Domain overrides with openvpn
I have an ipsec tunnel between my office and a remote office.
Both offices use a different domain for now.
I've set up a domain override in my DNS fw options for my LAN.
ex: seconddomain.com > 192.168.2.4 which is the dns of the remote office.
How do I get users that connect to my OpenVPN to be able to reach the network on the remote office?
Provide them your internal DNS server.
But ensure that it also can resolve public names.
They already have my internal dns server's address and it doesn't work.
lan ip: 192.168.17.0/24
vpn ip: 192.168.16.0/24
remote office ip: 192.168.2.0/24
I've added the remote office's IP range in the OpenVPN server settings. I can ping an IP over there, but I can't reach a web app with the FQDN.
So the clients obviously can't resolve it. Consider that they have to use the FQDN, not only the host name, also the domain part.
For me the domain override doesn't work either.
I have set up a Site-to-Site OpenVPN tunnel between two sites as described in the documentation. Currently only the LAN networks are tunneled, i.e. a single network on both sites. The OpenVPN server firewall rule allows all traffic and the tunnel is working as expected, clients can communicate between the sites by IP without any issues.
Both sites have their own local domain, e.g. siteA (VPN server) and siteB (VPN client). For testing I added a domain override on siteA in the Domain Overrides section under Services -> DNS Resolver. It contains the siteB domain name and the DNS server IP of siteB's LAN interface, i.e. the DNS server that the clients on siteB get assigned via DHCP, which is the pfSense box itself. No dedicated port was specified and the SSL/TLS DNS is unchecked, i.e. default DNS on port 53. siteB's DNS server works, resolving its FQDN, i.e. host.siteB, unfortunately not. What am I missing here?
EDIT: Both sites are running pfSense 2.4.5-RELEASE-p1.
I was able to solve the issue by adding the VPN tunnel subnet/network to a DNS resolver ACL in siteA's settings under DNS Resolver -> Access Lists. By additionally adding a domain override in siteB's resolver settings and adding the very same ACL there, siteA FQDN requests are now properly resolved from within
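What the fix above amounts to, written out as the raw Unbound directives that pfSense generates from the DNS Resolver pages (an added illustration, not the file pfSense produces; the subnets and the seconddomain.com / 192.168.2.4 values are taken from the first post, and the site B stanza assumes site A forwards from its LAN or tunnel address):

```conf
# --- Site A (OpenVPN server side), Services -> DNS Resolver ---
server:
    # Access Lists: Unbound refuses queries from any source not listed here,
    # so VPN clients in 192.168.16.0/24 got REFUSED/no answer until added.
    access-control: 192.168.17.0/24 allow   # LAN
    access-control: 192.168.16.0/24 allow   # OpenVPN tunnel subnet (the missing entry)
    # Answers for the remote zone are RFC1918 addresses; marking the domain
    # private keeps DNS rebinding protection from discarding them.
    private-domain: "seconddomain.com"

# Domain Override: only the remote office's zone is forwarded to its resolver,
# everything else still resolves publicly as before.
forward-zone:
    name: "seconddomain.com"
    forward-addr: 192.168.2.4

# --- Site B (remote office, 192.168.2.0/24), same ACL on its resolver ---
server:
    access-control: 192.168.2.0/24 allow    # its own LAN
    # Forwarded queries from site A arrive from site A's LAN or tunnel
    # address, so those networks must be allowed here as well.
    access-control: 192.168.17.0/24 allow
    access-control: 192.168.16.0/24 allow
```

Checking from a connected VPN client with `nslookup host.seconddomain.com 192.168.17.1` (site A's resolver address assumed) shows whether the ACL or the override is the part still missing: REFUSED points at the ACL, NXDOMAIN at the forward-zone.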
bingo600
Unbound ACLs?
Ohh, a bit too late ...