DNSmasq / resolving between pfSense/DD-WRT over OpenVPN tunnel

DHCP and DNS
JimPhreak:

I've set up an OpenVPN tunnel between two sites and would like to be able to forward DNS requests across that tunnel, so that if I ping from a PC at Site1 to a hostname at Site2 it will resolve. I'd prefer to have it resolve without the FQDN, but I'll take what I can get.

I'm coming from a setup with 2 DD-WRT routers, so now that I've upgraded one site to pfSense (the 2nd site will be upgraded in the next month) I'm a little confused as to how to configure the pfSense side. This is what the DD-WRT side looks like.

This picture is Site2. My OpenVPN server (pfSense) is Site1, which has an address of 192.168.4.1.

I'm not sure what I need to configure in the DNS Forwarder, and if I need to leave DNS Resolver on as well (albeit tied to a different port, of course).

phil.davis:

You get to choose if you want to use DNS Forwarder or DNS Resolver. In either case, just add a domain override to tell it a domain that gets resolved somewhere special (in your intranet) and the IP to which name requests for that domain should be sent.

JimPhreak:

@phil.davis:

You get to choose if you want to use DNS Forwarder or DNS Resolver. In either case, just add a domain override to tell it a domain that gets resolved somewhere special (in your intranet) and the IP to which name requests for that domain should be sent.

That's what I figured. So I added a domain override for domain2 with an IP address of 192.168.2.1, since that's the IP address of my DD-WRT router which handles DNS requests for Site2. However, doing this still doesn't let me resolve names from Site1 to Site2.

phil.davis:

The DNS server needs to be able to reply to the request. The request is probably seen as coming from the OpenVPN tunnel end-point address at site1. If something in the path back from site2 does not know how to route to the OpenVPN tunnel IP then it can go wrong.
With DNS Forwarder you can specify in the domain override which IP to source the requests from - usually LAN IP is good there, the remote DNS server can usually route back to that.
With DNS Resolver you need to get your intranet routing so that the OpenVPN tunnel IPs are in the routing everywhere.

JimPhreak:

@phil.davis:

The DNS server needs to be able to reply to the request. The request is probably seen as coming from the OpenVPN tunnel end-point address at site1. If something in the path back from site2 does not know how to route to the OpenVPN tunnel IP then it can go wrong.
With DNS Forwarder you can specify in the domain override which IP to source the requests from - usually LAN IP is good there, the remote DNS server can usually route back to that.
With DNS Resolver you need to get your intranet routing so that the OpenVPN tunnel IPs are in the routing everywhere.

Is there a best practice for using Forwarder or Resolver with regard to OpenVPN site-to-site connections? Once I have pfSense on both ends, setting up the routing won't be an issue, but since one end is still DD-WRT I'm not really familiar with configuring routing on them.

phil.davis:

If you do not have full routing paths to/from all of your intranet tunnels… then use DNS Forwarder and specify the local LAN IP address as the Source IP of the Domain Override queries - presumably the remote DNS server will have a good route back to the LAN IP address.

JimPhreak:
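phil.davis's two answers come down to one check: can the Site2 DNS server (192.168.2.1) route a reply back to whatever address the query was sourced from? The following is an added example, not code from this thread, from pfSense or from dnsmasq. It is a small Python probe that sends the same raw A query for a name in domain2 to the override target twice, once bound to the Site1 LAN IP (192.168.4.1, from the thread) and once bound to an OpenVPN tunnel address (10.0.8.1, a constructed value), and reports which source address gets an answer. The hostname `host.domain2` and the tunnel IP are assumptions. If only the LAN-sourced query is answered, setting the Source IP of the Forwarder domain override to the LAN address (the dnsmasq form of that override is `server=/domain2/192.168.2.1@192.168.4.1`) is the fix; if both time out, the problem is elsewhere (the override target itself, or UDP/53 not being allowed across the tunnel).

```python
"""Probe a domain-override DNS server from two different source addresses.

Added example (not from the forum thread). Addresses: 192.168.4.1 and
192.168.2.1 come from the thread; 10.0.8.1 and host.domain2 are constructed.
"""
import socket
import struct

TXID = 0x1234  # fixed transaction id so replies can be matched in the parser


def build_query(name, txid=TXID):
    """Build a minimal DNS query: header with RD set, one A/IN question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(buf, pos):
    """Advance past a (possibly compressed) DNS name starting at pos."""
    while True:
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            return pos + 2
        pos += 1 + length


def parse_a_records(resp, txid=TXID):
    """Return the A-record addresses in a DNS response ([] if none or mismatched id)."""
    if len(resp) < 12:
        return []
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:  # wrong id, or QR bit not set
        return []
    pos = 12
    for _ in range(qd):                    # skip question section
        pos = _skip_name(resp, pos) + 4
    addrs = []
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return addrs


def probe(name, server, source_ip, timeout=2.0):
    """Send one query from source_ip to server:53; list of A records, or None on timeout.

    The bind() is the whole point: the remote server must have a route back to
    source_ip, otherwise its reply never arrives and we time out.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind((source_ip, 0))
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_a_records(data)


# Constructed response to build_query("host.domain2"): one A record 192.168.2.10.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # header: answer, 1 q, 1 an
    b"\x04host\x07domain2\x00\x00\x01\x00\x01"            # question: host.domain2 A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04"   # ptr to name, A, IN, TTL 3600, len 4
    b"\xc0\xa8\x02\x0a"                                   # 192.168.2.10
)

if __name__ == "__main__":
    SITE2_DNS = "192.168.2.1"   # override target, from the thread
    NAME = "host.domain2"       # assumed name inside the override domain
    for label, src in (("LAN IP", "192.168.4.1"), ("tunnel IP", "10.0.8.1")):
        result = probe(NAME, SITE2_DNS, src)
        status = "no reply (no route back?)" if result is None else result
        print(f"query sourced from {label} {src}: {status}")
```

Run it on the Site1 pfSense box (or any host that holds both addresses). The parser is deliberately strict about the transaction id and the QR bit so a stray datagram on the bound port is not mistaken for an answer.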

@phil.davis:

If you do not have full routing paths to/from all of your intranet tunnels… then use DNS Forwarder and specify the local LAN IP address as the Source IP of the Domain Override queries - presumably the remote DNS server will have a good route back to the LAN IP address.

I do have routes to all my subnets on both ends of my VPN tunnel. And what's weird is that if I do a tracert from a host on the 192.168.4.0 network to a host on the 192.168.2.0 network it displays the DNS name of that host. However, if I try to ping by name or do an nslookup it does not work.

P.S. I'm no longer using DD-WRT. I have pfSense on both ends and I've got a site-to-site OpenVPN tunnel set up between the two.
