OVPN client setup problem- big unexplained DNS traffic



Hi Everybody,
I've been testing how OVPN will work with my setup on a pfSense router.
I followed the setup from the PureVPN site (the provider I'm currently using), plus Strong VPN and this site.
In short, I created an OVPN client, entered the CA and certificate, and set all required fields. The other problem with PureVPN: their site shows instructions that are actually for pfSense 2.3.5 but are posted as v.2.4.2 (misleading).
Never mind, I've been using their VPN occasionally on Win/Linux PCs with a mostly positive experience.
One of the goals was to make OVPN available for any LAN client, as I assign a Host IP Alias for LAN firewall rules directing to the dedicated gateway created for the VPN, with dynamic settings. I am also using an additional floating rule/tag for NO_WAN_EGRESS and NO_VPN_EGRESS.
Everything was OK, there were no DNS leaks, and it worked for some time for basic internet browsing. However, after attempting to download a large file of 1-2G (a software package), VPN traffic stopped, then I lost the WAN connection, then I started to see big IN/OUT DNS traffic to about 200 DNS/root servers. Snort rejected most of them with the following messages/SIDs:
-Attempted User Privilege Gain
PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt SID 3:19187
-Attempted Information Leak
PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid SID 3:19187
In order to restore my WAN connection I had to delete the OVPN client and gateway, suspend the LAN OVPN gateway rules and the manual outbound NAT rules to the VPN gateway, and restart the router.
I got my WAN connection back but still saw a lot of DNS requests IN/OUT of the router that were not initiated by any of my LAN devices. It was the firewall itself. In order to stop those, I had to revert some settings to their original values, such as:
System/General Setup/DNS Server settings: DNS Server Override (v) checked
Services/General Settings/DNS Query Forwarding: Enable Forwarding mode (v) checked
Can you please enlighten me as to what went wrong or what I am missing?
Has the firewall somehow been compromised?

Edit. The only idea I've got from other posts: maybe it won't work without sub-LAN separation, because it looks like I have to disable the DNS Resolver for those VPN hosts, and it looks like that is impossible for IPs on the same LAN where other clients use the WAN gateway. But it may be only part of the problem.... or not a problem at all.
Thanks
