Local hostnames won't resolve over OpenVPN
-
Ok. Tried that, and rebooted firewall, still not working. I have 2 vlans on this firewall, so the LAN/Trunk port doesn't have an IP. I added the IP of each VLAN to the pushed DNS servers. Anything else I'm missing?
-
So you're hiding your RFC 1918 space??? Makes it so easy to help you and talk about which network is what, etc.. :rolleyes:
"I added the IP of each VLAN to the pushed DNS servers"
So these IPs you added to your client, do they resolve your local names? Are your clients actually using them vs pointing to their local DNS? Do a simple nslookup, dig, host, whatever your fav DNS query tool is, on your clients.. If on a phone, install an app that allows you to query and gives you a response. For example the Hurricane Electric app..
-
I have 2 VLANs: 192.168.10.0/24 and 172.26.1.0/24. These subnets both resolve local hostnames. When nslookup is run over VPN, it is trying to use 192.168.10.1, but the DNS query times out.
-
What are your firewall rules on the OpenVPN interface? Are the clients allowed to access the DNS 192.168.10.1 on port 53 TCP/UDP?
Is the DNS listening on 192.168.10.1??
If you're running the resolver, does your ACL allow your VPN tunnel network, ie the IP the VPN client gets, to use the resolver?
"it is trying to use 192.168.10.1, but the DNS query times out."
Maybe your VPN connection is just really bad on latency? Can you ping 192.168.10.1? When you do a traceroute to it, does it go through the tunnel?
-
Update -
I fixed the DNS query timeout in NSLOOKUP. Somehow, I had 'ALL' and some of the other interfaces checked in Services>DNS Forwarder>General DNS Forwarder Options>Interfaces. I changed this to have only the 'ALL' option.
-
My firewall rules on the OpenVPN interface are set to 'pass all IPv4 traffic'. I don't specifically pass port 53 in WAN or OpenVPN firewall rules. Do I need to do this with * set in the OpenVPN rules? Does port 53 TCP/UDP need a pass rule in the WAN interface?
-
DNS Forwarder is set to listen on 'ALL' interfaces.
-
I have the 192, 172, and OpenVPN networks set to 'Pass' on the DNS Resolver Access List. Does this have any effect if DNS Forwarder is used?
-
I can ping 192.168.10.1 and 172.26.0.1 over VPN, and latency is averaging 100ms. A network scan shows all devices on both subnets.
-
'Redirect Gateway' option is set in OpenVPN. Shouldn't TRACERT show traffic flowing through the WAN IP of my pfSense box? It only shows the client OpenVPN IP as the first hop.
-
Any ideas? Has anyone set up OpenVPN from scratch and is able to resolve local hostnames?
-
I had this happen when I updated to 2.3.3. The following fixed it for me:
I checked the box "Provide a default domain name to clients" under Advanced Client Settings for my OpenVPN server, filled in my local domain and now everything appears to work.
-
THIS INFORMATION IS NOT APPLICABLE FOR THOSE RUNNING PFSENSE BUT MIGHT BE USEFUL FOR THOSE WITHOUT IT
Your /etc/resolv.conf file defines where your computer should look to resolve hostnames into IP addresses. The basic problem is that /etc/resolv.conf doesn't get updated when you run openvpn by default. Here's what you need to do to fix the problem.
1.) Append the following onto your server.conf file on your OpenVPN server machine (typically located at /etc/openvpn/server.conf) to have the server tell the client where to look to convert hostnames to IP addresses.
    push "dhcp-option DNS 192.168.1.1"
    push "dhcp-option DOMAIN mylocaldomain.lan"
2.) Install resolvconf on your client machine and link the standard resolv.conf to resolvconf's version with the following commands, to have a function capable of modifying resolv.conf:
    sudo apt install resolvconf
    sudo mv /etc/resolv.conf /etc/resolv.conf.orig
    sudo ln -s /run/resolvconf/resolv.conf /etc/resolv.conf
3.) Append the following to the bottom of your client.ovpn file to run resolvconf whenever the OpenVPN server is connected to or disconnected from.
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf
4.) Whenever you run openvpn you'll have to do so with the --script-security 2 flag to allow openvpn to run resolvconf. Here is an example call:
    sudo openvpn --script-security 2 --config /path/to/client.ovpn
You can read a more detailed version of the above instructions with some example code of my (working) OpenVPN server here: https://steamforge.net/wiki/index.php/How_to_configure_OpenVPN_to_resolve_local_DNS_%26_hostnames
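As an added example of what the up/down script wired in at step 3 actually has to do (this is not the post's code and not the update-resolv-conf script shipped with OpenVPN packages): OpenVPN exports every option the server pushed, such as the two dhcp-option lines from step 1, to the script as environment variables foreign_option_1, foreign_option_2, ..., and the script turns them into resolv.conf lines for resolvconf. The foreign_option_N, script_type and dev variables are standard OpenVPN behaviour; the "<dev>.openvpn" resolvconf record name is this example's own choice.

```shell
#!/bin/sh
# Added example, not the OpenVPN project's update-resolv-conf. OpenVPN runs
# it (with --script-security 2) as the "up"/"down" script and exports the
# pushed options as, for example:
#   foreign_option_1="dhcp-option DNS 192.168.1.1"
#   foreign_option_2="dhcp-option DOMAIN mylocaldomain.lan"

# Print one "nameserver" line per pushed DNS option and a single "search"
# line for the pushed DOMAIN options. Returns 1 when no DNS server was
# pushed, so a server that pushes nothing never wipes the client's resolv.conf.
build_resolv_conf() {
    nameservers=""
    domains=""
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"   # read foreign_option_1, _2, ...
        [ -n "$opt" ] || break
        set -- $opt                          # split "dhcp-option DNS 192.168.1.1"
        if [ "$1" = "dhcp-option" ] && [ $# -ge 3 ]; then
            case "$2" in
                DNS)    nameservers="$nameservers $3" ;;
                DOMAIN) domains="$domains $3" ;;
            esac
        fi
        i=$((i + 1))
    done
    [ -n "$nameservers" ] || return 1
    for ns in $nameservers; do
        printf 'nameserver %s\n' "$ns"
    done
    [ -z "$domains" ] || printf 'search%s\n' "$domains"
}

# OpenVPN sets script_type (up or down) and dev (e.g. tun0) when it invokes
# the script; resolvconf -a reads the record from stdin and -d removes it.
# The "<dev>.openvpn" record name is an assumption of this example.
# Nothing runs when the file is merely sourced for testing.
case "${script_type:-}" in
    up)   build_resolv_conf | resolvconf -a "${dev}.openvpn" ;;
    down) resolvconf -d "${dev}.openvpn" ;;
esac
```

After connecting, `cat /etc/resolv.conf` on the client should show the pushed server and search domain; if it still shows the local DNS, the up line or --script-security 2 is missing.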
-
No.
Almost none of that is necessary in pfSense.
Just add the dns default domain and dns servers to the OpenVPN server config. DON'T directly edit the openvpn files. They will be overwritten by reboots and upgrades. If you MUST put something custom in the config, use the custom options in the server config.
-
I didn't zero in on the fact that he was using pfSense nor am I too familiar with it. I'll have to get smarter on that.