Domain overrides with openvpn

  • Hello,

    I have an ipsec tunnel between my office and a remote office.
    Both offices use a different domain for now.
    I've set up a domain override in my DNS firewall options for my LAN.
    ex: > which is the DNS of the remote office.
    How do I get users that connect to my OpenVPN to be able to reach the network on the remote office?


  • Provide them your internal DNS server.
    But ensure that it also can resolve public names.

  • They already have my internal DNS server's address and it doesn't work.

    lan ip:
    vpn ip:
    remote office ip:

    I've added the remote office's IP range in the OpenVPN server settings. I can ping an IP over there, but I can't reach a web app with the FQDN.

  • So the clients obviously can't resolve it. Consider that they have to use the FQDN, not only the host name, also the domain part.

  • For me the domain override doesn't work either.

    I have set up a Site-to-Site OpenVPN tunnel between two sites as described in the documentation. Currently only the LAN networks are tunneled, i.e. a single network on both sites. The OpenVPN server firewall rule allows all traffic and the tunnel is working as expected, clients can communicate between the sites by IP without any issues.

    Both sites have their own local domain, e.g. siteA (VPN server) and siteB (VPN client). For testing I added a domain override on siteA in the Domain Overrides section under Services -> DNS Resolver. It contains the siteB domain name and the DNS server IP of siteB's LAN interface, i.e. the DNS server that the clients on siteB get assigned via DHCP, which is the pfSense box itself. No dedicated port was specified and the SSL/TLS DNS is unchecked, i.e. default DNS on port 53.

    Pinging siteB's DNS server works; resolving its FQDN, i.e. host.siteB, unfortunately not. What am I missing here?

    EDIT: Both sites are running pfSense 2.4.5-RELEASE-p1.

  • I was able to solve the issue by adding the VPN tunnel subnet/network to a DNS resolver ACL in siteA's settings under DNS Resolver -> Access Lists. By additionally adding a domain override in siteB's resolver settings and adding the very same ACL there, siteA FQDN requests are now properly resolved from within siteB too.
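    As an added illustration (not from the thread, and not pfSense's generated files verbatim), these are the Unbound stanzas that correspond to the settings described above; pfSense's DNS Resolver is Unbound, a domain override becomes a forward-zone, and an access list becomes an access-control line. All subnets and addresses are constructed placeholders.

    ```conf
    # Site A resolver (Unbound behind pfSense's DNS Resolver page).
    # Addresses are constructed placeholders, not values from the thread.
    server:
        # The directly attached LAN is permitted (pfSense adds this itself).
        access-control: 192.168.10.0/24 allow

        # Weak state: no entry for the OpenVPN tunnel network. Unbound's
        # default for unlisted sources is "refuse", so any query arriving
        # over the tunnel (a remote-access client, or Site B's resolver
        # forwarding "siteA" names) gets a REFUSED reply, even though
        # ping over the tunnel works fine.
        #
        # Corrected state: the ACL added under DNS Resolver -> Access Lists.
        access-control: 10.8.0.0/24 allow

    # Domain override "siteB" -> Site B's LAN-side resolver (port 53).
    forward-zone:
        name: "siteB"
        forward-addr: 192.168.20.1@53

    # Site B resolver: the mirror image, so Site A names resolve from Site B.
    # server:
    #     access-control: 192.168.20.0/24 allow
    #     access-control: 10.8.0.0/24 allow
    # forward-zone:
    #     name: "siteA"
    #     forward-addr: 192.168.10.1@53
    ```

    A quick check from a VPN client is `dig @192.168.10.1 host.siteB` (placeholder resolver address): `status: REFUSED` in the reply header points at the access list, while `SERVFAIL` or a timeout points at the forward-zone target or the firewall path to it.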

  • Unbound ACLs?

    Oh, a bit too late ...