Timeout overriding entire domain w DNS forwarder over OpenVPN site2site tunnel

  • I have two pfSense instances connected via an OpenVPN tunnel.  I have the client pfSense instance's DNS forwarder overriding an entire domain using a DNS server on the LAN side of the other pfSense instance.  This was working just fine, then I took the tunnel down for some maintenance.  When I brought it back up, the DNS forwarder on the client side started timing out whenever a lookup was done for the overridden domain.

    I've tried restarting the DNS forwarder on the client side pfSense instance.  This has not resolved the problem.

    Anyone have any suggestions?


  • I do this exact thing and have never had a problem with it. Try to log into the shell in the client machine or use the command option to do a manual DNS lookup over the tunnel. For example, if the remote server is try:

    host yahoo.com

    (better yet, use a host you know can only be resolved correctly from your DNS server). This should work; if it doesn't work but you can ping the DNS server just fine, make sure your DNS server is configured to allow requests from the remote subnet (or from the client pfSense address specifically, as it would be seen from the DNS server).

  • Thanks for the reply.

    I tried what you suggested, and I get a timeout.  I think I might have a problem with my tunnel.

    I keep getting this in the server instance's OpenVPN log:
    openvpn[13591]: WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig'

    I have the "Interface IP" on the client instance and the "Address Pool" on the server instance set to

    Something else I've noticed is that if I have "Use static IPs" unchecked, I can't ping the server side of the tunnel from the client side.  However, unchecking "Use static IPs" will get rid of the ifconfig warning message.


    I've tried both UDP and TCP on the tunnel, and still get the same results.

  • Post both the client and server side configs, or screen shots of each. It will make it a lot easier to figure out. I'm assuming this is a shared key site-to-site tunnel?
