Windows DNS resolution + OpenVPN ?



  • Dear PF users,

    I have used IPCop in the past along with OpenVPN.
    If I recall correctly, I could only connect to my internal servers by IP, not by name.

    Now I am facing the same issue, even though I have not tested it with pfSense yet.

    There is a field on the OpenVPN server where you can enter one or more DNS servers.

    Now my question is whether I must use port forwarding on the firewall in order to get the VPN client to reach the internal DNS server.

    I am very curious about this one.

    Thank you,



  • Now my question is whether I must use port forwarding on the firewall in order to get the VPN client to reach the internal DNS server?

    I haven't had to in my past setups, but yours might differ depending on your exact setup.

    Do you have pfSense running now?
    What type of OpenVPN setup are you envisioning: Site-to-Site, Road Warrior, SSL/TLS, shared key?

    Perhaps the simplest thing to do is get OpenVPN up and running and see how it fares.
    My experience has been that it's not difficult to get yourself a working installation.



  • Hmm,

    Forgot to mention that I am trying to get it to work on pfSense.
    Yes, I use OpenVPN with SSL/TLS and it connects properly.



  • @IrixOS:

    Now my question is whether I must use port forwarding on the firewall in order to get the VPN client to reach the internal DNS server?

    Commonly the access to your internal hosts is routed over the VPN. So if the DNS server is in the same subnet as the hosts you want to reach from the VPN client, the route is set by entering this subnet in the "IPvX Local Network/s" box and will already be in place. If it is in another subnet, just add the DNS server's address there with /32 appended.



  • Yes, the DNS server originates from another subnet than the configured local network.
    What do you mean by /32?
    Is the IP only not sufficient?



  • Yes, the DNS server originates from another subnet than the configured local network.
    What do you mean by /32?

    Since your DNS server is in a different subnet, you will have to enter its IP in the DNS section and push a route to that network, which is what viragomann described. The /32 is CIDR notation and has to do with routing. In this case, if your DNS server was on 192.168.100.10/24, instead of pushing a route to the entire network (i.e. 192.168.100.0/24), you could just push a route to the host by entering 192.168.100.10/32, which would isolate access to the DNS server only instead of the entire network it sits on.

    Is the IP only not sufficient?

    For the DNS servers, yes, but not for the "IPv4 Local Network/s" section or any other network portion of the config.
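    The route-and-DNS setup described in the last two replies, written out as the OpenVPN server directives that the pfSense GUI fields translate into (an added example, not from the thread; the 10.8.0.0/24 tunnel network, the 192.168.1.0/24 LAN and the corp.example domain are assumed, and only the 192.168.100.10 DNS address comes from the discussion above):

    ```conf
    # Server-side OpenVPN directives equivalent to the pfSense GUI fields.
    # Constructed example; only 192.168.100.10 is taken from the thread.

    # Tunnel network handed out to road-warrior clients (assumed value).
    server 10.8.0.0 255.255.255.0

    # "IPv4 Local Network/s" entry 192.168.1.0/24 (assumed LAN clients should reach).
    push "route 192.168.1.0 255.255.255.0"

    # Too broad: pushing the whole DNS subnet lets VPN clients reach every host on it.
    # push "route 192.168.100.0 255.255.255.0"

    # Narrow: the /32 entry from the thread, i.e. a route to the DNS server only.
    push "route 192.168.100.10 255.255.255.255"

    # "DNS Server" field: clients resolve names via the internal server.
    # Windows clients apply this as the DNS server of the TAP/TUN adapter.
    push "dhcp-option DNS 192.168.100.10"

    # Optional: push the internal domain so short hostnames resolve (assumed name).
    push "dhcp-option DOMAIN corp.example"

    # Optional, Windows clients on OpenVPN 2.3.9 or newer: stop the client from
    # also sending queries to the DNS servers of its other adapters.
    push "block-outside-dns"
    ```

    No port forward is involved here: the client reaches 192.168.100.10 through the tunnel, so what remains is a firewall rule on the OpenVPN interface that permits DNS (UDP/TCP 53) to that host.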