Using DNS from VPN Provider (ExpressVPN)
-
Hello, I'm using policy-based routing with ExpressVPN and have mostly everything working with 2.5.2. When I go to https://www.expressvpn.com/dns-leak-test , it shows that my IP is using ExpressVPN's but my DNS is using what I've set up in System > General Setup -> DNS Server Settings (Quad 9).
I'd like to use ExpressVPN's DNS servers for all traffic that's policy routed through ExpressVPN. I've checked the "Pull DNS" checkbox in my OpenVPN client settings. All of the LAN clients are using DHCP to configure their DNS settings and they point to the pfSense box (192.168.1.1) - I'm using DNS Resolver (unbound) within pfSense, not the forwarder. I also have the "DNS Query Forwarding" checkbox checked in my DNS Resolver settings.
I thought about manually port forwarding all outbound DNS requests that go through ExpressVPN to ExpressVPN's DNS servers. However, the problem is their DNS servers change when the VPN client reconnects, sometimes drastically in terms of the network topology if you switch the location the client connects to.
How can I get my DNS Resolver to forward DNS requests to the dynamically provided ExpressVPN DNS server that is handed to the OpenVPN client via DHCP?
-
Services > DHCP Server.
I use static mappings and aliases to complete this.
Static mappings so I can add the DNS server down below on the page.
Alias to make NATting work under Firewall > NAT > Outgoing. Works perfect.
-
@bcruze Wouldn't you have to know the address of your VPN's DNS server to accomplish this? ExpressVPN's DNS server isn't static. I'd need to obtain it via DHCP through the OpenVPN client, then have my DNS Resolver forward DNS queries to use the ExpressVPN DNS server. For some reason I can't find a way to get this to work. I thought the "Pull DNS" checkbox would do that.
-
@mikeyno
I checked their site for DNS servers, which they don't list. Pretty sad. You can use the default gateway of the tunnel:
I think it’s diagnostics - command prompt - type ifconfig and your interface default gateway will be listed
But as you stated, if you reconnect it may change! I don't know why ExpressVPN doesn't post them. Maybe open a ticket and see what they say?
-
@bcruze I tried that before, and I definitely found the DNS server. However, it assumes the DNS server will remain the same. If I restart the OpenVPN client, I get a new IP, and a new DNS server. I thought the "Pull DNS" option within the OpenVPN client was supposed to allow one to accomplish what I'd like. It seems like this is a bug with the "Pull DNS" option.
-
Step 11
https://www.techhelpguides.com/2017/06/12/ultimate-pfsense-openvpn-guide/
Same issue though, unless you just want to use Quad9.
-
@bcruze said in Using DNS from VPN Provider (ExpressVPN):
https://www.techhelpguides.com/2017/06/12/ultimate-pfsense-openvpn-guide/
I tried that, and I am using Quad9. Granted, Quad9 is better than my ISP's DNS servers, but there doesn't seem to be any way to use ExpressVPN's DNS servers with traffic going through ExpressVPN. "Pull DNS" should do this, but it isn't. I think I should file a bug report.
-
I guess that is what this site is for, assuming you do not have support. At https://go.netgate.com/support/home
https://redmine.pfsense.org/
-
@bcruze Thanks for trying to help me out
-
@mikeyno
The only way I can think of to get the clients to use the ExpressVPN DNS is to use it generally for all requests, not only for the policy-routed clients. So you can set the DNS Resolver to direct DNS requests out through the VPN by selecting only the VPN interface at "Outgoing Network Interfaces".
However, if the VPN fails, there might be no DNS resolution possible at all. An even better solution might be to use the DNS Resolver in forwarder mode.
So you can create a gateway group, add the VPN gateway (tier 1) and the WAN gateway (tier 2) to it. Then configure your DNS servers in General Setup to use this gateway group.
This way requests should be routed to the VPN if it is available, otherwise to the WAN gateway.
-
@viragomann I do have my DNS Resolver in forwarding mode. However, isn't the "Pull DNS" option supposed to set the DNS Resolver's upstream DNS server to forward to the one provided by the VPN?
I've also created a bug report here: https://redmine.pfsense.org/issues/12552?next_issue_id=12551
-
@mikeyno said in Using DNS from VPN Provider (ExpressVPN):
However isn't the "Pull DNS" option supposed to set the DNS resolver's upstream DNS server to forward to that provided by the VPN?
Obviously not.
There is an option in the general settings, "DNS Server Override". However, as the hint text implies, this is only intended for WAN:
"Allow DNS server list to be overridden by DHCP/PPP on WAN
If this option is set, pfSense will use DNS servers assigned by a DHCP/PPP server on WAN for its own purposes (including the DNS Forwarder/DNS Resolver). However, they will not be assigned to DHCP clients."
-
@viragomann The help text implies that "Pull DNS" should cause pfSense to use DNS servers assigned by the OpenVPN server. I did try checking the "DNS Server Override" box, but all this does is force the DNS queries to go through my ISP's DNS (Comcast), rather than the DNS I configured in General Setup (Quad9).
-
@mikeyno said in Using DNS from VPN Provider (ExpressVPN):
The help text implies that "Pull DNS" should cause pfSense to use DNS servers assigned by the OpenVPN server.
Agree. So there might be something wrong.
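The thread never shows what the OpenVPN client actually receives when "Pull DNS" is checked, so here is an added example (not code from the thread, from pfSense, or from ExpressVPN) of how an operator could pick the pushed resolvers up themselves. OpenVPN hands every pushed `dhcp-option` to its `--up` script as environment variables named `foreign_option_1`, `foreign_option_2`, and so on (the same contract the common `update-resolv-conf` scripts rely on); this script parses them and renders an unbound `forward-zone` stanza for the tunnel's resolvers. The sample `foreign_option_*` values in the usage note are constructed, the resolver addresses are placeholders, and wiring the output into the running resolver (which include file unbound reads, the `script-security 2` and `up` directives the OpenVPN client needs, and the reload after each reconnect) is assumed and must be done per deployment.

```shell
#!/bin/sh
# Render an unbound forward-zone stanza from the DNS servers an OpenVPN
# server pushed with "dhcp-option DNS <ip>" (or "DNS6" for IPv6).
# Assumption: run as an OpenVPN --up script, where each pushed option is
# exported as foreign_option_1, foreign_option_2, ... (standard OpenVPN
# behaviour). Nothing here is pfSense's own code.

# Print every pushed DNS server address, one per line, in push order.
# Stops at the first unset foreign_option_N, which is where OpenVPN stops.
pushed_dns_servers() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*|"dhcp-option DNS6 "*)
                # Last whitespace-separated word is the address.
                printf '%s\n' "${opt##* }"
                ;;
            *)
                # DOMAIN, NTP, WINS etc. are not resolvers; ignore them.
                ;;
        esac
        i=$((i + 1))
    done
}

# Emit a forward-zone for "." pointing at the pushed resolvers.
# Returns 1 and prints nothing if the server pushed no DNS option, so the
# caller can leave the statically configured upstream (e.g. Quad9) alone
# instead of installing an empty forward-zone that would break resolution.
unbound_forward_zone() {
    servers=$(pushed_dns_servers)
    [ -n "$servers" ] || return 1
    printf 'forward-zone:\n    name: "."\n'
    printf '%s\n' "$servers" | while IFS= read -r s; do
        printf '    forward-addr: %s\n' "$s"
    done
}

# Typical use from the --up script (paths are assumptions, adjust to taste):
#   unbound_forward_zone > /var/unbound/vpn-forward.conf \
#       && unbound-control reload
```

A few caveats a practitioner would want: the pushed addresses are only reachable while the tunnel is up, so the `--down` script should remove the fragment and reload, or the resolver is left forwarding into a dead route; and because the stanza is regenerated on every `up` event, a location change on reconnect (the thread's complaint) is handled without a static port-forward rule.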