Traffic from Road Warrior to Branch to HQ



  • Something tells me this should be easy but I often over-complicate things.

    I connect to a branch office via OpenVPN to my work LAN.  The work LAN connects to a server via a site-to-site OpenVPN connection (HQ)  At HQ is a DNS server (Server 2012 R2).  From my remote connection I am unable to get DNS queries answered from the server at HQ.  I am unable to get a reply from nslookup or ping when I try to find a device at HQ.

    *******                ********                *****

    • HOME * >–----->* Branch >-------> HQ *
      *******                ********                  *****

    Do I need to do anything special that allows road warrior traffic to pass, ultimately, to the HQ location?  I have Unbound setup at the pfSense 2.2.4 box at Branch.  Within the config of Unbound I have defined the LANs that are able to access the service.  Within the pfSense box at Branch  I have defined the server at HQ as a DNS server and told Unbound to "enable forwarding mode".  Do I need to manually push the route to the road warrior connections?

    I do specify DNS servers within the OpenVPN config for the remote users; I specify the branch (10.10.100.1) and the HQ (10.10.10.29).

    If I'm at Branch all is good.  I can nslookup <host name="">and it relates the server at HQ and the correct IP address.</host>



  • I would really like the two DNS servers (unbound, Server 2012 R2) to update each other so they both have a current copy of the zone but I have yet to see that happen.  Can it?  With that working I believe this would be a moot point.  (?)


  • LAYER 8 Netgate

    HQ needs an openvpn route to HOME with an iroute for the same to Branch
    HOME needs an openvpn route to HQ with an iroute for the same to Branch

    For connections from HOME to HQ, there need to be OpenVPN firewall rules permitting the traffic on Branch from HOME and on HQ from Branch.

    Regarding your second post, unbound is intended to be a caching resolver, not an authoritative zone master/slave.  What you probably want to do is forward the domain's domain (and probably the in-addr zones) to your 2012R2 DNS server.



  • thank you for the directions!  Much appreciated.


Log in to reply