Messages - intrepid2007

#1
German - Deutsch / Re: DNS Leaks vermeiden
April 21, 2021, 04:54:45 PM
Sorry, but my German is not perfect ;-)

I also asked this question here more than a year ago.

When you connect with ExpressVPN, ExpressVPN pushes the VPN DNS address through the VPN tunnel. Unfortunately the ExpressVPN DNS server is a local IP address (10.x.x.x), and this address can change every time you connect. The big question is how to get this address into OpnSense.

Unfortunately it is still not known whether this is possible.


#2
Hello,

After a one-year pause I decided to continue with OpnSense. I have installed version 20.1 and set it up the way I like it...

I use 2 subnets:
Traffic from LAN clients in the 192.168.0.0/24 range is routed to the WAN
Traffic from LAN clients in the 192.168.1.0/24 range is routed to ExpressVPN

This works fine; I can even re-route DNS requests to fixed DNS servers
(for WAN: 1.1.1.1, for ExpressVPN: 156.154.70.1).

However, I am not quite satisfied with how the DNS server setup works for ExpressVPN.
When connecting to the tunnel, ExpressVPN pushes its internal DNS server, and I would like to use that particular DNS server:

Aug 11 20:06:51 ovpn-client1[4167]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.72.0.1,comp-lzo no,route 10.72.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.72.0.102 10.72.0.101,peer-id 24,cipher AES-256-GCM'

As you can see in the log above, ExpressVPN pushes its own internal DNS server with IP address 10.72.0.1. Each time a reconnect takes place, another internal IP address may be issued. If that internal IP address is in a different subnet, the DNS server is also different. So filling in that DNS server in a rule the 'hardcoded' way is not quite user-friendly.

I'd like to configure OpnSense in such a way that the pushed internal DNS server from the VPN provider is used automatically. Is this possible?
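Posts #1 and #2 both ask how to pick up the DNS server that the VPN provider pushes (10.72.0.1 in the log above) without hardcoding it. The following is an added example, not code from this thread or from OPNsense. OpenVPN hands every pushed option it does not apply itself (dhcp-option DNS among them) to --up/--route-up scripts as the environment variables foreign_option_1, foreign_option_2, ...; the same options are visible in the PUSH_REPLY log line quoted above, and both inputs are parsed here. The PUSH_REPLY sample is copied from that log line. The hook wiring (script-security 2 plus an 'up' directive in the client's custom options) is an assumption about how this would be attached on OPNsense, which the thread does not confirm.

```python
"""Pick up the DNS server an OpenVPN server pushes to the client.

Added example; not code from the forum thread or from OPNsense. Input is
either the PUSH_REPLY control message from the OpenVPN log or the
foreign_option_N environment an --up hook receives. The hook usage at the
bottom assumes 'script-security 2' and an 'up <script>' directive, which is
an assumption, not something the thread verified.
"""
import ipaddress
import re
from typing import Dict, List

# Log line from post #2; the only real data used here
PUSH_REPLY = ("PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.72.0.1,"
              "comp-lzo no,route 10.72.0.1,topology net30,ping 10,"
              "ping-restart 60,ifconfig 10.72.0.102 10.72.0.101,peer-id 24,"
              "cipher AES-256-GCM")


def dns_from_push_reply(line: str) -> List[str]:
    """Return the servers named by 'dhcp-option DNS/DNS6' in a PUSH_REPLY.

    Only syntactically valid addresses are returned, so a mangled or hostile
    push cannot inject arbitrary text into a generated resolver config."""
    servers = []
    for opt in line.split(","):
        m = re.fullmatch(r"\s*dhcp-option\s+DNS6?\s+(\S+)\s*", opt)
        if m:
            try:
                servers.append(str(ipaddress.ip_address(m.group(1))))
            except ValueError:
                continue
    return servers


def dns_from_env(env: Dict[str, str]) -> List[str]:
    """Same extraction from the foreign_option_N variables an --up hook sees."""
    keys = [k for k in env if re.fullmatch(r"foreign_option_\d+", k)]
    keys.sort(key=lambda k: int(k.rsplit("_", 1)[1]))   # numeric, not lexical
    return dns_from_push_reply(",".join(env[k] for k in keys))


def routed_via_tunnel(line: str, server: str) -> bool:
    """True if the pushed options give the tunnel a route to `server`.

    Looks at pushed 'route net [mask]' entries and the ifconfig peer.
    redirect-gateway is ignored on purpose: a policy-routing firewall usually
    filters it out (pull-filter ignore redirect-gateway), and then a DNS
    server without an explicit route would be queried over the default WAN."""
    addr = ipaddress.ip_address(server)
    for opt in line.split(","):
        parts = opt.split()
        if not parts:
            continue
        if parts[0] == "ifconfig" and len(parts) >= 3:
            try:
                if addr == ipaddress.ip_address(parts[2]):
                    return True
            except ValueError:
                pass
        elif parts[0] == "route" and len(parts) >= 2:
            mask = parts[2] if len(parts) >= 3 else "255.255.255.255"
            try:
                net = ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False)
            except ValueError:
                continue
            if addr in net:
                return True
    return False


def unbound_forward_zone(line: str) -> str:
    """Render an Unbound forward-zone for '.' that uses only pushed servers
    reachable through the tunnel; returns '' when none qualify."""
    good = [s for s in dns_from_push_reply(line) if routed_via_tunnel(line, s)]
    if not good:
        return ""
    body = "".join(f"    forward-addr: {s}\n" for s in good)
    return 'forward-zone:\n    name: "."\n' + body


if __name__ == "__main__":
    import os
    # Under OpenVPN's --up hook read foreign_option_N from the environment;
    # stand-alone, fall back to the captured PUSH_REPLY.
    servers = dns_from_env(dict(os.environ)) or dns_from_push_reply(PUSH_REPLY)
    print(servers)
    print(unbound_forward_zone(PUSH_REPLY), end="")
```

The reachability check is the part worth keeping: a pushed resolver that has no route through the tunnel would be queried over the default gateway, which is exactly the leak the per-gateway DNS rules in this thread are meant to prevent.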

#3
Hi Franco,

Thank you for your reply!  :)

Yes, I can see that code changes have been committed last week!
Later today I will give it a try !!

Thanks!


Update: I just applied the patch, everything went fine!  :)
#4
Hi there,

First my question (it is more a request for a new feature):
The number of DNS servers in System --> General --> Settings is _limited_ to 4 DNS servers.

Are there plans to make this dynamic, so more DNS servers can be specified?
pfSense has this feature and it is quite useful.


Why am I asking this?
In my setup I assign an IP address + DNS servers to each LAN client via the DHCP server.

These DNS servers are also configured in System --> General --> Settings:
Here I assign each DNS server to a specific gateway. I want to ensure that the query goes through that gateway only. DNS forwarding/resolver is disabled.

In general, VPN providers provide 2 DNS servers.

So when you have 3 VPN client connections in your system, you would need to configure 3x2 = 6 DNS servers in System-->General-->Settings... But that is impossible at the moment. So now I 'only' configure 1 DNS server per VPN provider..

(I also have a set of firewall rules configured, each rule specify an IP-range and a specific gateway. This way I can route LAN clients in the 192.168.0.1x range to VPN provider A, LAN clients in the 192.168.0.2x range to VPN provider B etcetera... This works fine, no leaks...)


Thanks!
#5
I got it working with IPVanish...

Don't forget to add these settings in the OpenVPN settings (custom options):

fast-io;tun-mtu 1500;persist-key;persist-tun;persist-remote-ip;verb 3;auth SHA256;keysize 256;tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA

Also don't forget to import the IPVanish certificate... And configure the OpenVPN client settings so it will use the certificate....



Quote from: ecourt on April 02, 2017, 07:24:21 PM
tried setting up a openVPN client for ipvanish ...
think I've got everything in correctly, but it's not connecting.

know the username and PW are right, as I can run the client form my pc
but logs are showing
Options error: --auth-user-pass requires --pull

Thanks
#6
Hi there,

For some time I have been testing OpnSense, which is installed on a ZOTAC ZBOX CI323 Nano (2 Realtek NICs onboard). Currently I have 3 VPN providers: IPVanish, NordVPN and ExpressVPN.

Both providers have been configured; based upon the client's IP address in the LAN, traffic is passed to one of the 3 VPN providers... This works fine, even no DNS leaks!

Since 2 weeks my configuration is 'stable', it hasn't changed much anymore :-)

However I noticed something strange with the NordVPN connection and I can't explain why it happens.
Every few minutes (random) the traffic via that connection stops suddenly...  Then the VPN's timeout mechanism appears to trigger (180 seconds) and a re-connect is forced (according to the logs).
Changing to another NordVPN VPN server doesn't help, the same thing is happening....

Both OpnSense version 16.7.x and version 17.1.3 have this issue...

I have had contact with NordVPN about this; According to them, my configuration seemed OK...

The other 2 VPN providers do not have this problem under OpnSense, no connection 'drops'.... You would then think that it is 'NordVPN' related and not OpnSense, but....

I also installed pfSense 2.3.2 and I configured it (also) the same way as in OpnSense...
With pfsense it works flawless, no connection drops...

When I grab some network traffic in OpnSense and save it to a .pcap file, Wireshark can't import it because the .pcap appears to be corrupted... Is this something that sounds familiar to you?

When I 'repair' the .pcap file and import it into Wireshark, I see packets that do not appear to be IP packets (unknown)...

Any suggestions?

Best regards!

#7
General Discussion / Re: Bootable USB Drive with Rufus
February 14, 2017, 08:45:25 AM
I have had the same issue as you described. I used
another bootable medium (cd/dvd/usb, Linux based) with partition manager software to remove the partitions and erase the content... After that I was able to re-use the USB drive in Windows.
#8
Hi there,

Another approach/attempt to get this working correctly...

What I want, is the following:

LAN clients in 192.168.0.10 - 192.168.0.19 range must connect to OpenVPN client expressvpn
LAN clients in 192.168.0.20 - 192.168.0.29 range must connect to OpenVPN client ipvanish #1
LAN clients in 192.168.0.30 - 192.168.0.39 range must connect to OpenVPN client ipvanish #2

Each VPN must use its own manually configured DNS server for resolving names...


For example:
When a client with IP 192.168.0.32 connects to the internet, it must use the ipvanish #2 gateway.
Both DNS resolution and the data transfer should be handled by this gateway.

I am new to OpnSense and I have tried various scenarios. Unfortunately I still can't get it to work correctly.
Is what I want, possible with OpnSense???

When using my configuration, it appears to 'mix' the gateways and dns servers (dns resolve via expressvpn, data exchange via ipvanish)



My setup is as follows:
OpnSense version 16.7 (with the last updates installed)

LAN Interface : IP range = 192.168.0.x
OpnSense IP  : 192.168.0.254
WAN              : static, IP = 192.168.1.199 (upstream gateway set to DSL modem IP 192.168.1.254)

And I have configured 3 VPN clients (1x expressvpn, 2x ipvanish), which appear to be working fine.


Config in OpnSense is as follows:

- In system, settings, general:
Prefer IPv4 over IPv6=checked
Gateway switching =unchecked

DNS servers:
dns server=8.8.8.8 / gateway=wan

Allow DNS server list to be overridden by DHCP/PPP on WAN=checked
Do not use the DNS Forwarder/Resolver as a DNS server for the firewall=checked

- In firewall -> rules i have the following rules in the LAN section:

rule 1: Anti-Lockout Rule

rule 2: DNS
interface=lan
protocol=tcp/ip
source/invert= unchecked
source=any
destination=any
destination port range = dns - dns
gateway=default

rule 3: expressvpn
interface=lan
tcp/ip version=ipv4
Protocol=any
Source / Invert=unchecked
Source=expressvpn (the alias with ip addresses)
Destination=any
Destination port range=any
Gateway=opt_expressvpn_vpnv4

rule 4 and rule 5: ipvanish#1 / ipvanish#2
same as expressvpn rule, only the gateway is different

DNS resolver service is enabled (using default settings -all checkboxes are unchecked-).


The opnsense's dhcp server issues specific ip addresses based upon the mac address of the client's NIC.

Has anyone ideas to get me in the right direction????

#9
Hi, DNS forwarder has been disabled. Do you suggest I need to enable it???

Quote from: the-mk on January 28, 2017, 05:02:35 PM
also make sure that your DNS-Forwarder is configured to listen to specific interfaces (like LAN, OpenVPN-Server) to be able to talk from your road-warrior to the DNS-Forwarder on your OPNsense box -- https://forum.opnsense.org/index.php?topic=3598.0
#10
Hi Bart,

I tried your suggestion and added the line in the advanced commands section.

dhcp-option DNS x.x.x.x (IP left out)
tun-mtu 1500
fragment 1300
mssfix 1450
keysize 256
auth SHA512
sndbuf 524288
rcvbuf 524288



Unfortunately, it doesn't appear to work..

When connected to the VPN provider, I have access to all sites, except one... That same VPN provider sent me alternative DNS servers to fix this.

This is what happens when I do a nslookup in Win7:

C:\Users\g51vx>nslookup netflix.com
Server:  ABAsense.localdomain
Address:  10.0.0.254

*** ABAsense.localdomain kan netflix.com niet vinden: Server failed

I have a Dutch Windows, it above says that it cannot find the domain requested.

In OpnSense it's the same story, in 'Interfaces: Diagnostics: Traceroute' it also won't resolve....


When I enter the DNS servers manually in the TCP/IP settings of Windows, it resolves the host without problems.... That tells me those DNS servers work... However I don't want to specify DNS servers in Windows like that....

Any idea what might go wrong? It seems that the VPN's own DNS servers are used....



Quote from: bartjsmit on January 28, 2017, 04:57:03 PM
Hi Alex,

Test the tunnel by IP connections (e.g. trace route to 8.8.8.8) and confirm that the DNS server is resolving queries. Between them you have covered all OPNsense aspects I can imagine having any impact.

Remember to allow ICMP for traffic going through the tunnel(s) you're testing.

Bart...
#11
Hi Bart,

Thank you for the suggestion, I'll try this later...
I use OpnSense's DNS resolver, I do not use the DNS forwarder service.

Are there other settings in OpnSense that may prevent this option from working?

Thanks ,
alex
#12
Hi there,

In OpnSense 16.7 I have configured an OpenVPN client and the connection is up and running. This VPN connection is one of two VPN connections running.

For a particular reason I want to 'override' the DNS servers which have been assigned/pushed to this VPN connection automatically. Is there some setting in the VPN settings (Advanced configuration) that enables me to do this?

thanks!

#13
After several days of experimenting, I think I finally got it figured out (it appears to be working now  :) )....

For those that are interested, I explain what I have changed....

It appears that if you want to specify a specific IP address for routing, you need to use a mask of <255.255.255.255> (/32).

In Firewall --> Rules:
IPv4 *    10.0.0.100    *    *    *    OPT1_VPNV4       Allow LAN to VPN
IPv4 *    10.0.0.99     *    *    *    WAN_DHCP         Allow LAN to WAN


These 2 rules do the 'magic' here:
- Traffic from LAN device with IP=10.0.0.99 is routed to VPN,
- Traffic from LAN device with IP=10.0.0.100 is routed to WAN (direct)

One thing I noticed is that the 2 IP addresses are shown without the '/xx' (this is due to the /32 setting, I guess)


Grtz
#14
Hello,

I am new to OpnSense and I recently started playing with it to see what its possibilities are...
The software runs on a mini-pc with 2 NICs (a LAN port and WAN port).

My goal is to configure the router in such a way that it routes LAN traffic to:

1. a VPN connection
or
2. the WAN (direct)

depending on the IP address of the device in the LAN.

First of all I'd like to know if that's possible, because until now I can't get it to work like that....
The documentation of OpnSense is rather rudimentary for beginners like me, so I am kind of stuck here....

My setup:

LAN IP mini pc : static (10.0.0.1/8), DHCP server is enabled
WAN IP mini pc: DHCP (192.168.1.13)

Also configured is an OPT1 interface (VPN client connection)

The WAN port is connected to the DSL modem (IP=192.168.1.254)
The LAN port is connected to my laptop (IP=10.0.0.100)

I have been playing with these settings:

In [Firewall -> Rules] I have defined two rules in LAN:
IPv4 TCP/UDP    *    *    *    53 (DNS)    *       'DNS'
IPv4 *    *    *    10.0.0.100/8    *    WAN_DHCP  'LAN to WAN'
IPv4 *    *    *    10.0.0.101/8    *    OPT1_VPNV4  'LAN to VPN'

In [Firewall -> NAT -> Outbound] I have defined two entries:
OPT1    any     *    *    *    OPT1 address    *    NO
WAN    any     *    *    *    WAN address    *    NO

I am not sure if I am in the right direction....
Any ideas on how I could get this to work?


Thanks!
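Posts #8, #13 and #14 all turn on how OPNsense evaluates the LAN rule list: pass rules are first-match ("quick") by default, so rule order and the exact source mask decide which gateway a packet gets. The following is an added example, not code from this thread or from OPNsense. It replays the three posted rule tables under first-match semantics and shows two effects the thread ran into: a source written as 10.0.0.100/8 matches the whole 10.0.0.0/8, so the first host rule swallows every LAN client (the /32 fix from post #13), and a catch-all DNS rule with the default gateway placed above the per-client VPN rules sends port-53 queries out the default gateway while the client's data goes through the VPN (the "mixing" described in post #8). Gateway names and address ranges are taken from the posts; the gateway names for the two IPVanish rules and the packets fed to the simulator are constructed for the example.

```python
"""First-match walk through the LAN rule sets posted in #8, #13 and #14.

Added example; not from the forum thread or from OPNsense. Rule order,
ranges and gateway names follow the posts (the two ipvanish gateway names
are assumed, the posts only say "the gateway is different"); the packets
evaluated in the test and at the bottom are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

DEFAULT_GW = "default"   # what a rule with gateway "*" / "default" resolves to


@dataclass
class Rule:
    descr: str
    source: str = "any"             # "any", CIDR, or "first-last" address range
    dst_port: Optional[int] = None  # None means any destination port
    gateway: str = DEFAULT_GW

    def matches(self, src: str, dport: int) -> bool:
        if self.dst_port is not None and dport != self.dst_port:
            return False
        if self.source == "any":
            return True
        if "-" in self.source:
            lo, hi = (ip_address(p) for p in self.source.split("-", 1))
            return lo <= ip_address(src) <= hi
        # strict=False mirrors the GUI: host bits are dropped silently
        return ip_address(src) in ip_network(self.source, strict=False)


def effective_network(source: str) -> str:
    """What a CIDR source field really matches once host bits are dropped."""
    return str(ip_network(source, strict=False))


def route(rules: List[Rule], src: str, dport: int) -> Optional[str]:
    """Gateway of the first matching rule; None = no pass rule, so dropped."""
    for r in rules:
        if r.matches(src, dport):
            return r.gateway
    return None


def dns_rule_last(rules: List[Rule]) -> List[Rule]:
    """Move port-53 catch-all rules below the per-client gateway rules, so a
    client's DNS query takes the same gateway as its data."""
    dns = [r for r in rules if r.dst_port == 53]
    return [r for r in rules if r.dst_port != 53] + dns


# Post #14: host rules written with /8
RULES_POST14 = [
    Rule("DNS", "any", 53),
    Rule("LAN to WAN", "10.0.0.100/8", None, "WAN_DHCP"),
    Rule("LAN to VPN", "10.0.0.101/8", None, "OPT1_VPNV4"),
]

# Post #13: the same kind of host rules as /32
RULES_POST13 = [
    Rule("Allow LAN to VPN", "10.0.0.100/32", None, "OPT1_VPNV4"),
    Rule("Allow LAN to WAN", "10.0.0.99/32", None, "WAN_DHCP"),
]

# Post #8: alias ranges per VPN, DNS rule on top with the default gateway
RULES_POST8 = [
    Rule("DNS", "any", 53),
    Rule("expressvpn", "192.168.0.10-192.168.0.19", None, "opt_expressvpn_vpnv4"),
    Rule("ipvanish#1", "192.168.0.20-192.168.0.29", None, "opt_ipvanish1_vpnv4"),
    Rule("ipvanish#2", "192.168.0.30-192.168.0.39", None, "opt_ipvanish2_vpnv4"),
]

if __name__ == "__main__":
    print(effective_network("10.0.0.100/8"))                  # 10.0.0.0/8
    print(route(RULES_POST14, "10.0.0.101", 443))             # WAN_DHCP, not the VPN
    print(route(RULES_POST13, "10.0.0.100", 443))             # OPT1_VPNV4
    print(route(RULES_POST8, "192.168.0.32", 443))            # opt_ipvanish2_vpnv4
    print(route(RULES_POST8, "192.168.0.32", 53))             # default: DNS leaves via WAN
    print(route(dns_rule_last(RULES_POST8), "192.168.0.32", 53))
```

Reordering is the minimal fix the simulator demonstrates; the per-gateway DNS servers configured under System --> General --> Settings in later posts are the other half, since the query must also target a resolver that is reachable through the gateway it is sent to.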