Apparently it’s quite hard to set up a site-to-site VPN connection *and* resolve DNS names over that tunnel. Lots of googling and silly advice later, it turns out it’s not half as complicated as many make it seem. It’s actually stupidly simple if you use pfSense (www.pfsense.com).

Wait what?

A VPN (Virtual Private Network) links networks together over an untrusted network such as the public internet. For many people it also serves as a secure connection to the office servers while they’re on the road.
VPNs come in various shapes and sizes (OpenVPN, IPsec, L2TP, PPTP and some variants; PPTP is listed only for completeness, its authentication is broken and it should not be used for anything new). In this article we’ll be using OpenVPN. The same can be done with IPsec if you prefer, and in some situations that is preferable to OpenVPN. Here we focus on OpenVPN.

Site-to-site means connecting two or more sites (locations) together. For example, if you have two offices, each with its own computer network, and you want to link them through a secure connection over the public internet.

And DNS resolving is translating domain names (hostnames) to IP addresses. You typed meandmymac.net to get to this site; that name was translated to an actual address. That’s what DNS does. On larger networks it’s preferable to use DNS, as names are much easier to remember than IP addresses.

Basically, what we’re going to do is link the two networks through a third, small, encrypted network (the VPN tunnel) that routes between them.
Once that is working we’ll create a domain override in each pfSense machine, so that names belonging to the other site are resolved by the DNS forwarder over there.

Prerequisites

  • Two separate networks in different, non-overlapping subnets, preferably at physically different locations.
  • Two computers with pfSense 2.1 installed as your UTM/gateway (one at each location).
  • A DNS domain set up for each location (the domain configured on that location’s pfSense); the two domains must differ, otherwise an override cannot tell the sites apart.
  • Reasonably fast internet at both locations.
  • Basic networking skills and understanding.

Assumptions

  • pfSense is installed and working on both computers acting as the firewall/gateway.
  • Both networks are working.
  • Network 1 is set up as 172.20.0.0/24, where 172.20.0.1 is the gateway, DNS server and pfSense machine.
  • Network 2 is set up as 10.0.0.0/24, where 10.0.0.1 is the gateway, DNS server and pfSense machine.
  • The OpenVPN tunnel will be 10.0.3.0/30, where 10.0.3.1 is the server end (assigned automatically) and 10.0.3.2 the client end.

Server side

OpenVPN works as client/server: each remote location connects to a central point, the OpenVPN server, and traffic between sites passes through it. This differs from IPsec, where any two sites can have their own tunnel (a mesh).
In my setup, Network 2 is the server.

OpenVPN Server

In the pfSense web interface navigate to VPN > OpenVPN > Server and click the little + icon to add a new server.
Fill in the settings as shown in the screenshot.
[Screenshot: OpenVPN server settings]

Notes

- Use any encryption algorithm you prefer (I just went with the default), but note which one it is: the client must use the same one.
- For the shared key, leave the “automatically generate” box ticked. After you save the OpenVPN instance you can edit it and copy the key. You’ll need this key at the remote location.
- The suggested tunnel network is 10.0.8.0/24, which is perfectly fine. I went with a /30 since I have only one remote location; in shared-key mode only the first two addresses are used anyway.
- Set the IPv4 Remote Network to the client site’s LAN, 172.20.0.0/24. Without it the tunnel comes up but no traffic is routed into it.
- There are some more options below (outside) the screenshot; they can all be left blank.

Save the OpenVPN instance. Click the little edit ([e]) icon and copy the shared key to a text file. Treat it like a password: anyone holding this key can join the tunnel, and because static-key mode has no forward secrecy, a key that leaks later also lets an eavesdropper decrypt traffic captured earlier. Move it to the other site over a secure channel, not by plain email.

DNS Forwarder

Next navigate to Services > DNS Forwarder, scroll all the way down and click the little + icon under Domain Overrides to add a new one:
[Screenshot: domain override on the server]

Notes

- Domain: the DNS domain of the remote location (Network 1).
- IP address: the LAN address of the remote pfSense, 172.20.0.1, which runs the DNS forwarder over there. It is only reachable once the tunnel is up, which is fine.
- Use any description you like.

Click save.

That completes the server configuration. What remains is the firewall: add a WAN rule that passes inbound UDP port 1194 (OpenVPN’s default; match the protocol and port you chose in the server settings) to the WAN address. If the client site has a fixed public IP, set it as the rule’s source so that only that site can even attempt a connection.
[Screenshot: WAN firewall rule passing UDP 1194]

You also need rules on the OpenVPN interface (pfSense adds this tab under Firewall > Rules once an OpenVPN instance exists); without a pass rule there, everything arriving through the tunnel is dropped. Allow what the sites need from each other. At minimum, DNS (port 53) to the pfSense LAN address must be passed, or the domain override will not work.
[Screenshot: firewall rules on the OpenVPN interface]
I’m not entirely sure if the DHCP block is required, but better safe than sorry.

Client side

The client side, as you’d expect, needs to log in to your OpenVPN server. This is done using the server’s address, the shared key and a handful of settings that must match the server.

OpenVPN client

In the pfSense web interface navigate to VPN > OpenVPN > Client and click the little + icon to add a new client.
Fill in the settings as shown in the screenshots.
[Screenshot: OpenVPN client settings, part 1]

[Screenshot: OpenVPN client settings, part 2]

Notes

- Server host or address is the server’s external (WAN) IP address or hostname.
- Use any description you like.
- For the shared key, untick the “automatically generate” box and paste the shared key you copied from the OpenVPN server.
- Make sure the encryption algorithm, protocol, port and tunnel network match those of the server, and set the IPv4 Remote Network to the server site’s LAN, 10.0.0.0/24.

Click save.

DNS Forwarder

Navigate to Services > DNS Forwarder, scroll all the way down and click the little + icon under Domain Overrides to add a new one:
[Screenshot: domain override on the client]

Notes

- Domain: the DNS domain of the server location (Network 2).
- IP address: 10.0.0.1, the LAN address of the server-side pfSense.
- Use any description you like.

Save your override.

Here too, the rules on the OpenVPN interface are needed, or replies from the server site are blocked. A WAN rule for port 1194 is not strictly required on the client: the client initiates the connection outbound and pfSense’s stateful firewall lets the replies back in. If you add one anyway, restrict its source to the server’s public address.
[Screenshot: WAN firewall rule for OpenVPN]

[Screenshot: firewall rules on the OpenVPN interface]

If all went right, you should see the tunnel as up on both ends under Status > OpenVPN, similar to this.
[Screenshot: Status > OpenVPN showing the tunnel up]

If the connection does not come up, check that the settings match on both sides (protocol, port, encryption algorithm, shared key, tunnel network) and look at Status > System Logs > OpenVPN for errors. If the tunnel is up but nothing gets through, the Remote Network fields or the OpenVPN interface firewall rules are the usual suspects.
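As an added cross-check (example code written for this page, not pfSense’s own), the script below takes the three subnets from the Assumptions section, refuses overlapping ones, and derives what each pfSense form must contain: the tunnel address each side gets, the Local/Remote Network fields, and the domain override for the other site. It also prints the raw OpenVPN static-key directives and the dnsmasq `server=/domain/ip` line that are equivalent to those GUI settings, which helps when reading the OpenVPN log. The site domains (site1.example, site2.example) and the server’s public hostname are assumed placeholders, not values from the page.

```python
"""Cross-check of the two-site addressing plan and the settings both
pfSense boxes must agree on.

Added example for this page, not code from pfSense. Subnets come from the
Assumptions section; the site domains and the server's public hostname
are placeholders (assumed, not from the page).
"""
import ipaddress
from dataclasses import dataclass

OPENVPN_PORT = 1194  # pfSense default: UDP 1194


@dataclass
class Site:
    name: str
    lan: str       # LAN subnet, e.g. "10.0.0.0/24"; pfSense is its first host
    domain: str    # DNS domain configured on that site's pfSense (placeholder)
    wan: str = ""  # public address or hostname; only the server site needs it


def gateway_of(lan: str) -> str:
    """First usable address of the LAN: the pfSense LAN IP per the assumptions."""
    return str(next(ipaddress.ip_network(lan).hosts()))


def check_plan(server: Site, client: Site, tunnel: str) -> dict:
    """Validate the three subnets and derive what each side's form must hold.

    Raises ValueError when any two subnets overlap (the classic case where the
    tunnel comes up but nothing routes) or when the tunnel network has fewer
    than two usable addresses. Shared-key mode uses only the first two
    addresses of the tunnel network: the server gets .1, the client .2.
    """
    nets = {
        f"{server.name} LAN": ipaddress.ip_network(server.lan),
        f"{client.name} LAN": ipaddress.ip_network(client.lan),
        "tunnel": ipaddress.ip_network(tunnel),
    }
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    tun = nets["tunnel"]
    if tun.prefixlen > 30:
        raise ValueError(f"tunnel {tun} has fewer than two usable addresses")
    hosts = tun.hosts()
    server_ip, client_ip = str(next(hosts)), str(next(hosts))
    return {
        "server": {  # VPN > OpenVPN > Server form
            "tunnel_network": str(tun),
            "local_network": server.lan,
            "remote_network": client.lan,
            "tunnel_ip": server_ip,
            "peer_ip": client_ip,
            "server_host": server.wan,
            "dns_override": (client.domain, gateway_of(client.lan)),
        },
        "client": {  # VPN > OpenVPN > Client form
            "tunnel_network": str(tun),
            "local_network": client.lan,
            "remote_network": server.lan,
            "tunnel_ip": client_ip,
            "peer_ip": server_ip,
            "server_host": server.wan,
            "dns_override": (server.domain, gateway_of(server.lan)),
        },
    }


def render(side: dict, role: str) -> str:
    """Raw OpenVPN static-key and dnsmasq directives equivalent to one side."""
    remote = ipaddress.ip_network(side["remote_network"])
    domain, dns_ip = side["dns_override"]
    peer_line = (f"port {OPENVPN_PORT}" if role == "server"
                 else f"remote {side['server_host']} {OPENVPN_PORT}")
    return "\n".join([
        f"# openvpn {role}: static-key mode (key file name is a placeholder)",
        "dev tun",
        "proto udp",
        peer_line,
        "secret static.key",
        f"ifconfig {side['tunnel_ip']} {side['peer_ip']}",
        f"route {remote.network_address} {remote.netmask}",
        "",
        "# dnsmasq line that the DNS Forwarder domain override produces",
        f"server=/{domain}/{dns_ip}",
    ])


if __name__ == "__main__":
    plan = check_plan(
        Site("Network 2", "10.0.0.0/24", "site2.example", wan="vpn.site2.example"),
        Site("Network 1", "172.20.0.0/24", "site1.example"),
        "10.0.3.0/30",
    )
    for role in ("server", "client"):
        print(render(plan[role], role), end="\n\n")
```

Run it with the real subnets before touching the GUI, or afterwards to compare against what you typed. Feeding it a tunnel network such as 10.0.0.0/30 makes it stop with an overlap error, which is exactly the mistake that produces a tunnel that is “up” in Status > OpenVPN while no traffic flows.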

Victory

You can now reach computers on either subnet from the other, by IP address and by hostname. Two things make the hostname part work: clients must use their local pfSense as DNS server, and hosts at the other site must be asked for by their fully qualified name (host.remote-domain), since only queries for the overridden domain are forwarded over the tunnel.

8 thoughts on “pfSense OpenVPN Site-to-Site with DNS resolving”

  1. I also have this working properly, but at present I need to configure a road warrior OpenVPN.

    I configured it and the client connects from an outside network to the main server location, but it is not able to access the LAN or ping.
