Although this works, the clients still resolve names with the local DNS as well.
If an address is returned by both the VPN DNS and local DNS, which one is used by the client?
I'm guessing the first one returned would be used.
But since the connection is actually going to be through the VPN it seems that would be the proper address to use.
Is there any way to prevent queries for non-local names from being made to the local DNS?
Without local access being blocked, of course.
Client config on Windows 8.1 Pro
dev tun
persist-tun
persist-key
cipher AES-256-CBC
tls-client
client
resolv-retry infinite
remote sub.domain.tld 1194 udp
verify-x509-name "OpenVPN Server Certificate" name
auth-user-pass
pkcs12 pfsense-udp-1194-USER1.p12
tls-auth pfsense-udp-1194-USER1-tls.key 1
ns-cert-type server
comp-lzo
Server Config on pfSense 2.1.3 (FreeBSD 8.3-RELEASE-p16)
dev ovpns2
dev-type tun
tun-ipv6
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 49.54.161.77
tls-server
server 192.168.22.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/server2.php via-env
tls-verify /var/etc/openvpn/server2.tls-verify.php
lport 1194
management /var/etc/openvpn/server2.sock unix
max-clients 9
push "route 192.168.2.0 255.255.255.0"
push "dhcp-option DOMAIN noyb"
push "dhcp-option DNS 192.168.2.1"
push "redirect-gateway def1"
client-to-client
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.4096
tls-auth /var/etc/openvpn/server2.tls-auth 0
comp-lzo
persist-remote-ip
float
topology subnet
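A check for the situation described above, added here as an example and not part of the original post: on the Windows 8.1 client it lists the DNS servers each active interface carries, flags interfaces that still point at something other than the pushed VPN DNS (192.168.2.1 from the server config), and resolves one name both directly through the VPN DNS and through the system resolver so the two answers can be compared. The host name host.noyb is a placeholder built from the pushed DOMAIN; it assumes the OpenVPN session is already up.

```powershell
# Added example: compare which DNS servers a Windows 8.1 client actually has configured
# while the OpenVPN tunnel is up, and whether the VPN DNS and the system resolver agree.

$vpnDns = '192.168.2.1'      # value pushed by: push "dhcp-option DNS 192.168.2.1"
$name   = 'host.noyb'        # placeholder host in the pushed DOMAIN "noyb"

# 1. Per-interface DNS servers (IPv4 only). Any interface other than the TAP/tun
#    adapter that still lists a server is a candidate for leaking queries locally.
$report = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $nonVpn = @($_.ServerAddresses | Where-Object { $_ -ne $vpnDns })
        [pscustomobject]@{
            Interface  = $_.InterfaceAlias
            Servers    = ($_.ServerAddresses -join ', ')
            NonVpnDns  = ($nonVpn.Count -gt 0)   # True = queries may go outside the tunnel
        }
    }
$report | Format-Table -AutoSize

# 2. Ask the VPN DNS explicitly, then ask the system resolver the way applications do.
#    If the two results differ, the client is not consistently using the VPN DNS.
$viaVpn = Resolve-DnsName -Name $name -Server $vpnDns -Type A -DnsOnly -ErrorAction SilentlyContinue
$viaSys = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue

$vpnAnswer = @($viaVpn | Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)
$sysAnswer = @($viaSys | Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)

"Via VPN DNS ($vpnDns): " + ($(if ($vpnAnswer) { $vpnAnswer -join ', ' } else { '<no answer>' }))
"Via system resolver:    " + ($(if ($sysAnswer) { $sysAnswer -join ', ' } else { '<no answer>' }))

if ($vpnAnswer -and $sysAnswer -and (Compare-Object $vpnAnswer $sysAnswer)) {
    Write-Warning "System resolver returned a different answer than the VPN DNS for $name"
}
```

Run the script from an elevated PowerShell prompt while the tunnel is connected; a NonVpnDns value of True on the physical adapter is the condition the question describes. OpenVPN 2.3.9 and later Windows clients also accept a pushed block-outside-dns option that blocks DNS traffic outside the tunnel, which is the usual mitigation once the client is new enough to support it.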