DNS resolution through VPN isn't working
T4ke last edited by T4ke
I know it must be the millionth time this has been asked, but in my defense I have to tell you I've been trying to solve this problem since 2011 (!) on many different VPN configs and I couldn't get it to work, not a single time. No matter how much effort I put into reading, learning, watching tutorials over and over again, just to throw everything away after two weeks of trying. So here it goes, I really hope you can help me out.
Network (A): 192.168.44.0/24, local domain: domain1.lan
Network (B): 192.168.5.0/24, local domain: domain2.lan
VPN Network: 192.168.70.0/24
Network (A) has an OpenWRT router (A) that works as the DHCP, DNS, Internet access, etc. server for network (A) and has the IP address 192.168.44.1.
My pfSense is serving as an OpenVPN server with the address 192.168.44.2. I completely disabled the internal firewall in pfSense since I don't need it (I just wanted a fancy web interface for the OpenVPN server with a client export function); no DNS or DHCP server has been set up on it.
Network (B) has an OpenWRT router (B) as well, with the same function as the router from network (A) (DHCP, DNS, Internet, etc.), with IP address 192.168.5.1.
I want the router (B) on Network (B) to act as the OpenVPN Client.
To that point my VPN is working great: I can connect router (B) to my VPN server in network (A), I can access shares etc.; that's working fine.
The only thing that isn't working is DNS resolution on a client that is in network (B), e.g. when I'm working on 192.168.5.120 I can connect to 192.168.44.100, but only via IP address, not via hostname (and that sh*t is freaking me out). Ping says "unknown host"; nslookup wrongly asks 192.168.5.1, not 192.168.44.1 as I want it to.
The thing is: when I'm connecting a client directly to the VPN (e.g. from 192.168.5.120 via client software such as Tunnelblick, Viscosity, OpenVPN GUI, etc.) the DNS resolution works flawlessly. I can resolve hostnames of both network (A) AND network (B).
So I'm coming to the conclusion that my server and client configs are actually working.
My goal is to have a 24/7 VPN connection from network (B) to network (A), and every client on network (B) shall be able to access machines in 192.168.44.0, but "natively", without the use of any client application. I have about 120+ clients on network (B) and I don't want to configure 120 VPN clients.
I read a lot about DNS forwarding, DNS resolvers etc but I have absolutely no clue where I should start (besides trial and error).
One thing is really important: While connected to the VPN it must be ensured that clients from network (B) can resolve hostnames on both networks.
Some years ago I already had something like a "half solution" with working DNS resolution, but only for resolving hostnames on network (A). When connected to the VPN, machines on network (B) couldn't resolve hostnames on network (B) any more.
Viscosity has a quite nice feature called "Split DNS" that uses 192.168.44.1 only for hostnames located on network (A) and 192.168.5.1 for everything else. I don't know if it's possible to do it like that on a router like in my scenario.
Sorry for this long text but I hope my problem is comprehensible now.
Any help is really appreciated.
remote dyndns.networka.com 6655 udp
setenv CLIENT_CERT 0
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
keepalive 10 60
server 192.168.70.0 255.255.255.0
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user xxxxxxxxxxx= false server1 6655
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'OpenVPN+Server' 1"
management /var/etc/openvpn/server1/sock unix
push "route 192.168.44.0 255.255.255.0"
push "dhcp-option DOMAIN domain1.lan"
push "dhcp-option DNS 192.168.44.1"
tls-auth /var/etc/openvpn/server1/tls-auth 0
viragomann last edited by
Add a domain override for network A to your DNS server in network B, so that DNS requests for hosts within that domain are forwarded to the DNS server in A. Allow DNS access from site B.
Then you should be able to resolve the hosts in A by <host-name.domain>.
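As an added example (not posted in the thread by either participant), the domain override viragomann describes, written for the dnsmasq resolver that OpenWrt runs on router (B). It assumes router (B) resolves through dnsmasq configured via UCI; the domains and addresses are the ones from the question, and the function names are my own. Only names under domain1.lan are forwarded over the tunnel to 192.168.44.1; domain2.lan and Internet names stay with the local resolver, which gives the "Split DNS" behaviour the question asks about. The rebind exception matters: OpenWrt ships with DNS rebind protection enabled, which would otherwise drop the private 192.168.44.x answers coming back from router (A).

```shell
#!/bin/sh
# Added example (not from the forum thread): dnsmasq "domain override" for the
# OpenWrt router in network (B). Domain/addresses are from the thread; function
# names are assumptions made for this example.

SITE_A_DOMAIN="domain1.lan"
SITE_A_DNS="192.168.44.1"

# dnsmasq directives implementing the override (for /etc/dnsmasq.conf or a file
# under /etc/dnsmasq.d/). server=/domain/ip forwards only that domain to ip.
# rebind-domain-ok is required because OpenWrt enables rebind protection by
# default, which silently discards RFC 1918 answers from an upstream server.
render_dnsmasq_override() {
    domain="$1"; upstream="$2"
    printf 'server=/%s/%s\n' "$domain" "$upstream"
    printf 'rebind-domain-ok=/%s/\n' "$domain"
}

# The same two settings as UCI commands for /etc/config/dhcp. They are printed
# rather than executed so they can be reviewed first. To apply on router (B):
#   render_uci_commands domain1.lan 192.168.44.1 | sh \
#     && uci commit dhcp && /etc/init.d/dnsmasq restart
render_uci_commands() {
    domain="$1"; upstream="$2"
    printf "uci add_list dhcp.@dnsmasq[0].server='/%s/%s'\n" "$domain" "$upstream"
    printf "uci add_list dhcp.@dnsmasq[0].rebind_domain='%s'\n" "$domain"
}

# Predict which resolver a query for NAME reaches once the override is active.
# dnsmasq picks the longest matching configured suffix; anything not under
# domain1.lan is answered from local DHCP leases (domain2.lan) or sent to the
# normal WAN upstream. Trailing dot and upper case are normalised first.
upstream_for() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    case "$name" in
        "$SITE_A_DOMAIN"|*."$SITE_A_DOMAIN") printf '%s\n' "$SITE_A_DNS" ;;
        *)                                   printf '%s\n' "local" ;;
    esac
}

# Pre-flight check to run on router (B) while the tunnel is up: the override
# can only work if the router itself is allowed to query 192.168.44.1 through
# the VPN. If this fails, look at routing or firewall rules, not at dnsmasq.
# HOSTNAME is any host known to exist in domain1.lan (constructed placeholder).
check_site_a_dns_reachable() {
    nslookup "$1.$SITE_A_DOMAIN" "$SITE_A_DNS" >/dev/null 2>&1
}

# Stand-alone run: show both renderings and the forwarding decision for a few
# constructed sample names.
if [ "${1:-}" = "--demo" ]; then
    render_dnsmasq_override "$SITE_A_DOMAIN" "$SITE_A_DNS"
    render_uci_commands "$SITE_A_DOMAIN" "$SITE_A_DNS"
    for n in fileserver.domain1.lan printer.domain2.lan www.example.com; do
        printf '%-24s -> %s\n' "$n" "$(upstream_for "$n")"
    done
fi
```

Save it on router (B) and run `sh override.sh --demo` to see what will be forwarded where before committing anything. Because only domain1.lan is diverted, clients in network (B) keep resolving domain2.lan names from router (B)'s own DHCP leases, which is the "both networks at once" requirement from the question; the remaining piece is what viragomann's last sentence covers, namely that router (A) and the pfSense rules must accept DNS queries arriving from site B over the tunnel.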