Internal LAN routing when connected to a VPN service
-
Hi folks,
I have an nginx reverse proxy set up on my lan. This allows me to access lan-side servers in the following manner: https://server1name.domain_name.tld. This all works great for lan-side access to the handful of various servers I have. These are not exposed to and consequently are not accessible from the WAN side. That is fine - just the way I want it. The problem I am having is that whenever I connect my Windows 10 pc to my (commercial) VPN service, I can no longer access my lan-side servers from my lan-side Windows 10 pc. Instead I have to access these lan-side servers in the following manner: http://192.168.192.xxx:port from the lan-side Windows 10 pc. As soon as I disconnect from the VPN service, I can once again access these lan-side servers in the manner initially described (i.e. https://server1name.domain_name.tld) from the lan-side Windows 10 pc.
It seems that whenever I am connected to the commercial VPN service, pfSense treats my https://server1name.domain_name.tld requests as if they had come from the WAN side. And the reverse proxy is configured to deny wan-side requests so I don't expose my internal servers to the external internet. Is there a way I can configure pfSense to allow me to use the https://server1name.domain_name.tld paradigm whether I am connected to the VPN or not?
I guess what is happening is that when I am connected to the VPN service, my DNS resolution is being handled by external internet-based DNS servers, and when I am not connected to the VPN service DNS resolution is being handled by the Host Overrides I have defined in the Services / DNS Resolver / General Settings within pfSense.
-
I'm sure others with better knowledge than me will chime in, but as far as pfSense is concerned, I think the VPN is "not LAN", so perhaps double check the nginx reverse proxy setup a bit closer.
The theory about which DNS resolver is getting hit is also a good one.
I'm not sure where Windows would define that and the order they are in, but on a *nix system I would say "look at /etc/resolv.conf and see if it changes when the VPN is up, specifically the servers".
-
@mer Thanks for the reply! Your comments got me to thinking which can be dangerous ;-)
I figured out the problem. It has to do with a little Windows 10 app that the commercial VPN provides. This app resides in the system tray on the right side of the task bar in Windows 10. The app is used to connect and disconnect from the VPN. With your comments, I had the thought to try to figure out what DNS server Windows was using when connected to the VPN and when not connected to the VPN. With a quick google search I found the Windows 10 command prompt nslookup command. Simply entering "nslookup" in a Windows command prompt will return the DNS server being used. In my case, when I wasn't connected to the VPN, it returned the ip of my pfSense router. When I was connected to the VPN it returned an ip of a DNS server that belongs to my VPN provider. It seems that every time you connect to the VPN service using their Windows 10 app, they change your DNS server address to their DNS server. I tried manually changing it back to the ip of my pfSense router but that didn't work when connected to the VPN - in that case I broke internet access altogether and couldn't connect to anything. When connected to the VPN, Windows wasn't able to resolve the local ip of my pfSense router. The solution will have to be to stop using the app provided by the VPN provider so that the DNS server that Windows uses stays pointing to my pfSense router. I had previously set up a gateway associated with the commercial VPN provider in my pfSense router. My solution will be to configure pfSense to route traffic from my Windows 10 pc through the VPN gateway when I want to use the VPN from my Windows 10 pc. Sort of a pain b/c I will have to log in to pfSense every time I want to use (or not use) the VPN. But in this scenario I can use the https://server1name.domain_name.tld paradigm to access my local services from my Windows 10 pc whether or not its WAN traffic is being routed through the VPN. This is because my Windows 10 pc will always be configured to use pfSense for domain name resolution.
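The diagnosis in the post above (the VPN client swaps the Windows DNS server, so Host Overrides on pfSense stop being consulted) can be confirmed in one pass from PowerShell rather than by reading nslookup output twice. The script below is an added example written for this thread, not code from the poster or from pfSense; it assumes the pfSense LAN address is 192.168.192.1 and uses the thread's own placeholder name server1name.domain_name.tld, both of which are assumptions you should replace. It snapshots the per-interface DNS servers and the A-record answer for the internal name before and after you connect the VPN client, then reports whether the pfSense resolver was displaced.

```powershell
# Added diagnostic (not from the thread): compare Windows DNS configuration and the
# answer for an internal name before and after connecting a commercial VPN client.
# Assumed values (placeholders): pfSense LAN IP and the internal hostname from the thread.
$PfSenseDns   = '192.168.192.1'
$InternalName = 'server1name.domain_name.tld'

function Get-DnsState {
    # Which IPv4 DNS servers each interface is currently using
    # (only interfaces that actually have servers configured)
    $servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        Select-Object InterfaceAlias, ServerAddresses

    # Does the internal name still resolve, and to which address?
    # A Host Override only answers when pfSense is the resolver being asked.
    $resolved = $null
    try {
        $resolved = (Resolve-DnsName -Name $InternalName -Type A -ErrorAction Stop).IPAddress
    } catch {
        $resolved = "unresolved ($($_.Exception.Message))"
    }

    [pscustomobject]@{
        Timestamp       = Get-Date -Format 'HH:mm:ss'
        DnsServers      = $servers
        InternalResolve = $resolved
        # True if any interface still lists pfSense as a DNS server
        UsesPfSense     = [bool]($servers.ServerAddresses -contains $PfSenseDns)
    }
}

$before = Get-DnsState
Write-Host 'Before VPN:'
$before | Format-List

Read-Host 'Connect the VPN client now, then press Enter'

$after = Get-DnsState
Write-Host 'After VPN:'
$after | Format-List

if ($before.UsesPfSense -and -not $after.UsesPfSense) {
    Write-Warning 'The VPN client replaced the pfSense resolver; Host Overrides are no longer consulted.'
} elseif ($after.UsesPfSense) {
    Write-Host 'pfSense is still a configured DNS server; internal names should keep resolving.'
}
```

Run it from a normal (non-elevated) PowerShell session on the Windows 10 pc; it only reads configuration and performs lookups. If the "After VPN" snapshot shows the VPN provider's server on the tunnel interface and InternalResolve changes from a 192.168.192.x address to "unresolved", that is exactly the symptom described in the thread, and the fix stays the one the poster chose: keep Windows pointed at pfSense and do the VPN routing on the pfSense gateway instead of in the client app.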