PfSense 2.0.3 + OpenVPN, resolving problems.
- 
 Hi, I've set up an OpenVPN service on my pfSense installation. Everything works fine, except when trying to resolve names from a client connected to the OpenVPN service. Connecting to IPs works just fine, dig @<dns ip> works great, but if I define the hostname of the DNS server it fails. All of these queries work fine when I ssh into the pfSense box. Anyone got any ideas what I've missed/misconfigured? :-\ /zleeper
- 
 Domain suffix/search path problem?
- 
 Suspected that myself in the beginning, but everything gets set properly on the client when connected :/ Do tell if I should provide some conf. info that might help to resolve this issue.
- 
 So, from the connected client, show the ipconfig /all, an nslookup for a host and for its FQDN. That should have the answer in there.
- 
 Don't really know what info ipconfig /all gives, so here's some with ifconfig and netstat.
 nslookup google.com
 Server: XXX.179.18.2
 Address: XXX.179.18.2#53
 Non-authoritative answer:
 Name: google.com
 Address: 173.194.32.39
 Name: google.com
 Address: 173.194.32.40
 Name: google.com
 Address: 173.194.32.41
 Name: google.com
 Address: 173.194.32.46
 Name: google.com
 Address: 173.194.32.32
 Name: google.com
 Address: 173.194.32.33
 Name: google.com
 Address: 173.194.32.34
 Name: google.com
 Address: 173.194.32.35
 Name: google.com
 Address: 173.194.32.36
 Name: google.com
 Address: 173.194.32.37
 Name: google.com
 Address: 173.194.32.38
 ifconfig -a
 lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
 options=3<RXCSUM,TXCSUM>
 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
 inet 127.0.0.1 netmask 0xff000000
 inet6 ::1 prefixlen 128
 gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
 stf0: flags=0<> mtu 1280
 en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 options=2b<RXCSUM,TXCSUM,VLAN_HWTAGGING,TSO4>
 ether c8:2a:14:04:84:fd
 media: autoselect (none)
 status: inactive
 en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 ether e0:f8:47:37:15:f8
 inet6 fe80::e2f8:47ff:fe37:15f8%en1 prefixlen 64 scopeid 0x5
 inet 10.0.2.178 netmask 0xffffff00 broadcast 10.0.2.255
 media: autoselect
 status: active
 p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
 ether 02:f8:47:37:15:f8
 media: autoselect
 status: inactive
 fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
 lladdr 70 60:ff:fe:d1:70:10 60:ff:fe:d1:70:10
 media: autoselect <full-duplex>
 status: inactive
 vboxnet0: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 ether 0a:00:27:00:00:00
 tun0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 inet 10.11.0.6 --> 10.11.0.5 netmask 0xffffffff
 open (pid 60243)
 netstat -rn 
 Routing tables
 Internet:
 Destination Gateway Flags Refs Use Netif Expire
 0/1 10.11.0.5 UGSc 72 0 tun0
 default 10.0.2.1 UGSc 11 0 en1
 10.0.2/24 link#5 UCS 4 0 en1
 10.0.2.1 54:4:a6:d3:d4:3d UHLWIir 3 6196 en1 1112
 10.0.2.47 link#5 UHRLWIi 0 30 en1
 10.0.2.98 98:3:d8:e8:12:13 UHLWIi 0 0 en1 382
 10.0.2.178 127.0.0.1 UHS 0 100 lo0
 10.0.2.255 ff:ff:ff:ff:ff:ff UHLWbI 0 16 en1
 10.11/24 10.11.0.5 UGSc 0 0 tun0
 10.11.0.5 10.11.0.6 UHr 135 0 tun0
 XXX.247.8.53/32 10.0.2.1 UGSc 1 0 en1
 127 127.0.0.1 UCS 0 0 lo0
 127.0.0.1 127.0.0.1 UH 10 145126 lo0
 128.0/1 10.11.0.5 UGSc 58 0 tun0
 169.254 link#5 UCS 0 0 en1
 192.168.3 10.11.0.5 UGSc 1 0 tun0
 Internet6:
 Destination Gateway Flags Netif Expire
 ::1 link#1 UHL lo0
 fe80::%lo0/64 fe80::1%lo0 UcI lo0
 fe80::1%lo0 link#1 UHLI lo0
 fe80::%en0/64 link#4 UCI en0
 fe80::%en1/64 link#5 UCI en1
 fe80::e2f8:47ff:fe37:15f8%en1 e0:f8:47:37:15:f8 UHLI lo0
 ff01::%lo0/32 fe80::1%lo0 UmCI lo0
 ff01::%en0/32 link#4 UmCI en0
 ff01::%en1/32 link#5 UmCI en1
 ff02::%lo0/32 fe80::1%lo0 UmCI lo0
 ff02::%en0/32 link#4 UmCI en0
 ff02::%en1/32 link#5 UmCI en1
- 
 Forgot to add this also.
 dig @ns1.XXXXXXXX.YYY google.com
 dig: couldn't get address for 'ns1.XXXXXXXX.YYY': not found
 dig @XXX.179.18.2 google.com +short
 173.194.32.40
 173.194.32.41
 173.194.32.46
 173.194.32.32
 173.194.32.33
 173.194.32.34
 173.194.32.35
 173.194.32.36
 173.194.32.37
 173.194.32.38
 173.194.32.39
 nslookup ns1.XXXXXXXX.YYY
 Server: XXX.179.18.2
 Address: XXX.179.18.2#53
 Name: ns1.XXXXXXXX.YYY
 Address: XXX.179.18.2
- 
 What does resolv.conf say when connected? I think there might be multiple DNS servers in there, your normal one and the one through the VPN. Not too sure how to fix this on *nix though, I don't use the client on Linux myself.
- 
 When connected, resolv.conf gets updated with the DNS server from the VPN config (same as for the pfSense installation). Should I add an allow line for port 53 TCP/UDP in the firewall rule list for OpenVPN? Or might it be something like that that's missing?
- 
 By default there is a deny-all rule, so you would have to allow that, yes. I would start off with allow all, to see that the VPN/routing/DNS parts are working, and then lock it down.
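The replies above combine three things: what the client's resolv.conf contains once connected, which interface the kernel picks for the nameserver address, and whether the OpenVPN interface rules on pfSense (deny-all by default) let port 53 through. The script below is an added example written for this page, not code from the original posters or from pfSense. It parses a BSD/macOS style `netstat -rn` and a resolv.conf, does the same longest-prefix route lookup the kernel does for each nameserver, and reports whether DNS queries will leave through the tunnel (and therefore hit the OpenVPN firewall rules) or bypass it. The sample input is constructed from the thread's output, with the redacted addresses replaced by documentation addresses (203.0.113.2 standing in for the pushed pfSense DNS server, 198.51.100.53 for the VPN endpoint); the tunnel interface name tun0 is assumed.

```python
"""Trace where an OpenVPN client's DNS queries actually go (added example)."""
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Constructed sample input modelled on the thread. 203.0.113.2 stands in for
# the pushed pfSense DNS server, 198.51.100.53 for the VPN endpoint.
SAMPLE_RESOLV_CONF = """\
nameserver 203.0.113.2
search example.test
"""

# The 0/1 + 128.0/1 pair via tun0 is what `push "redirect-gateway def1"`
# (pfSense: "Force all client generated traffic through the tunnel") installs;
# it wins over the /0 default without removing it.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs   Use  Netif Expire
0/1                10.11.0.5          UGSc       72     0   tun0
default            10.0.2.1           UGSc       11     0    en1
10.0.2/24          link#5             UCS         4     0    en1
10.0.2.1           54:4:a6:d3:d4:3d   UHLWIir     3  6196    en1   1112
10.11/24           10.11.0.5          UGSc        0     0   tun0
198.51.100.53/32   10.0.2.1           UGSc        1     0    en1
127                127.0.0.1          UCS         0     0    lo0
128.0/1            10.11.0.5          UGSc       58     0   tun0
192.168.3          10.11.0.5          UGSc        1     0   tun0

Internet6:
Destination        Gateway            Flags    Netif Expire
::1                link#1             UHL        lo0
"""


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str
    netif: str


def expand_bsd_destination(dest: str) -> ipaddress.IPv4Network:
    """Expand the abbreviated destinations BSD/macOS netstat prints:
    default -> 0.0.0.0/0, 128.0/1 -> 128.0.0.0/1, 10.11/24 -> 10.11.0.0/24,
    192.168.3 -> 192.168.3.0/24 (no prefix: 8 bits per octet shown),
    10.0.2.1 -> 10.0.2.1/32."""
    if dest == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, _, prefix = dest.partition("/")
    octets = addr.split(".")
    if not prefix:
        prefix = str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return ipaddress.IPv4Network(f"{'.'.join(octets)}/{prefix}", strict=False)


def parse_netstat_rn(text: str) -> List[Route]:
    """Collect the IPv4 ('Internet:') routes; stop at the IPv6 section."""
    routes: List[Route] = []
    in_v4 = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Internet:"):
            in_v4 = True
            continue
        if line.startswith("Internet6:"):
            break
        if not in_v4 or not line or line.startswith("Destination"):
            continue
        cols = line.split()
        if len(cols) < 6:
            continue
        try:
            network = expand_bsd_destination(cols[0])
        except ValueError:
            continue  # not an IPv4 destination
        routes.append(Route(network, cols[1], cols[5]))
    return routes


def lookup(routes: List[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel does; None if nothing matches."""
    target = ipaddress.IPv4Address(ip)
    matches = [r for r in routes if target in r.network]
    return max(matches, key=lambda r: r.network.prefixlen) if matches else None


def parse_resolv_conf(text: str) -> List[str]:
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.M)


def diagnose(resolv_conf: str, netstat_output: str, tunnel_if: str = "tun0"):
    """One (nameserver, egress interface, verdict) triple per nameserver."""
    routes = parse_netstat_rn(netstat_output)
    findings = []
    for ns in parse_resolv_conf(resolv_conf):
        route = lookup(routes, ns)
        if route is None:
            findings.append((ns, None, "no_route"))
        elif route.netif == tunnel_if:
            findings.append((ns, route.netif, "via_tunnel"))
        else:
            findings.append((ns, route.netif, "bypasses_tunnel"))
    return findings


if __name__ == "__main__":
    for ns, netif, verdict in diagnose(SAMPLE_RESOLV_CONF, SAMPLE_NETSTAT):
        print(f"{ns}: egress {netif}: {verdict}")
        if verdict == "via_tunnel":
            print("  -> the pfSense OpenVPN-interface rules must pass tcp/udp 53 to this server")
```

Run against real output (`cat /etc/resolv.conf` and `netstat -rn` pasted into the two constants), a `via_tunnel` verdict with a failing `dig` points at the OpenVPN firewall rules on pfSense, exactly the case this thread ended up in; a `bypasses_tunnel` verdict means the client never switched resolvers and the queries are going to the local LAN server instead.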
- 
 There were actually problems on 2 sides :) First one was FW rules to allow communication from OpenVPN :) Now I'm trying to figure out how to push DNS configuration to the OpenVPN client :)
- 
 There is the option under OpenVPN: Server: 
 "Provide a DNS server list to clients"
 you can enter DNS servers there, and if you want all traffic to go through the tunnel:
 "Force all client generated traffic through the tunnel. "
- 
 Found the options myself :)
 But thanks for all the help! :)