config:
include: "/etc/unbound/unbound.conf.d/*.conf"
server:
    logfile: "/var/log/unbound.log"
    use-syslog: no
    verbosity: 1
    interface: 0.0.0.0
    port: 53
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 10.8.0.0/24 allow
    access-control: 192.168.178.0/24 allow
    root-hints: "/etc/unbound/root.hints"
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes
    cache-min-ttl: 3600
    cache-max-ttl: 86400
    prefetch: yes
    num-threads: 2
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8
    rrset-cache-size: 50m
    msg-cache-size: 25m
    so-rcvbuf: 1m
    private-address: 10.8.0.0/24
    private-address: 192.168.178.0/24
    unwanted-reply-threshold: 10000
    do-not-query-localhost: no
    val-clean-additional: yes
    private-domain: "my."
    local-zone: "home." static
remote-control:
    control-enable: no
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
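As an added diagnostic (not part of the original post or of Unbound/OpenVPN), a small Python probe that sends one DNS query to the resolver from a chosen source address, such as the RPi's tun address 10.8.0.1, and reports whether a reply arrives and which address it comes from; a reply from an address other than the one queried is the kind of mismatch a VPN client silently drops. Function names are my own; the resolver and VPN addresses are the ones from the post.

```python
import socket
import struct
import secrets

def build_query(name, qtype=1):
    """Build a minimal recursion-desired DNS query; returns (txid, packet)."""
    txid = secrets.randbits(16)                      # unpredictable transaction id
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return txid, header + qname + struct.pack(">HH", qtype, 1)  # class IN

def _read_name(pkt, off):
    """Decode a (possibly compressed) name at offset; returns (name, next offset)."""
    labels = []
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                        # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(pkt, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(pkt[off:off + ln].decode())
        off += ln

def parse_response(pkt, txid):
    """Return (rcode, [A-record IPs]); raise if the packet is not our response."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):                              # skip the echoed question
        _, off = _read_name(pkt, off)
        off += 4
    ips = []
    for _ in range(an):
        _, off = _read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return flags & 0x000F, ips

def probe(resolver="192.168.178.20", name="google.com", source=None, timeout=3.0):
    """Send one query (optionally bound to `source`, e.g. "10.8.0.1") and report."""
    txid, q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        if source:
            s.bind((source, 0))
        try:
            s.sendto(q, (resolver, 53))
            data, peer = s.recvfrom(512)
            return {"ok": True, "reply_from": peer[0], "answer": parse_response(data, txid)}
        except socket.timeout:
            return {"ok": False, "error": "no reply from %s within %.1fs" % (resolver, timeout)}
```

Run `probe(source="10.8.0.1")` on the RPi and `probe()` from a LAN host; if the LAN run answers and the tun-bound run times out, the fault is on the return path into the VPN subnet rather than in Unbound's resolution.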