Netgate Discussion Forum

    Dynamic DNS gets cached IP as VPN client IP

    Category: DHCP and DNS. 41 Posts, 3 Posters, 7.8k Views
    teknikalcrysis

      So I have an issue that I just can't figure out, and maybe it can't even be resolved, IDK.
      I'm not sure if the issue belongs in this thread or if it belongs in NAT, OpenVPN, or Packages....

      I have a VPN server running off pfSense for my phone to connect to when I'm away, and I have Dynamic DNS set up with *.ddns.net.... DDNS updates my hostname at *.ddns.net with no issues and I am able to connect to my home VPN server on pfSense with ease.... Until I turn on a VPN client...

      In addition to having an OpenVPN server set up on pfSense, I have also configured pfSense to connect to my paid TorGuard service as a VPN client so that all traffic is routed through that VPN, including any traffic on my home VPN server.
      The issue is that when I have the TorGuard VPN client active, the DDNS cached IP is updated to the TorGuard VPN public IP rather than my actual IP provided by my ISP, and then I cannot connect to my home VPN because the phone is trying to connect to the TorGuard VPN IP rather than my actual external IP from my ISP... If I disable the VPN client, then the DDNS cached IP is updated to my actual IP like I want.
      Is there any way to configure the Dynamic DNS to not grab the TorGuard VPN client IP? Or force DDNS to use a specific gateway? (pfSense is behind another router: Internet > Modem > LinkSys_Router (192.168..) > pfSense (172.16..) > Home_VPN (10.0..))

      Any help would be greatly appreciated

      2.4.3-RELEASE-p1 (amd64) - FreeBSD 11.1-RELEASE-p10
      AMD G-T40E Processor - 2 CPUs: 1 package(s) x 2 core(s)

      Derelict (LAYER 8, Netgate)

        Yes. There are several settings in the dynamic DNS setup that deal with what interface and address to use for an update. Post your DYNDNS config.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        teknikalcrysis

          @derelict said in Dynamic DNS gets cached IP as VPN client IP:

          Yes. There are several settings in the dynamic DNS setup that deal with what interface and address to use for an update. Post your DYNDNS config.

          Note: I have it disabled at the moment so that the wrong IP is not sent.
          [image: 0_1528769085421_dns.png]

          teknikalcrysis

            For reference on some of the firewall rules: I followed this guide in setting up my paid TorGuard VPN service:
            pfSense TorGuard Setup

            teknikalcrysis

              I should also note that pfSense (172.16..) resides behind another router (192.168..).

              I can post screenshots of firewall rules if needed.

              Derelict (LAYER 8, Netgate)

                Are you accepting a default route from the VPN service?

                teknikalcrysis

                  I have a rule on my lan_bridge to send all traffic to the TorGuard gateway... When the TorGuard VPN client is enabled, all traffic routes through the VPN service, and when the VPN service has been disabled, traffic routes directly to the WAN as expected...

                  The only other thing I configured for the VPN service was the NAT rules as defined in the guide I posted above.

                  If that's not what you mean, please explain.

                  Derelict (LAYER 8, Netgate)

                    Do you have Don't pull routes checked in your VPN client config?

                      teknikalcrysis

                      No... I have that option unchecked.

                      @derelict said in Dynamic DNS gets cached IP as VPN client IP:

                      Do you have Don't pull routes checked in your VPN client config?

                      [image: 0_1528824804968_vpn1.png]

                        Derelict (LAYER 8, Netgate)

                        Right. That means they are giving you a default route. That likely means your dyndns request is going that way too.

                        If you are policy routing traffic out the VPN by setting gateways on inside interface rules, try checking that box and seeing if dyndns now does the right thing.

                          teknikalcrysis

                          Okay, I have CHECKED that option.

                          [image: 0_1528830136019_fixed ip.png]

                          However, after checking that box, I now have a DNS leak:

                          [image: 0_1528830210281_leak.png]

                          If I leave the box UNCHECKED, this is the DNS test result:

                          [image: 0_1528830703252_No_leak.png]

                            teknikalcrysis

                            Here are some related settings:
                            [image: 0_1528831085547_dns_setup.png]

                            LAN rules related to TorGuard:
                            [image: 0_1528831141206_Lan rules.png]

                              teknikalcrysis

                              Forgot to post the (Unbound) DNS Resolver settings:
                              [image: 0_1528832591911_resolver settings.png]

                                Derelict (LAYER 8, Netgate)

                                Set your VPN clients to use outside DNS servers instead of the DNS resolver on the local firewall.

                                  teknikalcrysis @Derelict

                                  @derelict You'll have to excuse my ignorance, LBVS.
                                  How do I do that?

                                  I thought I was accomplishing that in the General System Settings by providing a DNS server tagged to the TorGuard VPN gateway.

                                    Derelict (LAYER 8, Netgate)

                                    Nope. Set them in the DHCP server most likely, else static on the hosts.

                                    The DHCP server will automatically give hosts the interface address if DNS servers are not specified.

                                      teknikalcrysis

                                      So you're saying I should set up the TorGuard interface as DHCP? I have it set to None at the moment and it just sets a virtual IP.
                                      [image: 0_1528833441467_torguard interface.png]

                                      [image: 0_1528833622836_openvpn.png]

                                        Derelict (LAYER 8, Netgate)

                                        No. It's about what the CLIENTS that are routed over TorGuard are, themselves, configured to use as DNS servers. The DHCP configuration would be on that interface. If you only want to change certain hosts, use DHCP static mappings.

                                          teknikalcrysis

                                          You're talking about here?
                                          [image: 0_1528835117652_here.png]

                                          If I do that, then when the TorGuard service has been disabled/disconnected, won't the PC constantly use those specific DNS servers, rather than only using the TorGuard servers when the service is enabled and defaulting to the Unbound DNS Resolver when TorGuard is disconnected, like it did before the "Do Not Pull Routes" option was checked?

                                            Derelict (LAYER 8, Netgate)

                                            Yup.

                                            You can't have everything.

                                            The most straightforward option I can think of is to run a DNS server off the firewall. That way DNS queries get policy routed like all other traffic.

                                            Some people set the OpenVPN interface as the outgoing interface in DNS Resolver but, when you do that, all DNS can go south when the VPN is not connected.

                                            If you're concerned about DNS leaks, policy route, and choose to use a DNS resolver on the firewall, there are compromises. If you otherwise choose to accept a default route from a VPN provider, there are compromises.

                                            Maybe someone else has a better idea.

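The routing behaviour behind Derelict's two points (a pulled default route carrying the dyndns update over the tunnel, and the firewall's own DNS queries following the system table once "Don't pull routes" is checked), as an added example that is not part of the thread: a toy longest-prefix lookup over a constructed pfSense-style routing table. All addresses, interface names and the two /1 routes an OpenVPN "redirect-gateway def1" push installs are assumptions for illustration.

```python
import ipaddress

# Constructed example, not configuration from the thread. Interface names,
# gateways and addresses are assumptions chosen for illustration only.
WAN_GW, VPN_GW = "192.168.1.1", "10.8.0.1"      # upstream router / tunnel peer
VPN_SERVER = "203.0.113.10"                      # VPN provider endpoint (constructed)
DDNS_SERVER = "198.51.100.5"                     # *.ddns.net update API (constructed)
UPSTREAM_DNS = "192.0.2.53"                      # resolver Unbound forwards to (constructed)

# System routing table without the provider's pushed routes.
BASE_ROUTES = [("0.0.0.0/0", WAN_GW, "wan")]

# What an OpenVPN "redirect-gateway def1" push adds when "Don't pull routes"
# is unchecked: two /1 routes that outrank the /0 default, plus a host route
# so the tunnel itself keeps reaching the VPN server via the WAN.
PULLED_ROUTES = [
    ("0.0.0.0/1", VPN_GW, "ovpnc1"),
    ("128.0.0.0/1", VPN_GW, "ovpnc1"),
    (VPN_SERVER + "/32", WAN_GW, "wan"),
]

def lookup(dst, routes):
    """Longest-prefix match over (prefix, gateway, iface) tuples."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])

def firewall_egress(dst, pull_routes):
    """Interface used by traffic the firewall itself originates (the dyndns
    update, Unbound's upstream queries). Such traffic follows the system
    table; gateways set on LAN firewall rules never apply to it."""
    table = BASE_ROUTES + (PULLED_ROUTES if pull_routes else [])
    return lookup(dst, table)[1]

def scenario(pull_routes):
    """Summarise the trade-off for one setting of 'Don't pull routes'
    (pull_routes=False means the box is checked)."""
    return {
        "ddns_update": firewall_egress(DDNS_SERVER, pull_routes),
        "resolver_queries": firewall_egress(UPSTREAM_DNS, pull_routes),
        "tunnel_to_vpn_server": firewall_egress(VPN_SERVER, pull_routes),
        "policy_routed_lan": "ovpnc1",  # the rule's gateway decides, either way
    }
```

With routes pulled, the dyndns update leaves via ovpnc1 and registers the provider's address; with the box checked it leaves via wan, but so do Unbound's own queries, which is the leak the DNS test showed.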