Dns problem - FIXED !!

vronp · Jul 5, 2010, 11:38 PM

Hi all,

We have been using OpenVPN for some time and it has been working great. Recently we put together a new OpenVPN rule that limited the "Local network" to a single server (/32) on a network behind the firewall.

This part works fine. Now, here is the part that doesn't work. We really want the pfsense firewall to provide DNS to the VPN client but we can't add the firewall to the "Local network" for security reasons.

Is there any way to achieve this?

thanks

GruensFroeschli · Jul 2, 2010, 10:53 AM

Not sure i understand.

Is this a PKI or a PSK setup?
Did you assign the tun interface as OPT and create firewall rules?
Or do you (in case of a PKI) just only push a route for this single server? (If yes: this is NOT secure, anyone can add routes manually)

kpa · Jul 2, 2010, 11:06 AM

Turn on filtering for OpenVPN tunnels using these instructions:

http://doc.pfsense.org/index.php/OpenVPN_Traffic_Filtering_on_1.2.3

Now you can restrict access for vpn clients to what you want.

vronp · Jul 2, 2010, 5:29 PM

@GruensFroeschli:

Not sure i understand.

Is this a PKI or a PSK setup?
Did you assign the tun interface as OPT and create firewall rules?
Or do you (in case of a PKI) just only push a route for this single server? (If yes: this is NOT secure, anyone can add routes manually)

Yes, just push a route for the single server. At least I believe this is the case as I am setting the local network to be just the single server with a /32 mask.

It seems from your post and the other post that I need to setup OPT.

Thanks very much for the direction.

vronp · Jul 4, 2010, 3:32 PM

Well, something isn't working here despite me following the directions carefully.

I can make the VPN connection without a problem but I am not getting any hits on the firewall rules.

In Custom Options for the VPN setup I have:

dev tun8

This appears to be okay as I was able to configure the interface.

Something that may be important to note: On the Dashboard, the openvpn status is down for server1 although I am connecting fine. Not sure if this is some kind of bug with the Dashboard?

vronp · Jul 4, 2010, 7:08 PM

I do believe there is a NAT piece to this puzzle that is not covered in:

http://doc.pfsense.org/index.php/OpenVPN_Traffic_Filtering_on_1.2.3

GruensFroeschli · Jul 4, 2010, 8:50 PM

Did you change the route which you push to the clients from /32 to /24?

vronp · Jul 4, 2010, 9:19 PM

@GruensFroeschli:

Did you change the route which you push to the clients from /32 to /24?

Yes and can't see a thing on the /24.

I suspect my rules are not right or I have to make a NAT change.

Also, something I should mention. If I select: Disable all auto-added VPN rules., it kills both of my VPNs.

Currently:

VPN 1 works (simple PKI with a pushed route and no rules).
VPN 2 does not work. DNS server is correct but no traffic.

kpa · Jul 4, 2010, 9:24 PM

NAT has nothing to do with it most likely, if I read your description right all subnets are directly connected to pfSense and the vpn clients do not have to access anything on pfSense's WAN side which means that no NATing is needed.

vronp · Jul 4, 2010, 9:31 PM

@kpa:

NAT has nothing to do with it most likely, if I read your description right all subnets are directly connected to pfSense and the vpn clients do not have to access anything on pfSense's WAN side which means that no NATing is needed.

Ok, you are correct. I was thinking NAT based on another post I read but you have cleared up that aspect for me.

The odd thing here is there are not hits on my rules in the firewall logs.

vronp · Jul 5, 2010, 11:37 PM

Ok, so, I made an assumption that in pfsense:

Disable all auto-added VPN rules.
Note: This disables automatically added rules for IPsec, PPTP, and OpenVPN.

…meant that some "built in" pass rules were just disabled. I didn't realize that NOT checking this option prevents the rules one creates for the new OPT interface to be used.

I checked this and everything works!

Sorry all !!!