Idea: I would like to use unbound DNS installed on the same server as the VPN solution, to block ads and similar unwanted sites with DNS for all VPN connections.

Currently unbound is set up for local requests.

How can I set up Strongswan/ipsec to use unbound as DNS server? Do I need to open up unbound to the internet, or can I somehow query the DNS locally from the VPN connection through the server?

Thanks in advance!

PS: If you need any additional info about the setup, do not hesitate to ask.

  • Do you use split-tunneling? Or is all client traffic tunneled to the VPN server? What clients are you using?
    – ecdsa
    Commented Oct 1, 2018 at 9:37
  • All traffic is tunnelled via VPN servers when a client connects. Clients are iOS and macOS.
    – b4d
    Commented Oct 1, 2018 at 9:43

1 Answer

One way to do this is to assign an IP address to the server from the subnet that you use for the virtual IPs of your clients. Then you assign that IP address as DNS server to your clients and exclude the IP from the IP address pool. Optionally, filter access to that IP address via Netfilter's policy matching module (see iptables-extensions man page) so that it's only accessible via VPN.

For instance, if your IP address pool is 192.168.8.0/24 (e.g. configured in rightsourceip in ipsec.conf or a "pool" section in swanctl.conf), you assign 192.168.8.1 to your server (on any interface, e.g. lo) and then change the pool to 192.168.8.2/24 (so the first address assigned to a client will be 192.168.8.2). To assign 192.168.8.1 as DNS server, configure it in rightdns in ipsec.conf or the pool section in swanctl.conf.

While you could also use the server's public IP address, and only allow access to UDP port 53 via VPN using the mentioned policy matching, this won't work with Apple clients as they don't send packets to the server's public IP via VPN (so you'd have to make the DNS server publicly available, or dynamically add firewall rules that allow access to it from the client's public/natted IP address).

  • Thanks for the answer, seems logical, I will try it out and report the findings.
    – b4d
    Commented Oct 2, 2018 at 5:34
  • I have done this, but the client still uses the second DNS entry in rightdns. If I try to force the VPN one with "dig @192.168.8.1 something", it times out. I have assigned the IP to the loopback interface with: "ip addr add 192.168.8.1 dev lo". I believe the iptables rules are the problem; currently I accept all in the FORWARD chain between 192.168.8.0/24 and everything else. I tried to replace the IP with 192.168.8.2/24, but iptables won't take the change. Any ideas what else I can do?
    – b4d
    Commented Oct 2, 2018 at 5:59
  • The INPUT chain is relevant in this case (the destination address is local), not FORWARD.
    – ecdsa
    Commented Oct 2, 2018 at 7:08
  • Hmm, shouldn't this rule catch it? ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 /* Loopback */
    – b4d
    Commented Oct 2, 2018 at 7:30
  • Okay, it is working. Using LOG in iptables, I noticed that the packets get dropped. Adding a rule fixed it all: ACCEPT udp -- * * 192.168.8.2/24 192.168.8.1 udp dpt:53 /* DNS unbound over VPN */ Do not forget to add the interface to unbound.conf and allow it in access-control. Thanks ecdsa!
    – b4d
    Commented Oct 2, 2018 at 9:05

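The steps from ecdsa's answer and the follow-up comments wired up as a shell script. This is an added example, not code from the original answer; it assumes the answer's addresses (client pool 192.168.8.0/24, 192.168.8.1 placed on lo), a swanctl.conf pool named vpn-pool, and that setting DRY_RUN=1 prints each command instead of executing it.

```shell
#!/bin/sh
# Added example, not code from the original answer. Assumed values: client pool
# 192.168.8.0/24, DNS address 192.168.8.1 on lo, a swanctl.conf pool named
# "vpn-pool"; DRY_RUN=1 prints each command instead of executing it.
DNS_IP=192.168.8.1
POOL=192.168.8.2/24        # first address handed to a client is 192.168.8.2
CLIENT_NET=192.168.8.0/24

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# 1. Put the DNS address on the loopback interface (as b4d did in the comments).
assign_dns_ip() { run ip addr add "$DNS_IP/32" dev lo; }

# 2. swanctl.conf: pool starts at .2, clients receive .1 as their DNS server.
swanctl_pool() {
  cat <<EOF
pools {
    vpn-pool {
        addrs = $POOL
        dns = $DNS_IP
    }
}
EOF
}

# 3. unbound: listen on the VPN address and permit the client subnet.
unbound_conf() {
  cat <<EOF
server:
    interface: $DNS_IP
    access-control: $CLIENT_NET allow
EOF
}

# 4. INPUT chain (the destination is local, so not FORWARD): accept DNS to
#    the VPN address only if the packet came out of an IPsec SA; drop the rest
#    unless it is the host's own traffic on lo.
firewall_rules() {
  for proto in udp tcp; do
    run iptables -A INPUT -d "$DNS_IP" -p "$proto" --dport 53 \
      -m policy --dir in --pol ipsec --proto esp -j ACCEPT
  done
  run iptables -A INPUT -d "$DNS_IP" ! -i lo -j DROP
}
```

Run the four functions in order as root, redirecting swanctl_pool and unbound_conf into the swanctl and unbound config directories, then reload with swanctl --load-pools and unbound-control reload.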