DNS Behind VPN vs not
-
I'm having an issue with my DNS and i'm at my wits end
I have a OpenVPN setup through PIA which has it's own gateway and i have my normal WAN that has it's own gateway..
What happens is i have set certain ip's as aliases to always be behind the VPN and then the rest of my traffic is set to go through the normal WAN connection
When the VPN is active i have a good ip and DNS no leaks
but then when i'm on a non VPN IP i get my DHCP IP from my ISP but i keep getting the VPN's DNS
I'm sure i didn't describe this well as i'm fairly new to networking and pfSense So if i didn't describe something well or you need more information please let me know
-
Why would you think your dns would change?? where are you pointing your client for dns has little to do with how you route your traffic through pfsense be it out your wan or out a vpn tunnel.
What dns are you using in pfsense? Resolver/Forwarder? Either will cache traffic, if your using forwarder it will ask whatever ns you have setup to ask. If you have the resolver it will walk the roots down to the authoritative dns.
-
I don't understand why when it's specified that when you're under a certain gateway you use certain DNS Servers….
I currently have it set so that i have 10 reserved aliases that get access to the VPN which is what i want and when they're using the PIA gateway they are supposed to use 209.222.18.218, 209.222.18.222
when an ip isn't one of the reserved ips for the VPN i have traffic flowing through the WAN which is supposed to use it's gateway which is set to use 10.0.0.1 or 8.8.8.8
What ends up happening is under the VPN i have no leaks
When not under the VPN i have a DNS leak and it's still pulling from the VPN's DNS
When i shut the PIA interface off i got back to my ISP IP and DNS perfect no leaks
I'm trying to figure out why i can't be on and off the VPN with no leaks for both situations and when i'm not on the VPN why it wouldn't pull my normal dns from my ISP..
and like i said i'm pretty green and pretty new i'm trying to learn want to learn, i've spent a week now trying numerous different things and scouring forums videos and just overall making snapshots of pfSense and breaking it then reloading...I wouldn't be posting unless i really can't find a solution...So either there is a solution here and i'm not seeing it or i'm worrying about something that just doesn't matter if that's my answer then great.
-
"I don't understand why when it's specified that when you're under a certain gateway you use certain DNS Servers…."
Where does it say that???
What is your clients pointing to for dns?? What does pfsense point to for dns? There is no setting for dns on a gateway in pfsense.
Are you talking how you can set a gateway to get to a specific dns?? See attached
You do understand if you have the forwarder picked it will ask all the dns servers, and use the quickest response..
-
I am also relatively new to this and trying to figure out how to do exactly the same thing.
My setup is essentially the same: I have PIA OpenVPN set up, for use by a pool of IP addresses 192.168.1.10 - 192.168.1.40, and I would like the devices that have these IP addresses on my network to use PIA's DNS servers or OpenDNS DNS servers. I set up this pool of IP addresses in Services: DHCP server: Additional Pools, and specified several of OpenDNS DNS server addresses.
For the remainder of the IP address space on my LAN, I would like the devices to use my ISP DNS servers, which I have set under Services:DHCP server (main tab).DNS server on my client (the Mac that I am testing from) is set to the router's address.
Unfortunately, what I am finding is that the clients at all IP addresses are using the DNS server from the DNS tunnel (I guess this is pushed by PIA to me, but I am not sure where this is set).
Is there a way to accomplish what I am after?
(I would point out, FWIW, that when I had a similar setup with Tomato, it seemed to work fine, and the desired DNS servers were used according to the client IP address - not sure why I can't get it working with pfSense)
-
I am replying to my own message in case this lands up being an issue for anyone else. This problem appears to be solvable by implementing the suggestions in this post (https://forum.pfsense.org/index.php?topic=76015.msg474246#msg474246) to block unwanted access to DNS along with checking the box for route-nopull in the OpenVPN config settings.
When I do this, DNS seems to work as desired. Clients assigned to the VPN pool of IP addresses use the DNS servers that I would like them to use, and clients outside this pool of IP addresses use my ISP DNS servers.
