Firewalla Gold - Set DNS Server for VPN Connection
Hi all,
I recently installed my new Firewalla gold, which I'm loving. I got it running with no issues whatsoever. However, my current challenge is this:
I have a virtual server environment within my network, which hosts about 20 or so servers. I also have a Raspberry Pi running Pi-hole on the network, on which I run a DNS redirect for those servers.
I was able to configure the DNS server for each LAN network currently connected to the Gold device; however, there is no option to set the DNS server for the VPN so it redirects through the Raspberry Pi. So, when I'm not within my network and VPN'ing in, none of my services are working since it's not obtaining the local DNS. I've tried adding to the Client VPN configuration the "dhcp-option DNS X.X.X.X" with the Pi's IP address, but it uses that in addition to my ISP's default DNS server, so it's not forcing traffic to the Pi.
Can anyone help troubleshoot so I can configure the VPN service to route all traffic through the Pi?
Many, many thanks.
-
Also important to note is that if you're not forcing all traffic through the VPN connection (split traffic/you only pass traffic with a destination within the VPN network through the VPN connection), then the Interface Metric/priority order becomes important.
To ensure you use the VPN DNS server in this case, the VPN interface must have a lower Metric number/priority order than your default network connection.
If you force all traffic through the VPN, it shouldn't matter.
See https://www.windowscentral.com/how-change-priority-order-network-adapters-windows-10
-
@Andy Brown
You can change the "push dhcp-option DNS 172.X.X.X" in the server.conf and it will work after you restart the service.
Only issue is it does not stick after a reboot...
sudo nano openvpn/server.conf
find line push dhcp-option and change it.
write changes and exit.
sudo service openvpn restart
-
@Andy, yes, mine is working fine. I have a copy of my server.conf in /home/pi/.firewalla/config. That is where stuff sticks. So on reboot I have it copy the server.conf from there back to /home/pi/openvpn, restart the openvpn service and away it goes.
I have other customizations in the server.conf, like not routing all traffic and pushing routes, as well as using Firewalla as the DNS server. All seem to be taking effect....
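The two posts above describe one procedure: change the pushed DNS line in server.conf, restart the service, and copy a saved server.conf back into place at boot so the change survives. The script below is an added example written for this thread; it is not Firewalla's code and not any poster's. It assumes the paths named in the thread (/home/pi/openvpn/server.conf as the live file, /home/pi/.firewalla/config/server.conf as the saved copy) and OpenVPN's own quoted syntax for the option, push "dhcp-option DNS <ip>". It also adds a check for the split-tunnel case the first post ran into, where a resolver is pushed but nothing makes the client prefer it over the ISP's.

```shell
#!/bin/sh
# Added example, not code from Firewalla or from any poster in this thread.
# Assumptions (taken from the thread): the live OpenVPN config is
# /home/pi/openvpn/server.conf and a copy kept in
# /home/pi/.firewalla/config/server.conf survives reboots.
# OpenVPN's own syntax for the pushed resolver is: push "dhcp-option DNS <ip>"

LIVE_CONF="${LIVE_CONF:-/home/pi/openvpn/server.conf}"
SAVED_CONF="${SAVED_CONF:-/home/pi/.firewalla/config/server.conf}"

# set_push_dns FILE IP: rewrite the pushed DNS line in FILE (add it if absent).
# Rejects anything that is not a dotted quad (loose check: digits and single
# dots only) so a typo cannot leave the config unparsable.
set_push_dns() {
  file="$1"; ip="$2"
  case "$ip" in
    ""|*[!0-9.]*|*..*|.*|*.) echo "set_push_dns: invalid IPv4 '$ip'" >&2; return 1 ;;
  esac
  if grep -q '^push "dhcp-option DNS ' "$file"; then
    # Write to a temp file and move it into place: portable, and never leaves
    # a half-written server.conf if the shell is interrupted.
    sed "s/^push \"dhcp-option DNS [0-9.]*\"/push \"dhcp-option DNS $ip\"/" "$file" > "$file.tmp" \
      && mv "$file.tmp" "$file"
  else
    printf 'push "dhcp-option DNS %s"\n' "$ip" >> "$file"
  fi
}

# pushed_dns FILE: print the resolver(s) currently pushed to clients.
pushed_dns() {
  sed -n 's/^push "dhcp-option DNS \([0-9.]*\)".*/\1/p' "$1"
}

# dns_leak_risk FILE: succeed (exit 0) when a resolver is pushed but nothing
# in the config forces clients to use it: no redirect-gateway push and no
# block-outside-dns push. That is the split-tunnel situation from the thread,
# where the client keeps its ISP resolver next to the pushed one.
dns_leak_risk() {
  file="$1"
  grep -q '^push "dhcp-option DNS ' "$file" || return 1
  grep -q '^push "redirect-gateway' "$file" && return 1
  grep -q '^push "block-outside-dns"' "$file" && return 1
  return 0
}

# restore_saved_conf: the boot-time step from the thread - copy the saved
# config over the live one and restart the service. Needs the real paths and
# root, so it is not exercised by the self-test.
restore_saved_conf() {
  [ -f "$SAVED_CONF" ] || { echo "no saved config at $SAVED_CONF" >&2; return 1; }
  sudo cp "$SAVED_CONF" "$LIVE_CONF" && sudo service openvpn restart
}
```

Run `set_push_dns "$SAVED_CONF" <pi-ip>` once against the saved copy, then `restore_saved_conf` (and the same call from whatever runs at boot). If `dns_leak_risk "$SAVED_CONF"` succeeds afterwards, clients connecting in split-tunnel mode can still resolve through their own ISP resolver, which is the interface-metric point raised earlier in the thread.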
-
I had another go at getting VPN traffic through my Pi-hole DNS. Changed the push DNS option, restarted the VPN server. Reconnected to the VPN and the client log file shows the new DNS. But still no traffic is being directed through Pi-hole. What am I doing wrong? This is more annoying than essential, but it's bugging the hell out of me. I even regenerated the VPN client files and tried again, but no luck. Pi-hole is working correctly in all other respects. Are there any rules I need to set, or something I missed on the backend setup?
Thanks
-
@Shawn H. Update on VPN through Pi-hole. So I had Pi-hole on a separate machine, just because... no real reason, playing around with containers and Docker. Never got the VPN working through Pi-hole. Now it's moved onto the Gold as per the instructions, and now it all works once I changed the settings as you indicated and restarted the VPN.
-
I ran into this thread and have noticed quite a few issues because of the fact that the UI does not allow changing the VPN DNS (for a third-party VPN in my case), that there is no way to set metrics, and that even static routes do not allow that. Is there still a plan to allow changing those manually in the UI?
-
Btw, I realized lately that when you set up routes via VPN, it not only uses the VPN DNS for that route, it will force every subsequent traffic, including through your ISP gateway, through that exact first DNS/VPN provider forever and ever. This is because there's a fundamental flaw, or the system is designed around disparate ideas, as has come up in this discussion among others. When you don't realize that a route is part of a rule and everything that applies to a rule applies to the route, including hierarchy, that means you also ignore the relationship between the route and the relevant DNS. And consequently, because all this traffic is forced through the VPN, you'll end up with the result that has been the reason behind what was described in this thread: that really you are locking all traffic to the first DNS regardless of whether it even has to go through the VPN or not. If you don't force all traffic through DNS for a VPN connection, because there is no metrics concept here that is absolute, meaning there really is no way to force traffic other than through the DNS in case the connection goes down, and no real kill switch, then we are left with this result. It has many other implications; for example, if you want to connect a specific device to one DNS on a specific network and another on another network through the use of DNS over HTTPS for only part of the networks, you realize that you cannot do it because this is also flatly defined per device. There are multiple examples, but you get the idea. I hope I am not a little obscure sometimes.