Netgate Discussion Forum

    NETGATE 2100 OPENVPN DNS QUESTION

    OpenVPN
    22 Posts 5 Posters 990 Views
    turbogn87

      Hey guys, I'm sure this is a stupid question. I'm self-taught here, so don't beat me up too much. I set up an OpenVPN to connect to my small business from my laptop and so forth. All that works; I can connect and ping what devices I need to. The issue I'm having is I can ping by IP address but not by name. I had maybe once or twice it actually pinged by name. I'm assuming I'm having a DNS issue. The OpenVPN tunnel address is 10.0.30.0/24, my inside office LAN is 192.168.1.0/24, my Netgate is 192.168.1.1. I've read for hours and tried all kinds of things from others with the same issue, with no difference. Can anyone offer any suggestions or help?? Thanks in advance

      viragomann @turbogn87

        @turbogn87
        Basically the client might reside in another domain and so you would have to attach the domain to the hostname (FQDN).

        But you can try to provide a DNS domain to the client by checking "DNS Default Domain" and entering the domain in the OpenVPN server settings.
        Also you have to provide the local DNS server to the clients, of course, and allow the access to it.

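The "allow the access to it" point above is easy to overlook: unbound can be listening on the tunnel interface and still refuse queries, because it only answers clients whose source address matches an `access-control:` entry (unmatched clients are refused). The following is an added example, not code from the thread or from pfSense: a POSIX sh function that emulates unbound's IPv4 access-control lookup against a constructed unbound.conf fragment. The config fragments are constructed; the tunnel network 10.0.30.0/24 and the file path /var/unbound/unbound.conf are taken from the thread, and the claim that pfSense generates these lines from the resolver's interface and access-list settings is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Two constructed unbound.conf fragments in
# the layout pfSense writes to /var/unbound/unbound.conf (path from the thread).
# The first lacks an access-control entry for the tunnel network 10.0.30.0/24,
# so unbound listens but refuses those clients; the second adds the entry.
CONF_MISSING='server:
interface: 0.0.0.0
interface: ::0
access-control: 127.0.0.0/8 allow
access-control: 192.168.1.0/24 allow'

CONF_FIXED="$CONF_MISSING
access-control: 10.0.30.0/24 allow"

# unbound_acl_verdict CLIENT_IP CONF_TEXT
# Emulates unbound's IPv4 access-control lookup: the most specific matching
# network decides the action; a client matching no entry is refused.
# Prints e.g. "allow (10.0.30.0/24)" or "refuse (no matching access-control)".
unbound_acl_verdict() {
    printf '%s\n' "$2" | awk -v client="$1" '
        function ip2int(s,   p) {
            split(s, p, ".")
            return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
        }
        # True when ip (as an integer) lies in net/bits. Division is used
        # instead of bit shifts, which POSIX awk does not have.
        function in_net(ip, net, bits,   block) {
            block = 2 ^ (32 - bits)
            return int(ip / block) == int(net / block)
        }
        $1 == "access-control:" && $2 ~ /^[0-9.]+\/[0-9]+$/ {
            split($2, np, "/")
            bits = np[2] + 0
            if (in_net(ip2int(client), ip2int(np[1]), bits) && bits >= best) {
                best = bits
                verdict = $3 " (" $2 ")"
            }
        }
        END { print (verdict == "" ? "refuse (no matching access-control)" : verdict) }'
}

# Live use on the firewall shell (assumed to run as root):
#   unbound_acl_verdict 10.0.30.2 "$(cat /var/unbound/unbound.conf)"
unbound_acl_verdict 10.0.30.2 "$CONF_MISSING"
unbound_acl_verdict 10.0.30.2 "$CONF_FIXED"
```

A "refuse" verdict for a tunnel client address while LAN clients get "allow" explains exactly the symptom of a resolver that is up and bound to every interface yet answers nothing over the VPN.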
        Gertjan @turbogn87

          @turbogn87

          This is my VPN tunnel network :

          0f038389-3dc1-42fa-b3a9-78567424bae5-image.png

          My DNS VPN settings :

          984c8731-1088-49ec-b778-7cac565dfecd-image.png

          I accept all traffic coming from my remote OpenVPN client :

          70665abc-93a9-461c-8c19-ec746c04098a-image.png

          The resolver listens on all interfaces, and this includes the OpenVPN interface :

          fadf9676-97ef-4cdf-bb37-29d883790539-image.png

          Let's check :

          [24.11-RELEASE][root@pfSense.bhf.tld]/root: sockstat | grep 'unbound'
          unbound  unbound    69172 3   udp6   *:53                  *:*
          unbound  unbound    69172 4   tcp6   *:53                  *:*
          unbound  unbound    69172 5   udp4   *:53                  *:*
          unbound  unbound    69172 6   tcp4   *:53                  *:*
          .......
          

          So, it's listening on all interfaces using TCP and UDP, on port 53.

          I connect my OpenVPN client, I checked the OpenVPN client log, where I can see :

          ...
          [Dec 03, 2024, 09:34:11] NIP: adding DNS 192.168.3.1
          ...
          so the connection uses 192.168.3.1 as its DNS.

          I use an app on my OpenVPN client device (a phone) to 'test' the DNS access :
          I told the app to use "192.168.3.1" as the DNS (normally, it would use 192.168.3.1 anyway) :

          053e79a1-d267-4387-a30d-2f47586384da-image.png

          and I got an answer.
          Was it from pfSense, the resolver ? Let's check :

          As I use pfBlockerNG, I have access to the logged DNS requests the resolver receives :
          Here is my OpenVPN client device, 192.168.3.2, asking for www.google.com :
          ee59b4c8-c4f8-42dc-a532-43bbbdaada6d-image.png

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          turbogn87 @Gertjan

            @Gertjan Thank you for all the suggestions, most of those I have tried and yea, it didn't change anything. I'm not sure what's up or what I'm doing wrong lol. I noticed when I did an nslookup on my laptop when I was connected, google.com goes back to 10.0.30.1, which is my Netgate, so DNS seems to be somewhat working if I'm understanding it correctly

            Gertjan @turbogn87

              @turbogn87 said in NETGATE 2100 OPENVPN DNS QUESTION:

              when I did a nslookup on my laptop when i was connected google.com goes back to 10.0.30.1 which is my netgate so DNS seems to be somewhat working if I'm understanding it correctly

              Exact.

              When you connect your laptop the next time, fire up a dos 'cmd' box.
              Type

              ipconfig /all
              
              
                 Serveurs DNS. . .  . . . . . . . . . . : 2a01:cb24:907:a7ec:92ec:77ff:fe29:392c
                                                     192.168.3.1
                                                     2a01:cb24:907:a7ec:92ec:77ff:fe29:392c
              

              Btw : "2a01:cb24:907:a7ec:92ec:77ff:fe29:392c" is the IPv6 of my VPN, I use a dual stack.

              You'll see your actual connection, and what its DNS is.
              If it says "10.0.30.1" then you know your system (laptop) will forward to that IP for all DNS questions.

              Beware : this doesn't mean that all your applications (like web browsers) use that IP for DNS.
              Most browsers will use their own "8.8.8.8" (or DoH tricks) and others because they want your DNS requests for "commercial reasons" 😊


              turbogn87 @Gertjan

                @Gertjan Yeaaaa, on my ipconfig /all under my VPN connection my DNS server is 10.0.30.1, but for some reason I can't ping my host names in my network. Example: my server name is MDSERVER; I cannot ping by name, but the IP address will ping and get a reply, or under File Explorer it will show the shares under the IP but not the name. EHHHHHH. Not sure what I'm doing wrong. I'm sure I'm missing something

                Gertjan @turbogn87

                  @turbogn87

                  Ok, DNS is set to 10.0.30.1, that's the first IP in your tunnel VPN network.

                  Check that unbound (see above) is actually listening on the OpenVPN interface.

                  @turbogn87 said in NETGATE 2100 OPENVPN DNS QUESTION:

                  but for some reason I cant ping my host names in my network. Example my server name is MDSERVER I can not ping by name but the IP address will ping

                  'ping' will work out of the box, if you give it an IP.
                  If you give ping a 'hostname' like www.google.com then it will resolve that host name first.
                  Typically, it should use the system DNS = your 10.0.30.1.

                  Test :
                  On my phone, I execute a DNS test for www.google.fr.

                  On my pfSense, I did a packet capture (under Diagnostics) (using port 53, interface VPN, protocol UDP, and full details).
                  This is what was captured : the DNS requests for www.googe.fr, so I know it went through the tunnel and arrived at the VPN server interface :

                  18:15:49.562031 AF IPv4 (2), length 62: (tos 0x0, ttl 64, id 50079, offset 0, flags [none], proto UDP (17), length 58)
                      192.168.3.2.55681 > 192.168.3.1.53: [udp sum ok] 35350+ A? www.googe.fr. (30)
                  18:15:49.804182 AF IPv4 (2), length 92: (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 88)
                      192.168.3.1.53 > 192.168.3.2.55681: [udp sum ok] 35350 q: A? www.googe.fr. 2/0/0 www.googe.fr. CNAME googe.fr., googe.fr. A 81.169.254.196 (60)
                  


                  turbogn87 @Gertjan

                    @Gertjan Ok, where do I go to find the unbound?? I'm not sure where to find that in pfSense? Again, thank you for your time!!

                    Gertjan @turbogn87

                      @turbogn87 said in NETGATE 2100 OPENVPN DNS QUESTION:

                      Ok, where do I go to find the unbound?? I not sure where to find that in pfsense?

                      unbound is also known as what pfSense calls the resolver (as it is a dns resolver):

                      3d96b962-dc43-49a2-aee4-a2fb68723755-image.png

                      Here you can see it running :

                      24071f3f-a723-4b7a-8e62-0b10decbfedd-image.png

                      It's just one of the many processes running on your pfSense.

                      This is the process that 'listens' (as shown in my previous post) on all interfaces (did you check that ?) on DNS port '53'.
                      It should also listen on your VPN tunnel IP, typically 10.0.30.1.


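The check asked for above (is unbound bound to the tunnel IP, or to the wildcard address, on UDP port 53?) can be scripted from the sockstat output shown earlier in the thread. This is an added example, not code from Gertjan or from pfSense: a POSIX sh function that reads sockstat-style text and answers yes or no for a given tunnel IP. The two sockstat samples are constructed in the column layout posted above; the tunnel IP 10.0.30.1 and LAN IP 192.168.1.1 come from the thread, and the `sockstat -4 -l` invocation in the comment is the FreeBSD listing of IPv4 listening sockets.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sockstat output in the column
# layout Gertjan posted. The second sample shows a resolver bound only to the
# LAN address, which is the condition the thread says to rule out: clients
# pointed at 10.0.30.1 would then get no answer at all.
SOCKSTAT_ALL='USER     COMMAND    PID   FD  PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  unbound    69172 3   udp6   *:53                  *:*
unbound  unbound    69172 4   tcp6   *:53                  *:*
unbound  unbound    69172 5   udp4   *:53                  *:*
unbound  unbound    69172 6   tcp4   *:53                  *:*'

SOCKSTAT_LAN_ONLY='USER     COMMAND    PID   FD  PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  unbound    69172 5   udp4   192.168.1.1:53        *:*
unbound  unbound    69172 6   tcp4   192.168.1.1:53        *:*'

# dns_listener_ok TUNNEL_IP SOCKSTAT_TEXT
# Prints "yes" when unbound has an IPv4 UDP socket on port 53 bound either to
# the wildcard address "*" or to TUNNEL_IP itself (the address OpenVPN hands
# the clients as their DNS server), and "no" otherwise.
dns_listener_ok() {
    printf '%s\n' "$2" | awk -v ip="$1" '
        $1 == "unbound" && $5 == "udp4" {
            n = split($6, a, ":")            # LOCAL ADDRESS column is addr:port
            if (a[n] == "53" && (a[1] == "*" || a[1] == ip)) found = 1
        }
        END { print (found ? "yes" : "no") }'
}

# Live use on the firewall shell (assumed to run as root):
#   dns_listener_ok 10.0.30.1 "$(sockstat -4 -l)"
dns_listener_ok 10.0.30.1 "$SOCKSTAT_ALL"        # yes
dns_listener_ok 10.0.30.1 "$SOCKSTAT_LAN_ONLY"   # no
```

A "no" here means the resolver's Network Interfaces selection does not cover the tunnel; a "yes" moves the suspicion to the access list, the firewall rule on the OpenVPN interface, or the client side.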
                      turbogn87 @Gertjan

                        @Gertjan ok, here is what I have. I thought you were talking about DNS Resolver, I wasn't 100% sure. Attached are my logs and my resolver settings; looks like port 54 is wide open and network interfaces and outgoing are highlighted.
                        1733412900360-0c1ca333-0081-43c1-83c8-892ff3449901COM - Diagnostics_ System Activity_1.jpg
                        1733412900360-0c1ca333-0081-43c1-83c8-892ff3449901COM - Diagnostics_ System Activity_2.jpg
                        1733412974964-888d18ff-c285-48b3-9891-32878fb0f7a5COM - Services_ DNS Resolver_ General Settings_1.jpg
                        1733412974964-888d18ff-c285-48b3-9891-32878fb0f7a5COM - Services_ DNS Resolver_ General Settings_2.jpg

                        Gertjan @turbogn87

                          @turbogn87

                          The first two images : no need to paste the big picture.
                          I saw unbound in there ... so all is well, it's running.

                          For myself, I do this :

                          [24.11-RELEASE][root@pfSense.bhf.tld]/root: ps aux | grep 'unbound.conf'
                          unbound 11560   0.0  3.4 154388 135772  -  Ss   09:51       5:46.91 /usr/local/sbin/unbound -c /var/unbound/unbound.conf
                          

                          😊

                          This :

                          Looks strange.
                          7f01d858-fe83-46fe-8de1-6b5ee725b70a-image.png

                          No interfaces selected ?!

                          I have the default (using a 4100 with 24.11):

                          b69041da-0b10-412c-94ab-9fb45a205268-image.png

                          And your resolver isn't doing any resolving, you forward (that's not default !), you should disable :

                          7008d6cf-9d46-4775-b3ea-8b7eaff32963-image.png

                          but this doesn't explain your dns openvpn issue.


                          turbogn87 @Gertjan

                            @Gertjan sorry about that, not sure why they are so freaking big lol. Yes, you are correct, on my GUI both are highlighted, it just didn't show up in my screenshot for whatever reason.

                            Gertjan @turbogn87

                              @turbogn87

                              Did you try the packet capture ?

                              18fd2064-640d-4bc2-b570-d46f07aa8e1c-image.png

                              1. Select the VPN interface.
                              2. Select View : Full details
                              3. Protocol UDP (we're after DNS after all)
                              4. and port 53, as DNS uses port 53.

                              Then, hit the Green start button.

                              Connect your client VPN device.

                              Check that you are connected :

                              8a75e7ce-d440-4e36-bd10-69cf380c7829-image.png

                              Now, if you have the tools (apps) : do some DNS requests.
                              If you use a windows OS : nslookup can help you ...
                              Android device ? Never saw them, but apps must exist.
                              iPhones : get the he.net app, for example.

                              The packet tracer should show results now = dns packets with the host names your device was looking for.


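Reading the "Full details" capture by eye gets tedious once the client has made a few dozen lookups, and the useful question is not just whether packets arrive but what the resolver replied to each one. This is an added example, not code from the thread or from pfSense: a POSIX sh function that pairs each DNS query id in tcpdump-style capture text with its reply and reports, per name, whether it was answered, refused with NXDOMAIN, or never answered. The capture lines are constructed in the format of Gertjan's sample (addresses changed to the thread's 10.0.30.0/24 tunnel); the hostnames `mdserver` and `printer` are illustrative, and the `NXDomain` marker is tcpdump's rendering of an NXDOMAIN reply.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed capture text in the layout of
# pfSense's Diagnostics > Packet Capture "Full details" view (tcpdump verbose
# output), modelled on the sample posted earlier in the thread. Three lookups
# from the tunnel client: one answered, one NXDOMAIN (a bare hostname the
# resolver does not know), one that never got a reply.
SAMPLE_CAPTURE='18:15:49.562031 AF IPv4 (2), length 62: (tos 0x0, ttl 64, id 50079, offset 0, flags [none], proto UDP (17), length 58)
    10.0.30.2.55681 > 10.0.30.1.53: [udp sum ok] 35350+ A? www.googe.fr. (30)
18:15:49.804182 AF IPv4 (2), length 92: (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 88)
    10.0.30.1.53 > 10.0.30.2.55681: [udp sum ok] 35350 q: A? www.googe.fr. 2/0/0 www.googe.fr. CNAME googe.fr., googe.fr. A 81.169.254.196 (60)
18:16:02.101544 AF IPv4 (2), length 54: (tos 0x0, ttl 64, id 50080, offset 0, flags [none], proto UDP (17), length 50)
    10.0.30.2.55682 > 10.0.30.1.53: [udp sum ok] 35351+ A? mdserver. (26)
18:16:02.102010 AF IPv4 (2), length 54: (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto UDP (17), length 50)
    10.0.30.1.53 > 10.0.30.2.55682: [udp sum ok] 35351 NXDomain q: A? mdserver. 0/0/0 (26)
18:16:10.500000 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 50081, offset 0, flags [none], proto UDP (17), length 52)
    10.0.30.2.55683 > 10.0.30.1.53: [udp sum ok] 35352+ A? printer. (25)'

# dns_capture_summary CAPTURE_TEXT
# Pairs each query id with its reply and prints "<name> <status>" per lookup,
# in query order. Status is "answered", "nxdomain", or "no-reply" (the query
# reached the capture point but nothing came back: listener or access problem).
dns_capture_summary() {
    printf '%s\n' "$1" | awk '
        / A[?] / {
            for (i = 1; i <= NF; i++) if ($i == "A?") name = $(i + 1)
            if ($0 ~ /[0-9][+] A[?]/) {
                # Query line: "<id>+ A? <name>" (the + is the recursion-desired flag)
                for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+[+]$/) id = substr($i, 1, length($i) - 1)
                order[++n] = id; qname[id] = name; status[id] = "no-reply"
            } else if ($0 ~ / q: A[?] /) {
                # Reply line: "<id> [NXDomain] q: A? <name> ans/auth/add"
                for (i = 1; i <= NF; i++)
                    if ($i ~ /^[0-9]+$/ && ($(i + 1) == "q:" || $(i + 1) == "NXDomain")) id = $i
                status[id] = ($0 ~ /NXDomain/) ? "nxdomain" : "answered"
            }
        }
        END { for (i = 1; i <= n; i++) print qname[order[i]], status[order[i]] }'
}

# Live use: paste the capture view into a file and run
#   dns_capture_summary "$(cat capture.txt)"
dns_capture_summary "$SAMPLE_CAPTURE"
```

The three outcomes map onto three different fixes: "no-reply" points at the resolver not listening on, or not allowing, the tunnel; "nxdomain" for a bare hostname means the query arrived but the resolver has no record for it, which is the host-registration and search-domain question raised later in the thread; "answered" for a public name but "nxdomain" for local ones narrows it to the second case.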
                              Antibiotic @turbogn87

                                @turbogn87 Is it Mac OS, fonts are awesome?

                                pfSense plus 24.11 on Topton mini PC
                                CPU: Intel N100
                                NIC: Intel i-226v 4 pcs
                                RAM : 16 GB DDR5
                                Disk: 128 GB NVMe
                                Brgds, Archi

                                Antibiotic @turbogn87

                                  @turbogn87 I mean font rendering


                                  turbogn87 @Gertjan

                                    @Gertjan give me over the weekend to check on things, I been buried on other projects, I will report back. Thank you again for all your help!!!!

                                    turbogn87 @turbogn87

                                      @turbogn87 Well, I tried all your suggestions, I'm honestly stumped lol. I do not see why I can ping my host name but IP is fine. I'm sure it's something silly I'm missing. If you are out of answers I do understand, and I appreciate your time. If you know anything else to look for, let me know. The only other thing I did notice, and it doesn't make any sense: if I'm connected and I run a program like Angry IP Scanner, it will see the IP and the machine name, and I can ping my host name after I scan until I disconnect and reconnect.

                                      stephenw10 Netgate Administrator

                                        What are you actually trying to resolve? Hostnames in the local network? And I assume that works if you are on the local network directly?

                                        Are they actually failing to resolve? What error is shown on the remote client?

                                        Are you trying to use just the hostname? What if you try the full FQDN?

                                        turbogn87 @stephenw10

                                          @stephenw10
                                          What I'm trying to resolve is, when I connect through my VPN I would like to either RDP to my office PC or my file server, which I can as long as I know the IP address. If I put in just the computer name it doesn't work. I'm not getting any kind of error. If I try to ping by name, or I did try the FQDN, it just comes back and tells me it can't find the name lol. Like I said, I'm self taught here; I was in IT like 20 years ago. I usually can figure out most issues, but pfSense and OpenVPN are somewhat new to me. To be clear, my so-called server is just a file server, as in a Win11 PC with some shares that about 3 other PCs in the office access. No true Windows server doing DHCP or DNS; I'm letting my Netgate device handle all that. Not sure if that has something to do with it. And yes, I can ping just fine by name across the network, just not when I'm offsite connected through VPN, but I can ping the Netgate device name. So that kinda tells me DNS is somewhat working. I hope all that makes sense.

                                          stephenw10 Netgate Administrator

                                            OK so what error do you see if you try to just: ping server1

                                            And what if you try the full fqdn like: ping server1.domain.local

                                            Obviously use the real domain you have configured.

                                            The other thing is that hostnames are not registered in the resolver by default. The fact you are able to resolve them when local makes me assume you have enabled that, but make sure it is in the DHCP server settings. That also assumes that the hosts you are trying to ping are using DHCP...

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.