OpenVPN works but no local DNS



  • Hi,

    I'm running pfSense 2.4.4-RELEASE-p2 with pfBlockerNG-devel 2.2.5_22. I have OpenVPN setup and running and can connect successfully. I can access assets by IPv4 address but can't resolve local host names. I've read countless forum articles and tutorials on OpenVPN, Client, DNS issues but at this point I can't see the trees through the forest. I'm humbly asking for some assistance and or clues as to what I'm missing.

    I'm including some screen captures below. (apologies if it's too many)

    Doug

    OpenVPN Server:

    alt text

    DNS Resolver:

    alt text

    Firewall > Rules > OpenVPN:

    alt text

    Firewall > Rules > WAN:

    alt text

    Firewall > Rules > LAN:

    alt text

    client ipconfig:

    alt text

    client nslookkup:

    alt text

    pfSense packet capture:
    on OpenVPN interface, port 53:

    alt text


  • LAYER 8 Global Moderator

    Out of the box unbound does auto ACLs to allow the local networks of pfsense to query it... If you want your tunnel networks (ie vpn clients) to be able to query unbound running on pfsense then you need to adjust your unbound acls.



  • Hi John,

    Thanks for your quick reply.

    Is this what you are talking about?

    alt text

    Doug


  • LAYER 8 Global Moderator

    yeah that is where you set the acls on who can query unbound.



  • @johnpoz

    Isn't it set by that entry?

    The client is 10.0.8.2 and that is in the ACL.

    Doug


  • LAYER 8 Global Moderator

    yeah that should allow it yes.. So you just created it, or that was there already? Do you have automatic set? Not sure if when you have automatic if it reads what you set?

    autoacls.png

    I have always turned off automatic and done my own acls..

    I looked closer and sure looks like your getting answers in your packet capture..

    Oh your dns on your client is just pointing to loopback??

    broken.png

    That kind of broken... should be pointing to pfsense lan IP for dns would be how I would set it up..



  • @johnpoz

    No I didn't just create it. It's been there probably since I setup OpenVPN.

    I haven't disabled auto-added list.

    From that packet capture I thought so as well but I still can't get host resolution. Why I'm at a loss.

    Doug


  • LAYER 8 Global Moderator

    your client is asking itself for dns... So how would that get sent down the tunnel to unbound on pfsense?



  • @johnpoz

    I thought so as well John. I had that set to my pfSense IP before a recent pfBlockerNG devel release.
    BBcan177 did some "tinkering". I will ping him on this.

    Doug



  • @johnpoz

    I can now get local DNS over OpenVPN but I don't know why. I would like to if anyone can explain.

    In Services > DNS Resolver > General Settings I changed the Network Interfaces from "All" to selecting all the interfaces and saving.

    I've spent a lot of time trying to figure this out and really would like to understand why one setting
    doesn't work but the other does when essentially they are both the same?

    Thanks,

    Doug

    // Edit//

    Here's the forum thread that gave me this fix.

    alt text


  • LAYER 8 Global Moderator

    So your clients are using doing ssl/tls queries? over a VPN? WTF???



  • @johnpoz

    I’m not even sure how to answer that John. I’ll let it go as it seems to have struck a nerve.

    Thanks for your help.



  • @john_galt said in OpenVPN works but no local DNS:

    I've spent a lot of time trying to figure this out and really would like to understand why one setting
    doesn't work but the other does when essentially they are both the same?

    That looks like some sort of glitch to me. There may not be any sense to be made about it other than 'bug'.


  • LAYER 8 Global Moderator

    @john_galt

    Dude why would you do dns over tls over your own vpn? Complete nonsense and extra overhead

    Did you fix your client from pointing to loop back? Dude I use this every day there is no “bug”



  • @KOM

    KOM,

    Someone in the old forum article I referenced mentioned something about committing a fix but that was years ago.

    Like I tried to explain I know enough about networking to get myself into trouble. But I'm willing to learn.

    Thank you for your assistance.

    Doug



  • @johnpoz

    John,

    My name is Doug. It's in my messages. I give you the respect of using your name.

    I did fix the loopback.

