NETGATE 2100 OPENVPN DNS QUESTION
-
Hey guys, I'm sure this is a stupid question. I'm self-taught here so don't beat me up too much. I set up an OpenVPN to connect to my small business from my laptop and so forth. All that works: I can connect and ping what devices I need to. The issue I'm having is I can ping by IP address but not by name. Maybe once or twice it actually pinged by name. I'm assuming I'm having a DNS issue. The OpenVPN tunnel address is 10.0.30.0/24, my inside office LAN is 192.168.1.0/24, my Netgate is 192.168.1.1. I've read for hours and tried all kinds of things from others with the same issue, with no difference. Can anyone offer any suggestions or help?? Thanks in advance
-
@turbogn87
Basically the client might reside in another domain and so you would have to attach the domain to the hostname (FQDN). But you can try to provide a DNS domain to the client by checking "DNS Default Domain" and entering the domain in the OpenVPN server settings.
Also you have to provide the local DNS server to the clients, of course, and allow the access to it.
-
This is my VPN tunnel network :
My DNS VPN settings :
I accept all traffic coming from my remote OpenVPN client :
The resolver listens on all interfaces, and this includes the OpenVPN interface :
Let's check :
[24.11-RELEASE][root@pfSense.bhf.tld]/root: sockstat | grep 'unbound'
unbound  unbound  69172 3  udp6  *:53  *:*
unbound  unbound  69172 4  tcp6  *:53  *:*
unbound  unbound  69172 5  udp4  *:53  *:*
unbound  unbound  69172 6  tcp4  *:53  *:*
.......
So, it's listening on all interfaces using TCP and UDP, on port 53.
I connected my OpenVPN client and checked the OpenVPN client log, where I can see :
...
[Dec 03, 2024, 09:34:11] NIP: adding DNS 192.168.3.1
...
so the connection uses 192.168.3.1 as its DNS. I use an app on my OpenVPN client device (a phone) to 'test' the DNS access :
I told the app to use "192.168.3.1" as the DNS (normally, it would use 192.168.3.1 anyway) : and I got an answer.
Was it from pfSense, the resolver ? Let's check : as I use pfBlockerNG, I have access to the logged DNS requests the resolver receives :
Here is my OpenVPN client device, 192.168.3.2, asking for www.google.com :
-
@Gertjan Thank you for all the suggestions, most of those I have tried and yeah, didn't change anything. I'm not sure what's up or what I'm doing wrong lol. I noticed when I did an nslookup on my laptop when I was connected, google.com goes back to 10.0.30.1 which is my Netgate, so DNS seems to be somewhat working if I'm understanding it correctly
-
@turbogn87 said in NETGATE 2100 OPENVPN DNS QUESTION:
when I did a nslookup on my laptop when i was connected google.com goes back to 10.0.30.1 which is my netgate so DNS seems to be somewhat working if I'm understanding it correctly
Exact.
When you connect your laptop the next time, fire up a dos 'cmd' box.
Type ipconfig /all
Serveurs DNS. . . . . . . . . . . . . : 2a01:cb24:907:a7ec:92ec:77ff:fe29:392c
                                        192.168.3.1
                                        2a01:cb24:907:a7ec:92ec:77ff:fe29:392c
Btw : "2a01:cb24:907:a7ec:92ec:77ff:fe29:392c" is the IPv6 of my VPN, I use a dual stack.
You'll see your actual connection, and what its DNS is.
If it says "10.0.30.1" then you know your system (laptop) will forward to that IP for all DNS questions. Beware : this doesn't mean that all your applications (like web browsers) use that IP for DNS.
Most browsers will use their own "8.8.8.8" (or DoH tricks) and others because they want your DNS requests for "commercial reasons"
-
@Gertjan Yeaaaa, on my IPCONFIG /all under my VPN connection my DNS server is 10.0.30.1, but for some reason I can't ping my host names in my network. Example: my server name is MDSERVER. I can not ping by name, but the IP address will ping and get a reply, or under File Explorer it will show the shares under the IP but not the name EHHHHHH. Not sure what I'm doing wrong. I'm sure I'm missing something
-
Ok, DNS is set to 10.0.30.1, that's the first IP in your VPN tunnel network.
Check that unbound (see above) is actually listening on the OpenVPN interface.
@turbogn87 said in NETGATE 2100 OPENVPN DNS QUESTION:
but for some reason I cant ping my host names in my network. Example my server name is MDSERVER I can not ping by name but the IP address will ping
'ping' will work out of the box, if you give it an IP.
If you give ping a 'hostname' like www.google.com then it will resolve that host name first.
Typically, it should use the system DNS = your 10.0.30.1. Test :
On my phone, I execute a DNS test for www.google.fr. On my pfSense, I packet captured (under Diagnostics) (using port 53, interface VPN, protocol UDP, and full details).
This is what has been captured : the DNS request for www.googe.fr., so I know it went through the tunnel and arrived at the VPN server interface :
18:15:49.562031 AF IPv4 (2), length 62: (tos 0x0, ttl 64, id 50079, offset 0, flags [none], proto UDP (17), length 58)
    192.168.3.2.55681 > 192.168.3.1.53: [udp sum ok] 35350+ A? www.googe.fr. (30)
18:15:49.804182 AF IPv4 (2), length 92: (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 88)
    192.168.3.1.53 > 192.168.3.2.55681: [udp sum ok] 35350 q: A? www.googe.fr. 2/0/0 www.googe.fr. CNAME googe.fr., googe.fr. A 81.169.254.196 (60)
-
@Gertjan Ok, where do I go to find the unbound?? I'm not sure where to find that in pfSense? Again, thank you for your time!!
-
@turbogn87 said in NETGATE 2100 OPENVPN DNS QUESTION:
Ok, where do I go to find the unbound?? I not sure where to find that in pfsense?
unbound is also known as what pfSense calls the Resolver (as it is a DNS resolver) :
Here you can see it running :
It's just one of the many processes running on your pfSense.
This is the process that 'listens' (as shown in my previous post) on all interfaces (did you check that ?) on DNS port '53'.
It should also listen on your VPN tunnel IP, typically 10.0.30.1.
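To separate the two failure modes discussed in this thread (the resolver not answering on the tunnel IP at all, versus answering but returning NXDOMAIN for a bare short name like MDSERVER that needs the LAN's DNS domain appended), here is an added client-side probe that is not part of the thread and not Netgate/pfSense code. It builds a raw DNS A query, sends it straight to the VPN-pushed resolver 10.0.30.1 (from the thread), and decodes the reply; LAN_DOMAIN is an assumed placeholder for the domain set under "DNS Default Domain".

```python
import socket, struct

VPN_DNS = "10.0.30.1"       # resolver pushed to the OpenVPN client in the thread
LAN_DOMAIN = "office.lan"   # assumed placeholder: your LAN's DNS default domain

def build_query(name, qid=0x1234):
    """RFC 1035 wire-format A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def _skip_name(buf, off):
    """Return the offset just past a name, whether compressed (pointer) or not."""
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        if ln == 0:
            return off + 1
        off += 1 + ln

def parse_response(buf):
    """Return (rcode, [IPv4 strings]) from a raw DNS response; rcode 3 = NXDOMAIN."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qdcount):             # skip the echoed question section
        off = _skip_name(buf, off) + 4   # name + QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:    # A record
            addrs.append(socket.inet_ntoa(buf[off:off + 4]))
        off += rdlen
    return flags & 0x0F, addrs

def resolve(name, server=VPN_DNS, timeout=3):
    """One UDP/53 query; None means no reply (unbound not listening or firewall)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            return parse_response(s.recvfrom(512)[0])
        except socket.timeout:
            return None

if __name__ == "__main__":
    for host in ("MDSERVER", "MDSERVER." + LAN_DOMAIN):
        print(host, "->", resolve(host))
```

Run it on the laptop while the tunnel is up: a None for both names points at the listener/firewall side Gertjan describes, while rcode 3 for the short name and rcode 0 with an address for the FQDN confirms the missing default domain from the first reply.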