# OpenVPN server & PF -> Client DNS lookup not working



## jbo (Mar 6, 2018)

Hi,

I have a running OpenVPN network with several clients and a server (all machines run FreeBSD 11 64-Bit). The machines can successfully talk to each other over the VPN. Where I'm hitting a wall is when it comes to gateway redirection: What I want is that the entire internet traffic of all OpenVPN clients is routed through that OpenVPN server. For this, I added/enabled the following lines in my OpenVPN server config:


```
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 8.8.8.8"
```

I have added this line to my OpenVPN client config:

```
redirect-gateway def1
```

After restarting all OpenVPN instances, I am able to ping a public IP address from a client through the server:


```
root@client:~ % ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=60 time=29.962 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=60 time=29.189 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=60 time=29.796 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=60 time=28.933 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 28.933/29.470/29.962/0.423 ms
```

`traceroute` confirms that the traffic is indeed being routed through the OpenVPN server (10.8.0.1):

```
root@client:~ # traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 40 byte packets
 1  10.8.0.1 (10.8.0.1)  22.585 ms  22.661 ms  22.555 ms
 2  80.74.128.21 (80.74.128.21)  23.333 ms  24.108 ms  22.632 ms
 3  195.143.102.237 (195.143.102.237)  23.173 ms  22.980 ms  22.795 ms
 4  212.23.43.238 (212.23.43.238)  27.905 ms  34.365 ms  34.623 ms
 5  74.125.50.93 (74.125.50.93)  33.874 ms  28.433 ms  28.529 ms
 6  108.170.251.193 (108.170.251.193)  29.994 ms * *
 7  216.239.59.113 (216.239.59.113)  28.318 ms
    72.14.232.61 (72.14.232.61)  28.218 ms
    216.239.56.159 (216.239.56.159)  29.904 ms
 8  8.8.8.8 (8.8.8.8)  28.477 ms  28.501 ms  28.576 ms
```

Looking at the client's /etc/resolv.conf I can see that the wrong nameservers are set:

```
root@client:~ # cat /etc/resolv.conf
# Generated by resolvconf
nameserver 84.22.106.7
nameserver 84.22.106.8
```

The client doesn't have any firewall enabled and the server runs pf with the following configuration:

```
vpnclients = "10.8.0.0/24"
wanint = "igb0"
vpnint = "tun0"

# OpenVPN by default runs on udp port 1194
udpopen = "{1194}"
icmptypes = "{echoreq, unreach}"

set skip on lo
# the essential line
nat on $wanint inet from $vpnclients to any -> $wanint

block in
pass in on $wanint proto udp from any to $wanint port $udpopen
# the following two lines could be made stricter if you don't trust the clients
pass out quick
pass in on $vpnint from any to any
pass in inet proto icmp all icmp-type $icmptypes

# SSH
pass in quick on $wanint proto tcp from any to any port ssh flags S/SA keep state
```

I'm out of guesses - any ideas?
Any help would be much appreciated.


----------



## jbo (Mar 11, 2018)

Everything works just fine and as expected if I manually change the nameservers in /etc/resolv.conf to 8.8.4.4 and 8.8.8.8. The reason for this is that my OpenVPN client is a VPS and the hoster has their own internal DNS. So when my client tries to make a DNS request it needs to do that through my OpenVPN server which cannot access the hoster's internal DNS.

So the only question is: Why does my OpenVPN server not overwrite the client's nameservers IPs properly?


----------



## ShelLuser (Mar 11, 2018)

Is there anything in /etc/dhclient.conf or does /etc/dhcp-options exist by any chance?

Most obvious possibility is that the clients were reconfigured to handle the DHCP requests differently.


----------



## jbo (Mar 12, 2018)

/etc/dhclient.conf exists but is empty.
/etc/dhcp-options does not exist.
The interface is set to static IP mode.


----------