-
The "Don't pull routes" option shouldn't (normally) have any impact on DNS queries.
Looking at that old post, another option would be to put all VPN clients behind a separate interface (ex: OPT1). That would give you some physical isolation between clients and would make managing the DNS assignments via the DHCP servers easy; the LAN side uses the LAN IP and the VPN client side uses Google / OpenDNS IPs. However, spreading clients across separate subnets on a home network is going to break things that normally "just work" (ex: AirPrint, media server auto-discovery, etc.).
The (new) DNS Resolver makes it easier to control the gateway being used for outgoing queries. It's simply a matter of choosing the correct interface in the DNS Resolver section of the GUI.
As of now, I would:
-
Pick an IP range for VPN clients.
-
Add a firewall (LAN) rule that blocks VPN clients from the LAN IP.
-
Add a firewall (LAN) rule that routes VPN clients over the VPN.
-
Configure Services – DNS Resolver -- Outgoing Network Interfaces to use the WAN.
-
Use static DHCP with DNS overrides to assign devices into the IP range for VPN clients.
I wouldn't bother with the port forward I showed in that old post. If you're already setting up a static DHCP assignment then adding a couple DNS overrides only takes a few seconds. If you forget, the rule to block VPN clients from the pfSense LAN IP should be enough to prevent DNS leaks.
-
-
This is very helpful. One wrinkle though is that I would like the VPN clients (i.e. those devices on my network with an IP address in the pool I have reserved for VPN use) to be able to access devices on the LAN, and vice versa. Does that change your recommendations at all?
-
Then you want to keep them all on the LAN interface. You can create a network alias for a small range of IPs. Make sure it doesn't overlap with your DHCP range. I use a network alias named vpnclients with a value of 192.168.0.128/27. Then you can use static DHCP to assign VPN clients IPs in the 192.168.0.129 - 192.168.0.158 range and use the alias to create rules that apply to all of them.
That assumes you're using a whole /24 for your LAN. Ex: 192.168.0.0/24.
-
What would the rule(s) be to force the "vpnclients" pool to use the desired (i.e. non-ISP) DNS server?
-
What would the rule(s) be to force the "vpnclients" pool to use the desired (i.e. non-ISP) DNS server?
I've been doing this in the static DHCP mappings for each client. When you add a static mapping there's a section where you can assign alternate DNS for that client. I'll try to attach a screenshot.
-
I am trying to set a general rule, because I have a pool of IP addresses on my LAN ("vpnclients" alias) that are sent through the PIA connection. While some of the addresses are static, not all are, and some devices may only join temporarily, which does not afford me the ability to set static DNS servers like you have.
-
Re-reading your #4 post, putting OpenDNS IPs in the DNS section for your vpnclients pool is the same thing as I'm doing. It's just for the whole pool rather than each device.
Did you switch to the DNS Resolver (Unbound) or are you still using the DNS Forwarder (dnsmasq)?
-
I am using DNS resolver.
Following your lead in the other thread, I added a Firewall: NAT: Port forward rule
IF:MAIN
Proto:TCP/UDP
Src addr: VPN_IPs (alias for pool of IP's on my LAN allowed to proceed through PIA gateway)
Src ports *
Dest addr: MAIN address (this is the name of my LAN)
Dest ports 53 (DNS)
NAT IP: OpenDNS (alias set for the OpenDNS DNS server IP addresses)
NAT ports: 53 (DNS)Under Firewall: Rules: OpenVPN, I have
Proto:IPV4
Source: VPN_IPs (alias for pool of IP's on my LAN allowed to proceed through PIA gateway)
Port: *
Destination: *
Port: *
Gateway: PIAVPN_VPNV4Under Firewall: Rules: Main (this is the name for my LAN), I have:
Proto:IPV4 TCP/UDP
Source: VPN_IPs (alias for pool of IP's on my LAN allowed to proceed through PIA gateway)
Port: *
Destination: OpenDNS (alias set for the OpenDNS DNS server IP addresses)
Port: 53 (DNS)
Gateway: PIAVPN_VPNV4When I try disabling these rules, the VPN_IPs pool of addresses lands up using my ISP DNS instead of the OpenDNS DNS servers (even though these are set as the DNS servers in the tab for that pool under DHCP server). When I re-enable the rules, any device with an address in the VPN_IPs pool uses the OpenDNS DNS servers (desired behavior).
