Dynamic DNS gets cached IP as VPN client IP



  • So I have an issue that I just can't figure out, and maybe it can't even be resolved, IDK.
    I'm not sure if the issue belongs in this thread or if it belongs in NAT, OpenVPN, or Packages....

    I have a VPN server running off pfSense for my phone to connect to when I'm away, and I have Dynamic DNS set up with *.ddns.net ....DDNS updates my hostname @ *.ddns.net with no issues and I am able to connect to my Home VPN server on pfSense with ease....Until I turn on a VPN client...

    In addition to having an OpenVPN server setup on pfSense, I have also configured pfSense to connect to my paid TorGuard service as a VPN client so that all traffic is routed through that VPN, including any traffic on my Home VPN server.
    The issue is when I have the TorGuard VPN client active: the DDNS cached IP is updated as the TorGuard VPN public IP rather than my actual IP provided by my ISP, and then I cannot connect to my Home VPN because the phone is trying to connect to the TorGuard VPN IP rather than my actual external IP from the ISP...if I disable the VPN client, then the DDNS cached IP updates as my actual IP like I want..
    Is there any way to configure the Dynamic DNS to not grab the TorGuard VPN client IP? Or force DDNS to use a specific gateway? (pfSense is behind another router; Internet>Modem>LinkSys_Router(192.168..)>pfSense(172.16..)>Home_VPN(10.0..))

    Any help would be greatly appreciated


  • Netgate

    Yes. There are several settings in the dynamic DNS setup that deal with what interface and address to use for an update. Post your DYNDNS config.



  • @derelict said in Dynamic DNS gets cached IP as VPN client IP:

    Yes. There are several settings in the dynamic DNS setup that deal with what interface and address to use for an update. Post your DYNDNS config.

    Note: I have it disabled at the moment so that the wrong IP is not sent
    [image: dns.png]



  • For reference to some firewall rules...I followed this guide in setting up my paid TorGuard VPN service:
    pfSense TorGuard Setup



  • I should also note that pfSense (172.16..) resides behind another router (192.168..)

    I can post screen shots of firewall rules if needed


  • Netgate

    Are you accepting a default route from the VPN service?



  • I have a rule on my lan_bridge to send all traffic to the TorGuard gateway ...when the TorGuard VPN client is enabled, all traffic routes through the VPN service, and when the VPN service has been disabled, traffic routes directly to the WAN as expected...

    The only other thing I configured for the VPN service was the NAT rules as defined in the guide I posted above

    If that's not what you mean, please explain


  • Netgate

    Do you have Don't pull routes checked in your VPN client config?



  • No...I have that option Unchecked

    @derelict said in Dynamic DNS gets cached IP as VPN client IP:

    Do you have Don't pull routes checked in your VPN client config?

    [image: vpn1.png]


  • Netgate

    Right. That means they are giving you a default route. That likely means your dyndns request is going that way too.

    If you are policy routing traffic out the VPN by setting gateways on inside interface rules, try checking that box and seeing if dyndns now does the right thing.



  • Okay, I have CHECKED that option
    [image: fixed ip.png]

    However, after checking that box, I now have a DNS leak
    [image: leak.png]

    If I leave the box UNCHECKED, this is the DNS test result
    [image: No_leak.png]



  • Here are some related settings
    [image: dns_setup.png]

    LAN Rules related to TorGuard
    [image: Lan rules.png]



  • Forgot to post the (unbound) DNS Resolver settings
    [image: resolver settings.png]


  • Netgate

    Set your VPN clients to use outside DNS servers instead of the DNS resolver on the local firewall.



  • @derelict You'll have to excuse my ignorance LBVS
    How do I do that?

    I thought I was accomplishing that in the General System Settings by providing a DNS server tagged to the TorGuard VPN gateway


  • Netgate

    Nope. Set them in the DHCP server most likely, else static on the hosts.

    The DHCP server will automatically give hosts the interface address if DNS servers are not specified.



  • So you're saying I should set up the TorGuard interface as DHCP? As I have it set to none at the moment and it just sets a Virtual IP
    [image: torguard interface.png]

    [image: openvpn.png]


  • Netgate

    No. It's about what the CLIENTS that are routed over TorGuard are, themselves, configured to use as DNS servers. The DHCP configuration would be on that interface. If you only want to change certain hosts, use DHCP static mappings.



  • You're talking about here?
    [image: here.png]

    If I do that, then when the TorGuard service has been disabled/disconnected, won't the PC constantly use those specific DNS servers, rather than only use the TorGuard servers when the service is enabled and default to using the Unbound DNS Resolver when TorGuard is disconnected, like it performed before the "Do Not Pull Routes" option was checked?


  • Netgate

    Yup.

    You can't have everything.

    The most straightforward option I can think of is to run a DNS server off the firewall. That way DNS queries get policy routed like all other traffic.

    Some people set the OpenVPN interface as the outgoing interface in DNS Resolver but, when you do that, all DNS can go south when the VPN is not connected.

    If you're concerned about DNS leaks, policy route, and choose to use a DNS resolver on the firewall, there are compromises. If you otherwise choose to accept a default route from a VPN provider, there are compromises.

    Maybe someone else has a better idea.



  • @teknikalcrysis said in Dynamic DNS gets cached IP as VPN client IP:

    Here are some related settings
    [image: dns_setup.png]

    LAN Rules related to TorGuard
    [image: Lan rules.png]

    Have you tried a pass rule for source This Firewall(self) destination ?.ddns.net gateway WAN_DHCP


  • Netgate

    It won't matter because the dyndns session doesn't arrive into LAN where it can be policy routed. It is sourced from the firewall itself.

    A dyndns client on the inside that updates that name and could be policy routed could perhaps solve the problem being seen when the VPN connection is active with def1 routes accepted.
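To make the point above concrete (and the DNS leak reported after checking "Don't pull routes"), here is an added toy model, written for this thread and not code from pfSense or from anyone in the discussion. It assumes the usual OpenVPN redirect-gateway def1 behaviour (two /1 routes over the tunnel that beat the WAN default when routes are pulled) and uses made-up gateway names, hosts and destination addresses. Packets entering LAN can be policy routed by an interface rule with a gateway set; packets the firewall originates itself (the DynDNS update, Unbound's upstream queries) only ever follow the system routing table.

```python
"""Toy model of how a pfSense-style firewall picks an egress gateway.

Constructed example: gateway names, hosts and destination addresses are
made up. The routing table mirrors an OpenVPN client that pushes a
def1-style default (two /1 routes over the tunnel) when
"Don't pull routes" is unchecked.
"""
import ipaddress
from dataclasses import dataclass

SELF = "firewall(self)"          # traffic originated by the firewall itself
WAN = "WAN_DHCP"
VPN = "TORGUARD_VPN"             # assumed name for the client tunnel gateway


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str


@dataclass(frozen=True)
class PolicyRule:
    src_net: ipaddress.IPv4Network   # LAN rule source; first match wins
    gateway: str


def routing_table(pull_routes: bool) -> list:
    """System routing table: WAN default, plus the tunnel's /1 pair if pulled."""
    table = [Route(ipaddress.ip_network("0.0.0.0/0"), WAN)]
    if pull_routes:
        table += [Route(ipaddress.ip_network("0.0.0.0/1"), VPN),
                  Route(ipaddress.ip_network("128.0.0.0/1"), VPN)]
    return table


def table_lookup(table, dst: str) -> str:
    """Longest-prefix match: what the kernel does for any non-policy-routed packet."""
    dst_ip = ipaddress.ip_address(dst)
    best = max((r for r in table if dst_ip in r.prefix),
               key=lambda r: r.prefix.prefixlen)
    return best.gateway


def egress(src: str, dst: str, table, lan_rules) -> str:
    """Pick the gateway. LAN rules with a gateway apply only to packets that
    arrive on LAN; firewall-originated packets never pass through them."""
    if src != SELF:
        src_ip = ipaddress.ip_address(src)
        for rule in lan_rules:
            if src_ip in rule.src_net:
                return rule.gateway
    return table_lookup(table, dst)


# Constructed LAN rules: the PC is sent over the tunnel, the kids' tablet out WAN.
LAN_RULES = [
    PolicyRule(ipaddress.ip_network("172.16.1.20/32"), VPN),
    PolicyRule(ipaddress.ip_network("172.16.1.30/32"), WAN),
]

# Constructed flows: (name, source, destination)
FLOWS = [
    ("ddns_update",      SELF,          "203.0.113.10"),   # DDNS provider (made up)
    ("unbound_upstream", SELF,          "198.51.100.53"),  # resolver's upstream (made up)
    ("pc_browsing",      "172.16.1.20", "203.0.113.80"),
    ("tablet_browsing",  "172.16.1.30", "203.0.113.80"),
]


def simulate(pull_routes: bool) -> dict:
    """Gateway each constructed flow leaves by, for a given pull-routes setting."""
    table = routing_table(pull_routes)
    return {name: egress(src, dst, table, LAN_RULES) for name, src, dst in FLOWS}


def pc_dns_leaks(pull_routes: bool) -> bool:
    """The PC resolves through Unbound on the firewall, so its DNS leaves by
    whatever gateway the firewall's own traffic takes. It is a leak when that
    differs from the gateway the PC's browsing is policy-routed through."""
    result = simulate(pull_routes)
    return result["unbound_upstream"] != result["pc_browsing"]


if __name__ == "__main__":
    for pull in (True, False):
        print(f"pull routes={pull}: {simulate(pull)}  pc DNS leak={pc_dns_leaks(pull)}")
```

With routes pulled, the DDNS update leaves over the tunnel (the symptom in the first post) while the PC's DNS stays on the tunnel too; with "Don't pull routes" checked, the DDNS update goes out WAN as wanted, but so do Unbound's upstream queries, which is the leak seen right after checking the box. The policy-routed PC and tablet are unaffected either way, which is why the LAN rules can never fix the firewall's own flows.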



  • @derelict said in Dynamic DNS gets cached IP as VPN client IP:

    It won't matter because the dyndns session doesn't arrive into LAN where it can be policy routed. It is sourced from the firewall itself.

    A dyndns client on the inside that updates that name and could be policy routed could perhaps solve the problem being seen when the VPN connection is active with def1 routes accepted.

    Oops. How about outbound NAT on WAN interface source This Firewall(self) destination ?.ddns.net gateway WAN_DHCP?

    It may be simpler just to run ddns client on the outside edge router if it has one.


  • Netgate

    Outbound NAT does not have anything to do with where traffic goes (routing). It only determines what NAT happens when traffic flows that way according to policy routing and the routing table.



  • @derelict said in Dynamic DNS gets cached IP as VPN client IP:

    Outbound NAT does not have anything to do with where traffic goes (routing). It only determines what NAT happens when traffic flows that way according to policy routing and the routing table.

    Oops again, it should be: How about outbound NAT on WAN interface source This Firewall(self) destination ?.ddns.net NAT address WAN address?



  • I have been trying a bit of everything...I was leaning on hope that there would be a way to create a rule somewhere that would route the dyndns traffic to a specific gateway, like I have made with having my PC pushed through the TorGuard VPN and simultaneously having default traffic from the kids' tablets bypass the TorGuard gateway and use the WAN directly...

    While having the "Do Not Pull Routes" option checked in the TorGuard VPN config, I tried to make use of both the DNS Forwarder (dnsmasq) and DNS Resolver (Unbound) at the same time by creating a Virtual IP of 10.1.10.1, having Unbound listen on port 53 and dnsmasq listen on 5305, and then NAT port-forwarding DNS traffic to the Virtual IP
    [image: test.png]

    While this does make a change in the right direction by making use of the DNS server listed in General Setup
    [image: dns.png]

    RESULT: [image: result.png]

    It tries to force all traffic to the DNS Forwarder (dnsmasq) even when the TorGuard VPN has been disabled/disconnected, and it bypasses the DNS Resolver (Unbound) altogether
    And the thing I don't like about using (dnsmasq) is that the DNSBL in pfBlockerNG is then circumvented, is it not?

    I DID try to use the static DNS setting in the DHCP mapping as suggested, but it forces the PC to consistently use those specified DNS servers even when TorGuard has been disconnected, and again, by having DHCP specify those servers, isn't DNSBL in pfBlockerNG getting bypassed at that point?



  • @gjaltemba said in Dynamic DNS gets cached IP as VPN client IP:

    @derelict said in Dynamic DNS gets cached IP as VPN client IP:

    Outbound NAT does not have anything to do with where traffic goes (routing). It only determines what NAT happens when traffic flows that way according to policy routing and the routing table.

    Oops again, it should be: How about outbound NAT on WAN interface source This Firewall(self) destination ?.ddns.net NAT address WAN address?

    This has already been listed via auto rule
    [image: mappings.png]



  • Leave your original setup as-is. Just put this at the top.

    outbound NAT on WAN interface source This Firewall(self) destination ?.ddns.net NAT address WAN address





  • @gjaltemba said in Dynamic DNS gets cached IP as VPN client IP:

    Leave your original setup as-is. Just put this at the top.

    outbound NAT on WAN interface source This Firewall(self) destination ?.ddns.net NAT address WAN address

    It won't let me type anything but an IP in the destination box


  • Netgate

    @gjaltemba Outbound NAT has ZERO to do with how traffic flows. If it is routed out the OpenVPN or policy routed out another interface, Outbound NAT will not change anything. It only determines what NAT occurs when traffic flows out an interface as the routing mechanism has already decided it should.



  • @derelict said in Dynamic DNS gets cached IP as VPN client IP:

    @gjaltemba Outbound NAT has ZERO to do with how traffic flows. If it is routed out the OpenVPN or policy routed out another interface, Outbound NAT will not change anything. It only determines what NAT occurs when traffic flows out an interface as the routing mechanism has already decided it should.

    I still think there is a way...I feel I am close... I went back and UNCHECKED the "Do Not Pull Routes" option in the TorGuard OpenVPN Client settings and I just disabled the following NAT OUTBOUND Mappings
    [image: disabled.png]

    DynDNS Result is a SUCCESSFUL IP from ISP: [image: dyndns.png]

    However there is still a bit of a DNS leak: [image: dnsresult.png]

    Before those Outbound NAT mappings were disabled, DynDNS would report the IP of the TorGuard VPN and would only have the top DNS result in green; it never listed two servers like this before when the Do Not Pull Routes option was unchecked...with the exception of the config I just tried above with (dnsmasq)



  • @teknikalcrysis said in Dynamic DNS gets cached IP as VPN client IP:

    @gjaltemba said in Dynamic DNS gets cached IP as VPN client IP:

    Leave your original setup as-is. Just put this at the top.

    outbound NAT on WAN interface source This Firewall(self) destination ?.ddns.net NAT address WAN address

    It won't let me type anything but an IP in the destination box

    I am able to type an alias for ***.ddns.net in the destination of outbound NAT. The outbound NAT should register your ISP IP on ddns with the OpenVPN client running.

    To test, do a packet capture on the WAN interface for traffic heading to ***.ddns.net. You will see the pfSense WAN IP.



  • @gjaltemba said in Dynamic DNS gets cached IP as VPN client IP:

    @teknikalcrysis said in Dynamic DNS gets cached IP as VPN client IP:

    @gjaltemba said in Dynamic DNS gets cached IP as VPN client IP:

    Leave your original setup as-is. Just put this at the top.

    outbound NAT on WAN interface source This Firewall(self) destination ?.ddns.net NAT address WAN address

    It won't let me type anything but an IP in the destination box

    I am able to type an alias for ***.ddns.net in the destination of outbound NAT. The outbound NAT should register your ISP IP on ddns with the OpenVPN client running.

    But then at some point that alias would be obsolete, as my IP is not static, and while not frequent (unless I force an ISP IP change by spoofing the MAC on the first router that is connected to the modem directly and then rebooting the modem) it does change from time to time if my power is out too long or in a few other scenarios.. when that happens, the alias would then be configured with an incorrect destination



  • @teknikalcrysis The alias can be a DNS name. To test, include dnsleaktest.com in the alias, browse to dnsleaktest.com and you will see your ISP IP. Remove dnsleaktest.com from the alias and you will see your VPN IP.


  • Netgate

    @gjaltemba I say again. Outbound NAT has nothing to do with which way traffic routes.



  • @derelict I get it, but what is your point? A quick test from here tells me outbound NAT gives the desired result. To test, the source has to include the browser client IP because the firewall does not have a browser.

    If for whatever reason outbound NAT does not work then there is always plan B. Set up a ddns client on the edge router outside pfSense.





  • I think I fixed it....after playing around with some settings and getting close, and talking about Outbound NAT and me disabling those Outbound NAT rules I highlighted earlier, I managed to get DynDNS to update properly but still had it pulling two DNS servers (the VPN and the Unbound Resolver), causing a leak when those Outbound NAT mappings were disabled...it gave me an idea to map Outbound NAT on the TorGuard interface from Source: WAN NET to Destination: ANY and NAT: TorGuard Address on Static Port: 53 to push DNS queries back to TorGuard and stop the leak

    NEW Outbound NAT Config:
    [image: nat config.png]

    Here is what happens when I DISABLE/DISCONNECT the TorGuard VPN
    [image: proof.png]

    DynDNS updates correctly, obviously:
    [image: dyndns.png]

    And the DNS result is as expected and desired:
    [image: dnsresult.png]

    Now here is what happens when I ENABLE one of the TorGuard VPN Client connections...(drum roll please!)
    [image: proof_2.png]
    [image: connected.png]

    DynDNS Result is STILL the actual IP as desired!!!
    [image: dyndns.png]

    And NO DNS LEAK when TorGuard is Active!!!
    [image: result_2.png]

    And just for a second opinion...Confirmed NO LEAKS
    [image: confirmed.png]