Netgate Discussion Forum

    OpenVPN works but no local DNS

    • john_galt @johnpoz

      @johnpoz

      John,

      My name is Doug. It's in my messages. I give you the respect of using your name.

      I did fix the loopback.

      I really don't understand why you are taking this request for help and my stated lack of
      knowledge so personally. I have no idea that I'm doing DNS over TLS over my own VPN.
      All I wanted to do was VPN into my home network from my work location and be able
      to access assets by name.

      If you wish to help I will listen and respect you for it. If you wish to berate then please
      don't help.

      Doug

      • KOM

        Check your DHCP server to see what it's pushing to clients for DNS.

        • john_galt @KOM

          @KOM

          KOM,

          I will check when I get back to work Monday morning.

          It's working now though since I made that change. I don't know why
          and that bothers me. I will continue my research.

          Thank you for your help.

          Doug

          • johnpoz (LAYER 8 Global Moderator)

            If you do not understand what dns over tls is then why would you set it??

            dot.png

            Fixing your issue does not come from just randomly clicking shit..

            Come back when you have your client actually pointing to the IP for dns that is your pfsense box on your vpn connection which was pointed out to you back in the beginning of this thread.

            Do a simple query from your client using your fav dns tool, nslookup, dig, host, etc..

            Does it respond - yes or no?

            You show an answer in your packet capture to your query to 53 - what was that query, what was the answer... download that packet capture in wireshark.

            It's working now though since I made that change

            You changed from ALL to manually selecting "all". That is not a fix; that is not even different. So how would that "fix" anything?

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • john_galt @johnpoz

              @johnpoz

              John I setup pfsense to use Quad9 DNS over TLS earlier this year. I can't find the URL for the instructions I used but will keep looking. In those instructions I was instructed to enable that feature.

              I will come back when I can check over the VPN connection Monday.

              In my initial request for help I posted a screen grab of the packet capture which you said showed the query being answered. I did that query using nslookup and explicitly setting the server to my pfsense IPv4 address. I did not get a name back using this method.

              I will get wireshark and get that data but can't until Monday.

              Thank you for your help.

              Doug

              • Gertjan

                Hi,

                This is your tunnel :
                ad526486-5157-46c3-b7d3-84318a0fc19c-image.png
                so make the DNS 10.0.8.1 - change this :
                465e73e3-f8a3-4f26-a051-9e89fffe4d39-image.png

                also, check this :
                6fde7427-0438-4720-b3f1-5e36f10e614a-image.png

                This option seems very important to me. Read the comments.

                IMHO these extra options are not needed :
                fbd962b4-b89c-4235-b812-7082179eefe1-image.png

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                • john_galt @Gertjan

                  @Gertjan
                  @johnpoz
                  @KOM

                  I've made changes that you've pointed out that I should make which have yielded some success.
                  I have two client VPN profiles on the same client computer. One profile gives me local DNS queries and the other profile doesn't. I'm going to spend some time now reading up on what I'm doing rather
                  than, as @johnpoz put it "randomly clicking shit". Which was in fact what I was doing.

                  I have one question now though. If I make changes to the OpenVPN server and or on the OpenVPN Client Export page does that require exporting a new client config or are those changes pushed to the client on next connect?

                  I greatly appreciate your help and patience with me on this problem.

                  Doug

                  • johnpoz (LAYER 8 Global Moderator)

                    depends on what changes you made..

                    Here I am at work now... And using unbound on pfsense for my dns... So I can resolve stuff on my home network

                    Ethernet adapter Local Area Connection 2:
                    
                       Connection-specific DNS Suffix  . : local.lan
                       Description . . . . . . . . . . . : TAP-Windows Adapter V9
                       Physical Address. . . . . . . . . : 00-FF-1F-37-23-EC
                       DHCP Enabled. . . . . . . . . . . : Yes
                       Autoconfiguration Enabled . . . . : Yes
                       IPv4 Address. . . . . . . . . . . : 10.0.8.100(Preferred)
                       Subnet Mask . . . . . . . . . . . : 255.255.255.0
                       Lease Obtained. . . . . . . . . . : Tuesday, May 14, 2019 10:01:25 AM
                       Lease Expires . . . . . . . . . . : Wednesday, May 13, 2020 10:01:25 AM
                       Default Gateway . . . . . . . . . :
                       DHCP Server . . . . . . . . . . . : 10.0.8.254
                       DNS Servers . . . . . . . . . . . : 192.168.9.253
                                                           192.168.9.253
                       NetBIOS over Tcpip. . . . . . . . : Enabled
                    

                    You can see my vpn interface told to use pfsense lan IP for dns

                    If I ask for say a box on my local network..

                    C:\Windows\System32>nslookup nas.local.lan
                    Server:  sg4860.local.lan
                    Address:  192.168.9.253
                    
                    Name:    nas.local.lan
                    Address:  192.168.9.10
                    


                    • x2rl

                      I know it's an old post but I'm having the very same problem. When OpenVPN is on my phone it does not use the DNS I've set on pfSense. Also it just plain ignores pfBlocker-dev.

                      • Mr. Waste

                        @x2rl
                        Ipv4 Tunnel Network is set as: 10.0.1.0/24
                        Dns Server 1 is set as: 10.0.0.1

                        Change the dns server to 10.0.1.1

                        I am doing more complex vpns. Having 2 vpns together to get the most out of the filtering.
                        Home Pfsense (Connecting) to Cloud Remote Pfsense (Actual VPN) to DNS Server VPN (Actual VPN through the Cloud VPN)
                        Home = Cloud = DNS

                        Hope this helps.

                        • x2rl @Mr. Waste

                          @Mr-Waste did not work, pal. pfBlocker was not working when setting that DNS.

                            • Mr. Waste @x2rl

                              @x2rl

                              Go to Firewall/pfBlockerNG/IP
                              IP Interface/Rules Configuration:

                              Inbound Firewall Rules:
                              Wan

                              Outbound Firewall Rules:
                              Lan
                              OpenVpn Server interface

                              Make sure you have that interface highlighted. This might be the problem.
                              Make sure you have the dns resolver on as well. Local DNS Resolver to up stream DNS Server/ like cloud flare or google.

                              DNS.png

                              2.png

                              Make sure everything else is all GREEN / ON or it will not work. - (Resolver)
                              pfb_dnsbl is down; something isn't right. Like with the first picture. - (The interfaces)

                              Mr. Waste

                              • x2rl

                                My dns is set to 127.0.0.1 I have all the rules and everything is active.

                                • Gertjan

                                  Side note :
                                  @Mr-Waste :

                                  475df355-93f5-4a3d-8aae-aac5e4a06030-image.png

                                  ☺

                                  • x2rl @Gertjan

                                    @Gertjan pfSense does the resolving.

                                    • Jochim @x2rl

                                      @x2rl
                                      Try resetting everything to the way it was in your screenshot, then change the option "DNS Default Domain" to just "localdomain". Next add the tunnel network (10.0.1.0/24 in your case) to the DNS Resolver access list by going to Services > DNS Resolver > Access Lists and adding a new entry for the tunnel network.

                                      Hopefully that solves the issue.

                                      Jochim

                                      • x2rl @Jochim
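The checks suggested across this thread (DNS pushed to clients must be an address reachable through the tunnel or on the LAN, and the tunnel network must be allowed by the DNS Resolver access list) can be automated. The following script is an added example, not code from the thread or from pfSense; the server directives, LAN network and access list are constructed values modelled on the figures quoted above.

```python
import ipaddress
import re

# Constructed OpenVPN server directives modelled on the values in this thread:
# tunnel 10.0.1.0/24 with DNS 10.0.0.1 pushed (the misconfiguration x2rl described).
SERVER_CONF = """
server 10.0.1.0 255.255.255.0
push "dhcp-option DNS 10.0.0.1"
push "dhcp-option DOMAIN localdomain"
"""
LAN_NET = "192.168.9.0/24"          # assumed LAN on which pfSense/unbound listens
RESOLVER_ACL = ["192.168.9.0/24"]   # hypothetical Services > DNS Resolver > Access Lists entries


def parse_server_conf(text):
    """Extract the tunnel network and every pushed DNS server from server directives."""
    tunnel, dns = None, []
    for line in text.splitlines():
        m = re.match(r'^server\s+(\S+)\s+(\S+)', line)
        if m:
            tunnel = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        m = re.match(r'^push\s+"dhcp-option\s+DNS\s+(\S+)"', line)
        if m:
            dns.append(ipaddress.ip_address(m.group(1)))
    return tunnel, dns


def check_dns_push(conf, lan_net, acl):
    """Return findings that explain why VPN clients would not get local DNS."""
    tunnel, servers = parse_server_conf(conf)
    lan = ipaddress.ip_network(lan_net)
    acl_nets = [ipaddress.ip_network(a) for a in acl]
    findings = []
    if not servers:
        findings.append("no DNS server pushed; clients keep their own resolver")
    for s in servers:
        # The pushed resolver must be on the tunnel (e.g. 10.0.1.1) or on a LAN
        # the client can reach through the tunnel (e.g. 192.168.9.253).
        if s not in tunnel and s not in lan:
            findings.append(f"pushed DNS {s} is outside tunnel {tunnel} and LAN {lan}")
    if not any(tunnel.subnet_of(a) for a in acl_nets):
        findings.append(f"tunnel {tunnel} is not in the resolver access list; unbound refuses it")
    return findings


def suggested_dns(conf):
    """First host of the tunnel network, the address Mr. Waste recommended pushing."""
    tunnel, _ = parse_server_conf(conf)
    return str(next(tunnel.hosts()))
```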

                                        @Jochim nope, still does not use Pi-hole's adblocker via pfSense DNS.

                                        • renegade

                                          Same here.
                                          It seems the set DNS Server is only used for the set domain name.
                                          In my case it's home and everything ending with .home is resolved and available in my OpenVPN Split Tunnel. But other name resolution seems to happen with any other DNS Server (unknown).

                                          • soutruth

                                            Had same issue. Unticked: "Provide a DNS server list to clients. Addresses may be IPv4 or IPv6."

                                            Fixed :)

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.