Only first connected user got DNS domain resolution.



  • Hi forum,

    I've searched a lot in order to resolve this issue.
    We are able to connect several users to OpenVPN at the same time, but the issue is that only the first one connected can resolve domains and public IPs (internet) through DNS. I mean, all users connect just fine, with no error logs, and get DNS and LAN IP information, but only the first one can resolve internet domains and LAN IPs; any client connecting after the first one cannot.

    No log differences on the Windows OpenVPN client connections; all users get LAN IPs and DNS servers, but only the first one connected can resolve domains on the internet.

    I'm attaching some configuration information.

    Tap Windows Adapter.
    windows TAP.png

    Windows VPN client logs (all users get the same information, except the LAN IP of course).
    openvpn windows client log.png

    Pfsense openvpn configuration

    openvpn config 1.png
    openvpn config 2.png
    openvpn config 3.png
    openvpn config 4.png
    openvpn config 5.png
    openvpn config 6.png
    openvpn config 7.png

    The first connected OpenVPN client can ping other LAN IPs (192.168.100.x), connect to domains, etc. The rest of the connected users cannot browse even when they obtain the correct configuration on the network card. They cannot resolve something like 'ping google.com' or 'ping 192.168.100.3'.

    I really appreciate any tip or help.

    Regards,



  • Your images are microscopic and unreadable. You can add images here directly without linking to an external site via the Upload Image button on the far right of the Edit toolbar.

    What are your firewall rules on your OpenVPN tab? Can the problem clients ping out anywhere or is DNS resolution the only problem? Can they ping the OpenVPN server interface?


  • LAYER 8 Global Moderator

    Yeah, those are impossible to make out. I'd love to take a look and help you with your problem, but I just cannot make out anything in those pics.



    My apologies for the image size. I've just uploaded full-sized images as you indicated.

    I'll be posting the firewall rules when I get to pfSense in a few hours today. Nothing complex, just the normal WAN/LAN rules and the rule that the pfSense assistant inserts for OpenVPN.

    Thank you in advance.

    Regards,



  • Only the rules on the OpenVPN tab matter at this point. WAN/LAN rules aren't relevant to your problem for now.



    Like:

    18178eb6-463f-4a69-9308-cb27407f6a1c-image.png

    See here: https://www.youtube.com/watch?v=qscIIZ10WTQ&t=5016s at 54 minutes, 19 seconds.

    As you can see, IPv4 and IPv6 traffic hits these rules just fine -> traffic is passing.

    Note: because I created a dedicated interface from the auto-created "OpenVPN" one, I added my rules on the "VPN" interface; the list of rules on OpenVPN can be left empty. See the official https://www.youtube.com/watch?v=PtZxuC9IyTg for this.

    Edit: Your images are still not readable. Click on mine, created with the Windows capture tool.



    Look at "DNS Server enable" and "WINS server enable"; those are tunnel IPs.
    I doubt there is a DNS/WINS server listening on that address.

    The following addresses are not usable in topology subnet:
    192.168.100.0
    192.168.100.1
    192.168.100.254
    192.168.100.255

    *Edited to be more accurate.



    This:
    @Pippin said in Only first connected user got DNS domain resolution.:

    https://www.youtube.com/watch?v=PtZxuC9IyTg
    192.168.100.254
    192.168.100.1

    are valid addresses.
    pfSense is delivered with 192.168.1.1 on its LAN.

    "WINS" servers still exist these days?



  • Thanks for the answers.

    I'm attaching the firewall rule views.

    Please let me know if more information is needed.

    WAN
    ovpn wan.png

    LAN
    ovpn lan.png

    OpenVPN tab
    ovpn tab.png



  • Your OpenVPN firewall rule looks fine.
    33.86 MB of traffic passed: ok.

    It's time to make this:

    430cae38-b9af-4ac8-9e0e-33066a74502b-image.png

    readable.



  • @Gertjan It must be your settings because his updated images look good to me. I can read every line, and I have pretty thick glasses.



  • Thanks for your comments again.

    I've just edited the images at full size; hope it works this time.



  • Images look fine here too.

    @Gertjan said in Only first connected user got DNS domain resolution.:

    This:
    @Pippin said in Only first connected user got DNS domain resolution.:

    https://www.youtube.com/watch?v=PtZxuC9IyTg
    192.168.100.254
    192.168.100.1

    are valid addresses.
    pfSense is delivered with 192.168.1.1 on its LAN.

    "WINS" servers still exist these days?

    It won't work...
    .0 is the tunnel network designation
    .1 is the server's tunnel IP
    .254 is OpenVPN's internal DHCP server
    .255 is broadcast
    Leaving 252 addresses for clients.

    There is an exception though. The server's tunnel IP could be used to point to a service if that service is running on the OpenVPN host.
    Pointing to a service is typically not done on tunnel addresses.



  • @Pippin said in Only first connected user got DNS domain resolution.:

    It won't work...
    .0 is the tunnel network designation
    .1 is the server's tunnel IP
    .254 is OpenVPN's internal DHCP server
    .255 is broadcast
    Leaving 252 addresses for clients.

    192.168.100.254 is the pfSense gateway, and we set the "IPv4 Tunnel Network" to 192.168.100.0/24 so that, supposedly, new OpenVPN clients get an IP from the same pfSense LAN (192.168.100.0/24).

    Thanks for your comments.



  • That's not how it works.

    Your tunnel network cannot be your LAN network... a case of conflicting subnets.
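As an added example (my own code, not posted by anyone in this thread), a small Python check that encodes the two points made above: the tunnel network must not overlap a LAN subnet, and the DNS/WINS servers pushed to clients must not be tunnel addresses (the reserved .0/.1/.254/.255 layout described for topology subnet, with the server-IP exception). The sample values are the ones from this thread; the function names and the generalisation to any prefix length are my assumptions.

```python
import ipaddress

# Reserved addresses in an OpenVPN "topology subnet" tunnel network, as laid
# out in this thread for a /24: .0 network, .1 server tunnel IP, .254 internal
# DHCP, .255 broadcast. Computed from the prefix so other sizes work too.
def reserved_tunnel_addresses(tunnel) -> dict:
    net = ipaddress.ip_network(tunnel, strict=True)
    hosts = list(net.hosts())            # excludes network and broadcast
    return {
        "network": net.network_address,
        "server": hosts[0],              # first host address, e.g. .1
        "internal_dhcp": hosts[-1],      # last host address, e.g. .254
        "broadcast": net.broadcast_address,
    }

def usable_client_count(tunnel) -> int:
    # Four addresses are reserved, so a /24 leaves 252 for clients.
    return ipaddress.ip_network(tunnel, strict=True).num_addresses - 4

def check_tunnel_config(tunnel_cidr, lan_cidrs, pushed_servers,
                        allow_server_ip=False):
    """Return a list of findings; an empty list means the layout is sane.
    tunnel_cidr: the 'IPv4 Tunnel Network' of the OpenVPN server.
    lan_cidrs: local subnets the clients must reach.
    pushed_servers: {"dns": "a.b.c.d", "wins": ...} handed to clients.
    allow_server_ip: accept the server tunnel IP as a service address (the
    exception noted above, for a service running on the OpenVPN host)."""
    tunnel = ipaddress.ip_network(tunnel_cidr, strict=True)
    findings = []
    for lan in lan_cidrs:
        lan_net = ipaddress.ip_network(lan, strict=True)
        if tunnel.overlaps(lan_net):
            findings.append(
                f"tunnel {tunnel} overlaps LAN {lan_net}: conflicting subnets")
    reserved = reserved_tunnel_addresses(tunnel)
    for kind, addr in pushed_servers.items():
        ip = ipaddress.ip_address(addr)
        if ip not in tunnel:
            continue                     # a real LAN server address: fine
        role = next((r for r, a in reserved.items() if a == ip), None)
        if role == "server" and allow_server_ip:
            continue
        findings.append(f"{kind} server {ip} is a tunnel address"
                        + (f" (reserved: {role})" if role else ""))
    return findings
```

Running `check_tunnel_config("192.168.100.0/24", ["192.168.100.0/24"], {"dns": "192.168.100.254"})` reports both the subnet conflict and the DNS server landing on the reserved internal DHCP address, while the same call with the tunnel moved to 10.0.8.0/24 reports nothing.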



  • @Pippin said in Only first connected user got DNS domain resolution.:

    That's not how it works.

    Your tunnel network cannot be your LAN network... a case of conflicting subnets.

    @Pippin thanks for the clarification. Could you confirm whether, after changing the 'Virtual Tunnel Network' to anything else (i.e. 10.0.8.0/24), any rule will need to be added to Firewall/OpenVPN in order for that change to work?

    Regards,



  • All rules related to the virtual tunnel network.



  • @Pippin said in Only first connected user got DNS domain resolution.:

    All rules related to the virtual tunnel network.

    @Pippin I really appreciate all the comments. It works great now. As you mentioned, the error was putting the LAN network as the Virtual Network. Now all clients connect, resolve domains and ping LAN IPs :).

    Thank you all for the time.

    Regards,



  • Glad you got it working.

