Netgate Discussion Forum
DNS problem - FIXED!!

Category: OpenVPN
11 Posts 3 Posters 4.3k Views
    vronp, Jul 1, 2010, 10:47 PM (edited Jul 5, 2010, 11:38 PM)

    Hi all,

    We have been using OpenVPN for some time and it has been working great.  Recently we put together a new OpenVPN rule that limited the "Local network" to a single server (/32) on a network behind the firewall.

    This part works fine.  Now, here is the part that doesn't work.  We really want the pfSense firewall to provide DNS to the VPN client but we can't add the firewall to the "Local network" for security reasons.

    Is there any way to achieve this?

    thanks

      GruensFroeschli, Jul 2, 2010, 10:53 AM

      Not sure I understand.

      Is this a PKI or a PSK setup?
      Did you assign the tun interface as OPT and create firewall rules?
      Or do you (in case of a PKI) just push a route for this single server? (If yes: this is NOT secure, anyone can add routes manually)

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        kpa, Jul 2, 2010, 11:06 AM

        Turn on filtering for OpenVPN tunnels using these instructions:

        http://doc.pfsense.org/index.php/OpenVPN_Traffic_Filtering_on_1.2.3

        Now you can restrict access for VPN clients to what you want.

          vronp, Jul 2, 2010, 5:29 PM

          @GruensFroeschli:

          Not sure I understand.

          Is this a PKI or a PSK setup?
          Did you assign the tun interface as OPT and create firewall rules?
          Or do you (in case of a PKI) just push a route for this single server? (If yes: this is NOT secure, anyone can add routes manually)

          Yes, just push a route for the single server.  At least I believe this is the case as I am setting the local network to be just the single server with a /32 mask.

          It seems from your post and the other post that I need to set up OPT.

          Thanks very much for the direction.

            vronp, Jul 4, 2010, 3:32 PM

            Well, something isn't working here despite me following the directions carefully.

            I can make the VPN connection without a problem but I am not getting any hits on the firewall rules.

            In Custom Options for the VPN setup I have:

            dev tun8

            This appears to be okay as I was able to configure the interface.

            Something that may be important to note:  On the Dashboard, the OpenVPN status is down for server1 although I am connecting fine.  Not sure if this is some kind of bug with the Dashboard?

              vronp, Jul 4, 2010, 7:08 PM

              I do believe there is a NAT piece to this puzzle that is not covered in:

              http://doc.pfsense.org/index.php/OpenVPN_Traffic_Filtering_on_1.2.3

                GruensFroeschli, Jul 4, 2010, 8:50 PM

                Did you change the route which you push to the clients from /32 to /24?


                  vronp, Jul 4, 2010, 9:19 PM

                  @GruensFroeschli:

                  Did you change the route which you push to the clients from /32 to /24?

                  Yes and can't see a thing on the /24.

                  I suspect my rules are not right or I have to make a NAT change.

                  Also, something I should mention.  If I select "Disable all auto-added VPN rules", it kills both of my VPNs.

                  Currently:

                  1. VPN 1 works (simple PKI with a pushed route and no rules).

                  2. VPN 2 does not work.  DNS server is correct but no traffic.

                    kpa, Jul 4, 2010, 9:24 PM

                    NAT most likely has nothing to do with it. If I read your description right, all subnets are directly connected to pfSense and the VPN clients do not have to access anything on pfSense's WAN side, which means that no NATing is needed.

                      vronp, Jul 4, 2010, 9:31 PM (edited Jul 5, 2010, 12:45 AM)

                      @kpa:

                      NAT most likely has nothing to do with it. If I read your description right, all subnets are directly connected to pfSense and the VPN clients do not have to access anything on pfSense's WAN side, which means that no NATing is needed.

                      Ok, you are correct.  I was thinking NAT based on another post I read but you have cleared up that aspect for me.

                      The odd thing here is there are no hits on my rules in the firewall logs.

                        vronp, Jul 5, 2010, 11:37 PM

                        Ok, so, I made an assumption that in pfSense:

                        Disable all auto-added VPN rules.
                        Note: This disables automatically added rules for IPsec, PPTP, and OpenVPN.

                        …meant that some "built in" pass rules were just disabled.  I didn't realize that NOT checking this option prevents the rules one creates for the new OPT interface to be used.

                        I checked this and everything works!

                        Sorry all !!!

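The filtering approach the thread converges on (assign the tun interface as an OPT interface, write the restrictions as firewall rules there, and stop treating the pushed /32 route as the boundary), shown as an added pf ruleset. This is example configuration written for this page, not taken from the thread or from the pfSense documentation; only the interface name tun8 comes from the thread, and the tunnel network 10.8.0.0/24, the firewall's tunnel address 10.8.0.1, the permitted server 192.168.10.20 and the OpenVPN directives in the comments are constructed:

```conf
# Added example (not from the thread or the pfSense docs): pf rules for the
# OpenVPN tunnel interface once it has been assigned as an OPT interface.
# Addresses below are constructed for illustration:
#   tun8            tunnel interface from the Custom Option "dev tun8"
#   10.8.0.0/24     OpenVPN tunnel network ("server 10.8.0.0 255.255.255.0")
#   10.8.0.1        the firewall's own address inside the tunnel
#   192.168.10.20   the single LAN host clients may reach
#
# Matching OpenVPN server directives (constructed). They tell a cooperating
# client where to send traffic but are NOT a security boundary: a client can
# add routes locally at any time.
#   dev tun8
#   push "route 192.168.10.20 255.255.255.255"
#   push "dhcp-option DNS 10.8.0.1"

vpn_if  = "tun8"
vpn_net = "10.8.0.0/24"
fw_tun  = "10.8.0.1"
app_srv = "192.168.10.20"

# Default: drop and log everything arriving from the tunnel. The logged
# packets are what should appear in the firewall log; if nothing for tun8
# is ever logged, a broader pass rule (such as an auto-added VPN rule) is
# matching first, which is what the thread ran into.
block in log on $vpn_if all

# DNS only to the firewall's tunnel address, not its LAN address, so the
# firewall never has to be added to the pushed "Local network".
pass in quick on $vpn_if proto { tcp, udp } from $vpn_net to $fw_tun port 53 keep state

# The one permitted server; every other LAN host stays blocked regardless
# of which routes the client has configured on its side.
pass in quick on $vpn_if from $vpn_net to $app_srv keep state
```

In pfSense the equivalent rules are created in the GUI under Firewall > Rules on the OPT interface rather than in pf.conf; pf syntax is used here only to make the evaluation order and the default block explicit. The pushed route merely steers a well-behaved client, so it is the pass rule for the single server, not the /32 route, that limits what a client can reach, and the logged default block is the quickest way to confirm the OPT rules are actually being evaluated.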
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.