Netgate Discussion Forum
    DNS resolution through VPN isn't working

      T4ke
      last edited by T4ke

      Hi there,
      I know it must be the millionth time this has been asked, but in my defense I have to tell you I've been trying to solve this problem since 2011 (!) on many different VPN configs and I couldn't get it to work, not a single time. No matter how much effort I put into reading, learning and watching tutorials over and over again, I ended up throwing everything away after two weeks of trying. So here goes, I really hope you can help me out.
      My setup:
      Network (A): 192.168.44.0/24, local domain: domain1.lan
      Network (B): 192.168.5.0/24 local domain: domain2.lan
      VPN Network: 192.168.70.0/24
      Network (A) has an OpenWRT router (A) that works as the DHCP, DNS, Internet access, etc. server for network (A) and has the IP address 192.168.44.1.
      My pfSense is serving as an OpenVPN server with the address 192.168.44.2. I completely disabled the internal firewall in pfSense since I don't need it (I just wanted a fancy web interface for the OpenVPN server with a client export function). No DNS or DHCP server has been set up on it.

      Network (B) has an OpenWRT router (B) as well, with the same function as the router from network (A) (DHCP, DNS, Internet, etc.), with IP address 192.168.5.1.
      I want the router (B) on Network (B) to act as the OpenVPN Client.
      To that point my VPN is working great: I can connect router (B) to my VPN server in network (A), I can access shares etc., that's working fine.
      The only thing that's still not working is DNS resolution on a client that is in Network (B), e.g. when I'm working on 192.168.5.120 I can connect to 192.168.44.100, but only via IP address, not via hostname (and that sh*t is freaking me out). Ping says "unknown host"; nslookup is wrongly asking 192.168.5.1, not 192.168.44.1 like I want it to.
      The thing is: when I'm connecting a client directly to the VPN (e.g. from 192.168.5.120 via client software like Tunnelblick, Viscosity, OpenVPN GUI etc.) the DNS resolution works flawlessly. I can resolve hostnames of both network (A) AND network (B).
      So I'm coming to the conclusion that my server and client configs are actually working.

      My goal is to have a 24/7 VPN connection from network (B) to network (A), and every client on network (B) shall be able to access machines in 192.168.44.0, but "natively", without the use of any client application. I have about 120+ clients on network (B) and I don't want to configure 120 VPN clients.
      I read a lot about DNS forwarding, DNS resolvers etc but I have absolutely no clue where I should start (besides trial and error).

      One thing is really important: While connected to the VPN it must be ensured that clients from network (B) can resolve hostnames on both networks.
      Some years ago I already had something like a "half solution" with working DNS resolution, but only for resolving hostnames on network (A). When connected to the VPN, machines on network (B) couldn't resolve hostnames on network (B) any more.
      Viscosity has a quite nice feature called "Split DNS" that uses 192.168.44.1 only for hostnames located on network (A) and 192.168.5.1 for everything else. I don't know if it's possible to do it like that on a router, as in my scenario.

      Sorry for this long text but I hope my problem is comprehensible now.
      Any help is really appreciated.

      client.ovpn

      dev tun
      persist-tun
      persist-key
      pull
      cipher AES-256-CBC
      ncp-ciphers AES-256-GCM:AES-128-GCM
      auth SHA1
      tls-client
      client
      resolv-retry infinite
      remote dyndns.networka.com 6655 udp
      auth-user-pass
      remote-cert-tls server

      <ca>
      -----BEGIN CERTIFICATE-----
      xxxxxxx
      -----END CERTIFICATE-----
      </ca>
      setenv CLIENT_CERT 0
      key-direction 1
      <tls-auth>
      #
      # 2048 bit OpenVPN static key
      #
      -----BEGIN OpenVPN Static key V1-----
      xxxxxxxx
      -----END OpenVPN Static key V1-----
      </tls-auth>

      server.ovpn

      verb 1
      dev-type tun
      dev-node /dev/tun1
      writepid /var/run/openvpn_server1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp4
      cipher AES-256-CBC
      auth SHA1
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      client-connect /usr/local/sbin/openvpn.attributes.sh
      client-disconnect /usr/local/sbin/openvpn.attributes.sh
      local 192.168.44.2
      tls-server
      server 192.168.70.0 255.255.255.0
      client-config-dir /var/etc/openvpn/server1/csc
      verify-client-cert none
      username-as-common-name
      plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user xxxxxxxxxxx= false server1 6655
      tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'OpenVPN+Server' 1"
      lport 6655
      management /var/etc/openvpn/server1/sock unix
      max-clients 40
      push "route 192.168.44.0 255.255.255.0"
      push "dhcp-option DOMAIN domain1.lan"
      push "dhcp-option DNS 192.168.44.1"
      push "register-dns"
      client-to-client
      duplicate-cn
      capath /var/etc/openvpn/server1/ca
      cert /var/etc/openvpn/server1/cert
      key /var/etc/openvpn/server1/key
      dh /etc/dh-parameters.2048
      tls-auth /var/etc/openvpn/server1/tls-auth 0
      ncp-ciphers AES-256-GCM:AES-128-GCM
      persist-remote-ip
      float
      topology subnet
      fast-io

      • V
        viragomann
        last edited by

        Add a domain override for network A to your DNS server in network B, so that DNS requests for hosts within that domain are forwarded to the DNS server in A. Allow DNS access from site B.
        Then you should be able to resolve the hosts in A by <host-name.domain>.

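The domain override viragomann describes, worked through as an added shell example for an OpenWRT router (B) that runs dnsmasq. This is not code from the thread, from Netgate or from the OpenWRT project. It assumes that router (B)'s dnsmasq reads drop-in files from /etc/dnsmasq.d (OpenWRT's default confdir), that dnsmasq's rev-server directive is available, that router (B) reaches 192.168.44.1 through the existing tunnel, and that the file name site-a-override.conf, the environment variable names and the host name somehost.domain1.lan are placeholders chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): split DNS on OpenWRT router (B) via a
# dnsmasq domain override, so that only site A's zone is forwarded to site A's
# resolver while every other name keeps being answered locally on site B.
set -u

REMOTE_DOMAIN="${REMOTE_DOMAIN:-domain1.lan}"    # site A's local domain (from the thread)
REMOTE_DNS="${REMOTE_DNS:-192.168.44.1}"         # router A, site A's resolver (from the thread)
REMOTE_NET="${REMOTE_NET:-192.168.44.0/24}"      # site A's subnet, for reverse lookups
CONF_DIR="${CONF_DIR:-/etc/dnsmasq.d}"           # assumed: OpenWRT's default dnsmasq confdir

# Sanity checks so a typo cannot silently forward a whole zone to the wrong host.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}
valid_domain() {
  echo "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# Write the override file. "server=/zone/ip" sends only queries under that zone
# to the given resolver; "rev-server" does the same for PTR lookups of site A's
# addresses. Nothing else changes, so site B's own names keep resolving locally.
write_override() {
  valid_domain "$REMOTE_DOMAIN" || { echo "bad domain: $REMOTE_DOMAIN" >&2; return 1; }
  valid_ipv4 "$REMOTE_DNS"      || { echo "bad resolver: $REMOTE_DNS" >&2; return 1; }
  mkdir -p "$CONF_DIR"
  cat > "$CONF_DIR/site-a-override.conf" <<EOF
# Domain override: forward only site A's zone to site A's resolver.
server=/$REMOTE_DOMAIN/$REMOTE_DNS
# Reverse lookups for site A's subnet follow the same path.
rev-server=$REMOTE_NET,$REMOTE_DNS
EOF
}

# On a live router: write the file, reload dnsmasq, then ask B's own resolver
# for a site A name; the answer should now come back via router A.
apply_override() {
  write_override || return 1
  /etc/init.d/dnsmasq restart
  nslookup "somehost.$REMOTE_DOMAIN" 127.0.0.1   # placeholder host name
}
```

Only domain1.lan (and PTR records for 192.168.44.0/24) ever leave site B; every other query is still handled by router (B), which is the behaviour the poster saw with Viscosity's "Split DNS". The reply's second step, allowing DNS access from site B, belongs on router (A): its dnsmasq must accept queries that do not originate on a directly attached subnet (OpenWRT's "local service only" setting refuses such queries by default), and A's firewall should accept port 53 only from site B's and the VPN's subnets rather than from any source.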
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.