Hostname Resolution over OpenVPN

cyclocamp · May 15, 2018, 10:27 AM

I apologise if I have missed the answer to this question on another topic - I have been trying to fix this for a long time.

My setup:

I have a pfSense box (Site A) in my apartment, with devices and VM's connected to it. The connected devices use a pi-hole for DHCP and DNS (DNS resolver does not work for some unknown reason - it is incredibly slow/unresponsive).

My apartment does not provide public IPs, so for remote access I have Site A pfSense connected as an OpenVPN client to a Vultr pfSense openVPN server instance (Site B) and the LAN of site A is routed over VPN.

In this setup, I can connect my laptop from a remote location to the vultr pfSense (Site B) openVPN server and can access my home devices by typing their LAN IP address.

Problem:
From any remotely connected client, I want to be able to resolve my home (Site A) devices by their hostname. Ideally I would like to be able to push the pi-hole DNS server to clients, so it provides ad-blocking as well.

Can anyone advise on what I need to do?
Thank you

Derelict · May 15, 2018, 10:47 AM

Have you tried setting it as the DNS server that gets pushed to the OpenVPN clients in the OpenVPN server configuration?

cyclocamp · May 15, 2018, 11:00 AM

Thanks for your reply.

I have tried specifying the LAN IP address of my pi-hole in Site B's OpenVPN Server DNS settings.
When I remotely connect my laptop as a client to the server, the server pushes the LAN IP of the home DNS server, but it does not resolve when I try to visit a website or try nslookup.
Strangely I can type in the LAN IP address of clients on my home LAN in the browser and access them, but nslookup does not respond even to LAN IP addresses.

Derelict · May 15, 2018, 11:04 AM

maybe the DNS server does not have a route back to the OpenVPN client's tunnel address?

You should be able to troubleshoot this using dig commands targeted at the DNS server in question.

A lot of this has to do with how the client, not pfSense, is configured too.

cyclocamp · May 15, 2018, 12:28 PM

Sorry could you clarify how to do this?

As in

'dig apple.com @_DNS Server LAN IP_ +trace' from my remote laptop?

cyclocamp · May 15, 2018, 1:08 PM

I think I may have solved it. Thank you for your suggestion on using dig.

Using dig and ping, I tried to access the DNS server on my home LAN.

I checked the home LAN pfSense (Site A) firewall logs and it was blocking traffic from the OpenVPN interface to LAN interface that was ICMP type? Does this explain why I could contact the server if I typed its IP address into google chrome, but could not ping the server from command line?

EDIT: Yes making a rule to pass ANY traffic from ovpn interface to LAN of ANY kind solved the problem! Thank you!

Derelict · May 15, 2018, 8:05 PM

From the client:

dig @dns_server_ip_address something.com

Does that work? If not find out why not.