Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Multiple VPNs; Manual intervention on Restart

    Scheduled Pinned Locked Moved OpenVPN
    3 Posts 1 Posters 613 Views 2 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P Offline
      Philw
      last edited by

      Hi all, so far I think I have everything up and running great, even figuring out how VLANs work on it!

      My problem arrises on a reboot/restart of pfSense, openvpn, and passing traffic.
      I have three OpenVPN tunnels (clients):

      • Static IP
      • DNS IP
      • DNS IP (vpn provider)

      My issue on reboot.
      DNS Setup:

      • My pfSense uses my INTERNAL DNS for resolution
      • My DNS server uses the first VPN as it's gateway

      On reboot, it seems to try to bring up all three VPN connections at the same time. Since the first connection is not up yet (or is up and not passing traffic), the DNS resolver can recurse out, so it fails to provide info back to pf/ovpn service. The openvpn logs show this, as it says something about unable to resolve for those two DNS base vpn connections. It then goes into the increment retries of each. HOWEVER, it seems that something breaks in the routing or NAT of pfsense, as even with that IP based vpn up, NOTHING gets passed out that tunnel.

      I checked the DNS server and indeed, it cannot access the internet.

      If I then log into pfSense and restart the openvpn service both in the gui OR by running in a shell (both work):

      • /usr/local/sbin/pfSsh.php playback svc restart openvpn client 1
      • /usr/local/sbin/pfSsh.php playback svc restart openvpn client 2
      • /usr/local/sbin/pfSsh.php playback svc restart openvpn client 3

      Things seem to unhang or get out of the weird state and all the interfaces come back up. The DNS server is then able to reach it's recursive upstream providers, and all is well.

      After some research, it seems not uncommon an issue and there were some suggestions, such as I tried add the following options to the DNS clients, but had no effect:
      -resolv-retry infinite;
      -auth-retry nointeract;

      Any ideas? Is there a way to delay the starting of the other two dns based VPN clients by a few seconds on startup?

      1 Reply Last reply Reply Quote 0
      • P Offline
        Philw
        last edited by

        I found a temporary work-around until I can figure out how to delay the additional openvpn tunnels to start...

        Reason I like to use my internal DNS server:
        My biggest issue was trying to privatize as much as my DNS queries as possible. I generally run DNS performance checks against public DNS servers as well and my ISP to get the best performance and set those as my upstream servers from my internal DNS setup. I also like running my DNS queries out a VPN tunnel to completely prevent the ISP doing DNS interceptions (of just recording).

        The compromise I found was to try and use DNS over TLS for ONLY the pfsense DNS. This allows me to somewhat obscure my DNS queries to my VPN servers, but also allow pfSense to bring up the tunnel interfaces without going into the weird routing/nat bug by being able to resolve them right away.

        1 Reply Last reply Reply Quote 0
        • P Offline
          Philw
          last edited by

          @protar
          Nope, nothing to do with Android. the pfSense is a OpenVPN client to a few servers. It was indeed a DNS issue then getting stuck in a routing or nat loop. I'm still looking into ways to delay the other vpn connections to start so that I can use my internal DNS server that utilizes the first VPN connection outbound.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.