Problem with DNS resolution
-
Hi,
I have a problem with a host-to-site setup: the VPN is working properly, but the remote client cannot do DNS resolution.
After the remote client (Windows 10) is connected to the VPN, if I try to access a website from a web browser, this fails.
If I use the IP address (and not the domain name) it works.
In the configuration, in "Advanced Client Settings" in DNS Domain I indicated 8.8.8.8
Do I need to configure any other parameters?
Thanks.
-
Did you check the DNS Server enable checkbox?
-
Yes.
-
I had to ask. You didn't explicitly say, and I never assume the obvious. I have a similar config and it works for me. If the client runs:
ipconfig /all
what is showing for DNS servers?
-
Hi,
The DNS shown is:
8.8.8.8
I attach a picture.
Thanks.
-
OK, so it seems to be aware of DNS available to it. Can you ping 8.8.8.8? What happens when you run this on the client:
nslookup www.microsoft.com
-
The ping is OK; the result of the DNS resolution is attached.
Thanks.
-
Well, there is your problem. Can you ping 8.8.8.8?
-
Yes, ping to 8.8.8.8 is OK.
Thanks.
-
OK, so what happens when you run:
nslookup www.microsoft.com 8.8.8.8
As I recall, on the OpenVPN page there were some mitigation options for Windows 10 clients. Have you tried checking Force DNS cache update under Advanced Client Settings?
-
The result is attached.
Yes, Force DNS cache update is already selected.
Thanks.
-
Show me a screenshot of your firewall rules for the OpenVPN interface. I suspect you're not allowing UDP traffic or something like that.
-
Hi,
Attached are the required rules.
Thanks.
-
Set the protocol to Any and try again.
-
Hi,
Unfortunately, even with Any, DNS resolution fails.
Thanks.
-
Very strange. Does your firewall log show any relevant blocks while you're testing?
-
Hi,
No, I don't see any deny in the logs.
Thanks.
-
Yo @johnpoz Johnny joe ray bob, any thoughts?
-
We need more details on the setup. For clarity, is "host-to-site" referring to a remote access, road warrior setup? If so, post the server1.conf (/var/etc/openvpn).
We'll know more once we see the config, but is all traffic forced thru the tunnel?
-
Hi, server1.conf is attached.
The address:
192.168.1.1
is the address of the router / DNS referenced by the remote client that connects to my OpenVPN server.
The pfSense version is 2.3.2; do I need to update it?
Thanks.
server1.txt