DNS resolution through VPN isn't working

  • Hi there,
    I know it must be the millionth time this has been asked but in my defense I have to tell you I've been trying to solve this problem since 2011 (!) on many different VPN configs and I couldn't get it to work, not a single time. No matter how much effort I put into reading, learning, watching tutorials over and over again, just to throw everything away after two weeks of trying. So here it goes, I really hope you can help me out.
    My setup:
    Network (A): local domain: domain1.lan
    Network (B): local domain: domain2.lan
    VPN Network:
    Network (A) has an OpenWRT router (A) that works as DHCP, DNS, Internet access, etc. server for network (A) and has the IP address
    My pfSense is serving as an OpenVPN server with the address. I completely disabled the internal firewall in pfSense since I don't need it (I just wanted a fancy web interface for the OpenVPN server with a client export function); no DNS or DHCP server has been set up on it.

    Network (B) has an OpenWRT router (B) as well, with the same function as the router from network (A) (DHCP, DNS, Internet, etc.), with IP address
    I want the router (B) on Network (B) to act as the OpenVPN Client.
    To that point my VPN is working great, I can connect router (B) to my VPN server in network (A), I can access shares etc, that's working fine.
    The only thing that's missing to work is DNS resolution on a client that is in Network (B), e.g. when I'm working on I can connect to but only via IP address, not via hostname (and that sh*t is freaking me out). Ping says "unknown host"; nslookup is asking wrongly, not like I want it to.
    The thing is: when I'm connecting a client directly to the VPN (e.g. from via client software like Tunnelblick, Viscosity, OpenVPN GUI etc.) the DNS resolution works flawlessly. I can resolve hostnames of both network (A) AND network (B).
    So I'm coming to the conclusion that my server and client configs are actually working.

    My goal is to have a 24/7 VPN connection from network (B) to network (A) and every client on network (B) shall be able to access machines in - but "native" without the use of any client application. I have about 120+ clients on network (B) and I don't want to configure 120 VPN clients.
    I read a lot about DNS forwarding, DNS resolvers etc but I have absolutely no clue where I should start (besides trial and error).

    One thing is really important: While connected to the VPN it must be ensured that clients from network (B) can resolve hostnames on both networks.
    Some years ago I already had something like a "half solution" with a working DNS resolution, but only for resolving hostnames on network (A). When connected to the VPN, machines on network (B) couldn't resolve hostnames on network (B) any more.
    Viscosity has a quite nice feature called "Split DNS" that uses only for hostnames located on network (A) and for everything else. I don't know if it's possible to do it like that on a router like in my scenario.

    Sorry for this long text but I hope my problem is comprehensible now.
    Any help is really appreciated.


    dev tun
    cipher AES-256-CBC
    ncp-ciphers AES-256-GCM:AES-128-GCM
    auth SHA1
    resolv-retry infinite
    remote dyndns.networka.com 6655 udp
    remote-cert-tls server

    -----END CERTIFICATE-----
    setenv CLIENT_CERT 0
    key-direction 1

    2048 bit OpenVPN static key

    -----BEGIN OpenVPN Static key V1-----
    -----END OpenVPN Static key V1-----


    verb 1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    keepalive 10 60
    proto udp4
    cipher AES-256-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    client-config-dir /var/etc/openvpn/server1/csc
    verify-client-cert none
    plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user xxxxxxxxxxx= false server1 6655
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'OpenVPN+Server' 1"
    lport 6655
    management /var/etc/openvpn/server1/sock unix
    max-clients 40
    push "route"
    push "dhcp-option DOMAIN domain1.lan"
    push "dhcp-option DNS"
    push "register-dns"
    capath /var/etc/openvpn/server1/ca
    cert /var/etc/openvpn/server1/cert
    key /var/etc/openvpn/server1/key
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server1/tls-auth 0
    ncp-ciphers AES-256-GCM:AES-128-GCM
    topology subnet

  • Add a domain override for network A to your DNS server in network B, so that DNS requests for hosts within that domain are forwarded to the DNS server in A. Allow DNS access from site B.
    Then you should be able to resolve the hosts in A by <host-name.domain>.
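The override described in the reply, as an added example that is not code from this thread or from the OpenWrt or pfSense projects: POSIX shell functions that emit the UCI commands for router (B) (forward only domain1.lan to router (A)'s resolver, keep answering domain2.lan locally) and for router (A) (accept queries that arrive through the tunnel). It assumes both routers run OpenWrt's stock dnsmasq; the address 10.0.1.1 used when calling it is a constructed placeholder for router (A)'s redacted LAN address.

```shell
# Added example (not from the thread): generates the OpenWrt dnsmasq "domain
# override" the reply describes, so router (B) forwards only domain1.lan to
# router (A)'s resolver and keeps answering domain2.lan itself.

# Sanity-check a dotted-quad before it is written into the router's config.
valid_ipv4() {
    ip=$1; n=0
    case $ip in ''|.*|*.|*..*) return 1;; esac
    while [ -n "$ip" ]; do
        o=${ip%%.*}
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
        n=$((n + 1))
        [ "$ip" = "$o" ] && break
        ip=${ip#*.}
    done
    [ "$n" -eq 4 ]
}

# The dnsmasq directive behind the override: queries for DOMAIN (and its
# subdomains) go to UPSTREAM; every other name keeps the normal resolvers.
dnsmasq_forward_line() {
    printf 'server=/%s/%s' "$1" "$2"
}

# UCI commands for router (B). rebind_domain is needed because dnsmasq's
# rebind protection silently drops answers that contain private addresses,
# which is exactly what router (A) will return for domain1.lan.
router_b_uci() {
    domain=$1; upstream=$2
    valid_ipv4 "$upstream" || { echo "bad upstream address: $upstream" >&2; return 1; }
    printf '%s\n' \
        "uci add_list dhcp.@dnsmasq[0].server='/${domain}/${upstream}'" \
        "uci add_list dhcp.@dnsmasq[0].rebind_domain='${domain}'" \
        "uci commit dhcp" \
        "/etc/init.d/dnsmasq restart"
}

# UCI commands for router (A) ("allow DNS access from site B"). With the
# default localservice=1, dnsmasq refuses queries whose source is not on one
# of its own subnets, and queries coming through the tunnel are not. The
# OpenWrt firewall still rejects DNS on the WAN zone after this change.
router_a_uci() {
    printf '%s\n' \
        "uci set dhcp.@dnsmasq[0].localservice='0'" \
        "uci commit dhcp" \
        "/etc/init.d/dnsmasq restart"
}
```

The functions only print the commands so they can be reviewed before being pasted into each router's shell; afterwards `nslookup host.domain1.lan` from a client in network (B) should answer through router (B).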
