pfSense DNS fails when using VPN

Hi there, first post here. So all of a sudden, any of my VLANs that are set to use the OpenVPN (NordVPN) gateway fail DNS resolution. I am also using a manually configured WireGuard (NordLynx) gateway. These are set up into a Gateway Group that I use for some of my traffic. I had everything working fine and then one day, it stopped working. Gateway monitoring using any DNS server (i.e. 9.9.9.9 or 8.8.8.8) shows each of the VPN gateways up, RTT < 12ms and 0% loss.

What’s weird though is that most other VLANs that are using the default WAN gateway have their DNS queries routed through the VLAN gateway group (as I intended) and they resolve just fine. So in other words, for my non-VPN traffic, the DNS queries go through the VPN but the actual traffic goes over the regular WAN from my ISP. For my VPN traffic, DNS resolution fails but I can access sites on the web using IP address.

FWIW, these are the guides I followed:
https://nguvu.org/pfsense/pfsense-baseline-setup/
https://nguvu.org/pfsense/pfSense-pfblockerng-configuration-guide/

Any ideas? Or should I try to explain it better? I’m not a networking guy, I just followed some in depth tutorials on how to set this stuff up. And learned a bunch along the way but this one stumps me.

It’s as if the VPN gateway group suddenly decided it doesn’t like being used as a gateway. I’m suspecting pfBlockerNG or Unbound but I can’t see anything in the logs that sticks out to me. Maybe I’m not looking at the right logs or don’t have the right logging options turned on. But I’m pretty sure (not positive) that the firewall itself is not blocking these queries. Nothing changed and then all of a sudden it stopped working. I’ve also tried loading up backups from Proxmox from before it broke and they still don’t work.

I would also suspect somehow the NordVPN clients/Gateways quit working but they show that they are up, at least with the RTT ping and no packet loss.

System specs:
Supermicro M11SDV-8CT-LN4F (Epyc 3201)
32GB RAM & NVMe drive
pfSense v2.7.2 running in a VM inside Proxmox v8.1.4

Verify that the OpenVPN (NordVPN) configuration is correct and that the VPN connection is established successfully. Check the OpenVPN logs in pfSense for any errors or warnings that might indicate a problem with the VPN connection. Ensure that the DNS settings for VLANs using the OpenVPN gateway are configured correctly. Check the DNS servers configured in the VLAN settings and make sure they are accessible and responsive. Since you mentioned suspicion towards pfBlockerNG or Unbound, review their configurations and logs to see if they are causing any issues with DNS resolution. Check for any blocks or rules that might be interfering with DNS traffic.
If you’re using the DNS Resolver (Unbound) in pfSense, check its configuration to ensure that it is configured to forward DNS queries to the appropriate DNS servers. Make sure that DNS resolution is enabled for the VLANs using the OpenVPN gateway.

Thanks for getting back to me with a thorough list. I had checked most of what you described but I did find something that might be an issue re: OpenVPN in its logs. Warnings about certificates. But what’s strange is that the connections are up, it’s just that they won’t take DNS queries. Here’s a sequence from the log that repeats every 20-30 minutes:

Mar 14 11:55:49	openvpn	1023	Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bits RSA, signature: RSA-SHA512, peer temporary key: 253 bits X25519
Mar 14 11:55:49	openvpn	1023	VERIFY OK: depth=0, CN=us8515.nordvpn.com
Mar 14 11:55:49	openvpn	1023	VERIFY EKU OK
Mar 14 11:55:49	openvpn	1023	++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mar 14 11:55:49	openvpn	1023	Validating certificate extended key usage
Mar 14 11:55:49	openvpn	1023	VERIFY KU OK
Mar 14 11:55:49	openvpn	1023	VERIFY OK: depth=1, O=NordVPN, CN=NordVPN CA9
Mar 14 11:55:49	openvpn	1023	VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Mar 14 11:55:49	openvpn	1023	VERIFY WARNING: depth=2, unable to get certificate CRL: C=PA, O=NordVPN, CN=NordVPN Root CA
Mar 14 11:55:49	openvpn	1023	VERIFY WARNING: depth=1, unable to get certificate CRL: O=NordVPN, CN=NordVPN CA9
Mar 14 11:55:49	openvpn	1023	VERIFY WARNING: depth=0, unable to get certificate CRL: CN=us8515.nordvpn.com

Does that shed any light on things? It has warnings but then it says it’s ok.

Re-Post from another thread.
I’m with NordVPN and I started having problems with my pfSense DNS resolver resolving from the root servers. As I’d just enabled pfBlockerNG I assumed it was my problem so backed my changes out until I was back to base, yet still had the issue. I raised this on the pfSense forum and some smart people performed some tests which suggested that Nord is intercepting these DNS requests.
I’ve emailed Nord and they admit there is an issue with custom DNS addresses but have no ETA on the fix. I asked if they intercepted the requests and they ignored that question and another on exactly what the issue is, which makes me a bit worried. I’ve re-asked and am waiting for a reply.
Networking is my weak area. I know the basics and can set things up but when it goes wrong it is clear I didn’t sacrifice enough small furry animals to dark gods when I was learning it.
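An added example, not from this thread or from any of the posters: a small Python probe for the kind of transparent DNS interception described above. It builds a raw UDP query, sends it straight to an IP of your choosing and parses the reply; the sample reply bytes are constructed here (example.com answering with 192.0.2.10, a documentation address) so the parser can be checked offline.

```python
import random
import socket
import struct

def build_query(name: str, txid: int) -> bytes:
    """Minimal DNS query: one A/IN question, recursion desired, no EDNS."""
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(pkt: bytes, pos: int) -> int:   # step past a possibly compressed name
    while True:
        length = pkt[pos]
        if length & 0xC0 == 0xC0:              # compression pointer ends the name
            return pos + 2
        if length == 0:
            return pos + 1
        pos += length + 1

def parse_reply(pkt: bytes):
    """Return (txid, flags, [A-record addresses]) from a DNS reply."""
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(pkt, pos) + 4         # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = _skip_name(pkt, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in pkt[pos:pos + 4]))
        pos += rdlen
    return txid, flags, addrs

def probe(server: str, name: str = "example.com", timeout: float = 2.0):
    """Query server:53 over UDP; returns (rcode, addrs), or None if nothing came back."""
    txid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        try:
            pkt, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    rid, flags, addrs = parse_reply(pkt)
    return (flags & 0xF, addrs) if rid == txid else None   # ignore replies for another txid

# Constructed sample reply: answer owner name is a compression pointer to offset 12, as resolvers write it
SAMPLE_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + build_query("example.com", 0)[12:]
                + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 10]))
```

To use it from a host on a VPN-routed VLAN, call probe("192.0.2.1"): that documentation address runs no DNS service, so any reply at all means something on the path is answering port 53 on its behalf. Comparing probe("9.9.9.9") over the WAN and VPN gateways shows whether the answers themselves differ.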

Interesting! That sounds like it could be my issue. Please keep me posted if you get any resolution. Thanks for the info!

Well. I got a reply back from Nord. They won’t tell me what the issue is, for security reasons, but they did say ‘To clarify, when you connect to the VPN server, our DNS are automatically assigned’… They were very cagey and they used those weaselly words instead of “intercepted them”, but my interpretation is that is as close to an admission as I was going to get.

I’m now looking for a way to redirect my DNS traffic away from Nord. My setup is as per the Nord pfSense configuration, for all traffic to go via Nord. I now want to change that so all traffic except for DNS goes through the Nord VPN pipe and the DNS goes to my standard ISP where I can query the root servers.

Before I spend 200+ hours investigating how to do that, does anyone know how to do that on pfSense?


I have the exact same issue but found no resolution yet. This is also being discussed at Netgate forum that I am following closely. It seems strange that both Nord and Mullvad decided to intercept DNS queries at the same time (as some said in the forum that there are similar issues with Mullvad too)…


Thanks for the link. Sounds like Nord is the culprit. I ended up just switching my outgoing network interface to WAN and it seems to work again. But that kinda defeats the purpose of trying to add another layer of security with a VPN.

I’ll keep an eye on that Netgate forum thread to see if there’s any updates.