pfSense: OpenVPN server breaks DNS on VPN client

Hello folks,

Need some help with my pfSense here. Previously I set up an OpenVPN client on my pfSense (with Surfshark, if that matters), basically following this video from Tom - How To Setup pfsense OpenVPN Policy Routing With Kill Switch Using A Privacy VPN - YouTube and, secondarily, this guide from Reddit (they are very similar) - https://www.reddit.com/r/PFSENSE/comments/6edsav/how_to_proper_partial_network_vpn_with_kill_switch/

That worked properly without much issue. However, I am now trying to set up an OpenVPN server for remote access, and followed Tom's 2017 and 2020 videos for that: How To Setup OpenVPN For Remote Access On pfsense - YouTube and Tutorial: pfsense OpenVPN Configuration For Remote Users 2020 - YouTube.

It also worked, except that when the new VPN server is running (showing in the dashboard as openvpn under service status), DNS on the VPN client will not work (it shows in the dashboard as openvpn_2, even though it was configured first, if that matters). The machines in the VPN routing list can ping Google's IP address, but not the domain name.

Checking the VPN status, it still says online/up. Restarting unbound doesn't do anything (it shouldn't, since the VPN machines route through the VPN, not local DNS).

If I simply stop the VPN server (openvpn on the dashboard), DNS for those machines works again.

I've tried restarting those services in different sequences and rebooting pfSense, but it didn't seem to help.

What areas should I look at to resolve this? Thanks folks, I can do screenshots of my setup if that helps.

In your VPN settings, do you have it set to force all traffic through the VPN? Provide DNS server info to clients?

Thanks for replying and attempting to help troubleshoot.

In the VPN settings for the VPN server (for remote access), no, I do not have force all traffic through VPN (see screenshot);

In the VPN client for those machines in the VPN list, yes, all traffic is forced through the VPN, including a firewall rule blocking other DNS servers before the VPN redirect rules (see screenshot);

and DNS servers are provided in the DHCP server static entries (with a DNS server that's not used in pfSense elsewhere) (see screenshot).

I could be wrong, but I think if you move the rule for “Allow pfSense DNS” and “Allow pfSense DNS over TLS” above the Surfshark DNS blocking rules, it may open things up. I’m not sure what the Surfshark rules entail, though.

That looks to be a lot of DNS rules going on. Since you have rules in place to “Block other DNS” under the “Allow pfSense DNS”, do you really need the Surfshark DNS rules?

The "block other DNS" and "allow pfSense DNS" rules are intended so that a host does not come up with its own DNS server to use (not really applicable to this subnet, more for IoT, but it was added to every LAN).

The "Surfshark DNS" related ones are intended so that the hosts that use the VPN do not use the same DNS server as other hosts, in order to prevent DNS leaks.

What bothers me is that this set of firewall rules worked before adding a VPN server. But I think you are pointing in a good direction to look at, which I will dig into a bit deeper here and report back if I find anything. Thanks.

I realize what they are intended for, but as they are enabled, they are relevant. You just need to visualize where DNS queries are going from the computers on the VPN. If those queries are going to a good DNS server, you should be fine with those settings. If they go elsewhere, you need to change the settings to a good DNS server.

I'm interested to know if you have gotten it all working, and what steps resolved it. I like to know if my advice was correct, so that future advice is better. :)

I haven't had a chance to try yet, but they go to 8.8.8.8 as shown in the screenshots.

Thanks for trying to help. I will report back once I get to try them later this week.

Sorry for this late reply... it hasn't been a real issue for me to get remote access, so I didn't make this a priority until I got some time now.

Even after removing all the "block DNS" rules, the same situation applies: without enabling the OpenVPN server, the VPN client functions properly; with the OpenVPN server enabled, the client does not function properly.

And I did a bit more testing with my 2 machines that are on the VPN redirect list. One machine would lose total internet access outside of home; the other would lose DNS stability, but not entirely: pinging an external IP works, pinging an external domain name does not. Using a browser, I could still get to sites that were not cached in DNS, and ipleak dot com showed 12 errors out of the 30+ DNS tests it does.

I am not sure what else I could do at this point. I will probably try WireGuard instead of OpenVPN for remote access.

I had a thought. Try removing all of the DNS firewall rules and see if it works. Then add them back one at a time and see which one breaks it. Also, all the allow rules should be above the deny rules in the list. If none of the allow rules catch, the deny rules should catch and block whatever traffic you're trying to block.
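The ordering point above (allows above denies, first match wins) is easy to get wrong when several DNS rules sit on one interface. The following is an added example, not code from the thread or from pfSense: a small first-match evaluator that mimics pfSense's top-down interface rule processing with its implicit default deny, run over two orderings of the kinds of rules discussed here. The rule names, the VPN host address 192.168.177.50 and the /24 LAN subnet are constructed assumptions; 192.168.177.1 and 8.8.8.8 are the addresses mentioned in the thread.

```python
"""First-match evaluation of LAN DNS rules, as discussed in the thread.

Added example, not pfSense code or anything posted in the thread. pfSense
interface rules are evaluated top-down and the first match wins, with an
implicit block if nothing matches. The rule names, the VPN host address and
the LAN subnet below are constructed to mirror the thread's setup.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str            # "pass" or "block"
    proto: str             # "udp", "tcp" or "any"
    src: str               # CIDR the packet's source must fall in
    dst: str               # CIDR the packet's destination must fall in
    dport: Optional[int]   # destination port, None means any port


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.proto in ("any", pkt.proto)
        and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
        and rule.dport in (None, pkt.dport)
    )


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule; default deny otherwise."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "block", "default deny"


LAN = "192.168.177.0/24"           # assumption: /24 around the pfSense address from the thread
PFSENSE = "192.168.177.1"          # pfSense LAN address (from the thread)
VPN_HOST = "192.168.177.50"        # constructed: a host on the VPN policy-routing list
VPN_DNS = "8.8.8.8"                # resolver the VPN hosts are meant to use (from the thread)

ALLOW_PF_DNS = Rule("Allow pfSense DNS", "pass", "udp", LAN, PFSENSE + "/32", 53)
ALLOW_VPN_DNS = Rule("Allow Surfshark DNS", "pass", "udp", VPN_HOST + "/32", VPN_DNS + "/32", 53)
BLOCK_OTHER = Rule("Block other DNS", "block", "any", LAN, "0.0.0.0/0", 53)
ALLOW_REST = Rule("Default allow LAN", "pass", "any", LAN, "0.0.0.0/0", None)

# The deny sits above the VPN host's allow: the VPN host's query never reaches its allow rule.
DENY_ABOVE_ALLOW = [ALLOW_PF_DNS, BLOCK_OTHER, ALLOW_VPN_DNS, ALLOW_REST]
# Every allow above the deny, as suggested in the thread.
ALLOWS_FIRST = [ALLOW_PF_DNS, ALLOW_VPN_DNS, BLOCK_OTHER, ALLOW_REST]


def dns_decision(rules: List[Rule], src: str, dst: str) -> Tuple[str, str]:
    """Decide a plain UDP/53 query from src to dst under the given rule order."""
    return evaluate(rules, Packet("udp", src, dst, 53))


if __name__ == "__main__":
    for label, rules in (("deny above allow", DENY_ABOVE_ALLOW), ("allows first", ALLOWS_FIRST)):
        print(label, "VPN host -> 8.8.8.8:", dns_decision(rules, VPN_HOST, VPN_DNS))
        print(label, "VPN host -> 1.1.1.1:", dns_decision(rules, VPN_HOST, "1.1.1.1"))
        print(label, "LAN host -> pfSense:", dns_decision(rules, "192.168.177.20", PFSENSE))
```

With the deny above the Surfshark allow, the VPN host's query to 8.8.8.8 hits "Block other DNS" and never reaches its own allow; with the allows first, 8.8.8.8 passes, 1.1.1.1 is still blocked, and the rest of the LAN still reaches pfSense. The model deliberately ignores floating rules, existing states, and the policy-routing gateway and kill-switch tagging, so it shows only why order matters, not the thread's server-start symptom.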

Any luck on getting this working?

Yes and no... What I got was that even after removing all the block rules, nothing was different. The key part to me is that the behavior of the VPN client is different depending on whether remote access is enabled or not on a related (other than both being OpenVPN) VPN server.

However, I noticed that I may have messed up a setting in the DHCP server. I have yet to be able to test it, as I have a lot of stuff ongoing. But my server backup is scheduled to end this weekend and I will probably test this next week.

If I can't resolve this next week, I am also ready to give WireGuard a try instead of OpenVPN. Not sure if that would lead to different behavior.

Either way, I will report back here. Sorry my feedback has been very slow.

Within the OpenVPN server config on pfSense, check the box that reads "Provide a DNS server list to clients. Addresses may be IPv4 or IPv6." and add 192.168.177.1. Restart the OpenVPN service after that change. That's what I did to fix this issue.

It sounds like you had the same or a similar issue. Thanks for your post; let me try this early next week and report back.

It is weird though: how did the server-side DNS impact the client (which is using a 3rd-party server)? Did you figure out why that's happening?

@arthurroos I think I jumped the gun here. I admit I didn't read the whole thread. I was under the impression that your remote access VPN didn't have access to pfSense's local DNS entries. I see now that the first VPN you created loses its DNS after the second VPN service is started on pfSense. That's odd.

My first question is: where do you want DNS to come from on each VPN? I assume 8.8.8.8 for the SharkVPN clients and your local DNS (192.168.177.1) for the remote access VPN. If so, make sure you add those IP addresses to the DNS server section of each server configuration. Restart the OpenVPN service after making these changes.

If you still lose DNS on the SharkVPN clients after that change, I'd look at the firewall rules. Like one of the previous posters stated, remove all your rules from that interface and start with what you need. I'd remove everything but an allow-all rule with logging turned on. Then I'd inspect the connections that rule is allowing, specifically noting where the clients are picking up their DNS from. Once you find out which DNS server they are using, make new rules above the allow-all rule specifically allowing the clients to reach the DNS server they were reaching successfully.
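The "log everything, then see where the clients actually send DNS" step above produces a lot of firewall log lines to read by eye. As an added example (not from the thread and not a pfSense tool), the script below parses the comma-separated filterlog format pfSense writes for rule hits (Status > System Logs > Firewall, or /var/log/filter.log), tallies per client which resolvers it reached on UDP/TCP 53 and 853 and whether the rule passed or blocked it, and flags clients that talked to anything other than the resolver they were assigned. The log lines embedded in it are constructed; the field layout assumed is the documented IPv4 TCP/UDP filterlog layout, and the expected-resolver map (192.168.177.50 -> 8.8.8.8, 192.168.177.20 -> 192.168.177.1) is an assumption modelled on the thread.

```python
"""Tally where LAN clients send DNS from pfSense filterlog lines.

Added example, not part of the thread or of pfSense. Parses the CSV body of
filterlog entries (rule,sub-rule,anchor,tracker,iface,reason,action,dir,
ipver,...,proto-name,length,src,dst,sport,dport,...) for IPv4 TCP/UDP and
reports, per source host, which resolvers it reached on 53 (Do53) and 853
(DoT). SAMPLE_LOG is constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set, Tuple

DNS_PORTS = {53: "dns", 853: "dot"}


def parse_filterlog(line: str) -> Optional[dict]:
    """Return a dict for an IPv4 TCP/UDP filterlog entry, else None."""
    # Strip the syslog prefix ("... filterlog[pid]: ") if the line still has it.
    if "filterlog" in line:
        line = line.split("filterlog", 1)[1].partition(": ")[2]
    f = line.strip().split(",")
    if len(f) < 9 or f[8] != "4":
        return None                      # only the IPv4 layout is handled here
    proto = f[16] if len(f) > 16 else ""
    if proto not in ("tcp", "udp") or len(f) < 22:
        return None                      # ICMP etc. carry no ports
    return {
        "rule": f[0], "tracker": f[3], "iface": f[4], "action": f[6],
        "direction": f[7], "proto": proto,
        "src": f[18], "dst": f[19], "sport": int(f[20]), "dport": int(f[21]),
    }


def dns_resolvers(lines: Iterable[str]) -> Dict[str, Dict[Tuple[str, str, str], int]]:
    """Map src host -> {(resolver, "dns"|"dot", action): hit count} for inbound LAN traffic."""
    tally: Dict[str, Dict[Tuple[str, str, str], int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        e = parse_filterlog(line)
        if e is None or e["direction"] != "in" or e["dport"] not in DNS_PORTS:
            continue
        tally[e["src"]][(e["dst"], DNS_PORTS[e["dport"]], e["action"])] += 1
    return {src: dict(v) for src, v in tally.items()}


def unexpected_resolvers(tally: Dict[str, Dict[Tuple[str, str, str], int]],
                         expected: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Hosts that sent DNS to any resolver other than their assigned one (blocked attempts count too)."""
    out: Dict[str, Set[str]] = {}
    for src, dests in tally.items():
        bad = {dst for (dst, _kind, _action) in dests if dst not in expected.get(src, set())}
        if bad:
            out[src] = bad
    return out


# Constructed sample: a VPN-routed host (.50) using 8.8.8.8, one blocked try at 1.1.1.1,
# a plain LAN host (.20) doing DNS over TLS to pfSense, plus HTTPS and IPv6 mDNS noise.
SAMPLE_LOG = """\
Jan 10 12:00:01 pfSense filterlog[4321]: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,1001,0,DF,17,udp,60,192.168.177.50,8.8.8.8,51234,53,40
Jan 10 12:00:01 pfSense filterlog[4321]: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,1002,0,DF,17,udp,60,192.168.177.50,8.8.8.8,51235,53,40
Jan 10 12:00:02 pfSense filterlog[4321]: 9,,,1000000107,igb1,match,block,in,4,0x0,,64,1003,0,DF,17,udp,60,192.168.177.50,1.1.1.1,51236,53,40
Jan 10 12:00:03 pfSense filterlog[4321]: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,1004,0,DF,6,tcp,60,192.168.177.20,192.168.177.1,44100,853,0,S,123456789,,65535,,mss
Jan 10 12:00:04 pfSense filterlog[4321]: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,1005,0,DF,6,tcp,60,192.168.177.20,142.250.80.46,44101,443,0,S,123456790,,65535,,mss
Jan 10 12:00:05 pfSense filterlog[4321]: 5,,,1000000103,igb1,match,pass,in,6,0x00,0,64,17,udp,60,fe80::1,ff02::fb,5353,5353,52
"""

# Assumption modelled on the thread: VPN hosts should only use 8.8.8.8, the rest only pfSense.
EXPECTED = {"192.168.177.50": {"8.8.8.8"}, "192.168.177.20": {"192.168.177.1"}}

if __name__ == "__main__":
    tally = dns_resolvers(SAMPLE_LOG.splitlines())
    for src, dests in sorted(tally.items()):
        for (dst, kind, action), n in sorted(dests.items()):
            print(f"{src:16} -> {dst:16} {kind:4} {action:6} x{n}")
    print("unexpected:", unexpected_resolvers(tally, EXPECTED))
```

On a live box, feed it `clog /var/log/filter.log` output (or the exported log) instead of SAMPLE_LOG; anything listed under "unexpected" is a client whose DNS is going somewhere the rules were not meant to send it, and the passing `(resolver, dns, pass)` entries are the ones to turn into explicit allow rules above the allow-all.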