DNS Redirect over OpenVPN
-
So you want a remote vpn client that is say wanting to query 8.8.8.8 to be redirect to where exactly. Unbound running on pfsense?
-
@johnpoz Yes. The Pfsense server runs its own DNS. I want every connection to use the Pfsense server as the DNS.
-
@bob-dig I don't have anything to show other then my experimental rules. OpenVPN area comes with no rules. I based everything off of my LAN version of the DNS redirect which looks like this.
https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html
-
Well couple things - you would need the redirect on the vpn interface.
And you would have to make sure you unbound acls allow for your vpn tunnel network.
-
@ryu945 I don't see why it shouldn't work. But sure clients can use whatever they want, if they have full control over their device.
-
@johnpoz said in DNS Redirect over OpenVPN:
Well couple things - you would need the redirect on the vpn interface.
And you would have to make sure you unbound acls allow for your vpn tunnel network.
I did a redirect on the OpenVPN interface with LAN address as set as the destination. I did what I think needs to be done on the ACLs. I can ping the Pfsense router. I can't seem to access any of the intranet websites on the network.
-
@ryu945 said in DNS Redirect over OpenVPN:
LAN address as set as the destination
You wouldn't really want that - you should redirect to loopback
https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html
What did you do on the ACLs - out of the box unbound is not going to answer query from the tunnel network, ie the IP some vpn client got..
If you query say 8.8.8.8 for some local resource name does it come back with your local IP - this would be the way to test your setup is working.
To validate unbound is allowing talking to your vpn client do a directed query to pfsense IP that unbound is listening on that you allow via your vpn rules, etc.
-
@johnpoz said in DNS Redirect over OpenVPN:
https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html
I believe you mean 127.0.0.1 when you say loop back. That is what I have for the DNS redirect. I literally have that rule identical to the LAN rule I linked except it is on the OpenVPN Interface. When I said I had the DNS rule on LAN address, I meant that I have a rule after that that allows port 53 with destination targets of LAN address.
I tried nslookup and I got an interesting error message. I see it attempts 8.8.8.8 and 8.8.4.4 even if I specify to use other DNS servers in the OpenVPN app. It replies back saying it is getting unexpected DNS server 10.0.0.1 instead. This is on the OpenVPN subnet. Then it says it timed out. Could the OpenVPN android app in the Fdroid store be refusing to proceed with the connection because it is not getting the DNS server it asked for?
-
@ryu945 said in DNS Redirect over OpenVPN:
unexpected DNS server 10.0.0.1 instead
Help if you should show your rules and forwards. I could duplicate what your trying to do.. Try it a bit later and post results.
-
These are the rules I am experimenting with. First one is under OpenVPN area. Second one is under port forward. LAN Merge is my LAN.
http://imgur.com/qJUtqOBl.png
http://imgur.com/eQVyZGbl.png
-
@johnpoz @Bob-Dig I found something interesting. When I create an OpenVPN interface rule that says allow any source to any destination but destination port 443 or 80 must be used then it works. That is way to general of a rule so I am trying to lock it down and figure out what interface is allowing it to work. I tried VPN1 to LAN and LAN to VPN1 so far and it doesn't work.
edit: For some reason, no combination of source address/network to destination address/network I could find worked. What worked is instead of using the source and destination names, I used the subnets. I made a rule allow access from VPN subnet to LAN subnet on the OpenVPN interface and it worked. Do you have any idea what is going on? Normal rules using the interface name work. Why did I have to use subnet IPs instead?
-
@ryu945 said in DNS Redirect over OpenVPN:
Why did I have to use subnet IPs instead?
I have not idea what you actually did.. You can for sure use specific IPs in the rules for source and destination..
Maybe you had the wrong IPs in source or destination, maybe there was a state already if you were trying to to block something..
Order of rules matter! Top down, first rule to trigger wins, no other rules are evaluated, etc.
