OPNsense
Topics - Rod_opnsense
17.1 Legacy Series / traffic (DNS) is using wrong output interface with OPENVPN.
« on: June 13, 2017, 08:10:37 pm »
Hello all,

I want to use my OPNsense firewall with OpenVPN and ensure that all traffic goes into the tunnel for confidentiality.

Thanks to the NAT -> Internet rule that sends traffic to the VPN gateway, the LAN-initiated traffic is correctly tunnelled.
But I have an issue with DNS resolution for LAN computers. It is sent to the firewall, but the firewall always uses the WAN interface instead of the VPN one.

I understand the technical reason why one would say that DNS should be sent to WAN, for example to resolve the VPN server name before opening the tunnel. But let's forget that and focus only on the proof of concept (after all, I can put the IP of the VPN server in the OPNsense config) that I want ALL traffic to be tunnelled once the tunnel is established (confidentiality).

My configuration is quite simple: a LAN, the OPNsense box (v17.1.8-amd64), an internet router. My DNS configuration is the DNS Resolver activated on the firewall. NAT computers use the firewall IP for DNS.
The parameter "Allow DNS server list to be overridden by DHCP/PPP on WAN" is unchecked.
The parameter "Do not use the DNS Forwarder/Resolver as a DNS server for the firewall" is unchecked.
The DNS servers parameter in "System/Settings" is set to the DNS servers from the VPN provider, currently with the "use gateway" parameter set to the VPN interface.

I tested a lot of configurations/parameters over quite a few long hours.
But it never worked as I would like; the logs clearly show DNS requests using the WAN interface and not the VPN one.
I could put the VPN DNS IP in the LAN computers' network configuration instead of the firewall IP. In that case DNS traffic is correctly sent into the tunnel. But I would prefer having DNS on OPNsense.

Can someone help with that?

Thanks !

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved