Netgate Discussion Forum

Local hostnames won't resolve over OpenVPN

OpenVPN
15 Posts 6 Posters 15.8k Views

    sparkynerd
    last edited by Jan 18, 2017, 11:27 PM

    I am having a weird problem with OpenVPN - I cannot resolve local hostnames over VPN. I can resolve all hostnames when on my wifi.  I have read and tried everything I can find, but can't seem to solve this. Where do I start troubleshooting? I can attach screenshots if necessary.

    Connection | Internet DNS | Local DNS
    -----------|--------------|------------
    Wifi       | Works        | Works
    OpenVPN    | Works        | Not working

    Thanks in advance!

      viragomann
      last edited by Jan 19, 2017, 8:41 PM

      You must give us more info.

      What is the VPN client? pfSense? A mobile phone?
      What is the server?
      What is your local DNS?

        sparkynerd
        last edited by Jan 20, 2017, 12:20 AM

        I knew you would need more info, just not sure what, so thanks for clarifying. I am running pfSense 2.3.2-RELEASE-p1 (amd64) on a Watchguard XTM5. I use the OpenVPN client on an iPad, an Android phone, and a few Windows 10 laptops. I'm not sure what you mean by "What is your local DNS." I have tried DNS Resolver and DNS Forwarder, at the advice of info found elsewhere. I had this working at one point on this same hardware, but I haven't had the need to use it in a while, and apparently something must have been changed. What other info do I need to provide?

        OpenVPN client config (sensitive information removed)

        
        dev tun
        persist-tun
        persist-key
        cipher AES-256-CBC
        auth SHA512
        tls-client
        client
        resolv-retry infinite
        remote abcd.defg.com 1194 udp
        lport 0
        verify-x509-name "pfsense" name
        auth-user-pass
        pkcs12 pfSense-udp-1194-OpenVPN.p12
        tls-auth pfSense-udp-1194-OpenVPN-tls.key 1
        ns-cert-type server
        comp-lzo adaptive
        
        

        pfSense OpenVPN Server config

        
        <openvpn-server>
            <vpnid>1</vpnid>
            <mode>server_tls_user</mode>
            <authmode>Local Database</authmode>
            <protocol>UDP</protocol>
            <dev_mode>tun</dev_mode>
            <ipaddr></ipaddr>
            <interface>wan</interface>
            <local_port>1194</local_port>
            <custom_options>push "route x.x.x.x 255.255.255.0"; push "route x.x.x.x 255.255.255.0";</custom_options>
            <tls>xxxxxxxxxxxxx</tls>
            <caref>xxxxxxxxxxxxx</caref>
            <crlref></crlref>
            <certref>xxxxxxxxxxxxx</certref>
            <dh_length>4096</dh_length>
            <cert_depth>1</cert_depth>
            <strictusercn></strictusercn>
            <crypto>AES-256-CBC</crypto>
            <digest>SHA512</digest>
            <engine>none</engine>
            <tunnel_network>x.x.x.x/24</tunnel_network>
            <tunnel_networkv6></tunnel_networkv6>
            <remote_network></remote_network>
            <remote_networkv6></remote_networkv6>
            <gwredir></gwredir>
            <local_network></local_network>
            <local_networkv6></local_networkv6>
            <maxclients>3</maxclients>
            <compression>adaptive</compression>
            <passtos></passtos>
            <client2client></client2client>
            <dynamic_ip>yes</dynamic_ip>
            <pool_enable>yes</pool_enable>
            <topology>subnet</topology>
            <serverbridge_dhcp></serverbridge_dhcp>
            <serverbridge_interface>none</serverbridge_interface>
            <serverbridge_dhcp_start></serverbridge_dhcp_start>
            <serverbridge_dhcp_end></serverbridge_dhcp_end>
            <dns_server1>8.8.8.8</dns_server1>
            <dns_server2>8.8.4.4</dns_server2>
            <dns_server3></dns_server3>
            <dns_server4></dns_server4>
            <netbios_enable>yes</netbios_enable>
            <netbios_ntype>0</netbios_ntype>
            <netbios_scope></netbios_scope>
            <no_tun_ipv6></no_tun_ipv6>
            <verbosity_level>1</verbosity_level>
        </openvpn-server>
        
        
          viragomann
          last edited by Jan 20, 2017, 1:04 AM

          Your VPN server pushes Google DNS servers to the clients. But obviously your pfSense box provides DNS for the LAN. So delete the public DNS servers from the OpenVPN server settings and add your pfSense's LAN address there.

            sparkynerd
            last edited by Jan 20, 2017, 4:16 AM

            Ok. Tried that, and rebooted firewall, still not working. I have 2 vlans on this firewall, so the LAN/Trunk port doesn't have an IP. I added the IP of each VLAN to the pushed DNS servers. Anything else I'm missing?

              johnpoz LAYER 8 Global Moderator
              last edited by Jan 20, 2017, 12:32 PM

              So you're hiding your rfc1918 space???  Makes it so easy to help you and talk about which network is what, etc.. :rolleyes:

              "I added the IP of each VLAN to the pushed DNS servers"

              So these IPs you added to your client, do they resolve your local names?  Are your clients actually using them vs. pointing to their local DNS?  Do a simple nslookup, dig, host, whatever your fav DNS query tool is, on your clients.. If on a phone, install an app that allows you to query and gives you a response.  For example the Hurricane Electric app..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                sparkynerd
                last edited by Jan 21, 2017, 12:29 AM

                I have 2 VLANs: 192.168.10.0/24 and 172.26.1.0/24. These subnets both resolve local hostnames. When nslookup is run over VPN, it is trying to use 192.168.10.1, but the DNS query times out.

                  viragomann
                  last edited by Jan 21, 2017, 9:55 AM

                  What are your firewall rules on the OpenVPN interface? Are the clients allowed to access the DNS 192.168.10.1 on port 53 TCP/UDP?
                  Is the DNS listening on 192.168.10.1??

                    johnpoz LAYER 8 Global Moderator
                    last edited by Jan 21, 2017, 11:56 AM

                    If you're running the resolver, does your ACL allow your VPN tunnel network, i.e. the IP the VPN client gets, to use the resolver?

                    "it is trying to use 192.168.10.1, but the DNS query times out. "

                    Maybe your vpn connection is just really bad on latency?  Can you ping 192.168.10.1 ?  When you do a traceroute to it does it go through the tunnel?

                      sparkynerd
                      last edited by Jan 21, 2017, 7:31 PM

                      Update -

                      I fixed the DNS query timeout in nslookup. Somehow, I had 'ALL' and some of the other interfaces checked in Services > DNS Forwarder > General DNS Forwarder Options > Interfaces. I changed this to have only the 'ALL' option.

                      • My firewall rules on the OpenVPN interface are set to 'pass all IPv4 traffic'. I don't specifically pass port 53 in WAN or OpenVPN firewall rules. Do I need to do this with * set in the OpenVPN rules? Does port 53 TCP/UDP need a pass rule in the WAN interface?

                      • DNS Forwarder is set to listen on 'ALL' interfaces.

                      • I have the 192, 172, and OpenVPN networks set to 'Pass' on the DNS Resolver Access List. Does this have any effect if DNS Forwarder is used?

                      • I can ping 192.168.10.1 and 172.26.0.1 over VPN, and latency is averaging 100ms. A network scan shows all devices on both subnets.

                      • 'Redirect Gateway' option is set in OpenVPN. Shouldn't TRACERT show traffic flowing through the WAN IP of my pfsense box? It only shows client OpenVPN IP as first hop.

                        sparkynerd
                        last edited by Jan 25, 2017, 11:37 PM

                        Any ideas? Has anyone set up OpenVPN from scratch and is able to resolve local hostnames?

                          pmaez
                          last edited by Mar 9, 2017, 2:48 AM

                          I had this happen when I updated to 2.3.3. The following fixed it for me:

                          I checked the box "Provide a default domain name to clients" under Advanced Client Settings for my OpenVPN server, filled in my local domain and now everything appears to work.

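The two server-side fixes in this thread (viragomann's point that a pushed public resolver such as 8.8.8.8 can never know the site's local hostnames, and pmaez's fix of pushing a default domain) can be turned into a mechanical check on the OpenVPN server configuration. The script below is an added example, not code from the thread, from pfSense or from the OpenVPN project. It assumes the directives are laid out one per line in server.conf style (pfSense's custom_options field puts several on one line separated by semicolons, so split that first) and that routes are pushed as `push "route NETWORK NETMASK"`; the sample config at the bottom is constructed to mirror the thread's server (two local VLANs pushed, Google resolvers, no domain).

```shell
#!/bin/sh
# Added example (not from the thread, pfSense or OpenVPN): lint an OpenVPN
# server config for pushed DNS settings that cannot resolve local names.
#   not-local ADDR  pushed DNS server lies in none of the pushed routes,
#                   i.e. it is a public resolver, not the site's own
#   no-domain       no 'push "dhcp-option DOMAIN ..."', so short
#                   hostnames are never completed on the client
#   ok ADDR         pushed DNS server sits inside a pushed local route

# Dotted quad -> integer (input comes from the admin's own config).
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_subnet IP NETWORK NETMASK: true when IP falls inside NETWORK/NETMASK.
in_subnet() {
    ip=$(ip2int "$1"); net=$(ip2int "$2"); mask=$(ip2int "$3")
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# dns_in_routes IP ROUTES: ROUTES is text with one "NETWORK NETMASK" per
# line; succeeds when IP is inside any of them. The subshell keeps the
# early exit from leaving the caller.
dns_in_routes() {
    printf '%s\n' "$2" | (
        while read -r net mask; do
            [ -n "$net" ] || continue
            in_subnet "$1" "$net" "$mask" && exit 0
        done
        exit 1
    )
}

# Reads the server config on stdin, prints one finding per line and
# returns 1 when anything other than "ok" was reported.
check_pushed_dns() {
    config=$(cat)
    routes=$(printf '%s\n' "$config" \
        | sed -n 's/^push "route \([0-9.]*\) \([0-9.]*\)".*/\1 \2/p')
    rc=0
    for dns in $(printf '%s\n' "$config" \
            | sed -n 's/^push "dhcp-option DNS \([0-9.]*\)".*/\1/p'); do
        if dns_in_routes "$dns" "$routes"; then
            echo "ok $dns"
        else
            echo "not-local $dns"; rc=1
        fi
    done
    if ! printf '%s\n' "$config" | grep -q '^push "dhcp-option DOMAIN '; then
        echo "no-domain"; rc=1
    fi
    return $rc
}

# Constructed sample resembling the thread's server before the fixes.
SAMPLE='push "route 192.168.10.0 255.255.255.0"
push "route 172.26.1.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"'

printf '%s\n' "$SAMPLE" | check_pushed_dns \
    || echo "push the LAN resolver (e.g. 192.168.10.1) and a DOMAIN instead"
```

On the sample it prints `not-local 8.8.8.8`, `not-local 8.8.4.4` and `no-domain`; once the pushed DNS server is the firewall's LAN address and a domain is pushed, the only output is `ok 192.168.10.1`. The check deliberately ignores redirect-gateway: a public resolver is reachable through a full tunnel, but it still cannot answer for local names, which is the symptom this thread is about.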
                            begleysm
                            last edited by begleysm Jul 12, 2019, 11:55 AM; Jul 9, 2019, 11:44 PM

                            THIS INFORMATION IS NOT APPLICABLE FOR THOSE RUNNING PFSENSE BUT MIGHT BE USEFUL FOR THOSE WITHOUT IT

                            Your /etc/resolv.conf file defines where your computer should look to resolve hostnames into IP addresses. The basic problem is that /etc/resolv.conf doesn't get updated when you run openvpn by default.

                            Here's what you need to do to fix the problem.

                            1.) Append the following onto your server.conf file on your OpenVPN server machine (typically located at /etc/openvpn/server.conf) to have the server tell the client where to look to convert hostnames to IP addresses.

                            push "dhcp-option DNS 192.168.1.1"
                            push "dhcp-option DOMAIN mylocaldomain.lan"
                            

                            2.) Install resolvconf on your client machine and link the standard resolv.conf to resolvconf's version with the following commands to have a function capable of modifying resolv.conf

                            sudo apt install resolvconf
                            sudo mv /etc/resolv.conf /etc/resolv.conf.orig
                            sudo ln -s /run/resolvconf/resolv.conf /etc/resolv.conf
                            

                            3.) Append the following to the bottom of your client.ovpn file to run resolvconf whenever the OpenVPN server is connected to or disconnected from.

                            up /etc/openvpn/update-resolv-conf
                            down /etc/openvpn/update-resolv-conf
                            

                            4.) Whenever you run openvpn you'll have to do so with the --script-security 2 flag to allow openvpn to run resolvconf. Here is an example call:

                            sudo openvpn --script-security 2 --config /path/to/client.ovpn
                            

                            You can read a more detailed version of the above instructions with some example code of my (working) OpenVPN server here: https://steamforge.net/wiki/index.php/How_to_configure_OpenVPN_to_resolve_local_DNS_%26_hostnames

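For non-pfSense Linux clients following the four steps above, the `up`/`down` script is where the pushed values actually land in /etc/resolv.conf, and it is worth seeing what it does. The script below is an added example, not the update-resolv-conf script from the OpenVPN project and not part of the post. It relies on documented OpenVPN behaviour: every pushed `dhcp-option` is exported to the script as `foreign_option_1`, `foreign_option_2`, ... (for example `dhcp-option DNS 192.168.1.1`), `script_type` is `up` or `down`, and `dev` is the tunnel interface; the resolvconf calls assume the Debian/openresolv `resolvconf -a IFACE` / `-d IFACE` interface from step 2. Unlike a plain copy of the pushed strings, it only writes a nameserver when the pushed value looks like a dotted quad, so a stray or malformed push cannot end up verbatim in resolv.conf.

```shell
#!/bin/sh
# Added example (not the OpenVPN project's update-resolv-conf): turn the
# dhcp-option values OpenVPN pushed into resolv.conf lines. Install as
# /etc/openvpn/update-resolv-conf and reference it from the client's
# "up" and "down" lines; OpenVPN runs it with --script-security 2.

# Print resolv.conf lines built from the foreign_option_N variables that
# OpenVPN exports (numbered contiguously from 1). Nameserver values that
# are not a plain dotted quad are reported on stderr and dropped.
render_resolv_conf() {
    i=1
    search=""
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        i=$((i + 1))
        set -- $opt                       # e.g. dhcp-option DNS 192.168.1.1
        [ "$1" = "dhcp-option" ] || continue
        case "$2" in
            DNS)
                case "$3" in
                    *[!0-9.]*|"") echo "ignoring pushed DNS '$3'" >&2 ;;
                    *)            printf 'nameserver %s\n' "$3" ;;
                esac ;;
            DOMAIN) search="$search $3" ;;  # collected into one search line
        esac
    done
    [ -z "$search" ] || printf 'search%s\n' "$search"
}

# Under OpenVPN, hand the rendered lines to resolvconf for the tunnel
# interface (and withdraw them on "down"); run by hand, just print them.
case "${script_type:-}" in
    up)   render_resolv_conf | resolvconf -a "${dev}.openvpn" ;;
    down) resolvconf -d "${dev}.openvpn" ;;
    *)    render_resolv_conf ;;
esac
```

With the two push lines from step 1 the rendered output is `nameserver 192.168.1.1` followed by `search mylocaldomain.lan`, which is exactly what resolvconf then installs for the tunnel interface and removes again when the tunnel goes down.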
                              Derelict LAYER 8 Netgate
                              last edited by Jul 12, 2019, 6:43 AM

                              No.

                              Almost none of that is necessary in pfSense.

                              Just add the dns default domain and dns servers to the OpenVPN server config. DON'T directly edit the openvpn files. They will be overwritten by reboots and upgrades. If you MUST put something custom in the config, use the custom options in the server config.

                              Chattanooga, Tennessee, USA
                              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                              Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                begleysm @Derelict
                                last edited by Jul 12, 2019, 11:54 AM

                                I didn't zero in on the fact that he was using pfSense nor am I too familiar with it. I'll have to get smarter on that.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.