PfSense as OpenVPN client does not use received DNS client



  • I added an OpenVPN client config to the router which seems to connect successfully but even if the remote server is sending the DNS servers information they are not used by pfsense.

    I tried both approaches: use of DNS Forwarder and DNS Resolver but still the router itself seems unable to make use of VPN DNS servers.

    I mention that my intention is to use it as a split-DNS in the end, but at this moment I have nothing to split.

    openvpn[65150]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.33.36.1,route 10.0.0.0 255.0.0.0,dhcp-option DNS 10.38.5.26,dhcp-option DNS 10.11.5.19,dhcp-option DOMAIN example.com,ping 30,ping-exit 600,explicit-exit-notify 3,topology subnet,ifconfig 10.33.36.39 255.255.252.0,peer-id 37'

    This tells me that the DNS options were received, but DNS resolution doesn't work. I tried nslookup foo.example.com and it fails, but if I manually specify one of the mentioned DNS servers, it works.

    What I am missing that prevents it from using the DNS servers?

    I mention that my main WAN gateway is using PPP and it does provide DNS servers.

    I even tried to manually configure the DNS servers to be used for the VPN interface using System / General Setup but the router does not allow me to save the settings, giving an error like:

    A gateway can not be assigned to DNS '10.11.5.19' server which is on a directly connected network.

    I mention that on the right side of the DNS entry the VPN interface was selected, as expected. So the current config is with no DNS servers configured in General Setup and with "Allow DNS server list to be overridden by DHCP/PPP on WAN" enabled. At least this config allows me to use the WAN interface.



  • @ssbarnea I find it funny that one year later I find myself asking about the same issue and nobody replied. Mainly, for the last year I used hardcoded DNS names in the pfsense resolver in order to make it work.

    This has the bad habit of breaking the intranet domain(s) when the VPN is down, which can prove quite bad.

    In addition to this, it can cause extra problems which prevent using DNS entries in the VPN configuration if the VPN servers happen to be on the same domain as the intranet-enabled one.

    It is highly likely that any company would host its VPN servers under something like vpn.example.com, while their VPN servers would return DOMAIN example.com.

    This is normal because the internal DNS would be a superset of the public DNS.

    Still, when this happens it means that pfsense openvpn client cannot be configured with FQDN and you need to pass IP addresses, or it will fail to resolve.

    So, what is the correct way to make pfsense use the openvpn DNS servers when the VPN is up instead of always?
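As an added illustration (my own script, not from the post or from pfSense), this parses the PUSH_REPLY line quoted in the first post and reports, for each pushed DNS server, whether it sits on the tunnel's own subnet (the case pfSense rejects with the "directly connected network" error) or is reachable through a pushed route, and lists the domain override pairs a split-DNS setup in the Resolver would need. The log line is embedded as a copy of the one quoted above.

```python
import ipaddress
import re

# The PUSH_REPLY line quoted in the post, copied here so the script runs offline.
PUSH_REPLY_LOG = (
    "openvpn[65150]: PUSH: Received control message: 'PUSH_REPLY,"
    "route-gateway 10.33.36.1,route 10.0.0.0 255.0.0.0,"
    "dhcp-option DNS 10.38.5.26,dhcp-option DNS 10.11.5.19,"
    "dhcp-option DOMAIN example.com,ping 30,ping-exit 600,"
    "explicit-exit-notify 3,topology subnet,"
    "ifconfig 10.33.36.39 255.255.252.0,peer-id 37'"
)

def parse_push_reply(log_line):
    """Extract the DNS-relevant fields from a logged PUSH_REPLY."""
    m = re.search(r"'PUSH_REPLY,(.*)'", log_line)
    if not m:
        raise ValueError("no PUSH_REPLY in line")
    info = {"dns": [], "domains": [], "routes": [], "ifconfig": None}
    for opt in m.group(1).split(","):
        w = opt.split()
        if w[:2] == ["dhcp-option", "DNS"]:
            info["dns"].append(ipaddress.ip_address(w[2]))
        elif w[:2] == ["dhcp-option", "DOMAIN"]:
            info["domains"].append(w[2])
        elif w and w[0] == "route" and len(w) >= 3:
            info["routes"].append(ipaddress.ip_network(f"{w[1]}/{w[2]}", strict=False))
        elif w and w[0] == "ifconfig":
            info["ifconfig"] = ipaddress.ip_interface(f"{w[1]}/{w[2]}")
    return info

def dns_reachability(info):
    """Classify each pushed DNS server: on the tunnel subnet itself (pfSense
    rejects a gateway for those), behind a pushed route, or without any route."""
    tun_net = info["ifconfig"].network if info["ifconfig"] else None
    result = {}
    for srv in info["dns"]:
        if tun_net and srv in tun_net:
            result[str(srv)] = "directly connected"
        elif any(srv in r for r in info["routes"]):
            result[str(srv)] = "via pushed route"
        else:
            result[str(srv)] = "no route pushed"
    return result

def domain_overrides(info):
    """Split-DNS plan: one Resolver domain override per DOMAIN/DNS pair."""
    return [(d, str(s)) for d in info["domains"] for s in info["dns"]]
```

Running it against the quoted line shows both servers reachable only through the pushed 10.0.0.0/8 route, which is the reason only a split-DNS override tied to the VPN being up makes sense here.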

