From my Android phone using openvpn and the ovpn config from my Sophos box, I can connect to my network.
I can get to my servers using their IP, but I cannot get hostnames to resolve.
In System > Administration I have DNS turned on for VPN
10.0.0.1 is my Sophos box and is also what my LAN uses as its gateway.
Sophos is my DHCP server.
I have a DNS server on 10.0.0.4 that is a Raspberry Pi running Pi-hole. It is configured to pass local name resolution to the Sophos box.
My VPN Settings:
Any idea what I am doing wrong?
Hi Joe,
The issue seems to be with your connection to the Pi-hole DNS server. Is the 10.0.0.4 IP included in the Permitted network resources?
So, I can access 10.0.0.4 from my phone while connected to the VPN. So wouldn't that mean it's accessible?
The configuration is correct, and you should be able to access it.
Since you mentioned that you're accessing it through your phone, can you also try connecting to the VPN using a PC to see if you experience the same issue? On a PC you can issue an nslookup and confirm whether the DNS server responds to you.
You can also try creating a firewall rule with source LAN to destination VPN just to be sure.
With "local ACL" you allow access to the firewall's DNS service.
You need an additional firewall rule to access DNS on 10.0.0.4. Do you have such a rule?
Dirk
Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Like this?
Doesn't seem to change anything so maybe I did this wrong?
This allows access to the DNS service of the firewall.
If you use the firewall IP for DNS, this may work.
If you wish to use a different DNS server, you need a firewall rule (not a local ACL) to allow this access.
Create a LOG-and-DROP rule at the end of your firewall rule set and check for dropped packets.
Dirk
The first part of what you said makes sense...
for the second part... Is that rule not already created?
Yes, these rules should allow access to the Pi-hole.
If you enable logging, you can check this.
Dirk
Rule 16 looks good.
.. but no hits ... :-(
You may use a DNS test tool on your phone, or connect a Windows device and use nslookup.
Check the firewall log again to see if there is traffic from the VPN network on port 53.
Which browser do you use? Possibly the browser uses its own DNS.
Is the Sophos firewall the gateway for all devices in your network (Pi-hole too)?
Dirk
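A small DNS probe, added here as an example (it is not from the thread and not a Sophos or Pi-hole tool), that does the nslookup-style check Dirk describes: it sends one A query over UDP to each resolver and reports whether the server answered, returned an error code, or timed out. The resolver addresses come from Joe's description (10.0.0.1 firewall, 10.0.0.4 Pi-hole); the hostname pihole.lan and the embedded reply bytes are constructed for the example. If 10.0.0.1 answers from the VPN but 10.0.0.4 times out, the firewall rule for UDP/53 to the Pi-hole is the first thing to check, since being able to reach 10.0.0.4 in a browser does not prove that DNS traffic is allowed.

```python
import socket
import struct

# Constructed DNS reply (not captured from the poster's network): answers
# "pihole.lan" with A 10.0.0.4, transaction id 0x1234, RCODE 0 (NOERROR).
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # header: QR=1, RD, RA, qd=1, an=1
    b"\x06pihole\x03lan\x00\x00\x01\x00\x01"              # question: pihole.lan A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04"   # answer: name ptr, A, IN, TTL 60, len 4
    b"\x0a\x00\x00\x04"                                   # rdata: 10.0.0.4
)

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid=0x1234):
    """Encode a single A/IN question with the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels = []
    end = None  # set when a compression pointer is followed
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset if end is None else end


def parse_response(data):
    """Return transaction id, RCODE and the A-record addresses in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                       # skip the question section
        _, offset = _read_name(data, offset)
        offset += 4                           # QTYPE + QCLASS
    addresses = []
    for _ in range(an):
        _, offset = _read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:         # A record
            addresses.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "rcode": flags & 0x000F, "answers": addresses}


def classify(result):
    """Turn a parsed reply (or None for no reply) into a one-word diagnosis."""
    if result is None:
        return "timeout"                      # no reply at all: suspect firewall rule or route
    if result["answers"]:
        return "answered"
    return RCODE_NAMES.get(result["rcode"], "rcode-%d" % result["rcode"])


def probe(server, name, timeout=2.0):
    """Send one UDP query to server:53 and classify the outcome."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return {"server": server, "status": classify(None), "answers": []}
    parsed = parse_response(data)
    return {"server": server, "status": classify(parsed), "answers": parsed["answers"]}


if __name__ == "__main__":
    # Run from a client connected to the VPN: compare the firewall's own
    # resolver (10.0.0.1) with the Pi-hole (10.0.0.4). Hostname is an assumption.
    for resolver in ("10.0.0.1", "10.0.0.4"):
        print(resolver, probe(resolver, "pihole.lan"))
```

Run it while connected to the VPN and read the two lines together: "answered" from both means DNS itself is fine and the client is simply not using the pushed resolver; "answered" from 10.0.0.1 with "timeout" from 10.0.0.4 matches Dirk's point that the local ACL only opens the firewall's own DNS service, and the LOG-and-DROP rule he suggests should then show the dropped UDP/53 packets.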
Just a crazy idea, but have you tried another VPN client? I've used OpenVPN client for years now, and a while back (v20?) I could no longer get DNS. I wasn't using it for a while, but got back to it recently (v21 beta, maybe v20) and tried using the Tunnelblick client (on a Mac) and suddenly DNS works. Same ovpn file, same everything on the firewall, but now it works. I wonder if the OpenVPN client has a bug -- at least in terms of using an older ovpn file.