
No local DNS when connected to SSL VPN

From my Android phone using openvpn and the ovpn config from my Sophos box, I can connect to my network.

I can get to my servers from using their IP, but I cannot get hostnames to resolve.

In System > Administration I have DNS turned on for VPN

10.0.0.1 is my sophos box and also how my LAN uses for gateway.

Sophos is my DHCP server.

I have a DNS server on 10.0.0.4 that is a raspberry pi running pi-hole.  It is configured to pass local name resolution to the sophos box.

My VPN Settings:

Any idea what I am doing wrong?

  • With "local ACL" you allow access to the firewall's DNS service.

    You need an additional firewall rule to access DNS on 10.0.0.4. Do you have such a rule?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Like this?

    Doesn't seem to change anything so maybe I did this wrong?

  • This allows access to the DNS service of the firewall.
    If you use the firewall IP for DNS, this may work.

    If you wish to use a different DNS server, you need a firewall rule (not a local ACL) to allow this access.

    Create a LOG-and-DROP rule at the end of your firewall rule set and check for dropped packets.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • The first part of what you said makes sense...

    for the second part... Is that rule not already created?

  • Yes, these rules should allow access to the Pi-hole.
    If you enable logging, you can check this.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • Rule 16 looks good.
    .. but no hits ... :-(

    You may use a DNS test tool on your phone, or connect a Windows device and use nslookup.

    Check the firewall log again to see whether you see traffic from the VPN network on port 53.

    Which browser do you use? Possibly the browser uses its own DNS.

    Is the Sophos firewall the gateway for all devices in your network (Pi-hole too?)


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
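One way to run the nslookup-style check suggested above from a VPN client, as an added example that is not from the thread or from Sophos: this script sends a raw DNS A query to both the firewall (10.0.0.1) and the Pi-hole (10.0.0.4) and reports how each responds, so a timeout (usually a dropped packet, i.e. the missing firewall rule discussed here) can be told apart from a resolver that is reachable but answers NXDOMAIN or REFUSED. The hostname server.lan is a constructed placeholder.

```python
import socket
import struct

# Resolver addresses taken from the thread; the hostname below is constructed.
RESOLVERS = {"firewall": "10.0.0.1", "pihole": "10.0.0.4"}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid=0x1234):
    """Build a minimal DNS A/IN query with the RD bit set (no library needed)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def classify_response(data, txid=0x1234):
    """Return (rcode name, answer count) from a raw DNS response."""
    if len(data) < 12:
        return "MALFORMED", 0
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # wrong ID or QR bit not set
        return "MALFORMED", 0
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode), an


def probe(server, name, timeout=2.0):
    """Send the query over UDP/53. A TIMEOUT usually means the packet was
    dropped in transit (e.g. no firewall rule from the VPN zone to the
    resolver), whereas NXDOMAIN/REFUSED prove the resolver is reachable."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "TIMEOUT", 0
    return classify_response(data)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "server.lan"
    for label, ip in RESOLVERS.items():
        rcode, answers = probe(ip, host)
        print(f"{label:9s} {ip:10s} {rcode:10s} answers={answers}")
```

Run it while connected to the SSL VPN; a TIMEOUT only for the Pi-hole points at the firewall rule, a TIMEOUT for both points at the VPN itself.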