Is there another way to accomplish this that does not rely on these rules?
-
Is that a typo or do you actually have your main rule on the OpenVPN interface? That should be on the LAN (or Main in your case). Are you certain you're actually routing vpnclients traffic via PIA?
I don't use that NAT rule anymore. It seemed to work, but assigning alternate DNS to vpnclients seemed easier, so I started doing that instead.
How are you creating your DHCP pools? How do you assign your vpnclients into one pool and everything else into the other (ie: which is the default pool where unknown clients end up)? Can you post screenshots of your DHCP config?
If you'd like I can make a mini-howto for the way I do things (using 2.2.6). Let me know if it would be useful and I might have time to look at it a bit later today.
-
@ryan29:
Is that a typo or do you actually have your main rule on the OpenVPN interface? That should be on the LAN (or Main in your case). Are you certain you're actually routing vpnclients traffic via PIA?
Which of the 3 rules are you referring to? VPNclients traffic does route via PIA (at least when I check the external IP address), but I definitely be concerned if I have made an error.
@ryan29:
How are you creating your DHCP pools? How do you assign your vpnclients into one pool and everything else into the other (ie: which is the default pool where unknown clients end up)? Can you post screenshots of your DHCP config?
If you'd like I can make a mini-howto for the way I do things (using 2.2.6). Let me know if it would be useful and I might have time to look at it a bit later today.
See attached screenshots. Do you see any issues with the way it is set up?
I don't want to put you out, but a step by step how-to would be really helpful for rookies like me!
-
I don't mind doing up a small howto. I'm documented a couple configs for myself anyway, so it's just a matter of reformatting it to post in the forum.
For your DHCP, what I was wondering is how you're assigning clients into the correct pool. For example, let's say you have two clients:
my-work-machine - should access the internet normally via the WAN my-home-machine - should access the internet via the VPN
How are you making sure my-home-machine is being assigned an IP address from your VPN IP addresses DHCP pool?
I also see you have 3 LANs set up (LAN, GUEST, MAIN). Is MAIN the only one you're trying to get working with the VPN?
-
All clients seem to get assigned into the MAIN pool by default (.120 - .189) unless I assign them a static ip address in the VPNclients pool (.20 - .40). I am not sure I specifically set this as an option anywhere, but I suspect it is a side effect of setting a subpool of addresses from the MAIN tab.
Yes, MAIN is the only LAN I am trying to get working with the VPN (it is in fact working right now, but only with the rules I outlined a few posts ago). The "LAN" LAN is not currently in use - I left it for admin access to the router - the only interface to it is via the physical LAN port on the device.
-
How are you assigning static IPs? It shouldn't be possible to use pfSense's static DHCP mappings to assign an IP within the DHCP range of an interface.
-
I am setting the static IP's in 1 of 2 ways (both seem to work):
1. I have set a list of static IPs at the bottom of the "MAIN" tab (it was cut off in my screenshot). I have set some static IPs in the VPNclients range (.20 - .40) here, and some addresses for specific devices on my LAN (MAIN) that need a static IP (I have used the .190-.199 range for this).
2. On client devices themselves, I am able to change network settings from "DHCP" to "DHCP with static address" and manually assign the device an IP address in the VPNclients range (.20 - .40). This seems to work also - when I check external IP address, I get a PIA address, and when I check for DNS server leaks, I see only the OpenDNS servers and not my ISP DNS servers.
Is there some other way I am supposed to be doing this?