No local DNS
-
I set up OpenVPN on 2.6 CE according to https://www.comparitech.com/blog/vpn-privacy/openvpn-server-pfsense/ .
The problem I have is no local DNS resolution works on my client.
This seems to be a relatively common issue, per for example this lengthy thread: https://forum.netgate.com/topic/143173/openvpn-works-but-no-local-dns . I couldn't figure out what I'm doing wrong. I'm a newbie with pfSense (about 1 month), so please be gentle. I'm sure I'm missing something in the configuration somehow.
As you can see in the screenshots, I'm specifying a DNS server in the Advanced client settings.
I have tried the IP of the OpenVPN interface, or the LAN interface, and using both of these results in no DNS resolution at all on my client. If I don't set a DNS server, I can resolve Internet DNS names (subject of this thread) but not local ones.
My client is OpenVPN Connect on Android (Galaxy S22 Ultra). My client can ping the IP of the LAN and OpenVPN interfaces respectively, 192.168.100.1 and 192.168.101.1.
One user in the discussion mentioned the guide had a firewall rule that allowed only TCP, but this is not the case for me; my outgoing rule allows "any" protocol.
I'm really stumped by this and would appreciate help from the experts.
-
Your very first image, very first line already shows an issue.
Compare :
with what you saw here :
@madbrain said in No local DNS:
https://www.comparitech.com/blog/vpn-privacy/openvpn-server-pfsense/
True, you could type anything here :
but, if you're not sure : use home.arpa.
@madbrain said in No local DNS:
I'm specifying a DNS server in the Advanced client settings
192.168.101.1 => ok - just to be sure, go to Services > DNS Resolver > General Settings and make sure that unbound actually listens to "all" interfaces :
Did you notice that there is no interface called "OpenVPN", but I have an interface called "OPENVPN".
Mainly because I used the official Netgate OpenVPN video (Youtube, the Netgate channel).
There are several OpenVPN server videos. I advise you to watch them all, even the older ones.
What I did : Interfaces > Interface Assignments and assigned the 'ovpncx' to a 'real' interface.
From now on, you can leave the OpenVPN firewall page empty (no rules).
I've added these on the OPENVPN rule page (like you) : and now unbound/resolver can 'bind' to the interface 'OPENVPN' when it starts so it can actually listen for incoming requests.
Let's check :
My OpenVPN tunnel network is :
so :
[23.01-RELEASE][admin@pfSense.whatever.tld]/root: dig @192.168.3.1 google.com AAAA +short
2a00:1450:4007:818::200e
so my unbound listens on 192.168.3.1 port 53
-
@Gertjan ,
Thanks for your response.
-
re: the "localdomain", is it actually a problem, if you can actually type anything in the domain name field ? I know home.arpa was the default and I changed it. I can resolve *.localdomain hostnames on my LAN clients just fine. Only the VPN client cannot.
-
Yes, it's listening on "all" interfaces, but I have far fewer than you, in particular, no Openvpn interface is listed as you mentioned.
-
I just added the OpenVPN interface, but it doesn't seem I can assign it to a "real" interface (did you mean "physical" ?).
-
dig @192.168.100.1 worked for me, but not dig @192.168.101.1. My LAN subnet is 192.168.100.0/24. The VPN subnet is 192.168.101.0/24.
-
re: videos, I generally much prefer to read a step-by-step guide vs. watching a video. Is a video the only option ? Is there one in particular that is current for 2.6 you would recommend ?
-
-
I started my VPN setup over with the following video :
https://www.youtube.com/watch?v=jQHqPq7ftz4
I still can't get local DNS to work following those steps exactly.
I must be missing something, but no idea what it could be. Should it be required to edit the DNS settings under "advanced client settings" for local DNS to work ?
By default, the video and tutorials I have found always leave those fields blank.
-
@madbrain said in No local DNS:
in particular, no Openvpn interface is listed as you mentioned.
So unbound can listen to 192.168.3.0/24.
My OPENVPN is not a physical interface.
I assigned it by choosing the "ovpns1" interface; you can find it, it's listed.
This 'virtual' interface is the one created by your OpenVPN server process.
Just choose a name, assign ovpns1 and done, no IP or network to enter.
When done, it will be listed among the unbound "Network interfaces" : you will have to include it, or use All, and restart unbound.
Then retest dig @192.168.100.1 google.com again.
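As an added example (not code from this thread, from Netgate or from the pfSense project), the check described above can be scripted so that a client on the tunnel can tell apart the two failure modes this thread circles around: the resolver not answering on the tunnel address at all (unbound not bound to that interface, or port 53 blocked by the OpenVPN rules) versus the resolver answering for Internet names but not for local ones (domain or host records). The resolver address 192.168.101.1 and the public name google.com follow the thread's own values; the local record pfsense.home.arpa is a hypothetical name and should be replaced with a host that exists in your own domain.

```shell
#!/bin/sh
# Added example, not code from this thread or from Netgate/pfSense.
# Run on the VPN client (or any host that can reach the tunnel address) to
# separate "resolver not reachable/listening" from "resolver answers but does
# not know local names".
#
# Assumed values (constructed to match the thread's addressing; override via
# environment variables or edit them for your own setup):
RESOLVER="${RESOLVER:-192.168.101.1}"          # tunnel-side IP unbound should listen on
INTERNET_NAME="${INTERNET_NAME:-google.com}"   # a public name, as used in the thread
LOCAL_NAME="${LOCAL_NAME:-pfsense.home.arpa}"  # hypothetical host record in the local domain

# classify_answer <dig +short output>
# Prints: unreachable (no reply from the resolver), empty (reply but no
# records), or answer (at least one record returned).
classify_answer() {
    case "$1" in
        *"no servers could be reached"*|*"connection timed out"*) echo unreachable ;;
        "") echo empty ;;
        *) echo answer ;;
    esac
}

# query <resolver-ip> <name>: one A lookup with a short timeout, classified.
# dig exits non-zero on timeout, so the failure is swallowed and classified.
query() {
    out=$(dig @"$1" "$2" A +short +time=2 +tries=1 2>&1) || true
    classify_answer "$out"
}

# diagnose <internet-result> <local-result>: map the result pair to a next step.
diagnose() {
    case "$1/$2" in
        unreachable/*) echo "resolver $RESOLVER not answering: check that unbound listens on this interface/IP and that the OpenVPN firewall rules allow port 53" ;;
        answer/empty)  echo "resolver works for Internet names but not local ones: check the pushed DNS domain and the host/DHCP records in the resolver" ;;
        answer/answer) echo "local DNS over the tunnel is working" ;;
        *)             echo "unexpected result pair $1/$2: inspect full dig output without +short" ;;
    esac
}

main() {
    internet=$(query "$RESOLVER" "$INTERNET_NAME")
    local_=$(query "$RESOLVER" "$LOCAL_NAME")
    echo "internet name ($INTERNET_NAME): $internet"
    echo "local name    ($LOCAL_NAME): $local_"
    diagnose "$internet" "$local_"
}

# Only run the live queries when invoked as: sh check_vpn_dns.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it from the client side of the tunnel with `sh check_vpn_dns.sh run`; an "unreachable" result for the Internet name points at the interface/listen and firewall side that the posts above deal with, while "answer/empty" means the resolver is fine and only the local domain or records need attention.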
-
@gertjan The DNS resolver is already listening on "all" ? How do I restart it, short of rebooting pfSense ?
-
@madbrain After creating the interface and rebooting pfSense, I still didn't have local DNS in my VPN client. Not only that, but my LAN clients could no longer reach Internet hosts. I had to delete the OpenVPN interface from the Interfaces menu, and then reboot again, and my access to the Internet got restored so that I could post here again to report. Seems like I'm running into a bug here.
-
@madbrain I have OpenVPN working, but today I tried to add IPv6 and I no longer have Internet access...
-
I just upgraded to pfSense+ (free version, this is for home use) and the local DNS started working.