Netgate Discussion Forum

    DNS stopped working due to route from OpenVPN client

    Category: DHCP and DNS
    Jeremy11one

      I noticed that, when my OpenVPN Client connects, it automatically creates an unwanted route that redirects my pfSense's primary DNS server (1.1.1.1) to the OpenVPN interface's IP address (10.10.110.185). I assume this is intended to prevent DNS leaks. But it somehow prevents any of my LAN hosts (or pfSense itself) from pinging 1.1.1.1 or resolving anything.

      I never had this problem until a few weeks ago, around the time I updated to pfSense 2.5.2. When it occurs now, I have to remove the route via "route delete 1.1.1.1," then go to DNS Resolver, then click Save and Apply Settings.

      Problems:

      1. Disabling the OpenVPN Client does not automatically remove the DNS route it automatically added. Seems like it should.
      2. If a gateway is specified for each DNS server in System > General, pfSense creates routes for them. OpenVPN Client overwrites the route for the first DNS server to apparently force it through the VPN, but when OpenVPN Client is disabled, it does not revert that route back to the correct gateway IP. The route is left pointing to an obsolete IP address.
      3. Rebooting pfSense while the OpenVPN Client is disabled removes the route, but DNS Resolver still does not work until I click "Save" then "Apply Settings." I don't know what "Save" and "Apply Settings" fixes behind the scenes, but it probably shouldn't work like that.
      4. Checking the boxes on the OpenVPN Client page for "Don't pull routes" and "Don't add/remove routes" does not seem to have any effect. Upon connecting to the VPN server, the pfSense VPN Client still automatically creates the routes for the DNS server and the VPN subnet.

      How can I prevent my pfSense OpenVPN Client from breaking my DNS Resolver?
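An added diagnostic for the symptom described above (example code, not from this thread or from pfSense): it reads `netstat -rn -f inet` output and reports whether the host route for a DNS server still points at the expected gateway or has been rewritten to the OpenVPN client's tunnel IP. The WAN gateway 203.0.113.1, the interface names and the whole routing-table sample are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or pfSense: detect a DNS host route that has
# been rewritten to the OpenVPN client's tunnel IP. Input is `netstat -rn -f inet`
# text; the sample below is constructed (WAN gateway 203.0.113.1 is made up).

# Constructed routing table as it might look after the OpenVPN client connected:
# 1.1.1.1 now routes via the tunnel IP, while 8.8.8.8 still uses the WAN gateway.
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
1.1.1.1            10.10.110.185      UGHS     ovpnc1
8.8.8.8            203.0.113.1        UGHS        em0
10.10.110.0/24     link#7             U        ovpnc1
127.0.0.1          link#2             UH          lo0
192.168.1.0/24     link#1             U           em1'

# route_gateway <routes-text> <destination>: print the gateway of the exact
# route entry for <destination> (empty if there is none).
route_gateway() {
  printf '%s\n' "$1" | awk -v dst="$2" '$1 == dst { print $2; exit }'
}

# check_dns_route <routes-text> <dns-ip> <expected-gateway> <vpn-local-ip>
# Exit status: 0 route uses the expected gateway, 1 rewritten to the VPN
# tunnel IP, 2 no host route present, 3 some other gateway.
check_dns_route() {
  gw=$(route_gateway "$1" "$2")
  if [ -z "$gw" ]; then
    echo "$2: no host route"; return 2
  elif [ "$gw" = "$3" ]; then
    echo "$2 via $gw: OK"; return 0
  elif [ "$gw" = "$4" ]; then
    echo "$2 via $gw: rewritten to the OpenVPN tunnel IP"; return 1
  else
    echo "$2 via $gw: unexpected gateway"; return 3
  fi
}

# On a live pfSense box, replace "$SAMPLE_ROUTES" with "$(netstat -rn -f inet)".
# The '|| :' keeps the demo going when a route is flagged (status is still printed).
check_dns_route "$SAMPLE_ROUTES" 1.1.1.1 203.0.113.1 10.10.110.185 || :
check_dns_route "$SAMPLE_ROUTES" 8.8.8.8 203.0.113.1 10.10.110.185 || :
```

A non-zero status from check_dns_route is the condition under which the thread's "route delete" workaround is being applied by hand.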

      ptrtech @Jeremy11one

        @jeremy11one my OpenVPN went down and it looked like I had the same issue. Rebooting and disabling the OpenVPN client seems to have done it. I specifically crafted the NordVPN settings to not send DNS through the tunnel as indicated in the instructions (https://support.nordvpn.com/Connectivity/Router/1626958942/pfSense-2-5-Setup-with-NordVPN.htm)...

        I wonder if hard-coding the Gateway would solve it.

        ptrtech @ptrtech

          I just changed from none to hard-coded for each. We'll see what happens.

          viragomann

            The DNS provider might push the default route to you. Hence any connection goes out via the VPN.

            If you use the Resolver on pfSense and don't want to direct DNS requests over the VPN, go into the Resolver settings and remove the VPN interface from the outgoings.
            However, yeah, this will result in DNS leaks. To avoid that, you can forward specific clients' DNS traffic to a public server and direct them over the VPN by policy routing.

            Jeremy11one

              I noticed that a new state gets added to the States table whenever my OpenVPN Client connects. The state has interface name "lo0".


              If I delete the unwanted 1.1.1.1 route, then delete the "lo0" state, then my LAN PC is able to ping 1.1.1.1 again.

              I don't understand why this problem happens. What is this "lo0" state?

              Jeremy11one @ptrtech

                @ptrtech said in DNS stopped working due to route from OpenVPN client:

                I just changed from none to hard-coded for each. We'll see what happens.

                I tried that too, and it did not help. When I specify a gateway for each DNS Server, it creates a route for each one in the Routes table. Then, when I connect the OpenVPN Client, it overwrites the route for the first DNS Server (1.1.1.1) to point to the OpenVPN Client's local IP, and then nobody is able to query DNS. Disabling the OpenVPN Client leaves that overwritten route there, and doesn't return it back to the correct gateway like I think it should.

                Jeremy11one @viragomann

                  @viragomann said in DNS stopped working due to route from OpenVPN client:

                  go into the Resolver settings and remove the VPN interface from the outgoings.

                  I tried that and it did not work. I set the DNS Resolver's Outgoing to only "WAN," disabled the OVPN client and rebooted pfSense. I'm able to ping 1.1.1.1 from LAN. Then I enabled the OVPN Client, and I see the 1.1.1.1 route immediately changes from my gateway to the OpenVPN Client's local IP, and none of my LAN PCs can ping 1.1.1.1 again.

                  ptrtech @Jeremy11one

                    @jeremy11one I am not getting that...

                    Do you have any custom or DNS settings in your OpenVPN client settings?

                      Jeremy11one @ptrtech

                      @ptrtech said in DNS stopped working due to route from OpenVPN client:

                      I am not getting that

                      Which of my posts are you referring to?

                      If you're saying you're not seeing the routes that pfSense creates when you specify a gateway for each DNS server, then you'll want to look at the Routes table, not the States table. Also, I use 1.1.1.1 as the first DNS server on the list on my pfSense, so I have the problem with 1.1.1.1. Your screenshot says you use 8.8.8.8 as your primary DNS server, so you should be searching for 8.8.8.8 instead of 1.1.1.1.

                      Sorry if I'm misunderstanding you.

                        panzerscope @Jeremy11one

                        @Jeremy11one said in DNS stopped working due to route from OpenVPN client:

                        I noticed that, when my OpenVPN Client connects, it automatically creates an unwanted route that redirects my pfSense's primary DNS server (1.1.1.1) to the OpenVPN interface's IP address (10.10.110.185). I assume this is intended to prevent DNS leaks. But it somehow prevents any of my LAN hosts (or pfSense itself) from pinging 1.1.1.1 or resolving anything.

                        I never had this problem until a few weeks ago, around the time I updated to pfSense 2.5.2. When it occurs now, I have to remove the route via "route delete 1.1.1.1," then go to DNS Resolver, then click Save and Apply Settings.

                        Problems:

                        1. Disabling the OpenVPN Client does not automatically remove the DNS route it automatically added. Seems like it should.
                        2. If a gateway is specified for each DNS server in System > General, pfSense creates routes for them. OpenVPN Client overwrites the route for the first DNS server to apparently force it through the VPN, but when OpenVPN Client is disabled, it does not revert that route back to the correct gateway IP. The route is left pointing to an obsolete IP address.
                        3. Rebooting pfSense while the OpenVPN Client is disabled removes the route, but DNS Resolver still does not work until I click "Save" then "Apply Settings." I don't know what "Save" and "Apply Settings" fixes behind the scenes, but it probably shouldn't work like that.
                        4. Checking the boxes on the OpenVPN Client page for "Don't pull routes" and "Don't add/remove routes" does not seem to have any effect. Upon connecting to the VPN server, the pfSense VPN Client still automatically creates the routes for the DNS server and the VPN subnet.

                        How can I prevent my pfSense OpenVPN Client from breaking my DNS Resolver?

                        I understand this is an older topic, but I have been experiencing the same issue. I am now testing a revised OpenVPN client config with the following options enabled to see if it will stop the behaviour.


                        Will report back whether it helps or not. If anyone else has any other suggestion, they are definitely welcome!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.