    I really don't understand why you are taking this request for help and my stated lack of
    knowledge so personally. I have no idea that I'm doing DNS over TLS over my own VPN.
    All I wanted to do was VPN into my home network from my work location and be able
    to access assets by name.

    If you wish to help I will listen and respect you for it. If you wish to berate then please
    don't help.

    Doug



  • Check your DHCP server to see what it's pushing to clients for DNS.



  • @KOM

    KOM,

    I will check when I get back to work Monday morning.

    It's working now though since I made that change. I don't know why
    and that bothers me. I will continue my research.

    Thank you for your help.


  • LAYER 8 Global Moderator

    If you do not understand what dns over tls is then why would you set it??

    dot.png

    Fixing your issue does not come from just randomly clicking shit..

    Come back when you have your client actually pointing to the IP for dns that is your pfsense box on your vpn connection which was pointed out to you back in the beginning of this thread.

    Do a simple query from your client using your fav dns tool, nslookup, dig, host, etc..

    Does it respond - yes or no?

    You show an answer in your packet capture to your query to 53 - what was that query, what was the answer... download that packet capture in wireshark.

    It's working now though since I made that change

    You changed from ALL to manually selecting "all" that is not a fix that is not even different.. So how would that "fix" anything..



  • @johnpoz

    John I setup pfsense to use Quad9 DNS over TLS earlier this year. I can't find the URL for the instructions I used but will keep looking. In those instructions I was instructed to enable that feature.

    I will come back when I can check over the VPN connection Monday.

    In my initial request for help I posted a screen grab of the packet capture which you said showed the query being answered. I did that query using nslookup and explicitly setting the server to my pfsense IPv4 address. I did not get a name back using this method.

    I will get wireshark and get that data but can't until Monday.

    Thank you for your help.

    Doug



  • Hi,

    This is your tunnel :
    ad526486-5157-46c3-b7d3-84318a0fc19c-image.png
    so make the DNS 10.0.8.1 - change this :
    465e73e3-f8a3-4f26-a051-9e89fffe4d39-image.png

    also, check this :
    6fde7427-0438-4720-b3f1-5e36f10e614a-image.png

    This options seems very important to me. Read the comments.

    IMHO these extra options are not needed :
    fbd962b4-b89c-4235-b812-7082179eefe1-image.png



  • @Gertjan
    @johnpoz
    @KOM

    I've made changes that you've pointed out that I should make which have yielded some success.
    I have two client VPN profiles on the same client computer. One profile gives me local DNS queries and the other profile doesn't. I'm going to spend some time now reading up on what I'm doing rather
    than, as @johnpoz put it "randomly clicking shit". Which was in fact what I was doing.

    I have one question now though. If I make changes to the OpenVPN server and or on the OpenVPN Client Export page does that require exporting a new client config or are those changes pushed to the client on next connect?

    I greatly appreciate your help and patience with me on this problem.

    Doug


  • LAYER 8 Global Moderator

    depends on what changes you made..

    Here I am at work now... And using unbound on pfsense for my dns... So I can resolve stuff on my home network

    Ethernet adapter Local Area Connection 2:
    
       Connection-specific DNS Suffix  . : local.lan
       Description . . . . . . . . . . . : TAP-Windows Adapter V9
       Physical Address. . . . . . . . . : 00-FF-1F-37-23-EC
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.0.8.100(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Tuesday, May 14, 2019 10:01:25 AM
       Lease Expires . . . . . . . . . . : Wednesday, May 13, 2020 10:01:25 AM
       Default Gateway . . . . . . . . . :
       DHCP Server . . . . . . . . . . . : 10.0.8.254
       DNS Servers . . . . . . . . . . . : 192.168.9.253
                                           192.168.9.253
       NetBIOS over Tcpip. . . . . . . . : Enabled
    

    You can see my vpn interface told to use pfsense lan IP for dns

    If I ask for say a box on my local network..

    C:\Windows\System32>nslookup nas.local.lan
    Server:  sg4860.local.lan
    Address:  192.168.9.253
    
    Name:    nas.local.lan
    Address:  192.168.9.10
    

Log in to reply