PfSense 2.0.3 + OpenVPN, resolving problems.

  • Hi,

    I've set up an OpenVPN service on my pfSense installation, everything works fine, except when trying to resolve names from a client connected to the OpenVPN service.

    connecting to IP's work just fine, dig @ <dns ip="">works great, but if i define the hostname of the dns server it fails.

    all of these queries work fine when i ssh into the pfSense box.

    anyone got any ideas what i've missed/missconfigured?  :-\


  • domain suffix/search path problem?

  • suspected that myself in the beginning, but everything gets set properly to the client when connected :/

    do tell if i should provide some conf. info that might help to resolve this issue.

  • So, from the client connected, show the ipconfig /all, a nslookup for a host and for its FQDN. That should have the answer in there.

  • don't really know what info ipconfig /all gives, so heres some with ifconfig and netstat.

    Server: XXX.179.18.2
    Address: XXX.179.18.2#53

    Non-authoritative answer:

    ifconfig -a
    lo0: flags=8049 <up,loopback,running,multicast>mtu 16384
    options=3 <rxcsum,txcsum>inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet netmask 0xff000000
    inet6 ::1 prefixlen 128
    gif0: flags=8010 <pointopoint,multicast>mtu 1280
    stf0: flags=0<> mtu 1280
    en0: flags=8863 <up,broadcast,smart,running,simplex,multicast>mtu 1500
    options=2b <rxcsum,txcsum,vlan_hwtagging,tso4>ether c8:2a:14:04:84:fd
    media: autoselect (none)
    status: inactive
    en1: flags=8863 <up,broadcast,smart,running,simplex,multicast>mtu 1500
    ether e0:f8:47:37:15:f8
    inet6 fe80::e2f8:47ff:fe37:15f8%en1 prefixlen 64 scopeid 0x5
    inet netmask 0xffffff00 broadcast
    media: autoselect
    status: active
    p2p0: flags=8843 <up,broadcast,running,simplex,multicast>mtu 2304
    ether 02:f8:47:37:15:f8
    media: autoselect
    status: inactive
    fw0: flags=8863 <up,broadcast,smart,running,simplex,multicast>mtu 4078
    lladdr 70💿60:ff:fe:d1:70:10
    media: autoselect <full-duplex>status: inactive
    vboxnet0: flags=8842 <broadcast,running,simplex,multicast>mtu 1500
    ether 0a:00:27:00:00:00
    tun0: flags=8851 <up,pointopoint,running,simplex,multicast>mtu 1500
    inet –> netmask 0xffffffff
    open (pid 60243)

    netstat -rn
    Routing tables

    Destination        Gateway            Flags        Refs      Use  Netif Expire
    0/1                UGSc          72        0    tun0
    default            UGSc          11        0    en1
    10.0.2/24          link#5            UCS            4        0    en1          54:4:a6:d3:d4:3d  UHLWIir        3    6196    en1  1112          link#5            UHRLWIi        0      30    en1          98:3:d8:e8:12:13  UHLWIi          0        0    en1    382          UHS            0      100    lo0        ff:ff:ff:ff:ff:ff  UHLWbI          0      16    en1
    10.11/24          UGSc            0        0    tun0          UHr          135        0    tun0
    XXX.247.8.53/32          UGSc            1        0    en1
    127                UCS            0        0    lo0          UH            10  145126    lo0
    128.0/1            UGSc          58        0    tun0
    169.254            link#5            UCS            0        0    en1
    192.168.3          UGSc            1        0    tun0

    Destination                            Gateway                        Flags        Netif Expire
    ::1                                    link#1                          UHL            lo0
    fe80::%lo0/64                          fe80::1%lo0                    UcI            lo0
    fe80::1%lo0                            link#1                          UHLI            lo0
    fe80::%en0/64                          link#4                          UCI            en0
    fe80::%en1/64                          link#5                          UCI            en1
    fe80::e2f8:47ff:fe37:15f8%en1          e0:f8:47:37:15:f8              UHLI            lo0
    ff01::%lo0/32                          fe80::1%lo0                    UmCI            lo0
    ff01::%en0/32                          link#4                          UmCI            en0
    ff01::%en1/32                          link#5                          UmCI            en1
    ff02::%lo0/32                          fe80::1%lo0                    UmCI            lo0
    ff02::%en0/32                          link#4                          UmCI            en0
    ff02::%en1/32                          link#5                          UmCI            en1</up,pointopoint,running,simplex,multicast></broadcast,running,simplex,multicast></full-duplex></up,broadcast,smart,running,simplex,multicast></up,broadcast,running,simplex,multicast></up,broadcast,smart,running,simplex,multicast></rxcsum,txcsum,vlan_hwtagging,tso4></up,broadcast,smart,running,simplex,multicast></pointopoint,multicast></rxcsum,txcsum></up,loopback,running,multicast>

  • forgot to add this also.

    dig @ns1.XXXXXXXX.YYY
    dig: couldn't get address for 'ns1.XXXXXXXX.YYY': not found

    dig @XXX.179.18.2 +short

    nslookup ns1.XXXXXXXX.YYY
    Server: XXX.179.18.2
    Address: XXX.179.18.2#53

    Name: ns1.XXXXXXXX.YYY
    Address: XXX.179.18.2

  • what does resolv.conf say when connected, I think there might be multiple dns servers in there, you normal one and the one through the vpn.

    No too sure how to fix this on *nix though, don't use the client on linux myself.

  • When connected resolv.conf gets updated with the DNS server from the VPN config (same as for the pfsense installation)

    should i add an allow line for port 53 tcp/udp in the firewall rule list for OpenVPN? or might it be something like that thats missing?

  • by default there is a deny all rule, so you would have to allow that, yes. I would start off with allow all, to see that the vpn/routing/dns parts are working, and then lock it down.

  • There were actually problems on 2 sides :)

    First one was FW rules to allow communication from openvpn :)

    now i'm trying to figure out how to  push dns configuration to the openvpn client :)

  • There is the option under OpenVPN: Server:
    "Provide a DNS server list to clients"
    you can enter DNS servers there

    and if you want all traffic to go through the tunnel:
    "Force all client generated traffic through the tunnel. "

  • found the options myself :)
    but thanx for all the help! :)