DNS resolver is unable to query DNS server on the other end of an OpenVPN tunnel



  • I have one pfS box with an internal network of 10.0.0.0/16.

    I have another pfS box with an internal network of 10.81.1.0/24.

    I have an OpenVPN tunnel running between the two and Allow All firewall rules on both ends.

    I am able to ping between hosts on both networks.

    However the DNS Resolver on the pfS box in the 10.81.1.0/24 network cannot communicate with a DNS server in the 10.0.0.0/16 network. It can, however, communicate with the Resolver on the other pfS box.

    I get similar behavior when pinging from the pfS box. I can ping the LAN interface address on the other network, but not other nodes when I leave the Interface selector on the “Automatic” option.

    In other words, it seems like processes on the firewall itself can’t communicate over the tunnel. (except that they can communicate with processes running on the other firewall.)


  • Rebel Alliance Developer Netgate

    The firewall itself will source its queries from the OpenVPN tunnel network IP address, not from an IP address in the LAN on its side. So you need to take that into account when crafting firewall rules, DNS server ACLs, and so on.



  • Thank you! The light bulb above my head just turned on, as that perfectly explains the behavior I am seeing. Is there a workaround? So pfS on the other side can communicate back because it has routes for the tunnel network, but the DNS server on the other side can't because it doesn't have routes for the tunnel network? (The DNS server uses another router as its default gateway.)


  • Rebel Alliance Developer Netgate

    You could do some outbound NAT on the OpenVPN connection to nudge that, but you're better off letting it route naturally if you can. Maybe add a route to the DNS server's gateway nudging that traffic back toward pfSense.
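The two points made in this thread (the firewall sources its own queries from the tunnel address, and the far side's other router has no route back to that address) can be checked with a small routing model. The Python below is an added example, not code from this thread or from pfSense. Every address in it is an assumption chosen to match the topology described above: the OpenVPN tunnel network is taken as 10.8.0.0/24 (10.8.0.1 on the 10.0.0.0/16 side, 10.8.0.2 on the 10.81.1.0/24 side), the DNS server as 10.0.0.53, its default gateway (the "other router") as 10.0.0.254, and the two pfSense LAN addresses as 10.0.0.1 and 10.81.1.1. It traces where the DNS server's reply goes for each candidate source address, with and without the route fix the developer suggested, and with the source NATed to the far pfSense LAN address as the alternative.

```python
"""Model of the DNS-over-OpenVPN return-path problem from the thread.

Constructed example topology (all addresses are assumptions, not from the thread):
  pfsense-a   LAN 10.81.1.1/24, tunnel 10.8.0.2     (the box whose Resolver fails)
  pfsense-b   LAN 10.0.0.1/16,  tunnel 10.8.0.1
  dns-server  10.0.0.53, default gateway 10.0.0.254  (not pfsense-b)
  lan-gateway 10.0.0.254, knows 10.81.1.0/24 via pfsense-b but NOT the tunnel net
  host-a      10.81.1.20, an ordinary LAN host behind pfsense-a
"""
from ipaddress import ip_address, ip_network

# (prefix, next hop); next hop None means directly connected.
DEVICES = {
    "pfsense-a": {
        "addrs": ("10.81.1.1", "10.8.0.2"),
        "routes": [("10.81.1.0/24", None), ("10.8.0.0/24", None),
                   ("10.0.0.0/16", "10.8.0.1")],
    },
    "pfsense-b": {
        "addrs": ("10.0.0.1", "10.8.0.1"),
        "routes": [("10.0.0.0/16", None), ("10.8.0.0/24", None),
                   ("10.81.1.0/24", "10.8.0.2"), ("0.0.0.0/0", "203.0.113.1")],
    },
    "dns-server": {
        "addrs": ("10.0.0.53",),
        "routes": [("10.0.0.0/16", None), ("0.0.0.0/0", "10.0.0.254")],
    },
    "lan-gateway": {  # the "other router" the DNS server uses as default gateway
        "addrs": ("10.0.0.254",),
        "routes": [("10.0.0.0/16", None), ("10.81.1.0/24", "10.0.0.1"),
                   ("0.0.0.0/0", "203.0.113.1")],  # 203.0.113.1 = assumed ISP hop
    },
    "host-a": {
        "addrs": ("10.81.1.20",),
        "routes": [("10.81.1.0/24", None), ("0.0.0.0/0", "10.81.1.1")],
    },
}


def next_hop(routes, dst):
    """Longest-prefix match; returns the next hop (None = connected) or raises if no route."""
    dst_ip = ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def owner(addr):
    """Which modelled device holds this address, or None if it is outside the model."""
    for name, dev in DEVICES.items():
        if addr in dev["addrs"]:
            return name
    return None


def source_address(device, dst):
    """Address a host picks for its own traffic: the one on the egress interface.
    This is the developer's point: pfsense-a talking to 10.0.0.53 egresses via the
    tunnel, so it sources from its tunnel IP, not its LAN IP."""
    routes = DEVICES[device]["routes"]
    hop = next_hop(routes, dst)
    target = ip_address(dst if hop is None else hop)
    for addr in DEVICES[device]["addrs"]:
        for prefix, h in routes:
            if h is None and ip_address(addr) in ip_network(prefix) and target in ip_network(prefix):
                return addr
    return None


def trace_reply(dst, extra_gateway_routes=()):
    """Follow the DNS server's reply toward dst hop by hop. Returns the device names
    visited; ends with 'upstream' if the reply is sent to the ISP hop instead of back
    over the tunnel. extra_gateway_routes simulates adding a static route on 10.0.0.254."""
    gateway_routes = list(DEVICES["lan-gateway"]["routes"]) + list(extra_gateway_routes)
    device, path = "dns-server", ["dns-server"]
    for _ in range(len(DEVICES) + 1):  # bound the walk so a routing loop cannot hang us
        routes = gateway_routes if device == "lan-gateway" else DEVICES[device]["routes"]
        hop = next_hop(routes, dst)
        nxt = owner(dst if hop is None else hop)
        if nxt is None:
            path.append("unreachable" if hop is None else "upstream")
            return path
        path.append(nxt)
        if dst in DEVICES[nxt]["addrs"]:
            return path
        device = nxt
    raise RuntimeError("routing loop")


if __name__ == "__main__":
    src = source_address("pfsense-a", "10.0.0.53")
    print("pfsense-a queries 10.0.0.53 from", src)           # tunnel IP 10.8.0.2
    print("reply to tunnel IP   :", trace_reply(src))        # leaks to 'upstream'
    print("reply to LAN host    :", trace_reply("10.81.1.20"))
    print("with route on gateway:", trace_reply(src, [("10.8.0.0/24", "10.0.0.1")]))
    print("source NATed to 10.0.0.1:", trace_reply("10.0.0.1"))
```

The first trace shows the failure exactly as described in the thread: the query leaves pfsense-a sourced from 10.8.0.2, the DNS server hands the reply to 10.0.0.254, and that router has no route for the tunnel network, so the reply goes to its default route and never returns. The reply to an ordinary LAN host (10.81.1.20) succeeds because the gateway does know 10.81.1.0/24, which matches the observation that host-to-host pings work. The last two traces are the two workarounds from the reply above: a static route for the tunnel network on the DNS server's gateway pointing at pfsense-b, or NATing the query so its source falls inside 10.0.0.0/16 (modelled here as the pfsense-b LAN address). The route is the cleaner fix because it keeps the real source address visible to the DNS server's ACLs and logs.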