Openvpn server and DNS over TLS

  • On my pfSense router I have the DNS Resolver set up in forwarding mode to forward TLS requests to Cloudflare. Works well... all DNS traffic is over port 853 and all encrypted. I can use to verify DoT is working.

    I have recently set up an OpenVPN server on the same pfSense box and it too is working well. I recently set up the OpenVPN Connect app on an iPhone and, when using OpenVPN, to my surprise I saw that the iPhone, connected with Verizon, was using Google as the DNS resolver even though Google services are not used on the iPhone or mentioned anywhere on the pfSense router. Maybe that is hard coded in the OpenVPN Connect app. So I configured the OpenVPN server instance with the GUI to push Cloudflare's address for DNS to the VPN clients and this was successful; client DNS requests are going to Cloudflare, EXCEPT the DNS requests are not being encrypted... I can verify this with the Cloudflare test... they must be being sent directly by the iPhone.

    Is there any way to have the OpenVPN clients use the pfSense router's DNS Resolver to do the DNS requests so the client DNS requests remain TLS encrypted?

    Using the latest version of pfSense, 2.4.4-p3.


  • I actually found instructions from Netgate on how to do this from one of their web presentations.

    Under Firewall, NAT, add a port forward rule:

    Interface: OpenVPN
    Protocol: TCP/UDP
    Destination: Invert Match checked, This Firewall (self)
    Destination Port Range: DNS (will be port 53)
    Redirect Target IP:
    Redirect Target Port: DNS (will be port 53)

    This worked perfectly for me and all OpenVPN DNS requests are now encrypted with DoT. I actually duplicated this rule for all my interfaces/networks in case users try to use their own DNS servers over port 53; they will now be encrypted and sent over port 853 to Cloudflare.
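The subtle part of the rule above is the "Invert Match" on the destination: the port forward fires for every port-53 destination except the firewall itself, so queries already aimed at the resolver pass through untouched while everything else is rewritten to it. The following is an added Python model of that matching logic (it is not code from the post or from Netgate, and pfSense itself does nothing with it) that evaluates the rule against a few constructed client flows. The addresses in `THIS_FIREWALL`, the redirect target `10.8.0.1` (the post leaves "Redirect Target IP" blank) and the duplicated `LAN_RULE` are all assumptions. It also shows the one case the rule does not cover: a client that speaks DoT to a third party on port 853 is never redirected, because the rule only looks at port 53.

```python
from dataclasses import dataclass, replace

# Addresses pfSense treats as "This Firewall (self)": every address assigned to
# the box. Constructed sample values, not taken from the original post.
THIS_FIREWALL = frozenset({"192.168.1.1", "10.8.0.1", "127.0.0.1"})


@dataclass(frozen=True)
class Flow:
    """One client packet as the firewall sees it on ingress."""
    iface: str   # interface the packet arrives on ("OpenVPN", "LAN", ...)
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class RedirectRule:
    """A pfSense NAT port forward reduced to the fields the post sets."""
    iface: str
    dport: int
    target_ip: str
    target_port: int
    protos: tuple = ("tcp", "udp")
    invert_dst: bool = True   # "Destination: Invert Match, This Firewall (self)"

    def matches(self, flow: Flow) -> bool:
        if flow.iface != self.iface or flow.proto not in self.protos:
            return False
        if flow.dport != self.dport:
            return False
        dst_is_self = flow.dst in THIS_FIREWALL
        # Invert Match: the rule fires for every destination EXCEPT the firewall
        # itself, so queries already aimed at the resolver pass through unchanged.
        return not dst_is_self if self.invert_dst else dst_is_self


def apply_rules(flow: Flow, rules) -> Flow:
    """First matching redirect rule wins; rewrite destination IP and port."""
    for rule in rules:
        if rule.matches(flow):
            return replace(flow, dst=rule.target_ip, dport=rule.target_port)
    return flow


def classify(flow: Flow, rules) -> str:
    """Where does a DNS-looking flow end up once the redirect has been applied?"""
    final = apply_rules(flow, rules)
    if final.dport == 53 and final.dst in THIS_FIREWALL:
        return "resolver"          # answered by the pfSense resolver, forwarded upstream over DoT
    if final.dport == 53:
        return "plaintext-bypass"  # leaves the firewall unencrypted on port 53
    if final.dport == 853:
        return "dot-direct"        # client does its own DoT; a port-53 rule never touches it
    return "other"


# The rule from the post, for the OpenVPN interface only. The post leaves
# "Redirect Target IP" blank; the firewall's OpenVPN address is assumed here.
OPENVPN_RULE = RedirectRule(iface="OpenVPN", dport=53, target_ip="10.8.0.1", target_port=53)

# The same rule duplicated for the LAN, as the post describes doing for every interface.
LAN_RULE = RedirectRule(iface="LAN", dport=53, target_ip="192.168.1.1", target_port=53)

# Constructed sample traffic.
SAMPLE_FLOWS = [
    Flow("OpenVPN", "udp", "10.8.0.2", "8.8.8.8", 53),     # client insisting on Google DNS
    Flow("OpenVPN", "udp", "10.8.0.2", "1.1.1.1", 53),     # pushed Cloudflare address, plain port 53
    Flow("OpenVPN", "udp", "10.8.0.2", "10.8.0.1", 53),    # already aimed at the resolver
    Flow("OpenVPN", "tcp", "10.8.0.2", "1.1.1.1", 853),    # client speaking DoT itself
    Flow("LAN", "udp", "192.168.1.50", "8.8.8.8", 53),     # wired client with its own DNS server
]


def summarize(rules) -> dict:
    """Count outcomes for the sample traffic under a given rule set."""
    counts = {}
    for flow in SAMPLE_FLOWS:
        outcome = classify(flow, rules)
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


if __name__ == "__main__":
    for label, rules in (("OpenVPN rule only", [OPENVPN_RULE]),
                         ("duplicated on LAN too", [OPENVPN_RULE, LAN_RULE])):
        print(label)
        for flow in SAMPLE_FLOWS:
            print(f"  {flow.iface:8} {flow.dst:>14}:{flow.dport:<4} -> {classify(flow, rules)}")
```

With only the OpenVPN rule, the LAN client's query to 8.8.8.8 leaves in plaintext; adding the duplicated LAN rule sends it through the resolver as well, which is exactly why the post duplicates the rule per interface. The port-853 flow stays "dot-direct" under both rule sets: it is encrypted, but it bypasses the pfSense resolver and any blocking or logging done there.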

