OpenVPN works but no local DNS

  • Hi,

    I'm running pfSense 2.4.4-RELEASE-p2 with pfBlockerNG-devel 2.2.5_22. I have OpenVPN set up and running and can connect successfully. I can access assets by IPv4 address but can't resolve local host names. I've read countless forum articles and tutorials on OpenVPN, client and DNS issues but at this point I can't see the trees through the forest. I'm humbly asking for some assistance and/or clues as to what I'm missing.

    I'm including some screen captures below. (apologies if it's too many)


    OpenVPN Server:

    DNS Resolver:

    Firewall > Rules > OpenVPN:

    Firewall > Rules > WAN:

    Firewall > Rules > LAN:

    client ipconfig:

    client nslookup:

    pfSense packet capture:
    on OpenVPN interface, port 53:

  • LAYER 8 Global Moderator

    Out of the box unbound does auto ACLs to allow the local networks of pfsense to query it... If you want your tunnel networks (i.e. VPN clients) to be able to query unbound running on pfsense then you need to adjust your unbound ACLs.

  • Hi John,

    Thanks for your quick reply.

    Is this what you are talking about?

  • LAYER 8 Global Moderator

    yeah that is where you set the acls on who can query unbound.

  • @johnpoz

    Isn't it set by that entry?

    The client is and that is in the ACL.


  • LAYER 8 Global Moderator

    yeah that should allow it yes.. So you just created it, or that was there already? Do you have automatic set? Not sure if when you have automatic if it reads what you set?


    I have always turned off automatic and done my own acls..

    I looked closer and it sure looks like you're getting answers in your packet capture..

    Oh your dns on your client is just pointing to loopback??


    That's kind of broken... it should be pointing to the pfsense LAN IP for DNS, that would be how I would set it up..

  • @johnpoz

    No, I didn't just create it. It's been there probably since I set up OpenVPN.

    I haven't disabled auto-added list.

    From that packet capture I thought so as well, but I still can't get host resolution. That's why I'm at a loss.


  • LAYER 8 Global Moderator

    your client is asking itself for dns... So how would that get sent down the tunnel to unbound on pfsense?

  • @johnpoz

    I thought so as well John. I had that set to my pfSense IP before a recent pfBlockerNG devel release.
    BBcan177 did some "tinkering". I will ping him on this.


  • @johnpoz

    I can now get local DNS over OpenVPN but I don't know why. I would like to know, if anyone can explain.

    In Services > DNS Resolver > General Settings I changed the Network Interfaces from "All" to selecting all the interfaces and saving.

    I've spent a lot of time trying to figure this out and really would like to understand why one setting doesn't work but the other does when essentially they are both the same?



    // Edit//

    Here's the forum thread that gave me this fix.

  • LAYER 8 Global Moderator

    So your clients are doing ssl/tls queries? over a VPN? WTF???

  • @johnpoz

    I’m not even sure how to answer that John. I’ll let it go as it seems to have struck a nerve.

    Thanks for your help.

  • @john_galt said in OpenVPN works but no local DNS:

    I've spent a lot of time trying to figure this out and really would like to understand why one setting doesn't work but the other does when essentially they are both the same?

    That looks like some sort of glitch to me. There may not be any sense to be made about it other than 'bug'.

  • LAYER 8 Global Moderator


    Dude why would you do dns over tls over your own vpn? Complete nonsense and extra overhead

    Did you fix your client from pointing to loopback? Dude I use this every day, there is no “bug”

  • @KOM


    Someone in the old forum article I referenced mentioned something about committing a fix but that was years ago.

    Like I tried to explain I know enough about networking to get myself into trouble. But I'm willing to learn.

    Thank you for your assistance.


  • @johnpoz


    My name is Doug. It's in my messages. I give you the respect of using your name.

    I did fix the loopback.

    I really don't understand why you are taking this request for help and my stated lack of knowledge so personally. I have no idea that I'm doing DNS over TLS over my own VPN. All I wanted to do was VPN into my home network from my work location and be able to access assets by name.

    If you wish to help I will listen and respect you for it. If you wish to berate then please don't help.


  • Check your DHCP server to see what it's pushing to clients for DNS.

  • @KOM


    I will check when I get back to work Monday morning.

    It's working now though since I made that change. I don't know why and that bothers me. I will continue my research.

    Thank you for your help.

  • LAYER 8 Global Moderator

    If you do not understand what dns over tls is then why would you set it??


    Fixing your issue does not come from just randomly clicking shit..

    Come back when you have your client actually pointing to the IP for dns that is your pfsense box on your vpn connection which was pointed out to you back in the beginning of this thread.

    Do a simple query from your client using your fav dns tool, nslookup, dig, host, etc..

    Does it respond - yes or no?

    You show an answer in your packet capture to your query to 53 - what was that query, what was the answer... download that packet capture and open it in Wireshark.

    It's working now though since I made that change

    You changed from ALL to manually selecting "all"; that is not a fix, that is not even different.. So how would that "fix" anything..

  • @johnpoz

    John I setup pfsense to use Quad9 DNS over TLS earlier this year. I can't find the URL for the instructions I used but will keep looking. In those instructions I was instructed to enable that feature.

    I will come back when I can check over the VPN connection Monday.

    In my initial request for help I posted a screen grab of the packet capture which you said showed the query being answered. I did that query using nslookup and explicitly setting the server to my pfsense IPv4 address. I did not get a name back using this method.

    I will get wireshark and get that data but can't until Monday.

    Thank you for your help.


  • Hi,

    This is your tunnel :
    so make the DNS - change this :

    also, check this :

    This option seems very important to me. Read the comments.

    IMHO these extra options are not needed :

  • @Gertjan

    I've made changes that you've pointed out that I should make which have yielded some success. I have two client VPN profiles on the same client computer. One profile gives me local DNS queries and the other profile doesn't. I'm going to spend some time now reading up on what I'm doing rather than, as @johnpoz put it, "randomly clicking shit". Which was in fact what I was doing.

    I have one question now though. If I make changes to the OpenVPN server and/or on the OpenVPN Client Export page, does that require exporting a new client config or are those changes pushed to the client on next connect?

    I greatly appreciate your help and patience with me on this problem.


  • LAYER 8 Global Moderator

    depends on what changes you made..

    Here I am at work now... And using unbound on pfsense for my dns... So I can resolve stuff on my home network

    Ethernet adapter Local Area Connection 2:
       Connection-specific DNS Suffix  . : local.lan
       Description . . . . . . . . . . . : TAP-Windows Adapter V9
       Physical Address. . . . . . . . . : 00-FF-1F-37-23-EC
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . :
       Subnet Mask . . . . . . . . . . . :
       Lease Obtained. . . . . . . . . . : Tuesday, May 14, 2019 10:01:25 AM
       Lease Expires . . . . . . . . . . : Wednesday, May 13, 2020 10:01:25 AM
       Default Gateway . . . . . . . . . :
       DHCP Server . . . . . . . . . . . :
       DNS Servers . . . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Enabled

    You can see my vpn interface told to use pfsense lan IP for dns

    If I ask for say a box on my local network..

    C:\Windows\System32>nslookup nas.local.lan
    Server:  sg4860.local.lan
    Name:    nas.local.lan

    I know it's an old post but I'm having the very same problem. When OpenVPN is on my phone it does not use the DNS I've set on pfsense. Also it just plain ignores pfblocker-dev

  • @x3rl
    Ipv4 Tunnel Network is set as:
    Dns Server 1 is set as:

    Change the dns server to

    I am doing more complex vpns. Having 2 vpns together to get the most out of the filtering.
    Home Pfsense (Connecting) to Cloud Remote Pfsense (Actual VPN) to DNS Server VPN (Actual VPN through the Cloud VPN)
    Home = Cloud = DNS

    Hope this helps.

    @Mr-Waste did not work pal, pfblocker was not working when setting that dns

  • @x3rl

    Go to Firewall/pfBlockerNG/IP
    IP Interface/Rules Configuration:

    Inbound Firewall Rules:

    Outbound Firewall Rules:
    OpenVpn Server interface

    Make sure you have that interface highlighted. This might be the problem.
    Make sure you have the DNS Resolver on as well. Local DNS Resolver to upstream DNS server, like Cloudflare or Google.



    Make sure everything else is all GREEN/ON or it will not work. - (Resolver)
    pfb_dnsbl is down something isn't right. Like with the first picture. - (The interfaces)

    Mr. Waste

  • My dns is set to I have all the rules and everything is active.

  • Side note :
    @Mr-Waste :



    @Gertjan pfsense does the resolving.

  • @x3rl
    Try resetting everything to the way it was in your screenshot, then change the option "DNS Default Domain" to just "localdomain". Next add the tunnel network ( in your case) to the DNS Resolver access list by going to Services > DNS Resolver > Access Lists and adding a new entry for the tunnel network.

    Hopefully that solves the issue.
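    The ACL point johnpoz raised earlier (unbound's automatic ACLs cover pfsense's local networks, not the tunnel network) and the access-list fix in this post, modelled as an added example that is not from the thread or from pfSense: it mimics unbound's most-specific-match access-control lookup over a constructed ACL set resembling the automatic entries (loopback plus a 192.168.1.0/24 LAN) and shows that a client on a 10.0.8.0/24 tunnel network is refused until an entry for the tunnel network is added. The networks and client addresses are assumptions; on pfSense the equivalent entry is made under Services > DNS Resolver > Access Lists.

```python
# Added example, not from the thread: model unbound "access-control"
# matching to see why a VPN client gets REFUSED when only the automatic
# ACLs exist, and which entry fixes it. All networks here are constructed.
import ipaddress

# Constructed ACL set in unbound.conf form, roughly what the automatic
# ACLs produce: loopback plus the LAN network. No tunnel network.
AUTO_ACLS = """
access-control: 127.0.0.0/8 allow_snoop
access-control: ::1 allow_snoop
access-control: 192.168.1.0/24 allow
"""


def parse_acls(text):
    """Return [(ip_network, action)] from access-control: lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("access-control:"):
            continue
        _, net, action = line.split()
        rules.append((ipaddress.ip_network(net, strict=False), action))
    return rules


def unbound_action(rules, client_ip):
    """unbound applies the most specific matching netblock; unmatched
    clients fall back to refuse."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, action in rules:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else "refuse"


def acl_for_tunnel(tunnel_net):
    """The entry the thread says is missing: allow the OpenVPN tunnel network."""
    return f"access-control: {ipaddress.ip_network(tunnel_net)} allow"


def check(client_ip, tunnel_net, acl_text=AUTO_ACLS):
    """Action for client_ip before and after adding the tunnel ACL."""
    before = unbound_action(parse_acls(acl_text), client_ip)
    after = unbound_action(parse_acls(acl_text + acl_for_tunnel(tunnel_net) + "\n"),
                           client_ip)
    return before, after


if __name__ == "__main__":
    print(check("10.0.8.6", "10.0.8.0/24"))     # ('refuse', 'allow')
    print(check("192.168.1.50", "10.0.8.0/24"))  # ('allow', 'allow')
```

Note that, as the thread also shows, a correct ACL still does nothing if the client's DNS server is its own loopback: the query never reaches unbound to be matched.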


    @Jochim nope, still does not use pihole's adblocker via pfsense DNS.

  • Same here.
    It seems the set DNS Server is only used for the set domain name.
    In my case it's home and everything ending with .home is resolved and available in my OpenVPN split tunnel. But other name resolution seems to happen with some other DNS server (unknown).

