
Idea: I would like to use unbound DNS installed on the same server as VPN solution, to block ads and similar unwanted sites with DNS for all VPN connections.

Currently unbound is set up for local requests.

How can I set up Strongswan/ipsec to use unbound as DNS server? Do I need to open up unbound to the internet, or can I somehow query the DNS locally from the VPN connection through the server?

Thanks in advance!

PS: If you need any additional info about the setup, do not hesitate to ask.

b4d

1 Answer


One way to do this is to assign an IP address to the server from the subnet that you use for the virtual IPs of your clients. Then you assign that IP address as DNS server to your clients and exclude the IP from the IP address pool. Optionally, filter access to that IP address via Netfilter's policy matching module (see iptables-extensions man page) so that it's only accessible via VPN.

For instance, if your IP address pool is 192.168.8.0/24 (e.g. configured in rightsourceip in ipsec.conf or a "pool" section in swanctl.conf), you assign 192.168.8.1 to your server (on any interface, e.g. lo) and then change the pool to 192.168.8.2/24 (so the first address assigned to a client will be 192.168.8.2). To assign 192.168.8.1 as DNS server, configure it in rightdns in ipsec.conf or the pool section in swanctl.conf.

While you could also use the server's public IP address, and only allow access to UDP port 53 via VPN using the mentioned policy matching, this won't work with Apple clients as they don't send packets to the server's public IP via VPN (so you'd have to make the DNS server publicly available, or dynamically add firewall rules that allow access to it from the client's public/natted IP address).

ecdsa
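A concrete configuration of the approach described in the answer above, added here as an example and not part of the original answer. It assumes strongSwan's swanctl.conf, unbound's unbound.conf and iptables; the file paths, the pool name "vpn-pool" and the connection name "rw" are assumptions, the addresses are the ones used in the answer.

```conf
# --- /etc/swanctl/conf.d/vpn.conf (strongSwan; path and names assumed) ---
pools {
    vpn-pool {
        # 192.168.8.1 is reserved for the server itself, so the pool
        # starts at .2 (the first address handed to a client)
        addrs = 192.168.8.2/24
        # handed to clients as their DNS server via IKEv2 config payloads
        dns = 192.168.8.1
    }
}

connections {
    rw {
        # local/remote/children stay as in your existing connection;
        # only the pool reference is added here
        pools = vpn-pool
    }
}

# --- /etc/unbound/unbound.conf.d/vpn.conf (drop-in path assumed) ---
# The address must exist before unbound starts, e.g.:
#   ip addr add 192.168.8.1/32 dev lo
server:
    interface: 127.0.0.1          # keep the existing local resolver
    interface: 192.168.8.1        # additionally listen on the VPN-side address
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.8.0/24 allow   # VPN client pool only
    access-control: 0.0.0.0/0 refuse       # everything else is refused

# --- Netfilter: only reach 192.168.8.1:53 through an IPsec SA ---
# (shell commands; iptables policy match from iptables-extensions)
#   iptables -A INPUT -d 192.168.8.1 -p udp --dport 53 \
#       -m policy --dir in --pol ipsec -j ACCEPT
#   iptables -A INPUT -d 192.168.8.1 -p tcp --dport 53 \
#       -m policy --dir in --pol ipsec -j ACCEPT
#   iptables -A INPUT -d 192.168.8.1 -p udp --dport 53 -j DROP
#   iptables -A INPUT -d 192.168.8.1 -p tcp --dport 53 -j DROP
```

After `swanctl --load-all` and an unbound restart, a client can confirm the setup by resolving a name against 192.168.8.1 while the tunnel is up; the same query from outside the tunnel should be dropped by the last two rules.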