Multiple VPNs; Manual intervention on Restart

  • Hi all, so far I think I have everything up and running great, even figuring out how VLANs work on it!

    My problem arrises on a reboot/restart of pfSense, openvpn, and passing traffic.
    I have three OpenVPN tunnels (clients):

    • Static IP
    • DNS IP
    • DNS IP (vpn provider)

    My issue on reboot.
    DNS Setup:

    • My pfSense uses my INTERNAL DNS for resolution
    • My DNS server uses the first VPN as it's gateway

    On reboot, it seems to try to bring up all three VPN connections at the same time. Since the first connection is not up yet (or is up and not passing traffic), the DNS resolver can recurse out, so it fails to provide info back to pf/ovpn service. The openvpn logs show this, as it says something about unable to resolve for those two DNS base vpn connections. It then goes into the increment retries of each. HOWEVER, it seems that something breaks in the routing or NAT of pfsense, as even with that IP based vpn up, NOTHING gets passed out that tunnel.

    I checked the DNS server and indeed, it cannot access the internet.

    If I then log into pfSense and restart the openvpn service both in the gui OR by running in a shell (both work):

    • /usr/local/sbin/pfSsh.php playback svc restart openvpn client 1
    • /usr/local/sbin/pfSsh.php playback svc restart openvpn client 2
    • /usr/local/sbin/pfSsh.php playback svc restart openvpn client 3

    Things seem to unhang or get out of the weird state and all the interfaces come back up. The DNS server is then able to reach it's recursive upstream providers, and all is well.

    After some research, it seems not uncommon an issue and there were some suggestions, such as I tried add the following options to the DNS clients, but had no effect:
    -resolv-retry infinite;
    -auth-retry nointeract;

    Any ideas? Is there a way to delay the starting of the other two dns based VPN clients by a few seconds on startup?

  • I found a temporary work-around until I can figure out how to delay the additional openvpn tunnels to start...

    Reason I like to use my internal DNS server:
    My biggest issue was trying to privatize as much as my DNS queries as possible. I generally run DNS performance checks against public DNS servers as well and my ISP to get the best performance and set those as my upstream servers from my internal DNS setup. I also like running my DNS queries out a VPN tunnel to completely prevent the ISP doing DNS interceptions (of just recording).

    The compromise I found was to try and use DNS over TLS for ONLY the pfsense DNS. This allows me to somewhat obscure my DNS queries to my VPN servers, but also allow pfSense to bring up the tunnel interfaces without going into the weird routing/nat bug by being able to resolve them right away.

  • @protar
    Nope, nothing to do with Android. the pfSense is a OpenVPN client to a few servers. It was indeed a DNS issue then getting stuck in a routing or nat loop. I'm still looking into ways to delay the other vpn connections to start so that I can use my internal DNS server that utilizes the first VPN connection outbound.

Log in to reply