problem with cloudflare DNS over TLS and gateway group for 2 vpn servers
-
I set up DNS over TLS with Cloudflare along with a gateway group named VPNgroup for load balancing with 2 VPN servers. Server 1 says it is using DNS over TLS Cloudflare DNS on the Cloudflare ESNI checker website, but server 2 just says Google's DNS when I do a packet capture. Can some people here please tell me how I set up both servers to use Cloudflare DNS over TLS? I'm new to this so I will need pictures to show what you mean.
-
I believe that Resolver uses the default gateway, so unless there is a clever way or greasy hack to do it, you would have to change the default to be your gateway group, but then all traffic would go through it unless you policy-routed it out a specific WAN.
-
I fixed my problem. In System > General Setup I had to specify the gateway of each VPN for each DNS hostname.
-
While setting the VPN gateway per DNS server, you need a different TLS hostname and DNS IP for each VPN gateway. So for me I was lucky and just used 2 VPNs set up for load balancing, so I was able to use both of Cloudflare's IPs and TLS hostnames. If I set up more VPN servers I will have a bigger problem, because I would need to specify a different DNS service other than Cloudflare, because Cloudflare only has 2 hosts.
If instead you just specify the DNS IP and TLS host and select "none" as the gateway in System > General Setup, when you have load balancing set up, only 1 VPN gateway will default to the Google DNS even if you put in more than one DNS over TLS host.
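Added example, not from this thread: a small Python check run over tcpdump-style output to see, per VPN interface, whether DNS leaves as DoT (TCP 853) or as plaintext (port 53), which is the symptom described above. The interface names ovpnc1/ovpnc2 and the capture lines are constructed, not a real capture.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not a real capture): timestamp, interface name,
# then the usual "IP src.port > dst.port:" header. 853/tcp is DoT, 53 is plain DNS.
SAMPLE_CAPTURE = """\
12:00:01.000001 ovpnc1 IP 10.8.0.2.51234 > 1.1.1.1.853: Flags [S], seq 1, win 65535, length 0
12:00:01.000002 ovpnc1 IP 10.8.0.2.51235 > 1.0.0.1.853: Flags [S], seq 1, win 65535, length 0
12:00:02.000001 ovpnc2 IP 10.8.1.2.40021 > 8.8.8.8.53: 4711+ A? example.com. (29)
12:00:02.000002 ovpnc2 IP 10.8.1.2.40022 > 8.8.8.8.53: 4712+ AAAA? example.com. (29)
12:00:03.000001 ovpnc1 IP 10.8.0.2.443 > 93.184.216.34.443: Flags [P.], length 100
"""

LINE_RE = re.compile(
    r"^\S+\s+(?P<iface>\S+)\s+IP\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

def classify(line):
    """Return (iface, resolver_ip, 'dot'|'plain') for DNS traffic, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    port = int(m.group("dport"))
    if port == 853:
        return m.group("iface"), m.group("dst"), "dot"
    if port == 53:
        return m.group("iface"), m.group("dst"), "plain"
    return None  # not DNS traffic; ignore

def resolvers_by_interface(capture_text):
    """Map each interface to the set of (resolver, kind) pairs seen leaving it."""
    seen = defaultdict(set)
    for line in capture_text.splitlines():
        hit = classify(line)
        if hit:
            iface, resolver, kind = hit
            seen[iface].add((resolver, kind))
    return dict(seen)

def plaintext_leaks(capture_text):
    """Interfaces that sent any port-53 query: DoT was not applied on that path."""
    return sorted(
        iface for iface, pairs in resolvers_by_interface(capture_text).items()
        if any(kind == "plain" for _, kind in pairs)
    )

if __name__ == "__main__":
    for iface, pairs in resolvers_by_interface(SAMPLE_CAPTURE).items():
        print(iface, sorted(pairs))
    print("plaintext DNS leaving:", plaintext_leaks(SAMPLE_CAPTURE))
```

On pfSense, the equivalent real input is a packet capture on each ovpnc interface filtered to ports 53 and 853; an interface showing only 853 traffic to the configured DoT hosts is the state the thread is aiming for.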
-
These guides are what helped me:
https://forum.netgate.com/topic/139771/setup-dns-over-tls-on-pfsense-2-4-4-p2-guide/5
https://www.techhelpguides.com/2017/06/12/ultimate-pfsense-openvpn-guide/
-
I just now realized what you meant. Thank you. Mine is set up so if by any chance both of the VPN servers get disconnected by a hacker, pfSense will not expose my real IP. I like it like that. So if I need to disable my VPNs myself, I just have to change the gateway to WAN in System > General Settings manually.