Netgate Discussion Forum

OpenVPN clients can't resolve local server names

Category: OpenVPN
11 Posts 2 Posters 1.1k Views
    dansci, last edited Jul 4, 2022, 12:14 PM

    Hi, I have OpenVPN configured and it works fine, but there is one problem. Clients connecting through it are not able to connect to local servers using their names. I don't see what the problem could be. Can you guys help?

    192.168.11.0/24 is my tunnel network
    192.168.99.0/24 is my management VLAN network


    johnpoz (LAYER 8, Global Moderator) @dansci, last edited Jul 4, 2022, 12:22 PM

      @dansci What version of pfSense are you using? You need to make sure that your tunnel networks are in the unbound ACL.

      What is in:
      cat /var/unbound/access_lists.conf

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        dansci @johnpoz, last edited Jul 4, 2022, 12:28 PM

        @johnpoz This is the output:

        access-control: 127.0.0.1/32 allow_snoop
        access-control: ::1 allow_snoop
        access-control: 127.0.0.0/8 allow
        access-control: 192.168.10.0/24 allow
        access-control: 192.168.11.0/24 allow
        access-control: 192.168.20.0/24 allow
        access-control: 192.168.20.1/24 allow
        access-control: 192.168.30.0/24 allow
        access-control: 192.168.40.0/24 allow
        access-control: 192.168.50.0/24 allow
        access-control: 192.168.70.0/24 allow
        access-control: 192.168.71.0/24 allow
        access-control: 192.168.80.0/24 allow
        access-control: 192.168.99.0/24 allow
        access-control: ::1/128 allow
        #DNS access
        access-control: 192.168.11.0/24 allow
        

        So the last line seems to be what I've added in Services -> DNS Resolver -> Access Lists.

          johnpoz (LAYER 8, Global Moderator) @dansci, last edited Jul 4, 2022, 12:31 PM

          @dansci Well, it's in there.

          So from a VPN client, do a DNS query to unbound. Do you time out, or do you get, say, a REFUSED or NX answer?

          Use your favourite DNS client: dig, host or even nslookup.

          If you get a timeout, sniff on pfSense via packet capture: is pfSense seeing the query?

            dansci @johnpoz, last edited Jul 4, 2022, 12:48 PM

            @johnpoz I do an nslookup and I get:

            Server:		127.0.0.53
            Address:	127.0.0.53#53
            
            ** server can't find <my_server_name>.<my_domain>: NXDOMAIN
            
              johnpoz (LAYER 8, Global Moderator) @dansci, last edited Jul 4, 2022, 12:53 PM

              @dansci Well, 127.0.0.53 is not pfSense; that is some local DNS client on the machine, which probably forwards to where? My guess is the DNS the client got from its local DHCP server.

              So now change the server you talk to so you directly ask the pfSense IP you want to use.

              With dig it's as simple as @ipaddress in your query.

              With nslookup you need to set the server, like this:

              $ nslookup
              Default Server:  pi.hole
              Address:  192.168.3.10
              
              > server 192.168.9.253
              Default Server:  sg4860.local.lan
              Address:  192.168.9.253
              

              Then do your query, for example.

                dansci @johnpoz, last edited Jul 4, 2022, 1:06 PM

                @johnpoz hmm, I have no idea why the VPN doesn't set up a server like I would need, which is 192.168.11.1.

                When I set it that way in nslookup I get a connection timeout:

                > server 192.168.11.1
                Default server: 192.168.11.1
                Address: 192.168.11.1#53
                > google.pl
                ;; connection timed out; no servers could be reached
                
                

                On the pfSense side I see:

                15:00:44.169763 AF IPv4 (2), length 59: (tos 0x0, ttl 64, id 41007, offset 0, flags [none], proto UDP (17), length 55)
                    192.168.11.2.48282 > 192.168.11.1.53: [udp sum ok] 11595+ A? google.pl. (27)
                15:00:44.173324 AF IPv4 (2), length 59: (tos 0x0, ttl 64, id 241, offset 0, flags [none], proto UDP (17), length 55)
                    192.168.11.2.50416 > 192.168.11.1.53: [udp sum ok] 11595+ A? google.pl. (27)
                15:00:49.183350 AF IPv4 (2), length 59: (tos 0x0, ttl 64, id 23552, offset 0, flags [none], proto UDP (17), length 55)
                    192.168.11.2.50058 > 192.168.11.1.53: [udp sum ok] 11595+ A? google.pl. (27)
                
                  johnpoz (LAYER 8, Global Moderator) @dansci, last edited Jul 4, 2022, 1:09 PM

                  @dansci Well, good that you get a timeout: a firewall rule is blocking. Because if unbound was actually seeing it but the client was not in the ACL, you would get a REFUSED rather than a timeout.

                    dansci @johnpoz, last edited Jul 4, 2022, 1:13 PM
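The two checks johnpoz walks through above (is the client's source address covered by the unbound access list, and does the answer come back as REFUSED, NXDOMAIN or a timeout) can be scripted on the defender's side. The following is an added example, not code from the thread or from pfSense; the sample ACL text is constructed from the listing pasted earlier, and the `diagnose` mapping restates the thread's reasoning.

```python
"""Check an unbound access-control list for a VPN client address (added example)."""
import ipaddress
import re

# Constructed sample: a subset of the access_lists.conf pasted in the thread.
SAMPLE_ACL = """\
access-control: 127.0.0.1/32 allow_snoop
access-control: ::1 allow_snoop
access-control: 127.0.0.0/8 allow
access-control: 192.168.10.0/24 allow
access-control: 192.168.11.0/24 allow
access-control: 192.168.20.1/24 allow
access-control: 192.168.99.0/24 allow
#DNS access
access-control: 192.168.11.0/24 allow
"""

ACL_RE = re.compile(r"^\s*access-control:\s*(\S+)\s+(\S+)\s*$")

def parse_acl(text):
    """Return (network, action, original_prefix) tuples; comments and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if not m or line.lstrip().startswith("#"):
            continue
        prefix, action = m.groups()
        # strict=False tolerates host bits in the prefix (192.168.20.1/24), as unbound does.
        entries.append((ipaddress.ip_network(prefix, strict=False), action, prefix))
    return entries

def client_action(text, client_ip):
    """Unbound applies the longest-prefix match; unlisted addresses default to 'refuse'."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, action, _ in parse_acl(text):
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else "refuse"

def sloppy_entries(text):
    """Prefixes whose host bits are set, e.g. 192.168.20.1/24 (works, but should be cleaned up)."""
    return [orig for net, _, orig in parse_acl(text)
            if ipaddress.ip_address(orig.split("/")[0]) != net.network_address]

def diagnose(outcome):
    """Map the client-side result of a direct query to the likely cause, as argued in the thread."""
    return {"timeout": "query never reaches unbound: firewall rule or routing",
            "REFUSED": "unbound saw the query but the client is not in the ACL",
            "NXDOMAIN": "the resolver answering does not know the name: check which server replied"}[outcome]
```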

                    @johnpoz Even now I changed the server to 192.168.99.1 which is the address of the main VLAN of mine (previously I used 192.168.11.1 - the first address from the address pool for the VPN tunnel). Now nslookup was able to find the name of my local server :)

                    So the question remains what to do to make the VPN clients know that 192.168.99.1 is the DNS server...

                      johnpoz (LAYER 8, Global Moderator) @dansci, last edited Jul 4, 2022, 1:19 PM

                      @dansci You hand it out to them, but there is nothing saying they will use it.

                      That 127.0.0.53 address you show points to the client using systemd-resolved. That is a whole ball of wax on its own ;)

                      You would need to look into how to configure that the way you want; I'm pretty sure it does allow for split DNS, etc. Not a fan of it on my own Linux boxes, I always just turn it off ;) That allows me to set the specific DNS I want to use with the old resolv.conf method.

                        dansci @johnpoz, last edited Jul 4, 2022, 1:48 PM

                        @johnpoz I found somewhere on the web that it is useful to install the 'openresolv' package. This helped :)

                        Thank you for your activity on the forum and quick support on any issue :)

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.