Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    DNS Redirect over OpenVPN

    Scheduled Pinned Locked Moved OpenVPN
    14 Posts 3 Posters 1.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      Ryu945 @Bob.Dig
      last edited by

      @bob-dig I don't have anything to show other then my experimental rules. OpenVPN area comes with no rules. I based everything off of my LAN version of the DNS redirect which looks like this.

      https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html

      johnpozJ Bob.DigB 2 Replies Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @Ryu945
        last edited by

        Well couple things - you would need the redirect on the vpn interface.

        And you would have to make sure you unbound acls allow for your vpn tunnel network.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        R 1 Reply Last reply Reply Quote 0
        • Bob.DigB
          Bob.Dig LAYER 8 @Ryu945
          last edited by

          @ryu945 I don't see why it shouldn't work. But sure clients can use whatever they want, if they have full control over their device.

          1 Reply Last reply Reply Quote 0
          • R
            Ryu945 @johnpoz
            last edited by Ryu945

            @johnpoz said in DNS Redirect over OpenVPN:

            Well couple things - you would need the redirect on the vpn interface.

            And you would have to make sure you unbound acls allow for your vpn tunnel network.

            I did a redirect on the OpenVPN interface with LAN address as set as the destination. I did what I think needs to be done on the ACLs. I can ping the Pfsense router. I can't seem to access any of the intranet websites on the network.

            johnpozJ 1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator @Ryu945
              last edited by johnpoz

              @ryu945 said in DNS Redirect over OpenVPN:

              LAN address as set as the destination

              You wouldn't really want that - you should redirect to loopback

              https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html

              What did you do on the ACLs - out of the box unbound is not going to answer query from the tunnel network, ie the IP some vpn client got..

              If you query say 8.8.8.8 for some local resource name does it come back with your local IP - this would be the way to test your setup is working.

              To validate unbound is allowing talking to your vpn client do a directed query to pfsense IP that unbound is listening on that you allow via your vpn rules, etc.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              1 Reply Last reply Reply Quote 0
              • R
                Ryu945
                last edited by Ryu945

                @johnpoz said in DNS Redirect over OpenVPN:

                https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html

                I believe you mean 127.0.0.1 when you say loop back. That is what I have for the DNS redirect. I literally have that rule identical to the LAN rule I linked except it is on the OpenVPN Interface. When I said I had the DNS rule on LAN address, I meant that I have a rule after that that allows port 53 with destination targets of LAN address.

                I tried nslookup and I got an interesting error message. I see it attempts 8.8.8.8 and 8.8.4.4 even if I specify to use other DNS servers in the OpenVPN app. It replies back saying it is getting unexpected DNS server 10.0.0.1 instead. This is on the OpenVPN subnet. Then it says it timed out. Could the OpenVPN android app in the Fdroid store be refusing to proceed with the connection because it is not getting the DNS server it asked for?

                johnpozJ 1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @Ryu945
                  last edited by

                  @ryu945 said in DNS Redirect over OpenVPN:

                  unexpected DNS server 10.0.0.1 instead

                  Help if you should show your rules and forwards. I could duplicate what your trying to do.. Try it a bit later and post results.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  R 1 Reply Last reply Reply Quote 0
                  • R
                    Ryu945 @johnpoz
                    last edited by Ryu945

                    @johnpoz

                    These are the rules I am experimenting with. First one is under OpenVPN area. Second one is under port forward. LAN Merge is my LAN.

                    http://imgur.com/qJUtqOBl.png

                    http://imgur.com/eQVyZGbl.png

                    1 Reply Last reply Reply Quote 0
                    • R
                      Ryu945
                      last edited by Ryu945

                      @johnpoz @Bob-Dig I found something interesting. When I create an OpenVPN interface rule that says allow any source to any destination but destination port 443 or 80 must be used then it works. That is way to general of a rule so I am trying to lock it down and figure out what interface is allowing it to work. I tried VPN1 to LAN and LAN to VPN1 so far and it doesn't work.

                      edit: For some reason, no combination of source address/network to destination address/network I could find worked. What worked is instead of using the source and destination names, I used the subnets. I made a rule allow access from VPN subnet to LAN subnet on the OpenVPN interface and it worked. Do you have any idea what is going on? Normal rules using the interface name work. Why did I have to use subnet IPs instead?

                      johnpozJ 1 Reply Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator @Ryu945
                        last edited by

                        @ryu945 said in DNS Redirect over OpenVPN:

                        Why did I have to use subnet IPs instead?

                        I have not idea what you actually did.. You can for sure use specific IPs in the rules for source and destination..

                        Maybe you had the wrong IPs in source or destination, maybe there was a state already if you were trying to to block something..

                        Order of rules matter! Top down, first rule to trigger wins, no other rules are evaluated, etc.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.