pfSense DNS Host Overrides not resolving on OpenVPN clients

Hi everyone,

I followed Tom’s video to setup OpenVPN on pfSense for remote access. Everything went fine and I can connect from the outside. But there’s a problem with resolving some DNS entries.

I have some services (e.g. Paperless-Ngx) running on my local network only and not exposed to the internet. They are running behind a Traefik Reverse Proxy as Docker Containers. My local domain is singularity.lan but I had Traefik generate proper Let’s Encrypt Certificates for my services. In the case of paperless the certificate’s CN is paperless.singularity-home.ch. So to reach the services I added Host Overrides that resolve to the IP of the server that is running Traefik.

It all works perfect when connected on the local network, but when I am connected with an OpenVPN Client from the outside the DNS entries I added in the Host Overrides Section of the DNS Resolver are not resolved. I can ping all machines by IP but not by DNS name.

Here’s the output of ping and dig for that DNS name when connected via VPN:

ping paperless.singularity-home.ch
ping: cannot resolve paperless.singularity-home.ch: Unknown host
dig paperless.singularity-home.ch

; <<>> DiG 9.10.6 <<>> paperless.singularity-home.ch
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61034
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;paperless.singularity-home.ch.	IN	A

;; ANSWER SECTION:
paperless.singularity-home.ch. 14400 IN	CNAME	singularity-home.ch.

;; AUTHORITY SECTION:
singularity-home.ch.	3500	IN	SOA	ns41.infomaniak.com. hostmaster.infomaniak.ch. 2024091305 10800 3600 605800 3600

;; Query time: 80 msec
;; SERVER: 10.20.20.1#53(10.20.20.1)
;; WHEN: Sat Sep 14 13:58:41 CEST 2024
;; MSG SIZE  rcvd: 149

I added an ACL to the DNS Resolver to allow queries from the tunnel network, but it still doesn’t work. I am running this on a Netgate 1100 device with pfSense+ 24.03.

Has anyone else had this problem? I’m kinda stuck and don’t know where to look for clues.

Could this be the issue?

On the OpenVPN server.conf file, do you have a push option in there for it to push DNS to the clients when they get their IP settings? It would be something like (there can be multiple lines for these for extra DNS servers):

push "dhcp-option DNS 10.10.10.10"

On the DNS BIND server, do you have an ACL listing of which subnets that are allowed to query the DNS server? If that is the case, is the IP range that you assign to your OpenVPN clients listed?

I have push "dhcp-option DNS 10.10.30.1" in the config file.
10.10.30.0/24 is my tunnel network.
Also there is an ACL in the DNS Resolver to allow queries from the tunnel network.

There are a few things to test.

  • Does 10.10.30.1 respond to DNS requests over OpenVPN?
  • What DNS servers does the client show when connected over OpenVPN?

There are some workarounds:

  • Add a static entry in the hosts file of the client
  • Add an external DNS entry that points to the local IP (fun fact, public DNS can point to a private IP). If you run dig graylog.lawrencesystem.com it will return 192.168.2.1, which is the internal reverse proxy.

nslookup paperless.singularity-home.ch 10.10.30.1 returns a proper response when connected with OpenVPN Client.
But I think I found the problem. Initially the server had a split tunnel configuration.
After checking these two options it worked.

  • Force all client-generated IPv4 traffic through the tunnel.
  • Force all client-generated IPv6 traffic through the tunnel.

It’s on full tunnel now, which is the better scenario for my use case anyway.
I just wonder if this is a general limitation when using split tunnel.

Thanks for your help!
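The dig output earlier in the thread already shows the cause: the SERVER line is 10.20.20.1 (the client's LAN router), not the pushed resolver 10.10.30.1, so the public zone answered with a CNAME to the apex instead of the host override. The following script, added here and not part of the thread, parses a dig reply and reports both symptoms (wrong resolver, no LAN A record); the expected resolver, the LAN network and the 10.20.20.50 address in the second sample are assumed values.

```python
import ipaddress
import re

# Constructed sample 1: the reply from the thread (split tunnel, local router answers)
DIG_SPLIT_TUNNEL = """\
;; ANSWER SECTION:
paperless.singularity-home.ch. 14400 IN\tCNAME\tsingularity-home.ch.

;; AUTHORITY SECTION:
singularity-home.ch.\t3500\tIN\tSOA\tns41.infomaniak.com. hostmaster.infomaniak.ch. 1 1 1 1 1

;; SERVER: 10.20.20.1#53(10.20.20.1)
"""

# Constructed sample 2: what a working override looks like (assumed LAN IP 10.20.20.50)
DIG_FULL_TUNNEL = """\
;; ANSWER SECTION:
paperless.singularity-home.ch.\t3600\tIN\tA\t10.20.20.50

;; SERVER: 10.10.30.1#53(10.10.30.1)
"""

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

def parse_dig(text):
    """Return (answering server IP, [(name, ttl, rtype, rdata), ...]) from dig output."""
    server, answers, section = None, [], None
    for line in text.splitlines():
        if line.startswith(";; SERVER:"):
            server = line.split(":", 1)[1].strip().split("#")[0]
        elif line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:-len("SECTION:")].strip()   # e.g. "ANSWER"
        elif section == "ANSWER" and line and not line.startswith(";"):
            m = RR_RE.match(line)
            if m:
                answers.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return server, answers

def check_vpn_dns(text, expected_server, lan_nets):
    """List reasons a host override is not taking effect for a VPN client."""
    server, answers = parse_dig(text)
    problems = []
    if server != expected_server:
        problems.append(f"answered by {server}, not the pushed VPN resolver {expected_server}")
    nets = [ipaddress.ip_network(n) for n in lan_nets]
    a_records = [r for r in answers if r[2] == "A"]
    if not a_records:
        problems.append("no A record in answer: override not applied, public zone answered")
    for name, _ttl, _t, rdata in a_records:
        if not any(ipaddress.ip_address(rdata) in n for n in nets):
            problems.append(f"{name} resolved to {rdata}, which is not a LAN address")
    return problems
```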
