Confused about OpenVPN client DNS queries on a MultiWan setup



  • Hi all,

    So, I live in Iran, where - as you might already know - we are faced with severe gov't censorship and geoblocking due to the sanctions. I have three WANs. WAN1 and WAN2 are set as LB and FO. The OpenVPN client interface (PIA) is set on WAN3. I have setup an alias for the openvpn firewall rule that is sitting on top of all other rules. Also, my DNS is configured as forwarding in Resolver mode (due to DNSSEC constraints). All non-blocked VPN client queries are resolved, but apparently those queries don't go through the ovpn gateway. So, for instance amazon.com gets resolved but youtube.com comes back with nx domain error (if memory serves me right). Now, if I configure DNS addresses manually under a client's network config (such as Google's public DNS addresses), then all queries are resolved without any issues. But this defeats the whole purpose of having a firewall level DNS service. Plus some nodes such as Google Home Hub / Amazon Alexa / Harmony Hub cannot be manually configured - to the best of my knowledge.
    Moreover, same issue persists if I change pfSense's DNS resolver (in forwarding mode) to DNS forwarder. However, if I go back to DNS resolver and disable forwarding mode under the resolver, then my clients that use the vpn gateway have no issues resolving queries, except that it takes my non-vpn gateway nodes about 30 seconds to resolve a new address that is not cached. My guess is that non-vpn clients queries have a hard time (lots of packet drops) walking down from root servers to find a resolve.

    How can I fix this issue? How can I have my OpenVPN clients to query only through the VPN gateway?!

    I am using pfSense 2.4.4-1 on a SG-5100 unit that I brought back with me from the US. Furthermore, under general setup I have setup my DNS addresses as Google's Public DNS, QUAD9, and Cloudflare in the order of WAN1, WAN2, WAN3, and OVPN respectively. DNSSEC is enabled. TLS is not.

    Thank you all. Cheers.


  • LAYER 8 Rebel Alliance


Log in to reply