OpenDNS over OpenVPN



  • Hi all. I have successfully set up multiple OpenVPN clients, and created a gateway group, as detailed in this post:
    http://www.techhelpguides.com/2017/06/12/ultimate-pfsense-openvpn-guide/amp/
    I am using VPN.ac, and used the pfSense guide on their website to set up the first client and get it working.
    I have a LAN (10.10.10.x), a DMZ VLAN (10.10.20.x), a kids VLAN (10.10.30.x) and a guest VLAN (10.10.40.x).
    DMZ is routed over WAN as normal. LAN, kids, and guest are all routed over the multi-vpn client gateway. LAN and guest work fine.
    My issue is with the kids VLAN, which I also want to use OpenDNS exclusively.
    This was achieved by allowing the kids network to reach the OpenDNS addresses on port 53, and blocking all others. I also had a NAT rule to re-route any alternate DNS servers to OpenDNS, which worked a treat.
    Previously this was working when everything was routed over the WAN. However, now I have no connectivity on the kids VLAN.
    The only major change I can think of, is moving from the DNS resolver (now off) to the DNS forwarder (now on).
    I have created a new NAT rule that points the DNS re-route to the VPN client gateway group instead of the WAN, but still have no internet.
    I'm on mobile at the moment, but if screenshots of any rules, etc., are required, I will try to upload them later from my laptop.

    Thanks all,
    Tom.



  • Hi,

    Forcing all or some LAN-based traffic over a VPN client (VPN as a WAN) has to be tested first.
    That has to work fine.
    After that, include OpenDNS - and remember: you'll be contacting OpenDNS using the new WAN IP, the IP from your VPN supplier. OpenDNS needs to know that that is YOUR IP. So connect to the user space of OpenDNS, and add that IP. Keep in mind that that IP might change every time your VPN connection goes up and down. That's up to your OpenVPN supplier.



  • Gertjan, thanks!

    Ah crap, I completely forgot you need to add your IP to OpenDNS. Honestly I don't know how I have kept the same IP from my ISP for so long, but apparently it's still the same as it was over a year ago!
    So now I have a problem - I can only add 2 IPs to my OpenDNS account without paying, and I need 5! It also appears my VPN provider uses dynamic IPs at their servers (to be expected, I suppose), but each time I drop a connection it comes back with a different IP.

    So... does anyone have any idea where I can go from here? I want the VPN for security, and multiples to make full use of my connection. But I also need a way to keep the kids away from nasty websites. Any ideas would be appreciated!
    Cheers,
    Tom.



  • P.S.
    "Forcing all or some LAN-based traffic over a VPN client (VPN as a WAN) has to be tested first.
    That has to work fine."

    It does - the guest network and LAN are running on this setup fine. Going to https://www.iplocation.net/find-ip-address and hitting refresh has me jumping all over Europe, except my actual location.



  • You should know that OpenDNS supports "dyndns", so that your current IP - the one the VPN is supplying you - can be updated as soon as your WAN IP changes.



  • Hi, thanks again.
    Yes, I remembered about dynamic DNS - I have moved the kids network to use just one VPN tunnel for now, instead of going over the group, and added a dynamic DNS entry pointing at OpenDNS, which is updating just fine when I stop and restart the link to the VPN server in question, so that much is sorted.

    Now, whenever I disable all the firewall rules on the kids network pertaining to port 53 and DNS overrides, the network works fine and has full internet access. However, when I add any rules, even one that passes port 53 to my OpenDNS alias (IPs 208.67.222.222 and 208.67.220.220), the internet connection goes down.
    Adding the NAT re-route and the rule to block !OpenDNS does nothing to help this.
    Does anyone have any ideas?

    Thanks
    Tom.

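The kids-VLAN DNS policy described in the post above (pass port 53 only to the OpenDNS alias, redirect every other DNS destination to OpenDNS, block whatever is left) written out as raw pf rules, as an added illustration that is not from the thread and not pfSense's own generated ruleset. The interface name vlan30 is an assumption, and the policy routing over the VPN gateway group (route-to) is left out; pfSense builds its rules from the GUI, so only the logic carries over.

```pf
# Added illustration only: pfSense generates its own pf rules from GUI entries,
# so the text below shows the logic, not what the GUI produces verbatim.
# Assumed: vlan30 is the kids VLAN interface (10.10.30.0/24, from the thread).
table <opendns> { 208.67.222.222, 208.67.220.220 }   # OpenDNS alias from the thread
kids = "10.10.30.0/24"

# NAT: pf evaluates rdr before the filter rules, so a kids client that has a
# different resolver configured (or hard-coded in an app) gets its query
# rewritten to OpenDNS before any pass/block rule looks at it.
# Caveat: rdr matches on arrival, so queries sent to the firewall's own
# address on this VLAN are rewritten as well, not only queries to outside hosts.
rdr on vlan30 inet proto { tcp, udp } from $kids to ! <opendns> port 53 \
    -> 208.67.222.222 port 53

# Filter (pfSense GUI rules are first-match, i.e. "quick"):
# 1. DNS to OpenDNS is allowed. Because of the rdr above, port-53 traffic
#    reaches this point with an OpenDNS destination already, so rule 2 only
#    ever catches traffic the rdr did not touch.
pass in quick on vlan30 inet proto { tcp, udp } from $kids to <opendns> port 53 keep state
# 2. Any other DNS destination is dropped and logged for review.
block in log quick on vlan30 inet proto { tcp, udp } from $kids to any port 53
# 3. Everything else from the kids VLAN is allowed (policy routing to the
#    VPN gateway group would be attached here in the real setup).
pass in quick on vlan30 inet from $kids to any keep state
```

A quick check from a kids-VLAN host is to query a resolver other than OpenDNS explicitly and confirm the answer still comes back from OpenDNS (the rdr is working) and that the block-rule log stays quiet for normal browsing.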


  • @tomhbp said in OpenDNS over OpenVPN:

    The internet connection goes down.

    What is the exact definition here?
    Connection totally down, or just DNS traffic?

    Anyway, it's time to unhide your setup and rules.

