Netgate Discussion Forum
    Confused about OpenVPN client DNS queries on a MultiWan setup

    OpenVPN

      aah57
      last edited by aah57

      Hi all,

      So, I live in Iran, where - as you might already know - we are faced with severe gov't censorship and geoblocking due to the sanctions. I have three WANs. WAN1 and WAN2 are set as LB and FO. The OpenVPN client interface (PIA) is set on WAN3. I have set up an alias for the OpenVPN firewall rule that is sitting on top of all other rules. Also, my DNS is configured as forwarding in Resolver mode (due to DNSSEC constraints). All non-blocked VPN client queries are resolved, but apparently those queries don't go through the OVPN gateway. So, for instance, amazon.com gets resolved but youtube.com comes back with an NXDOMAIN error (if memory serves me right). Now, if I configure DNS addresses manually under a client's network config (such as Google's public DNS addresses), then all queries are resolved without any issues. But this defeats the whole purpose of having a firewall-level DNS service. Plus some nodes such as Google Home Hub / Amazon Alexa / Harmony Hub cannot be manually configured - to the best of my knowledge.
      Moreover, the same issue persists if I change pfSense's DNS Resolver (in forwarding mode) to DNS Forwarder. However, if I go back to DNS Resolver and disable forwarding mode under the Resolver, then my clients that use the VPN gateway have no issues resolving queries, except that it takes my non-VPN gateway nodes about 30 seconds to resolve a new address that is not cached. My guess is that non-VPN clients' queries have a hard time (lots of packet drops) walking down from the root servers to get a resolution.

      How can I fix this issue? How can I have my OpenVPN clients query only through the VPN gateway?!

      I am using pfSense 2.4.4-1 on an SG-5100 unit that I brought back with me from the US. Furthermore, under General Setup I have set up my DNS addresses as Google's Public DNS, Quad9, and Cloudflare in the order of WAN1, WAN2, WAN3, and OVPN respectively. DNSSEC is enabled. TLS is not.

      Thank you all. Cheers.

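An unbound.conf fragment, added here as an illustration (not the poster's configuration or Netgate's own), showing the two resolver settings that decide which link forwarded queries leave on: the forward-zone that forwarding mode generates from the General Setup servers, and outgoing-interface, which pins the source address of upstream queries. The LAN and tunnel addresses are placeholders; in pfSense the outgoing-interface line corresponds to the "Outgoing Network Interfaces" selection under Services > DNS Resolver.

```conf
# Added illustration, not code from the post or from Netgate.
# Addresses are constructed placeholders.
server:
    # Listen for client queries on the LAN side only.
    interface: 192.168.1.1

    # Weak form (setting absent): with no outgoing-interface, unbound
    # sources its upstream queries from whatever address the default
    # route picks, i.e. the load-balanced WAN1/WAN2 group. Forwarded
    # lookups then traverse the filtered links, which matches the
    # symptom in the post (amazon.com resolves, youtube.com returns
    # NXDOMAIN) while queries from the VPN-routed LAN clients do not.
    #
    # Corrected form: pin upstream queries to the OpenVPN client's
    # tunnel address (placeholder 10.8.0.2) so every forwarded query
    # leaves through the VPN regardless of which client asked.
    outgoing-interface: 10.8.0.2

# Forwarding mode: hand all zones to the upstreams named in the post
# instead of walking down from the root servers.
forward-zone:
    name: "."
    forward-addr: 1.1.1.1
    forward-addr: 9.9.9.9
    forward-addr: 8.8.8.8
```

outgoing-interface only fixes the source address; the host route to each forward-addr must also point at the OpenVPN gateway (the per-server gateway column under System > General Setup installs those static routes), and once pinned this way resolution fails closed rather than leaking to WAN1/WAN2 when the tunnel is down.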
        Rico

        https://www.netgate.com/resources/videos/openvpn-as-a-wan-on-pfsense.html

        -Rico
