Openvpn – Get OpenVPN clients names to resolve through dnsmasq

dnsmasqopenvpn

I have a PFSense box running as an OpenVPN server. There are several remote devices that connect through the VPN (as tap devices).

The VPN stuff is working, I can access the remote hardware by looking up the IP assigned to each device on the PFSense router.

What I'd like is to have it so I can resolve the remote hardware addresses via DNS while on the local network. Note that this is only local-network -> remote-device (they're backup boxes). I don't need to have the remote devices resolve using the local DNS forwarding agent.

I have the rest of the devices on the network that need to be accessible via DNS report their name during the DHCP process. However, the IP assignment for OpenVPN tap clients, while it is dynamic (which is why I need DNS), does not seem to use the local DHCP server.

How can I have my openvpn server add information for it's clients to the dnsmask resolver? Is this setup even reasonable (I'm not familiar with openVPN at all)?

Best Answer

You need to push the routes from the server to the clients.

I have never used pfsense but on the openvpn client.

You'd do

push "redirect-gateway def1 bypass dhcp"

Related Solutions

Ubuntu – OpenVPN: Not all DNS entries get pushed to clients from server. (dnsmasq)

I think your setup is going to break or not work:

Your OpenVPN client configuration uses server.foo.com's public address to connect to the OpenVPN server. This address will be looked up prior to establishing the VPN tunnel, obviously.

You're trying to push a DNS entry for server.foo.com with a OpenVPN IP after the tunnel is established with the dnsmasq config. Either the OpenVPN client ignores it (since it already knows about server.foo.com as it had to look it up to establish the tunnel) or it will respect it, and then drop the tunnel because the OpenVPN client configuration will point to a now nonexistent IP address. The latter may likely happen during your OpenVPN session, depending on the TTL of the DNS server for server.foo.com's public IP.

TL;DR: you are basically trying to tell your client conflicting information about server.foo.com. I can't think of a good way to do what you have in mind. An alternative might be to set up a second DNS entry A record vpnserver.foo.com which points to the same IP as server.foo.com, and then change your OpenVPN config to use that.

OpenVPN bridge: remote clients don’t see local

The most likely you forgot to enable forwarding. Add net.ipv4.ip_forward=1 to /etc/sysctl.conf, then sysctl -p or restart. Also try to add following to OpenVPN config:

server-bridge 172.20.200.2 255.255.255.0 172.20.200.100 172.20.200.200
push "route 172.20.200.0 255.255.255.0"

Note that adding interface to bridge, sets promisc flag appropriately. Bridge interface need not to be in promisc mode.

I got the same setup running, but on OpenSUSE, TAP interfaces are created during startup and OpenVPN just opens them - no start/stop script in OpenVPN.

Best Answer

Related Solutions

Ubuntu – OpenVPN: Not all DNS entries get pushed to clients from server. (dnsmasq)

OpenVPN bridge: remote clients don’t see local

Related Topic