Question about DNS VPN


Wichinbb

New Around Here
Hi All,
Would someone give me some pointers on the following?
I have two VPN client connections through my VPN provider to two different locations.
I have set up Aliases for the devices that I want on each VPN and Aliases for the DNS servers. The connections work great, but it seems that the DNS for one VPN is being used for both VPN connections and even my WAN connection. I have created the following port forward rules:
upload_2019-1-24_19-19-53.png

So what I am getting is the DNS from DNS_QC for both DNS_NY and DNS_WAN.
Even though I am specifying the redirect IPs of the DNS servers in the Aliases, is it possible for each connection to have its own DNS?
Am I missing a block rule for each so that it does not go into the other? If yes, can you give me an example of how to go about it?

Here are my NAT Outbound rules, and they are set to manual:
upload_2019-1-24_19-27-54.png


Here are my LAN Rules:
upload_2019-1-24_19-36-25.png


I have the DNS Resolver enabled, and under Network Interfaces I have only LAN and Localhost highlighted. Under Outgoing Network Interfaces, I have only my two VPN connections selected. DNSSEC is unchecked, as is Enable Forwarding Mode.
Under General Setup, DNS Server Settings, I have no DNS servers defined at all. The only option checked is "Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall".

If you can give me some advice, and if what I would like to have done is doable, please let me know.
Thanks!
 

Hi, I am only a newbie myself; your question is confusing to me. If both clients are using the same VPN provider, won't they be using the VPN provider's DNS server? I think they can go to "dns leak detected" to find out.

Also, I would think people will need to know what type of devices you are using, and software if any. I think it may be Edge X, but I can't be sure from your pictures. Were you able to get everything to work with IP addresses before you went to Aliases?
 
Hi Lostcowboy,
Thanks for the reply.
Yes, both clients are using the same VPN provider, but if I have created a specific port forward rule with Aliases that specify different DNS servers, don't you think that each connection would have to use the DNS server(s) that I set in that rule?

Yes, I have gone to the DNS leak test site to check, and I get only one DNS server for all three connections. So, for example, I have devices going through the VPN to NY, others going to Montreal, and the rest just going out my regular WAN ISP. All devices get the DNS from the Montreal connection, even though I have set Google and OpenDNS for the WAN and NY connections.
So my question is: why is it doing this, and is it necessary to create block rules so that one DNS doesn't interfere with the other two?
Is it a bit clearer now?

As for devices, I am just using pfSense as my router, with no packages installed; pretty much a default install. Windows clients and a couple of Linux ones. I have an Active Directory domain set up, so all clients point to the AD DNS, which forwards requests to a Pi-hole for ad blocking, and the Pi-hole forwards to the pfSense box.
 
Hi, as I said, I am extremely new at this, so I can't help more. But your router is where everything is happening, so read up on it and find forums on it to ask this question. Also read up on the configuration file of the VPN you are using. OpenVPN has a lot of documents on their web site. I think the config file is where you need to set up which IP addresses use the VPN. The VPN likely only has one DNS server for you to use, so you are stuck with it, but I don't think that will slow you down. Right now your VPN conf file is set up so all traffic goes through it; most people want that, so that is what you get. I believe it is a text file, so you can edit it. I think you need to use static IP addresses for the devices that will be using the VPN and put them into the VPN config file; then there should be a rule in there that is directing all traffic through the VPN, which you need to remove, I believe.
About Pi-hole, I don't think the VPN will use it as is.

I am going a different route myself for now. I have IPVanish VPN, but found my current router, while able to do OpenVPN, was too slow. So I am using the IPVanish apps on each device.
 
Hello @Wichinbb
I know what you are trying to do as I have made some attempts at it as well. I have three OpenVPN clients. On DNS Resolver (Unbound), I select the three OpenVPN clients as the Outgoing Network Interface option on the gui. When I do an IP leak test, it shows the IP addresses of the three OpenVPN clients as the DNS IP address. I want it to only show the IP of the tunnel I am currently connected to.

It looks like you are attempting Method 1 to prevent DNS Leak from the guide on
https://www.techhelpguides.com/2017/06/12/ultimate-pfsense-openvpn-guide/

I have not been successful with Method 1. With Method 1, I get "page not found" errors and can't surf the web.

Method 2 is how I currently have it implemented and the author now recommends this method down in the comment section. I've searched the net trying to find how to get the results we both want and have played with the firewall rules myself without success. I make attempts at it from time to time when no one is around to complain about the internet being down. I would have thought someone would have figured this out by now on the pfSense forums on forums.netgate.com or on reddit.

What some people are doing is to use Cloudflare DNS over TLS. For this approach, select WAN as the outgoing interface. Then, paste the following in the Custom Options box:

Code:
# TCP is required for DNS over TLS
do-tcp: yes
forward-zone:
  name: "."                   # forward all queries
  forward-ssl-upstream: yes   # wrap upstream queries in TLS (newer Unbound also accepts forward-tls-upstream)
  forward-addr: 1.1.1.1@853   # Cloudflare resolver on the DoT port

Your DNS queries will go out the WAN interface encrypted to Cloudflare on port 853. Luckily, sites that need to determine geo location are using your IP address end point and not DNS to determine where you are. It seems to speed up my browsing as the DNS is more local and does not have to travel over my VPN tunnels to resolve.
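To confirm from a LAN client that queries really are answered over TLS on port 853 (and to see the length-prefixed framing Unbound uses when it forwards this way), here is a small DNS-over-TLS probe. This is an added example, not pfSense or Unbound code; the certificate name `cloudflare-dns.com` and the sample response bytes are assumptions constructed for the example.

```python
import socket
import ssl
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Wire-format DNS query (RD=1) for `name`, with the 2-byte length prefix DoT/TCP uses."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack(">HH", qtype, 1)  # QTYPE A, QCLASS IN
    return struct.pack(">H", len(msg)) + msg

def parse_a_records(msg):
    """Return IPv4 strings from the answer section of an unprefixed DNS response."""
    txid, flags, qd, an = struct.unpack(">HHHH", msg[:8])
    if flags & 0x000F:          # non-zero RCODE: no usable answer
        return []
    pos = 12
    for _ in range(qd):         # skip question section
        while msg[pos] != 0:
            pos += msg[pos] + 1
        pos += 1 + 4
    answers = []
    for _ in range(an):
        if msg[pos] & 0xC0 == 0xC0:   # compression pointer
            pos += 2
        else:
            while msg[pos] != 0:
                pos += msg[pos] + 1
            pos += 1
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return answers

def query_dot(name, server="1.1.1.1", port=853, hostname="cloudflare-dns.com"):
    """Resolve `name` over TLS, verifying the resolver certificate (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server, port), timeout=5) as raw, \
         ctx.wrap_socket(raw, server_hostname=hostname) as tls:
        tls.sendall(build_query(name))
        length = struct.unpack(">H", tls.recv(2))[0]
        data = b""
        while len(data) < length:
            chunk = tls.recv(length - len(data))
            if not chunk:
                break
            data += chunk
        return parse_a_records(data)

def constructed_response():
    """Constructed sample: answer 192.0.2.1 for example.com, for offline testing."""
    q = build_query("example.com")[2:]
    return (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + q[12:]
            + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    print(query_dot("example.com"))
```

If the probe succeeds but a leak test still shows a VPN-side resolver, the queries are not reaching Unbound's forward-zone at all; check which server the clients (or the Pi-hole) actually send to.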
 
Found a possible solution on the Netgate forum. https://forum.netgate.com/topic/134822/dns-leak-using-gateways-group/2

I have some of the rules in place. Too bad kachunkachunk did not post screen pics, though. Maybe a friendly request for pics? I have some other priorities right now. Hope to try this soon, though.

Also thought of asking the Lawrence Systems YouTube channel to do a video on the topic. He does a lot of pfSense videos that really helped me when I first started learning pfSense.
 
