Force DNS over OVPN
-
Apologies for all the posts however I have been trying to resolve this problem from various angles and each ends up at a dead end. Lots of learnings along the way too.
Here is the scenario:
- I have a network behind a pfSense router
- I wish to use a private DNS filtering service that is only accessible via OVPN
- The OVPN link works fine and the private DNS server is accessible
- pfSense needs access to a DNS public server to establish the OVPN link initially
Question:
How can I ensure all LAN devices only use the private DNS? There must be a way to achieve this but I am at a loss.
-
@McMurphy said in Force DNS over OVPN:
How can I ensure all LAN devices only use the private DNS?
A (possible) solution :
First : have your LAN devices use pfSense as the local DNS server.
Normally, they should use the DNS IP (should be pfSense) as their DNS source. But, it's 2024, people can do wild things with their devices.
You can enforce pfSense DNS usage on all your devices on pfSense by blocking all "port 53" that wants to go outside.
Then : enforce pfSense so it uses only the VPN connection. This will include, among others, DNS.
As every "good" VPN supplier has a write up, like this one :
https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn/#route
you can use that to create policy rules etc.
-
I have tried this approach however pfSense needs access to a DNS server to establish the VPN connection initially. If pfSense is set to use the VPN DNS server then it will be unable to establish the VPN connection to access the DNS server. Catch 22.
-
Read this Policy Routing Configuration.
I'll say upfront : I've no experience whatsoever with multi WAN, as using a VPN ISP over your ISP WAN is some kind of multi WAN.
The idea, or, what I read when I see "Policy Routing Configuration" that you send traffic - using the policy routing rule, and that rule matches when the gateway exists (== VPN connection is up).
If it isn't, the rule can't match : rule matching will fall through. This boils down to all traffic goes out over WAN, normally, like the initial DNS traffic to resolve the VPN server.
As soon as the VPN comes up, the policy routing rule kicks in : you're good. You could even "block" upfront all outgoing traffic except DNS (udp and tcp to port 53) so that resolving works - and only resolving (don't forget the VPN connection over WAN itself ^^). This enables the OpenVPN client to connect.
Again : this is all theory in my head.
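The rule ordering described in the reply above, written out as a plain pf ruleset so the match order can be followed on paper. This is an added sketch, not configuration from the thread or from pfSense's own generated rules: interface names, addresses, the tunnel gateway and the private resolver address are constructed placeholders, and pfSense builds its ruleset from the GUI, so this is for reasoning about the order, not for loading directly.

```pf
# Added illustration (not from the thread). All names and addresses below
# are constructed placeholders.
wan     = "em0"
lan     = "em1"
vpn     = "ovpnc1"          # OpenVPN client interface
lan_ip  = "192.168.1.1"     # pfSense LAN address
vpn_gw  = "10.8.0.1"        # gateway inside the tunnel
vpn_srv = "203.0.113.10"    # VPN endpoint (pfSense resolves its hostname over WAN)

table <private_dns> { 10.8.0.53 }   # filtering resolver reachable only via the tunnel

# 1. LAN clients may only speak DNS to pfSense itself. "quick" stops
#    evaluation at the first match, so the pass must precede the block.
#    Note: this only catches plain port 53; DNS-over-HTTPS (443) or
#    DNS-over-TLS (853) from a client is not covered by a port-53 block.
pass  in quick on $lan proto { tcp udp } from $lan:network to $lan_ip port 53
block return in quick on $lan proto { tcp udp } from $lan:network to any port 53

# 2. Everything else from LAN is policy-routed into the tunnel.
#    In pfSense this rule only takes effect while the VPN gateway is up
#    (System > Advanced > Miscellaneous > "Skip rules when gateway is down");
#    while the tunnel is down it is skipped, so traffic falls through to the
#    default WAN route, which is exactly the "fall through" described above.
pass  in quick on $lan route-to ($vpn $vpn_gw) from $lan:network to any

# 3. The firewall's own bootstrap traffic over WAN: public DNS so the VPN
#    hostname resolves, plus the OpenVPN handshake itself.
pass out quick on $wan proto { tcp udp } from ($wan) to any port 53
pass out quick on $wan proto udp           from ($wan) to $vpn_srv port 1194

# 4. Once the tunnel is up, the firewall's queries to the private resolver
#    leave via the tunnel interface.
pass out quick on $vpn proto { tcp udp } from ($vpn) to <private_dns> port 53
```

The two halves of the apparent catch-22 are separated by rule 3 versus rules 1 and 2: only pfSense itself ever talks to a public resolver over WAN, and only to resolve the VPN endpoint; LAN clients never can, because their port-53 traffic is confined to the pfSense address by rules 1 and 2. A quick check from a LAN host is to query a public resolver directly (for example `dig @1.1.1.1 example.com`) and confirm it is refused, then query pfSense and confirm it answers.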
-
@McMurphy said in Force DNS over OVPN:
Question:
How can I ensure all LAN devices only use the private DNS?
Whatever this is, put it in the DNS-field of the DHCP-Server on that LAN. Don't use pfSense Resolver for that LAN.