Site-2-Site OpenVPN DNS resolution

I have a working Site-to-Site OpenVPN connection over OPNsense. I am connecting my parents’ house with mine. My OPNsense box is the VPN server and my parents’ is the VPN client. Both use Unbound as the resolver with forwarding mode NOT enabled.

I have a few services like Nextcloud and Bitwarden. I can access all my services on my network via servicename.mypublicdomain.net (set up via the HAProxy plugin). I can also connect to the same services from the VPN client network using the IP addresses.

I would like to set it up such that the client can access it using bitwarden.mypublicdomain.net. I don’t think I want to resolve all the clients’ DNS – only the services that are hosted on my network (192.168.1.0/24).

  1. How would I pass my opnsense (VPN server side) DNS entries via the VPN tunnel? (Not sure if that is the right question to ask)
  2. What are the changes that I would need to make this happen?

If you only have a couple of services to connect that way, just add to the Windows Host List “\windows\system32\drivers\etc\hosts” - add the name and then the internal address of your services

That way it communicates internal to the VPN etc.

I don’t have any Windows machines on the client site. Also, the devices could be changing, so I won’t be able to add them to all clients.

I was hoping that I could somehow set the DNS entries on the client opnsense – either by passing my DNS entries via the tunnel or creating host overrides on the client just as I have on the server side.

When you are doing a site-to-site VPN you would set the DNS server on the other side to get its updates from the primary site; then the local workstations would use that server’s DNS.

Thanks Tom. How would I go about doing that?

Have the firewall at Site B use the DNS from Site A firewall and then the site B DNS would be the Site B firewall. Just an FYI if the VPN goes down, so does Site B DNS.

This won’t work because if the DNS goes down – the internet is down as far as my non-tech parents are concerned.

So there’s no way to have selective DNS resolution? As in, use Site A DNS when accessing Site A services (all on 192.168.1.0/24), and the Site B DNS server for everything else?

Not really any simple way to do that in pfsense.

@inxsible - I think you are misunderstanding @LTS_Tom . If the internet goes down, you’ll only lose the remote but not local DNS. If the internet is down, remote DNS is useless because the tunnel will fail anyway (no internet = no vpn link).
The way that I do this is to use ‘domain overrides’ that are at the bottom of the Unbound configuration (Services → DNS Resolver → General Settings in pfSense, not sure about OPNsense), and I use separate TLDs for each network (localnet with the server at 192.168.0.1 and remotenet with the server at 192.168.100.1). So on the local network pfSense, I have a DNS override for the remotenet TLD that uses the server IP address 192.168.100.1. Likewise, on the remote network pfSense, I have a DNS override for localnet with a server at 192.168.0.1. So any requests on localnet for DNS to remotenet will be forwarded through the VPN to the remote server at 192.168.100.1. Any requests on remotenet for localnet DNS will be forwarded through the VPN to the server at 192.168.0.1.
Hope this helps.

Thanks @gzornetzer I tried what you suggested…

I enabled the forwarding mode in Unbound. Then I added a domain override for mypublicdomain.net and set the IP to 192.168.1.1 (which is the server-side internal firewall IP). Then I tried bitwarden.mypublicdomain.net on a machine connected to the VPN client, but it still couldn’t resolve.

So I added 192.168.1.1 in the DNS servers under System → Settings → General with the gateway set to WAN. But still no dice.

Then I disabled Unbound and enabled Dnsmasq. Created an override for mypublicdomain.net. Set the IP to 192.168.1.1 & Source IP to 192.168.3.1 and it still wouldn’t resolve. Finally I also tried putting in my server side public WAN IP in the domain override that I created, but that didn’t work either.

In all of the tests, Chrome shows “Try running Connectivity Diagnostics”. When I click on that, the DNS is always set to the client’s local DNS server (192.168.3.1) and never to 192.168.1.1 (which is the VPN server-side DNS server).

What else can I try? How do I make it check with the Site A DNS? Help please!

Dude, seriously? I gave you the answer over on Spiceworks

As you will note, I tried a few things, but that didn’t work for me as described in the post above. It’s possible that I made an error. I am still trying to wrap my head around DNS.

When I ran nslookup from the client, it was hitting the local DNS server (on the VPN client side). So I dug a bit deeper to see what mistake I was making, and sure enough I found the issue.

I was using homevpn.domain1.com as the Remote Server in the VPN client configuration, as I had set up the A record in my public DNS account. However, the minute I added the domain override under Unbound for domain1.com, the VPN connection would not be initialized, as it would try to contact the VPN server-side DNS (without the VPN connection being established), which obviously wouldn’t work.

In any case, I own 2 domains. So I ended up creating a new A record for homevpn.domain2.com and now use that for DDNS and as the VPN server endpoint. Then I added a domain override for domain1.com under Unbound, and now I am able to access my self-hosted services via HTTPS from the client machine.
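The bootstrap problem found at the end of this thread (a domain override that swallows the VPN endpoint's own hostname, so the client-side resolver forwards that lookup into a tunnel that is not up yet) is easy to check for before applying a config. The following is an added example, not code from the thread or from OPNsense/Unbound: it parses a constructed Unbound `forward-zone:` fragment (the plain-text equivalent of the GUI domain override) and reports any override whose forward address lives in a subnet only reachable through the tunnel while also covering the VPN remote hostname. The hostnames, zones and addresses are hypothetical placeholders taken from the thread.

```python
import ipaddress

# Constructed Unbound forward-zone fragment: the domain overrides this thread describes
# (site A's public domain forwarded to site A's firewall, plus a remotenet example).
UNBOUND_CONF = """
forward-zone:
    name: "domain1.com"
    forward-addr: 192.168.1.1
forward-zone:
    name: "remotenet"
    forward-addr: 192.168.100.1
"""


def parse_forward_zones(conf):
    """Return {zone_name: [forward addresses]} from forward-zone stanzas."""
    zones = {}
    current = None
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("forward-zone:"):
            current = None  # new stanza; its name: line follows
        elif line.startswith("name:"):
            current = line.split(":", 1)[1].strip().strip('"').rstrip(".").lower()
            zones[current] = []
        elif line.startswith("forward-addr:") and current is not None:
            zones[current].append(line.split(":", 1)[1].strip())
    return zones


def matching_zone(hostname, zones):
    """Longest-suffix match: the override zone Unbound would forward this name to, or None."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def tunnel_bootstrap_conflicts(conf, vpn_remote_host, tunnel_only_nets):
    """Flag overrides that would send the VPN endpoint's own lookup through the tunnel.

    vpn_remote_host: the 'Remote Server' name in the OpenVPN client config.
    tunnel_only_nets: subnets reachable only once the VPN is up (e.g. site A's LAN).
    """
    zones = parse_forward_zones(conf)
    zone = matching_zone(vpn_remote_host, zones)
    if zone is None:
        return []  # endpoint resolves via normal recursion; no circular dependency
    nets = [ipaddress.ip_network(n) for n in tunnel_only_nets]
    bad = [a for a in zones[zone] if any(ipaddress.ip_address(a) in n for n in nets)]
    return [(zone, a) for a in bad]
```

With the thread's original endpoint homevpn.domain1.com the check reports the domain1.com override as a conflict; with homevpn.domain2.com it reports nothing, which is exactly the fix the poster landed on.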