PfSense as OpenVPN client does not use received DNS client
ssbarnea last edited by
I added an OpenVPN client config to the router which seems to connect successfully but even if the remote server is sending the DNS servers information they are not used by pfsense.
I tried both approaches: use of DNS Forwarder and DNS Resolver but still the router itself seems unable to make use of VPN DNS servers.
I mention that my intention is to use it as a split-DNS in the end, but at this moment I have nothing to split.
openvpn: PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.33.36.1,route 10.0.0.0 255.0.0.0,dhcp-option DNS 10.38.5.26,dhcp-option DNS 10.11.5.19,dhcp-option DOMAIN example.com,ping 30,ping-exit 600,explicit-exit-notify 3,topology subnet,ifconfig 10.33.36.39 255.255.252.0,peer-id 37'
This tells me that the DNS options were received but I DNS resolution doesn't work. I tried
nslookup foo.example.comand fails but if I manually specify one of the mentioned DNS servers, it would work.
What I am missing that prevents it from using the DNS servers?
I mention that my main WAN gateway is using PPP and it does provide DNS servers.
I even tried to manually configure the DNS servers to be used for the VPN interface using System / General Setup but the router does not allow me to save the settings, giving an error like:
A gateway can not be assigned to DNS '10.11.5.19' server which is on a directly connected network.
I mention that in the right side it of the DNS it was the VPN interface, as it was expected. So the current config is with no DNS servers configured n General Setup and with "Allow DNS server list to be overridden by DHCP/PPP on WAN" enabled. At least this config allows me to use WAN interface.
ssbarnea last edited by
@ssbarnea I find funny that one year later I find myself asking the same issue and nobody replied. Mainly for the last year I used hardcoded DNS names in pfsense resolver in order to make it work.
This has the bad habbit of breaking the intranet domain(s) when the VPN is is down, which can prove quite bad.
In addition to this it can cause extra problems which prevent using DNS entries in VPN configuration if the VPN servers happen to be on the same domain and the intranet-enabled one.
I is high likely that any company with host its VPN servers under something like vpn.example.com while theit VPN servers would return DOMAIN example.com
This is normal because the internal DNS would be a superset of the public DNS.
Still, when this happens it means that pfsense openvpn client cannot be configured with FQDN and you need to pass IP addresses, or it will fail to resolve.
So, what is the correct way to make pfsense use the openvpn DNS servers when the VPN is up instead of always?
Register connected OpenVPN clients in the DNS Resolver If this option is set, then the common name (CN) of connected OpenVPN clients will be registered in the DNS Resolver, so that their name can be resolved. This only works for OpenVPN servers (Remote Access SSL/TLS) operating in "tun" mode. The domain in System: General Setup should also be set to the proper value.
@ssbarnea I have the same question with a twist. I created 9 OpenVPN clients to different geographical regions and they are in a gateway group for load balancing and failover.
Each region sends down different DNS addresses.
I also have two networks. All users connecting to LAN go via OpenVPN while users connecting to OPT1 network bypass VPN.
How do I make users on the LAN to only use OpenVPN provided DNS servers, preferably on the OpenVPN client they are currently using. Currently it appears that those clients use all DNS servers configured in General Setup.