VPN client connection: Howto override DNS settings????

[intrepid2007]

Hi there,

In OpnSense 16.7 I have configured a OpenVPN client and the connection is up and running.. This VPN connection is one of two VPN connections running.

For a particular reason I want to 'override' the DNS servers which have been assigned/pushed to this VPN connection automatically. Is there some setting in the VPN settings (Advanced configuration) that enables me to do this?

thanks!

[bartjsmit]

Add this to the advanced client options:

dhcp-option DNS <your DNS server IP goes here>

Bart...

[intrepid2007]

Hoi Bart,

Thank you for the suggestion, I'll try this later...
I use OpnSense's DNS resolver, I do not use the DNS forwarder service.

Are there other settings in OpnSense that may prevent this option to work?

Thanks ,
alex

[bartjsmit]

Hi Alex,

Test the tunnel by IP connections (e.g. trace route to 8.8.8. and confirm that the DNS server is resolving queries. Between them you have covered all OPNsense aspects I can imagine having any impact.

Remember to allow ICMP for traffic going through the tunnel(s) you're testing.

Bart...

[the-mk]

also make sure that your DNS-Forwarder is configured to listen to specific interfaces (like LAN, OpenVPN-Server) to be able to talk from your road-warrior to the DNS-Forwarder on your OPNsense box -- https://forum.opnsense.org/index.php?topic=3598.0

[intrepid2007]

Hi Bart,

I tried your suggestion and added the line in the advanced commands section.

dhcp-option DNS x.x.x.x (IP left out)
tun-mtu 1500
fragment 1300
mssfix 1450
keysize 256
auth SHA512
sndbuf 524288
rcvbuf 524288


Unfortunately, it doesn't appear to work..

When connected to the VPN provider, I have access to all site, except one... That same VPN provider sent me alternative DNS servers to fix this.

This is what happens when I do a nslookup in Win7:

C:\Users\g51vx>nslookup netflix.com
Server:  ABAsense.localdomain
Address:  10.0.0.254

*** ABAsense.localdomain kan netflix.com niet vinden: Server failed

I have a Dutch Windows, it above says that it cannot find the domain requested.

In OpnSense it's the same story, in 'Interfaces: Diagnostics: Traceroute' it also won't resolve....


When I enter the DNS servers manually in the TCP/IP settings of Windows, it resolves the host without problems.... That tells me those DNS servers work... However I don't want to specify DNS servers in Windows like that....

Any idea what might go wrong? It seems that the VPN's own DNS servers are used....

Hi Alex,

Test the tunnel by IP connections (e.g. trace route to 8.8.8. and confirm that the DNS server is resolving queries. Between them you have covered all OPNsense aspects I can imagine having any impact.

Remember to allow ICMP for traffic going through the tunnel(s) you're testing.

Bart...

[intrepid2007]

Hi, DNS forwarder has been disabled. Do you suggest I need to enable it???

also make sure that your DNS-Forwarder is configured to listen to specific interfaces (like LAN, OpenVPN-Server) to be able to talk from your road-warrior to the DNS-Forwarder on your OPNsense box -- https://forum.opnsense.org/index.php?topic=3598.0

[bartjsmit]

Hi Alex,

It may be worthwhile cranking up the verbosity of the OpenVPN client to see why your tunnel doesn't get the DNS setting you specified. I would get the name resolution on OPNsense correct first and leave the clients until that is working.

If you want to change DNS resolution by domain, you need a conditional forwarder. I think that is a feature particular to Windows Server. Mind that Netflix operates a large number of domains and it could require a packet capture to see which ones are in play.

Bart...