    DNS resolver is unable to query DNS server on the other end of an OpenVPN tunnel

    OpenVPN
    4 Posts 2 Posters 699 Views
    coreybrett:

      I have one pfS box with an internal network of 10.0.0.0/16.

      I have another pfS box with an internal network of 10.81.1.0/24.

      I have an OpenVPN tunnel running between the two and Allow All firewall rules on both ends.

      I am able to ping between hosts on both networks.

      However, the DNS Resolver on the pfS box in the 10.81.1.0/24 network cannot communicate with a DNS server in the 10.0.0.0/16 network. It can, however, communicate with the Resolver on the other pfS box.

      I get similar behavior when pinging from the pfS box. I can ping the LAN interface address on the other network, but not other nodes when I leave the Interface selector on the “Automatic” option.

      In other words, it seems like processes on the firewall itself can't communicate over the tunnel (except that they can communicate with processes running on the other firewall).

    jimp (Rebel Alliance Developer, Netgate):

        The firewall itself will source its queries from the OpenVPN tunnel network IP address, not from an IP address in the LAN on its side. So you need to take that into account when crafting firewall rules, DNS server ACLs, and so on.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

    coreybrett:

          Thank you! The light bulb above my head just turned on, as that perfectly explains the behavior I am seeing. Is there a workaround? So pfS on the other side can communicate back because it has routes for the tunnel network, but the DNS server on the other side can't because it doesn't have routes for the tunnel network? (The DNS server uses another router as its default gateway.)

    jimp (Rebel Alliance Developer, Netgate):

            You could do some outbound NAT on the OpenVPN connection to nudge that, but you're better off letting it route naturally if you can. Maybe add a route to the DNS server's gateway nudging that traffic back toward pfSense.

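The two replies above describe an asymmetric-routing problem and two ways out of it. The following is an added example, not code from the thread or from pfSense: a small Python model of both sites' routing tables that walks a DNS query and its reply hop by hop. Everything beyond the two LAN prefixes in the thread is assumed for illustration: the tunnel network 172.16.100.0/24 (chosen so it does not overlap 10.0.0.0/16), pfSense A at 10.0.0.1 / 172.16.100.1, pfSense B at 10.81.1.1 / 172.16.100.2, a DNS server at 10.0.5.53 whose default gateway is a separate router at 10.0.0.254, and a LAN host at 10.81.1.50. The "other" gateway is assumed to already route 10.81.1.0/24 via pfSense A, since the poster says hosts on both LANs can ping each other, but to have no route for the tunnel network. jimp's NAT suggestion is modelled as a manual outbound NAT rule on pfSense B's OpenVPN interface that rewrites the firewall's own tunnel-sourced traffic to its LAN address; the thread does not say where such a rule would be placed, so that is one reading of it.

```python
"""Model of the asymmetric-routing problem discussed in the thread (added example).

Assumed topology (only the two LAN prefixes come from the thread):
  site A: LAN 10.0.0.0/16, pfSense-A 10.0.0.1 / tunnel 172.16.100.1,
          DNS server 10.0.5.53 with default gateway other-gw 10.0.0.254
  site B: LAN 10.81.1.0/24, pfSense-B 10.81.1.1 / tunnel 172.16.100.2, host-b 10.81.1.50
  OpenVPN tunnel network 172.16.100.0/24
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface, ip_network

LAN_A = ip_network("10.0.0.0/16")
LAN_B = ip_network("10.81.1.0/24")
TUN = ip_network("172.16.100.0/24")          # assumed tunnel network
DEFAULT = ip_network("0.0.0.0/0")
PFS_A_LAN = ip_address("10.0.0.1")            # assumed
DNS_IP = ip_address("10.0.5.53")              # assumed


@dataclass
class Node:
    name: str
    ifaces: list                               # IPv4Interface per interface
    routes: dict                               # IPv4Network -> next hop, or None if directly connected
    snat: list = field(default_factory=list)   # outbound NAT rules: (src net, egress net, new src)

    def owns(self, ip):
        return any(i.ip == ip for i in self.ifaces)

    def lookup(self, dst):
        """Longest-prefix match; returns (network, next_hop) or None when there is no route."""
        hits = [(n, nh) for n, nh in self.routes.items() if dst in n]
        return max(hits, key=lambda h: h[0].prefixlen) if hits else None

    def source_for(self, dst):
        """Locally generated traffic is sourced from the egress interface's address (jimp's point)."""
        hit = self.lookup(dst)
        if hit is None:
            raise ValueError(f"{self.name} has no route to {dst}")
        net, nh = hit
        egress = nh if nh is not None else dst
        return next(i.ip for i in self.ifaces if egress in i.network)


def send(nodes, origin, src, dst, max_hops=8):
    """Forward one packet hop by hop. Returns (delivering node name or None, final src, trace)."""
    node, trace = origin, [origin.name]
    for _ in range(max_hops):
        if node.owns(dst):
            return node.name, src, trace
        hit = node.lookup(dst)
        if hit is None:
            return None, src, trace + [f"no route to {dst} at {node.name}"]
        net, nh = hit
        nxt = nh if nh is not None else dst
        for src_net, egress_net, new_src in node.snat:   # outbound NAT rewrites the source on egress
            if src in src_net and nxt in egress_net:
                src = new_src
        node = next((n for n in nodes if n.owns(nxt)), None)
        if node is None:
            return None, src, trace + [f"{nxt} unreachable"]
        trace.append(node.name)
    return None, src, trace + ["hop limit exceeded"]


def dns_exchange(nodes, client, server_ip):
    """Query client -> server, then the server's reply to whatever source it saw.
    Returns (query_delivered, reply_delivered, reply_trace)."""
    server = next(n for n in nodes if n.owns(server_ip))
    got, seen_src, _ = send(nodes, client, client.source_for(server_ip), server_ip)
    if got is None:
        return False, False, "query dropped"
    back, _, trace = send(nodes, server, server_ip, seen_src)
    return True, back == client.name, " > ".join(trace)


def build(extra_route_on_gw=False, nat_on_b=False):
    """Constructed topology; the two knobs are the two fixes jimp mentions."""
    pfs_a = Node("pfSense-A", [ip_interface("10.0.0.1/16"), ip_interface("172.16.100.1/24")],
                 {LAN_A: None, TUN: None, LAN_B: ip_address("172.16.100.2")})
    pfs_b = Node("pfSense-B", [ip_interface("10.81.1.1/24"), ip_interface("172.16.100.2/24")],
                 {LAN_B: None, TUN: None, LAN_A: ip_address("172.16.100.1")},
                 snat=[(TUN, TUN, ip_address("10.81.1.1"))] if nat_on_b else [])
    other_gw = Node("other-gw", [ip_interface("10.0.0.254/16")],
                    {LAN_A: None, LAN_B: PFS_A_LAN})          # knows LAN_B, knows nothing about TUN
    if extra_route_on_gw:
        other_gw.routes[TUN] = PFS_A_LAN                      # "nudge that traffic back toward pfSense"
    dns = Node("dns", [ip_interface("10.0.5.53/16")], {LAN_A: None, DEFAULT: ip_address("10.0.0.254")})
    host_b = Node("host-b", [ip_interface("10.81.1.50/24")], {LAN_B: None, DEFAULT: ip_address("10.81.1.1")})
    return [pfs_a, pfs_b, other_gw, dns, host_b]


def scenarios():
    """{scenario: (query_delivered, reply_delivered, reply_trace)} for the cases the thread describes."""
    out = {}
    for label, kw in [("baseline", {}), ("route-on-dns-gateway", {"extra_route_on_gw": True}),
                      ("nat-on-pfsense-b", {"nat_on_b": True})]:
        nodes = build(**kw)
        by = {n.name: n for n in nodes}
        out[f"{label}/firewall-to-dns"] = dns_exchange(nodes, by["pfSense-B"], DNS_IP)
        out[f"{label}/firewall-to-other-firewall"] = dns_exchange(nodes, by["pfSense-B"], PFS_A_LAN)
        out[f"{label}/lan-host-to-dns"] = dns_exchange(nodes, by["host-b"], DNS_IP)
    return out


if __name__ == "__main__":
    for name, (q_ok, r_ok, trace) in scenarios().items():
        print(f"{name:45} query={q_ok!s:5} reply={r_ok!s:5}  {trace}")
```

In the baseline the query from pfSense B reaches the DNS server (sourced from 172.16.100.2, exactly as jimp describes), the reply follows the server's default route to the other gateway and dies there for lack of a route to the tunnel network, while the same firewall talking to pfSense A's resolver and a LAN host talking to the DNS server both complete. Either adding the tunnel route on the DNS server's gateway or translating the firewall's tunnel source to its LAN address makes the reply path work; the model also shows why a DNS server ACL or firewall rule that only lists 10.81.1.0/24 would still reject the firewall's own queries in the routed case, since the source the server sees is the tunnel address.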
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.