Push different DNS to specific users on the same server (pfSense OpenVPN)

Simple_One
OpenVpn Newbie
Posts: 5
Joined: Mon Feb 29, 2016 11:08 am

Push different DNS to specific users on the same server (pfSense OpenVPN)

Post by Simple_One » Wed Nov 13, 2019 7:08 pm

Hi All,

I'm using OpenVPN as built into a pfsense firewall. The OpenVPN server is serving many users, but I need to send a different DNS (and override/remove the default that is pushed to the other users of the server) for two specific clients when they connect.

I'm aware of the following on the server side:
push "dhcp-option DNS …"

And the following on the client side:
pull-filter "dhcp-option DNS …"

What I'm hoping to achieve is, from the server side only, use a 'client specific override' (presumably pfsense speak for some sort of dynamically generated client-config-dir files for each user CN) to tell these specific clients that when they connect, they should remove/ignore the default dns that is pushed by the server, and then subsequently use push dhcp-option dns … to point them to their correct DNS.

Anyone know of a way to achieve this on the pfsense implementation of OpenVPN?

Thanks

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Push different DNS to specific users on the same server (pfSense OpenVPN)

Post by TinCanTech » Wed Nov 13, 2019 7:28 pm

This is achieved on pfSense exactly the same way as any other OS.

Simple_One
OpenVpn Newbie
Posts: 5
Joined: Mon Feb 29, 2016 11:08 am

Re: Push different DNS to specific users on the same server (pfSense OpenVPN)

Post by Simple_One » Thu Nov 14, 2019 7:30 pm

Great though it is to hear that it's achievable, could you elaborate in a constructive manner as to how to achieve it?

For instance, how does one, from the server side, prevent the default DNS being pushed to a specific client when they connect?

More specifically, how do you do this in pfsense when the CCD folder doesn't appear to exist and seems to be dynamically generated from text entries within the Advanced section of the client specific overrides which, as far as I can tell, seem to only accept server side commands for a specific client of the server?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Push different DNS to specific users on the same server (pfSense OpenVPN)

Post by TinCanTech » Thu Nov 14, 2019 8:26 pm

Simple_One wrote:
Thu Nov 14, 2019 7:30 pm
Great though it is to hear that it's achievable, could you elaborate in a constructive manner as to how to achieve it?
I could repeat the documentation but you'll just end up reading it twice ..
Simple_One wrote:
Thu Nov 14, 2019 7:30 pm
More specifically, how do you do this in pfsense
I do not know how pfSense chose to do this but you can do this exactly as described in the documentation on openvpn. You just have to know how to use pfSense ..

Hint: Try a terminal ..

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: Push different DNS to specific users on the same server (pfSense OpenVPN)

Post by 300000 » Thu Nov 14, 2019 11:10 pm

Simple_One wrote:
Thu Nov 14, 2019 7:30 pm
Great though it is to hear that it's achievable, could you elaborate in a constructive manner as to how to achieve it?

For instance, how does one, from the server side, prevent the default DNS being pushed to a specific client when they connect?

More specifically, how do you do this in pfsense when the CCD folder doesn't appear to exist and seems to be dynamically generated from text entries within the Advanced section of the client specific overrides which, as far as I can tell, seem to only accept server side commands for a specific client of the server?
The server will know which client connects to it by the common name in its certificate, so basically you need to find out the certificate of the client you want to give a specific DNS, like this.

For example, you have a client whose certificate common name is jonh.

Make a file without an extension named jonh, open the file and add lines like this, place this file in the ccd folder and add the full path to the server config:
client-config-dir "/tmp/openvpn/ccd"

push "route 192.168.100.0 255.255.255.0"
push "dhcp-option WINS 192.168.20.1"
push "dhcp-option DNS 192.168.20.1"
push "dhcp-option DOMAIN abc.co.uk"

When the client connects to the server, the server will check its name in the ccd folder, load all the info in the file jonh and apply it to that client.

It is easier if you download WinSCP, connect to the server and add that file.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Push different DNS to specific users on the same server (pfSense OpenVPN)

Post by TinCanTech » Fri Nov 15, 2019 12:23 am

Or use --push-remove in the client.

See --push-remove in the manual.
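
The per-client override discussed in the two posts above (a client-config-dir file named after the certificate common name, combined with --push-remove), as an added example that is not part of any post in this thread. The directory, common name and DNS address are constructed placeholders; it assumes OpenVPN 2.4 or later, where push-remove is accepted in ccd files and acts on push options already queued, which is why it is written before the replacement push.

```shell
#!/bin/sh
# Added example: per-client DNS override via client-config-dir + push-remove.
# All names, paths and addresses used with these functions are placeholders.

# Write a ccd file for one certificate common name (CN).
# The file name must equal the CN; push-remove comes first so it only
# disables the server-wide DNS push, not the one added after it.
write_ccd() {  # usage: write_ccd <ccd-dir> <common-name> <dns-ip>
    mkdir -p "$1" || return 1
    cat > "$1/$2" <<EOF
push-remove "dhcp-option DNS"
push "dhcp-option DNS $3"
EOF
}

# Lint one ccd file. Returns 0 if it pushes no DNS at all, or if a
# push-remove covering dhcp-option precedes the first DNS push.
# Returns 1 if the client would receive the default DNS and the override.
ccd_dns_ok() {  # usage: ccd_dns_ok <ccd-file>
    awk '
        /^[ \t]*(#|;)/ { next }                       # skip comment lines
        /^[ \t]*push-remove[ \t]+"?dhcp-option( DNS)?"?[ \t]*$/ { removed = 1 }
        /^[ \t]*push[ \t]+"dhcp-option DNS / { if (!removed) bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Lint every file in a ccd directory; print offenders, return 1 if any.
lint_ccd_dir() {  # usage: lint_ccd_dir <ccd-dir>
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        ccd_dns_ok "$f" || { echo "default DNS not removed: $f"; rc=1; }
    done
    return $rc
}
```

A client whose ccd file fails the lint ends up with both the server-wide resolver and its own, so its lookups can still reach the default DNS.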

Simple_One
OpenVpn Newbie
Posts: 5
Joined: Mon Feb 29, 2016 11:08 am

Re: Push different DNS to specific users on the same server (pfSense OpenVPN)

Post by Simple_One » Fri Nov 15, 2019 12:34 pm

Okay thanks all. I'll read up on --push-remove, sounds like an interesting option.

The problem with pfsense, unless I'm doing it in the wrong spot, is that it seems to overwrite/delete files that I'm putting in the CCD folder when you restart the firewall. I'll see if I can work out how to get around that.
