Netgate Discussion Forum

pfSense 2.0.3 + OpenVPN, resolving problems.

    zleeper
    last edited by May 8, 2013, 3:23 PM

    Hi,

    I've set up an OpenVPN service on my pfSense installation, everything works fine, except when trying to resolve names from a client connected to the OpenVPN service.

    Connecting to IPs works just fine, dig @<dns ip> works great, but if I define the hostname of the DNS server it fails.

    All of these queries work fine when I ssh into the pfSense box.

    Anyone got any ideas what I've missed/misconfigured? :-\

    /zleeper

      SeventhSon
      last edited by May 10, 2013, 6:45 PM

      Domain suffix/search path problem?

        zleeper
        last edited by May 13, 2013, 6:44 AM

        Suspected that myself in the beginning, but everything gets set properly on the client when connected :/

        Do tell if I should provide some config info that might help to resolve this issue.

          SeventhSon
          last edited by May 13, 2013, 4:59 PM

          So, from the connected client, show the ipconfig /all, an nslookup for a host and for its FQDN. That should have the answer in there.

            zleeper
            last edited by May 15, 2013, 8:38 AM

            Don't really know what info ipconfig /all gives, so here's some with ifconfig and netstat.

            nslookup google.com
            Server: XXX.179.18.2
            Address: XXX.179.18.2#53

            Non-authoritative answer:
            Name: google.com
            Address: 173.194.32.39
            Name: google.com
            Address: 173.194.32.40
            Name: google.com
            Address: 173.194.32.41
            Name: google.com
            Address: 173.194.32.46
            Name: google.com
            Address: 173.194.32.32
            Name: google.com
            Address: 173.194.32.33
            Name: google.com
            Address: 173.194.32.34
            Name: google.com
            Address: 173.194.32.35
            Name: google.com
            Address: 173.194.32.36
            Name: google.com
            Address: 173.194.32.37
            Name: google.com
            Address: 173.194.32.38

            ifconfig -a
            lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
                options=3<RXCSUM,TXCSUM>
                inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
                inet 127.0.0.1 netmask 0xff000000
                inet6 ::1 prefixlen 128
            gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
            stf0: flags=0<> mtu 1280
            en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                options=2b<RXCSUM,TXCSUM,VLAN_HWTAGGING,TSO4>
                ether c8:2a:14:04:84:fd
                media: autoselect (none)
                status: inactive
            en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                ether e0:f8:47:37:15:f8
                inet6 fe80::e2f8:47ff:fe37:15f8%en1 prefixlen 64 scopeid 0x5
                inet 10.0.2.178 netmask 0xffffff00 broadcast 10.0.2.255
                media: autoselect
                status: active
            p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
                ether 02:f8:47:37:15:f8
                media: autoselect
                status: inactive
            fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
                lladdr 70:cd:60:ff:fe:d1:70:10
                media: autoselect <full-duplex>
                status: inactive
            vboxnet0: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                ether 0a:00:27:00:00:00
            tun0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                inet 10.11.0.6 --> 10.11.0.5 netmask 0xffffffff
                open (pid 60243)


            netstat -rn
            Routing tables

            Internet:
            Destination        Gateway            Flags        Refs      Use  Netif Expire
            0/1                10.11.0.5          UGSc          72        0    tun0
            default            10.0.2.1          UGSc          11        0    en1
            10.0.2/24          link#5            UCS            4        0    en1
            10.0.2.1          54:4:a6:d3:d4:3d  UHLWIir        3    6196    en1  1112
            10.0.2.47          link#5            UHRLWIi        0      30    en1
            10.0.2.98          98:3:d8:e8:12:13  UHLWIi          0        0    en1    382
            10.0.2.178        127.0.0.1          UHS            0      100    lo0
            10.0.2.255        ff:ff:ff:ff:ff:ff  UHLWbI          0      16    en1
            10.11/24          10.11.0.5          UGSc            0        0    tun0
            10.11.0.5          10.11.0.6          UHr          135        0    tun0
            XXX.247.8.53/32    10.0.2.1          UGSc            1        0    en1
            127                127.0.0.1          UCS            0        0    lo0
            127.0.0.1          127.0.0.1          UH            10  145126    lo0
            128.0/1            10.11.0.5          UGSc          58        0    tun0
            169.254            link#5            UCS            0        0    en1
            192.168.3          10.11.0.5          UGSc            1        0    tun0

            Internet6:
            Destination                            Gateway                        Flags        Netif Expire
            ::1                                    link#1                          UHL            lo0
            fe80::%lo0/64                          fe80::1%lo0                    UcI            lo0
            fe80::1%lo0                            link#1                          UHLI            lo0
            fe80::%en0/64                          link#4                          UCI            en0
            fe80::%en1/64                          link#5                          UCI            en1
            fe80::e2f8:47ff:fe37:15f8%en1          e0:f8:47:37:15:f8              UHLI            lo0
            ff01::%lo0/32                          fe80::1%lo0                    UmCI            lo0
            ff01::%en0/32                          link#4                          UmCI            en0
            ff01::%en1/32                          link#5                          UmCI            en1
            ff02::%lo0/32                          fe80::1%lo0                    UmCI            lo0
            ff02::%en0/32                          link#4                          UmCI            en0
            ff02::%en1/32                          link#5                          UmCI            en1

              zleeper
              last edited by May 16, 2013, 12:49 PM

              Forgot to add this also.

              dig @ns1.XXXXXXXX.YYY google.com
              dig: couldn't get address for 'ns1.XXXXXXXX.YYY': not found

              dig @XXX.179.18.2 google.com +short
              173.194.32.40
              173.194.32.41
              173.194.32.46
              173.194.32.32
              173.194.32.33
              173.194.32.34
              173.194.32.35
              173.194.32.36
              173.194.32.37
              173.194.32.38
              173.194.32.39

              nslookup ns1.XXXXXXXX.YYY
              Server: XXX.179.18.2
              Address: XXX.179.18.2#53

              Name: ns1.XXXXXXXX.YYY
              Address: XXX.179.18.2

                SeventhSon
                last edited by May 16, 2013, 5:58 PM

                What does resolv.conf say when connected? I think there might be multiple DNS servers in there, your normal one and the one through the VPN.

                Not too sure how to fix this on *nix though, I don't use the client on Linux myself.

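Added example (shell), not from this thread, pfSense or OpenVPN: a small check for the situation SeventhSon suspects, a resolv.conf that lists both the normal resolver and the one pushed over the VPN. It parses the nameserver and search lines, reports whether the VPN resolver is first, present but behind another server, or missing altogether, and can probe every listed server for a hostname so the one that fails stands out. The file path, the resolver address and the sample resolv.conf used in the comments are placeholders, not the poster's real values.

```shell
#!/bin/sh
# vpn_dns_check.sh  (added example; not part of the thread)
# Usage: sh vpn_dns_check.sh /etc/resolv.conf <pushed-dns-ip> [hostname-to-probe]
# Assumption: the pushed resolver address is supplied by the caller; the
# address 192.0.2.53 used in the comments below is a constructed placeholder.
set -eu

# Print the nameserver addresses in FILE, in the order the resolver tries them.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Print the search/domain suffixes in FILE (used for short names such as "ns1").
resolv_search() {
    awk '$1 == "search" || $1 == "domain" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# check_vpn_dns FILE VPN_DNS
#   returns 0: VPN_DNS is the first nameserver, internal names will resolve
#   returns 1: VPN_DNS is listed but not first, internal names may fail or time out
#   returns 2: VPN_DNS is missing, the pushed option never reached the resolver
check_vpn_dns() {
    file=$1
    vpn_dns=$2
    first=$(resolv_nameservers "$file" | head -n 1)
    if [ "$first" = "$vpn_dns" ]; then
        return 0
    elif resolv_nameservers "$file" | grep -qx "$vpn_dns"; then
        return 1
    else
        return 2
    fi
}

# Ask every listed nameserver for HOST so a server that cannot answer is visible.
probe_all() {
    file=$1
    host=$2
    command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 1; }
    for ns in $(resolv_nameservers "$file"); do
        answer=$(dig +short +time=2 +tries=1 "@$ns" "$host" | head -n 1)
        echo "$ns -> ${answer:-(no answer)}"
    done
}

# Only run the report when invoked with arguments, e.g.
#   sh vpn_dns_check.sh /etc/resolv.conf 192.0.2.53 ns1.example.internal
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    echo "search:      $(resolv_search "$1" | tr '\n' ' ')"
    echo "nameservers: $(resolv_nameservers "$1" | tr '\n' ' ')"
    rc=0
    check_vpn_dns "$1" "$2" || rc=$?
    echo "vpn resolver $2: status $rc (0=first, 1=present but not first, 2=missing)"
    if [ -n "${3:-}" ]; then
        probe_all "$1" "$3"
    fi
fi
```

A status of 1 is the classic symptom in this thread: the internal name fails (or times out) because the first server asked knows nothing about it, even though dig @<ip> works, since dig bypasses the resolver order entirely.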
                • Z
                  zleeper
                  last edited by May 16, 2013, 9:15 PM

                  When connected, resolv.conf gets updated with the DNS server from the VPN config (same as for the pfSense installation).

                  Should I add an allow line for port 53 TCP/UDP in the firewall rule list for OpenVPN? Or might it be something like that that's missing?

                    SeventhSon
                    last edited by May 18, 2013, 11:49 AM

                    By default there is a deny-all rule, so you would have to allow that, yes. I would start off with allow all, to see that the VPN/routing/DNS parts are working, and then lock it down.

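Added example (shell), not from the thread and not pfSense's own generated rules: the two rule sets SeventhSon describes, written as pf rules on the "openvpn" interface group that pfSense uses for its OpenVPN tab. The first set is the temporary allow-all that proves routing and DNS work; the second is the locked-down set that permits only DNS (TCP and UDP 53) to the pushed resolver plus the internal hosts the clients need, with everything else falling through to pfSense's default deny. The tunnel network, resolver address and LAN prefix are placeholders, not the poster's values, and the service ports in the locked set are an assumption about what the clients need.

```shell
#!/bin/sh
# openvpn_rules.sh  (added example; not from the thread or pfSense)
# Usage: sh openvpn_rules.sh show
# Assumptions (placeholders): tunnel network 10.11.0.0/24, pushed DNS server
# 192.0.2.53, internal LAN 192.168.3.0/24. pfSense ends its rule set with an
# implicit block, which is the "deny all" SeventhSon refers to.
set -eu

TUNNEL_NET=${TUNNEL_NET:-10.11.0.0/24}
DNS_SERVER=${DNS_SERVER:-192.0.2.53}
LAN_NET=${LAN_NET:-192.168.3.0/24}

# Step 1: troubleshooting rule set. Everything from the tunnel is allowed, so a
# remaining failure can only be routing or the DNS push, not the firewall.
rules_permissive() {
    cat <<EOF
pass in quick on openvpn inet from $TUNNEL_NET to any keep state
EOF
}

# Step 2: locked-down rule set. DNS to the pushed resolver only, then the
# internal services the clients actually use (ping, ssh, https are assumed).
# Anything else from the tunnel hits the explicit block at the end.
rules_locked() {
    cat <<EOF
pass in quick on openvpn inet proto { tcp, udp } from $TUNNEL_NET to $DNS_SERVER port 53 keep state
pass in quick on openvpn inet proto icmp from $TUNNEL_NET to $LAN_NET icmp-type echoreq keep state
pass in quick on openvpn inet proto tcp from $TUNNEL_NET to $LAN_NET port { 22, 443 } keep state
block in quick on openvpn inet from $TUNNEL_NET to any
EOF
}

# Number of pass rules in a rule set; the locked set should stay short.
pass_count() {
    "rules_$1" | grep -c '^pass' || true
}

if [ "${1:-}" = "show" ]; then
    echo "## permissive ($(pass_count permissive) pass rule)"
    rules_permissive
    echo "## locked ($(pass_count locked) pass rules)"
    rules_locked
fi
```

In the pfSense GUI these correspond to rules on the Firewall > Rules > OpenVPN tab; the generated rules can be compared against the live set with pfctl -sr on the firewall. Keeping the DNS rule destination narrowed to the pushed resolver means a client cannot use the tunnel to query arbitrary resolvers, which is also the rule that makes the symptom in this thread (dig @<ip> works, names do not) easy to spot.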
                      zleeper
                      last edited by May 22, 2013, 6:27 AM

                      There were actually problems on 2 sides :)

                      First one was FW rules to allow communication from OpenVPN :)

                      Now I'm trying to figure out how to push DNS configuration to the OpenVPN client :)

                        SeventhSon
                        last edited by May 29, 2013, 9:08 PM

                        There is the option under OpenVPN: Server:
                        "Provide a DNS server list to clients"
                        You can enter DNS servers there.

                        And if you want all traffic to go through the tunnel:
                        "Force all client generated traffic through the tunnel."

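Added example (shell), not from the thread, pfSense or the OpenVPN project. pfSense writes the two options SeventhSon names into the server config as push "dhcp-option DNS <ip>" and push "redirect-gateway def1"; the 0/1 and 128.0/1 routes via tun0 in zleeper's netstat output are exactly what redirect-gateway def1 installs, so that part was already reaching the client. A Windows client applies a pushed dhcp-option itself, but the command-line OpenVPN client on macOS and Linux does not: it only exposes pushed options to the --up script as foreign_option_N environment variables, which is the *nix gap SeventhSon mentions. The script below is a minimal up script that turns those variables into resolv.conf lines, with a backup for the matching down script to restore. The resolver address, domain and file paths are placeholders.

```shell
#!/bin/sh
# vpn-dns-up.sh  (added example; not OpenVPN's or pfSense's own script)
#
# Server side (what the pfSense GUI options generate; 192.0.2.53 is a placeholder):
#     push "dhcp-option DNS 192.0.2.53"     <- "Provide a DNS server list to clients"
#     push "redirect-gateway def1"          <- "Force all client generated traffic through the tunnel"
#
# Client side, in the .ovpn / client config (paths are assumptions):
#     script-security 2
#     up   /etc/openvpn/vpn-dns-up.sh
#     down /etc/openvpn/vpn-dns-down.sh    (restores $RESOLV.openvpn-backup; not shown)
set -eu

RESOLV=${RESOLV:-/etc/resolv.conf}   # overridable so the script can be tested on a copy

# Translate OpenVPN's foreign_option_1..N variables into resolv.conf lines:
#   "dhcp-option DNS a.b.c.d" -> "nameserver a.b.c.d"
#   "dhcp-option DOMAIN x"    -> "search x"
# Other pushed options (NTP, WINS, ...) are ignored.
foreign_to_resolv() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        set -- $opt
        if [ "$1" = "dhcp-option" ]; then
            case "${2:-}" in
                DNS)    echo "nameserver ${3:-}" ;;
                DOMAIN) echo "search ${3:-}" ;;
            esac
        fi
        i=$((i + 1))
    done
}

# Replace resolv.conf with the pushed settings, keeping a backup for the
# down script. Fails (so OpenVPN logs it) when the server pushed no DNS.
apply_dns() {
    new=$(foreign_to_resolv)
    if [ -z "$new" ]; then
        echo "vpn-dns-up: server pushed no DNS options" >&2
        return 1
    fi
    if [ -f "$RESOLV" ]; then
        cp "$RESOLV" "$RESOLV.openvpn-backup"
    fi
    printf '# written by vpn-dns-up.sh while the VPN is up\n%s\n' "$new" > "$RESOLV"
}

# OpenVPN calls the up script with the tun device as $1 and script_type=up;
# only act when invoked that way, never when the file is merely sourced.
if [ -n "${1:-}" ] && [ "${script_type:-}" = "up" ]; then
    apply_dns
fi
```

Because the pushed resolver becomes the only nameserver while the tunnel is up, the split-resolver problem from earlier in the thread cannot occur; the down script must restore the backup, or the client is left without working DNS after disconnecting.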
                          zleeper
                          last edited by Jun 4, 2013, 11:07 AM

                          Found the options myself :)
                          But thanks for all the help! :)
