Firewalla Gold - Set DNS Server for VPN Connection

Comments

18 comments

  • Chris Dillard

    Hey Keith, did you ever find a solution? I just got my gold up and running and I'm facing a similar challenge.

    0
  • Support

    This is not supported in the current app, although the DNS server on the VPN server is customizable at the backend on Gold box. We will make this configurable in the app in our future app release.

    1
  • Justin Morrell

    So happy to hear this will be configurable in the app. Exactly what I was looking for!

    0
  • Andy brown

    Thumbs up from me on the customizable DNS for VPN in the app.

    0
  • Mstormo

    Also important to note is that if you're not forcing all traffic through the VPN connection (split traffic/you only pass traffic with a destination within the VPN network through the VPN connection), then the Interface Metric/priority order becomes important.

    To ensure you use the VPN DNS server in this case, the VPN interface must have a lower Metric number/priority order than your default network connection.

    If you force all traffic through the VPN, it shouldn't matter.

    See https://www.windowscentral.com/how-change-priority-order-network-adapters-windows-10

    0
  • Andy brown

    I added dhcp-option DNS 172.X.X.X into the downloaded OpenVPN cert, but it didn’t work.

    Now I figured out the server side and changed that to point to 172.0.0.2 instead of the ISP DNS.

    Still doesn’t work....

    Maybe getting closer.

    0
  • Mstormo

    If this is on a Windows machine, when the VPN interface is up, follow the guide above, and set the priority to 5 as shown, and see if that helps.

    Next time, Windows will remember your priority, so you only have to do it once.

    0
  • Andy brown

    No, I’m not on Windows.

    0
  • Shawn H

    @Andy Brown

    You can change the "push dhcp-option DNS 172.X.X.X" in the server.conf and it will work after you restart the service.

    Only issue is it does not stick after a reboot...

    sudo nano openvpn/server.conf

    Find the push dhcp-option line and change it.

    Write changes and exit.

    sudo service openvpn restart

    1
  • Andy brown

    @Shawn I believe that that file pulls the DNS from ~/firewalls/vpn/server_config.txt

    I did change that file to point to my Pi-hole DNS and the openvpn/server.conf automatically updated itself to the new setting.  I restarted but still it didn’t work.

    Did you get it to work over VPN?

    0
  • Shawn H

    @Andy, yes, mine is working fine. I have a copy of my server.conf in /home/pi/.firewalla/config; that is where stuff sticks. So on reboot I have it copy the server.conf from there back to /home/pi/opnvpn, restart the openvpn service, and away it goes.

    I have other customizations in the server.conf, like not routing all traffic and pushing routes, as well as using Firewalla as the DNS server. All seems to be taking effect....

    0
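The two posts above describe the same manual routine: edit the `push dhcp-option DNS` line in server.conf, restart the service, and keep a saved copy of the file to copy back after a reboot because the live config does not persist. The script below is an added example (not Firewalla's code and not any poster's own script) that does that routine in a repeatable way. It assumes the paths named in the thread, /home/pi/openvpn/server.conf for the live config and /home/pi/.firewalla/config/server.conf for the persistent copy, both overridable by environment variable; it also uses OpenVPN's actual syntax, which puts the pushed option in double quotes (`push "dhcp-option DNS ..."`), while still matching an unquoted line if one is already present. The address is validated before anything is written so a typo cannot end up being pushed to every VPN client.

```shell
#!/bin/sh
# Added example, not from Firewalla or the thread's posters.
# Sets the DNS server that the OpenVPN server pushes to clients, keeps a
# persistent copy of server.conf, and can restore it after a reboot.
set -eu

# Assumed locations (taken from the thread); override with env vars.
LIVE_CONF="${LIVE_CONF:-/home/pi/openvpn/server.conf}"
SAVED_CONF="${SAVED_CONF:-/home/pi/.firewalla/config/server.conf}"

# valid_ipv4 ADDR: succeed only for a dotted-quad IPv4 address.
valid_ipv4() {
  printf '%s' "$1" | grep -Eq \
    '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# set_push_dns FILE ADDR: rewrite every existing "push dhcp-option DNS" line
# (quoted or not) to the new address, or append one if the file has none.
# The file is replaced atomically via a temp file, so a failed run leaves
# the original untouched.
set_push_dns() {
  conf="$1"; dns="$2"
  valid_ipv4 "$dns" || { echo "refusing invalid DNS address: $dns" >&2; return 1; }
  tmp="$conf.tmp.$$"
  if grep -Eq '^[[:space:]]*push[[:space:]]+"?dhcp-option[[:space:]]+DNS[[:space:]]' "$conf"; then
    sed -E "s|^[[:space:]]*push[[:space:]]+\"?dhcp-option[[:space:]]+DNS[[:space:]]+[^\"]*\"?[[:space:]]*\$|push \"dhcp-option DNS $dns\"|" \
      "$conf" > "$tmp"
  else
    { cat "$conf"; printf 'push "dhcp-option DNS %s"\n' "$dns"; } > "$tmp"
  fi
  mv "$tmp" "$conf"
}

# get_push_dns FILE: print the address currently pushed, one per line.
get_push_dns() {
  sed -nE 's/^[[:space:]]*push[[:space:]]+"?dhcp-option[[:space:]]+DNS[[:space:]]+([0-9.]+)"?.*$/\1/p' "$1"
}

# restore_saved_conf SAVED LIVE: copy the persistent config back over the
# live one (the step the thread runs at boot). Fails if no saved copy exists.
restore_saved_conf() {
  [ -f "$1" ] || return 1
  cp "$1" "$2"
}

# Usage: sh set-vpn-dns.sh 172.16.0.2
#   Edits the live config, saves a copy, and restarts the OpenVPN service.
# Usage: sh set-vpn-dns.sh --restore
#   Copies the saved config back and restarts (for a boot-time hook).
if [ "$#" -ge 1 ]; then
  if [ "$1" = "--restore" ]; then
    restore_saved_conf "$SAVED_CONF" "$LIVE_CONF"
  else
    set_push_dns "$LIVE_CONF" "$1"
    mkdir -p "$(dirname "$SAVED_CONF")"
    cp "$LIVE_CONF" "$SAVED_CONF"
  fi
  sudo service openvpn restart
fi
```

Note that this only changes what the server pushes; as the thread points out, a client that still resolves names through another interface (because of interface metrics, or because not all traffic is routed over the VPN) will not reach the pushed resolver, and the client log showing the new DNS does not by itself prove queries are going there.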
  • Andy brown

    Thanks, I will give it another try. Probably when they release the next version.

    0
  • Andy brown

    I had another go at getting VPN traffic through my Pi-hole DNS. Changed the push DNS option, restarted the VPN server. Reconnected to VPN and the client log file shows the new DNS. But still no traffic is being directed through Pi-hole. What am I doing wrong? This is more annoying than essential, but it's bugging the hell out of me. I even regenerated the VPN client files and tried again, but no luck. Pi-hole is working correctly in all other options. Are there any rules I need to set or something I missed on the backend setup?

    Thanks

    0
  • Andy brown

    @Shawn H. Update on VPN through Pi-hole. So I had Pi-hole on a separate machine, just because... no real reason, playing around with containers and Docker. Never got the VPN working through Pi-hole. Now it's moved onto the Gold as per the instructions and now it all works once I changed the settings as you indicated and restarted the VPN.

    1
  • Shawn H

    Glad to help.

    0
  • Danny Natale

    Thanks @shawn h. I followed your directions and now my VPN client is working great.

    0
  • Yoav freiberger

    I ran into this thread and have noticed quite a few issues because of the fact that the UI does not allow changing VPN DNS (for third-party VPN in my case), that there is no way to set metrics, and even static routes do not allow that. Is there still a plan to allow manually changing those in the UI?

    0
  • Yoav freiberger

    Btw, I realized lately that when you set up routes via VPN, it not only uses the VPN DNS for that route, it will force all consequent traffic, including through your ISP gateway, through that exact first DNS/VPN provider forever and ever. This is because there's a fundamental flaw, or the system is designed around disparate ideas, as has come up in this discussion among others. When you don't realize that a route is part of a rule and everything that applies to a rule applies to the route, including hierarchy, that means you also ignore the relationship between the route and the relevant DNS. And consequently, because all this traffic is forced through VPN, you'll end up with the result that has been the reason behind what was described in this thread: that really you are locking all traffic to the first DNS regardless of whether it even has to go through VPN or not. If you don't force all traffic through DNS for a VPN connection, because there is no metrics concept here that is absolute, meaning there really is no way to force traffic other than through the DNS in case the connection goes down, and no real kill switch, then we are left with this result. It has many other implications, for example if you want to connect a specific device to one DNS on a specific network and to another on another network through the use of DNS over HTTPS for only part of the networks; for this to work you realize that you cannot do it, because this is also flatly defined per device. There are multiple examples, but you get the idea. I hope I am not a little obscure sometimes.

    0