Netgate Discussion Forum
    Need help for config DNS Resolver with VPN Client

    Category: DHCP and DNS
    7 Posts 2 Posters 3.9k Views

    pfcode:

      Hi, all,

      I need your help setting up the DNS Resolver with my VPN client. It's currently working partially: I get a VPN IP, but DNS is leaked. I know something is not set up properly. One of the reasons I am using the DNS Resolver is the pfBlockerNG DNSBL functions. Here is my pfSense 2.4.3 setup:

      1. Interfaces: WAN, LAN, WLAN, OPT. Gateways: WAN_DHCP (default), PUREVPNWAN_VPNV4 (I am using PureVPN, UDP, tun, interface WAN, port 53).

      2. LAN's and WLAN's gateways are set to use the default gateway.

      3. OPT's gateway is set to use the PUREVPNWAN_VPNV4 gateway. I want all the devices behind OPT to use the VPN only.

      4. DNS Resolver "Network Interfaces" and "Outgoing Network Interfaces" are set to All, "Enable DNSSEC" is ticked, and the rest of the options are all unchecked.

      5. System > General: I have DNS servers defined to use OpenDNS, none set to gateways, and the option "Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall" is checked.

      6. OPT firewall rule: Protocol: IPv4, source: *, port: *, destination: *, port: *, Gateway: PUREVPNWAN_VPNV4, Queue: none.
         Outbound NAT:
         PUREVPNWAN_VPNV4, 127.0.0.0/8, PUREVPN_WAN address
         PUREVPNWAN_VPNV4, 192.168.2.0/8, PUREVPN_WAN address

      7. My Win 10 laptop's IPv4 network properties are set to "Obtain an IP address automatically" and "Obtain DNS server address automatically".

      What I want:

      1. All the devices behind OPT use the VPN DNS. Currently this fails: DNS is leaked, and DNSLeakTest.com shows my ISP.

      2. Devices behind LAN and WLAN use the default DNS. This is currently working fine.

      Question:

      How do I make the devices behind OPT use the VPN DNS? Sorry for my English, it's not my native language.

      Thanks

      William

      Release: pfSense 2.4.3(amd64)
      M/B: Supermicro A1SRi-2558F
      HDD: Intel X25-M 160G
      RAM: 2x8Gb Kingston ECC ValueRAM
      AP: Netgear R7000 (XWRT), Unifi AC Pro

        TheNarc:

        There may be a better/easier way to do this, but here is the only way that I know how to do it:

        • In your DNS Resolver settings, select only your PureVPN interface in the "Outgoing Network Interfaces" list.  Be aware of the following caveats though.  In your VPN client configuration, in the "Server host or address" field, you'll want to put the IP of the server instead of its host name.  So if you have, for example, vpnserver1.purevpn.com in there now, you'll want to get the IP for it (Diagnostics > DNS Lookup) and use that instead.  Also, I have found that on a fresh start of pfSense, if the DNS resolver comes up before your VPN client connection, it will default to using all outgoing interfaces for queries even if you had specified just your VPN interface.  As a non-ideal workaround, I just manually restart the DNS resolver after a reboot of my pfSense machine, which is a rare enough occurrence that I can live with it.

        • I don't think you want the "Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall" option in System > General checked, but it may not hurt anything either.

        • Make DHCP static mappings for any clients on your network whose DNS queries you do not want to go through the VPN.  In the static mapping, you can specify up to 4 DNS servers.  This is where you'll want to put the OpenDNS server IPs.

        Like I said, I don't know if this will be a viable option for you or not, because if you have a big network you probably don't want to have to manually make a lot of DHCP static mappings.  But this is what I do to achieve the separation that you're looking for, and it works fine with the caveat of needing to manually restart the DNS resolver after a reboot.

        And I wouldn't worry about your English, it's probably better than most native speakers'  ;)

          pfcode:

          @TheNarc:

          Thank you, much appreciated. The only drawback of selecting the PureVPN interface alone in the "Outgoing Network Interfaces" list is that once the VPN is down, VPN and/or non-VPN users can't get internet access, since there is no more DNS. Meanwhile, I'm very confused about what "Network Interfaces" and "Outgoing Network Interfaces" are about in the DNS Resolver.

            TheNarc:

            You're correct that if you set PureVPN as the only outgoing interface in the "Outgoing Network Interfaces" list that VPN users will lose DNS if the VPN goes down, but isn't that what you would want?  Non-VPN users would not lose DNS in this case, because if you assign them OpenDNS servers via DHCP static mappings, they won't be using the resolver at all, so they wouldn't be impacted by the VPN going down.

            With respect to "Network Interfaces" versus "Outgoing Network Interfaces," it's just specifying which interface(s) the resolver will listen on for DNS queries (the "Network Interfaces" list) and which interface(s) it will use to contact root servers in order to resolve those queries ("Outgoing Network Interfaces").  In most setups, you'll have only your LAN interface(s) and localhost selected as listening interfaces and only your WAN interface(s) selected as outgoing interfaces.  But of course, in your case with a VPN client connection in use, you can force all DNS resolution to go through the VPN by instead selecting only your VPN interface(s) as outgoing interfaces.

              pfcode:

              @TheNarc:

              The issue is that I'm using pfBlockerNG, which requires the DNS Resolver. Thanks for the clarification of "Network Interfaces" and "Outgoing Network Interfaces".

                TheNarc:

                That's a good point.  If you're using the DNSBL functionality of pfBlockerNG, and you want both VPN and non-VPN hosts to benefit from that, then both VPN and non-VPN hosts must use the resolver.  But I'm not aware, then, of any way to say "non-VPN hosts use the resolver via non-VPN interfaces and VPN hosts use the resolver via VPN interfaces."  Does PureVPN allow you to have multiple concurrent connections?  Because you could set up a few client connections and allow the resolver to use any of those client connections.  Then all of your VPN client connections would have to go down before you lose DNS, so it would be safer to take the approach of "whether a host uses VPN or not for normal traffic, just make all hosts do DNS via the VPN."  This wouldn't suffice for mission critical systems requiring uptime arbitrarily close to 100%, but for a home network I expect it would be fine.

                  pfcode:
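Added example, not part of any post in this thread: a small POSIX sh audit of the unbound.conf that pfSense generates for the DNS Resolver. It separates the listen addresses ("Network Interfaces") from the query source addresses ("Outgoing Network Interfaces") as TheNarc describes, flags the leak case where no outgoing-interface is set (the resolver then uses any interface, which is what TheNarc observed after a reboot when the VPN came up late), and accepts several tunnel addresses for the multi-connection variant from the last post. The two sample configs are constructed; the tunnel address 10.200.0.6, the LAN/OPT addresses 192.168.1.1 and 192.168.2.1, and the temp-file paths are assumptions, not values from the thread.

```shell
#!/bin/sh
# Audit an unbound.conf (the format pfSense writes to /var/unbound/unbound.conf)
# for the listen vs. outgoing interface split. Example code, not from the
# thread; sample configs are constructed and all addresses are assumed.

# Addresses unbound listens on ("Network Interfaces" in the pfSense GUI).
listen_addrs() {
    awk '$1 == "interface:" { print $2 }' "$1"
}

# Addresses unbound sends recursive queries from ("Outgoing Network
# Interfaces"). Empty output means the directive is absent, so unbound may
# send from any interface, including the WAN.
outgoing_addrs() {
    awk '$1 == "outgoing-interface:" { print $2 }' "$1"
}

# audit_outgoing CONF VPN_ADDR [VPN_ADDR ...]
# Returns 0 when every outgoing address is one of the given tunnel addresses.
# Returns 1 when the outgoing list is empty or contains a non-tunnel address,
# i.e. when queries can leave via the ISP and show up on a DNS leak test.
audit_outgoing() {
    conf=$1
    shift
    out=$(outgoing_addrs "$conf")
    if [ -z "$out" ]; then
        echo "LEAK: no outgoing-interface set; resolver may use any interface" >&2
        return 1
    fi
    rc=0
    for addr in $out; do
        ok=0
        for vpn in "$@"; do
            [ "$addr" = "$vpn" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "LEAK: outgoing-interface $addr is not a VPN tunnel address" >&2
            rc=1
        fi
    done
    return $rc
}

TMP=${TMPDIR:-/tmp}
LEAKY_CONF=$TMP/unbound-leaky-example.conf
GOOD_CONF=$TMP/unbound-good-example.conf

# Constructed: listen on all interfaces, no outgoing-interface line.
# This is the effective state the original poster described (both set to All).
cat > "$LEAKY_CONF" <<'EOF'
server:
chroot: /var/unbound
interface: 0.0.0.0
interface: ::0
EOF

# Constructed: listen on LAN, OPT and localhost; send queries only from the
# assumed tunnel address, which is what TheNarc's resolver setting produces.
cat > "$GOOD_CONF" <<'EOF'
server:
chroot: /var/unbound
interface: 192.168.1.1
interface: 192.168.2.1
interface: 127.0.0.1
outgoing-interface: 10.200.0.6
EOF

# Stand-alone run: report both configs against the assumed tunnel address.
for f in "$LEAKY_CONF" "$GOOD_CONF"; do
    echo "== $f"
    echo "listen:   $(listen_addrs "$f" | tr '\n' ' ')"
    echo "outgoing: $(outgoing_addrs "$f" | tr '\n' ' ')"
    if audit_outgoing "$f" 10.200.0.6; then
        echo "OK: all outgoing queries are pinned to the tunnel"
    else
        echo "FAIL: DNS can leak"
    fi
done
```

On a live box, run it against /var/unbound/unbound.conf after the VPN is up (Diagnostics > Command Prompt, or over SSH) with the tunnel address from Status > Interfaces. An empty outgoing list right after a reboot is the race TheNarc describes; restarting the resolver from Status > Services, as he does, regenerates the config with the tunnel address present, and re-running the audit confirms it before you trust a result from DNSLeakTest.com.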

                  @TheNarc:

                  Yes, PureVPN does allow multiple concurrent connections.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.