Bug #12552

open

"Pull DNS" option within OpenVPN client does not cause pfSense to use DNS servers assigned by remote OpenVPN server

Added by Michael Brennan about 2 months ago. Updated about 2 months ago.

Status: New
Priority: Normal
Assignee: -
Category: OpenVPN
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version: 2.5.2
Affected Architecture: amd64

Description

I have an OpenVPN client setup to connect to ExpressVPN. ExpressVPN does not provide static DNS servers for use with their VPN traffic; DNS servers are assigned dynamically. If the "Pull DNS" checkbox is checked within the OpenVPN client settings, I'd expect my DNS Resolver to use the ExpressVPN assigned DNS servers.

Instead, the DNS Resolver still uses the DNS servers that are configured via System -> General Setup. I have my DNS Resolver in forwarding mode ("Enable Forwarding Mode" is checked). If I put the DNS Resolver in resolver mode, then DNS queries are forwarded to my ISP (Comcast).


Files

clipboard-202112011826-kuijf.png (31.6 KB), Danilo Zrenjanin, 12/01/2021 11:26 AM
Actions #1

Updated by Danilo Zrenjanin about 2 months ago

Michael Brennan wrote:

I have an OpenVPN client setup to connect to ExpressVPN. ExpressVPN does not provide static DNS servers for use with their VPN traffic; DNS servers are assigned dynamically. If the "Pull DNS" checkbox is checked within the OpenVPN client settings, I'd expect my DNS Resolver to use the ExpressVPN assigned DNS servers.

Instead, the DNS Resolver still uses the DNS servers that are configured via System -> General Setup. I have my DNS Resolver in forwarding mode ("Enable Forwarding Mode" is checked). If I put the DNS Resolver in resolver mode, then DNS queries are forwarded to my ISP (Comcast).

Can you confirm you enabled the DNS Server Override option under System/General Setup?

Actions #2

Updated by Michael Brennan about 2 months ago

Danilo Zrenjanin wrote in #note-1:

Can you confirm you enabled the DNS Server Override option under System/General Setup?

I didn't have that option checked, but I just tried it and now it forces all DNS traffic through my ISP (Comcast), not using ExpressVPN's.

Actions #3

Updated by Michael Brennan about 2 months ago

Also, the DNS Resolution Mode is set to "Use local DNS (127.0.0.1), fall back to remote DNS Servers (Default)".

Actions #4

Updated by Danilo Zrenjanin about 2 months ago

Can you confirm you're getting DNS-related Push control messages from the OpenVPN server (Status -> System Logs -> OpenVPN)?

You can check https://redmine.pfsense.org/issues/11140 for reference.

Actions #5

Updated by Michael Brennan about 2 months ago

Danilo Zrenjanin wrote in #note-4:

Can you confirm you're getting DNS-related Push control messages from the OpenVPN server (Status -> System Logs -> OpenVPN)?

You can check https://redmine.pfsense.org/issues/11140 for reference.

It looks like it:

Dec 1 12:33:22    openvpn    72433    PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.10.0.1,comp-lzo no,route 10.10.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.10.0.206 10.10.0.205,peer-id 39,cipher AES-256-GCM'

Actions #6

Updated by Michael Brennan about 2 months ago

Danilo Zrenjanin, however, these appear right after that PUSH:

Dec 1 12:33:22    openvpn    72433    Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Dec 1 12:33:22    openvpn    72433    Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Dec 1 12:33:22    openvpn    72433    Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])

Not sure if they are related.
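
As an added example (not from the bug report or from pfSense), a small POSIX sh script that pulls the pushed DNS servers and the rejected options out of OpenVPN log lines like the ones quoted in notes #5 and #6, and reports whether the pushed DNS could actually have been applied; the sample log is constructed from those quoted lines.

```shell
#!/bin/sh
# Added example, not part of the bug report. Reads OpenVPN log lines and answers
# two questions: which DNS servers did the server push, and did the client accept
# the 'dhcp-option' that carries them? Works with BSD and GNU sed/grep.

# stdin: OpenVPN log lines. stdout: one address per 'dhcp-option DNS <addr>'
# found inside a PUSH_REPLY control message.
pushed_dns_servers() {
    sed -n "s/.*PUSH: Received control message: '\(PUSH_REPLY[^']*\)'.*/\1/p" |
        tr ',' '\n' |
        sed -n 's/^dhcp-option DNS \([0-9.]*\)$/\1/p'
}

# stdin: OpenVPN log lines. stdout: names of pushed options the client refused
# ("cannot be used in this context ([PUSH-OPTIONS])"), one per line.
rejected_push_options() {
    sed -n "s/.*Options error: option '\([^']*\)' cannot be used in this context (\[PUSH-OPTIONS]).*/\1/p"
}

# stdin: OpenVPN log lines. Returns 0 when a DNS server was pushed and
# 'dhcp-option' was not rejected; returns 1 otherwise and says why.
check_dns_push() {
    log="$(cat)"
    dns="$(printf '%s\n' "$log" | pushed_dns_servers)"
    [ -n "$dns" ] || { echo "no DNS server in any PUSH_REPLY"; return 1; }
    if printf '%s\n' "$log" | rejected_push_options | grep -qx 'dhcp-option'; then
        echo "DNS pushed ($dns) but the client rejected 'dhcp-option'"
        return 1
    fi
    echo "DNS pushed and accepted: $dns"
    return 0
}

# Constructed sample: the PUSH line from note #5 and the three errors from note #6.
SAMPLE_LOG="Dec 1 12:33:22    openvpn    72433    PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.10.0.1,comp-lzo no,route 10.10.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.10.0.206 10.10.0.205,peer-id 39,cipher AES-256-GCM'
Dec 1 12:33:22    openvpn    72433    Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Dec 1 12:33:22    openvpn    72433    Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Dec 1 12:33:22    openvpn    72433    Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])"

# Usage on the sample: prints the diagnosis; exit status of check_dns_push is 1 here.
printf '%s\n' "$SAMPLE_LOG" | check_dns_push || echo "Pull DNS cannot take effect until the client accepts 'dhcp-option'"
```

On a live box, replace the sample with `clog /var/log/openvpn.log` output (or the Status -> System Logs -> OpenVPN view) piped into `check_dns_push`.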

Actions #7

Updated by Viktor Gurov about 2 months ago

Michael Brennan wrote in #note-2:

Danilo Zrenjanin wrote in #note-1:

Can you confirm you enabled the DNS Server Override option under System/General Setup?

I didn't have that option checked, but I just tried it and now it forces all DNS traffic through my ISP (Comcast), not using ExpressVPN's.

What is the IPv4 Configuration Type for your WAN connection? If it's not "Static IPv4", the DNS provided by the ISP is also added to the list of DNS servers.

Perhaps we need the "Ignore received DNS" option for DHCP/PPPoE connections.

Actions #8

Updated by Michael Brennan about 2 months ago

Viktor Gurov wrote in #note-7:

What is the IPv4 Configuration Type for your WAN connection? If it's not "Static IPv4", the DNS provided by the ISP is also added to the list of DNS servers.

Perhaps we need the "Ignore received DNS" option for DHCP/PPPoE connections.

Hi Viktor, the IPv4 Configuration Type for the WAN is DHCP. An option to ignore the DHCP DNS would be most helpful. As a workaround, is there anything I could do in the DHCP client configuration or OpenVPN custom options?

Actions #9

Updated by Viktor Gurov about 2 months ago

Michael Brennan wrote in #note-8:

Viktor Gurov wrote in #note-7:

What is the IPv4 Configuration Type for your WAN connection? If it's not "Static IPv4", the DNS provided by the ISP is also added to the list of DNS servers.

Perhaps we need the "Ignore received DNS" option for DHCP/PPPoE connections.

Hi Viktor, the IPv4 Configuration Type for the WAN is DHCP. An option to ignore the DHCP DNS would be most helpful. As a workaround, is there anything I could do in the DHCP client configuration or OpenVPN custom options?

Workaround:
1) cp /usr/local/sbin/pfSense-dhclient-script /usr/local/sbin/pfSense-dhclient-script.nodns
2) Comment lines 359, 388-390 in /usr/local/sbin/pfSense-dhclient-script.nodns
3) cp /var/etc/dhclient_wan.conf /usr/local/etc/nodns_dhcp.conf
4) Change the 'script' string to 'script "/usr/local/sbin/pfSense-dhclient-script.nodns";'
5) Interface configuration page: check the "Configuration Override" and select the '/usr/local/etc/nodns_dhcp.conf' in the 'Configuration File Override' field
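
As an added example (not from the bug report or from pfSense), steps 1 to 4 of the workaround above as POSIX sh functions that take explicit paths, so the edits can be rehearsed on copies before touching the live files; the line numbers 359 and 388-390 are the ones given in the note for the 2.5.2 script, and should be checked against your own copy first.

```shell
#!/bin/sh
# Added example, not part of the bug report. Automates the file edits of the
# note #9 workaround: a dhclient script copy with the DNS-handling lines
# commented out, and a dhclient config copy that points at that script.

# comment_lines FILE N [N-M ...]: prefix each listed line or line range with '#'.
# Only the listed lines change, so a wrong number leaves the rest intact.
comment_lines() {
    file="$1"; shift
    for range in "$@"; do
        addr="$(printf '%s\n' "$range" | sed 's/-/,/')"   # "388-390" -> "388,390"
        sed "${addr}s/^/#/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    done
}

# set_dhclient_script CONF SCRIPT: rewrite the 'script "...";' directive in a
# dhclient config (indented or not) to point at SCRIPT.
set_dhclient_script() {
    sed "s|^\([[:space:]]*\)script \".*\";|\1script \"$2\";|" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# build_nodns_override: steps 1-4 with the paths from the note. Step 5 (selecting
# the config in 'Configuration File Override' on the WAN page) stays manual.
build_nodns_override() {
    src=/usr/local/sbin/pfSense-dhclient-script
    dst=/usr/local/sbin/pfSense-dhclient-script.nodns
    conf=/usr/local/etc/nodns_dhcp.conf
    cp "$src" "$dst" && comment_lines "$dst" 359 388-390 || return 1
    cp /var/etc/dhclient_wan.conf "$conf" && set_dhclient_script "$conf" "$dst" || return 1
    echo "Now set 'Configuration File Override' to $conf on the WAN interface page"
}

# Usage on the live system (needs root): build_nodns_override
```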

Actions #10

Updated by Michael Brennan about 2 months ago

Viktor Gurov wrote in #note-9:

Workaround:
1) cp /usr/local/sbin/pfSense-dhclient-script /usr/local/sbin/pfSense-dhclient-script.nodns
2) Comment lines 359, 388-390 in /usr/local/sbin/pfSense-dhclient-script.nodns
3) cp /var/etc/dhclient_wan.conf /usr/local/etc/nodns_dhcp.conf
4) Change the 'script' string to 'script "/usr/local/sbin/pfSense-dhclient-script.nodns";'
5) Interface configuration page: check the "Configuration Override" and select the '/usr/local/etc/nodns_dhcp.conf' in the 'Configuration File Override' field

For step 2, I'm assuming you meant 359, 388, and 389? If I comment out line 390, that's the "fi" closing the "if" statement. Or did you mean to comment out lines 397-389, which would include commenting out the call to 'add_new_routes'? I tried commenting out just 359, 388 and 389, keeping the call to 'add_new_routes' in, but when I applied the changes after performing steps 3-5 it caused the WAN link to go down.

Actions #11

Updated by Viktor Gurov about 2 months ago

Michael Brennan wrote in #note-10:

Viktor Gurov wrote in #note-9:

Workaround:
1) cp /usr/local/sbin/pfSense-dhclient-script /usr/local/sbin/pfSense-dhclient-script.nodns
2) Comment lines 359, 388-390 in /usr/local/sbin/pfSense-dhclient-script.nodns
3) cp /var/etc/dhclient_wan.conf /usr/local/etc/nodns_dhcp.conf
4) Change the 'script' string to 'script "/usr/local/sbin/pfSense-dhclient-script.nodns";'
5) Interface configuration page: check the "Configuration Override" and select the '/usr/local/etc/nodns_dhcp.conf' in the 'Configuration File Override' field

For step 2, I'm assuming you meant 359, 388, and 389? If I comment out line 390, that's the "fi" closing the "if" statement. Or did you mean to comment out lines 397-389, which would include commenting out the call to 'add_new_routes'? I tried commenting out just 359, 388 and 389, keeping the call to 'add_new_routes' in, but when I applied the changes after performing steps 3-5 it caused the WAN link to go down.

These lines:
https://github.com/pfsense/pfsense/blob/master/src/usr/local/sbin/pfSense-dhclient-script#L359
https://github.com/pfsense/pfsense/blob/master/src/usr/local/sbin/pfSense-dhclient-script#L388-L390

Actions #12

Updated by Michael Brennan about 2 months ago

Viktor Gurov wrote in #note-11:

These lines:
https://github.com/pfsense/pfsense/blob/master/src/usr/local/sbin/pfSense-dhclient-script#L359
https://github.com/pfsense/pfsense/blob/master/src/usr/local/sbin/pfSense-dhclient-script#L388-L390

Ah ok, my mistake, not sure what I was thinking there. In any case, I commented out those lines, configured the override for the WAN, which this time didn't kill the interface but the DNS resolution is still going through my configured DNS servers in General Setup. I also tried restarting the OpenVPN client service to re-establish the link but I get the same result.

Actions #13

Updated by Michael Brennan about 2 months ago

Viktor Gurov, is there anything I can do to further debug this and find a workaround? I'd love to help.
