OpenVPN client & DNSSEC

I’ve got a DNS issue while trying to set up an OpenVPN client.

When DNSSEC validation is enabled (through the Foris UI) I’m unable to ping VPN servers and cannot make a connection.

If I disable DNSSEC I can ping the VPN servers and make a connection, but I can’t get any traffic through the connection for all the devices on my LAN except a Fire TV stick. The Fire TV can get traffic through the VPN when nothing else can.

Any ideas on why I can’t ping the VPN servers while I have DNSSEC validation enabled on the router?

You can’t ping them by IP address?

I can ping them by IP address but not by hostname.

When I put the IP address into the OpenVPN config I can connect without disabling DNSSEC but I still can’t get traffic.

I assume that the VPN redefines what is used as upstream DNS servers for forwarding – and that those servers break standards in a way that blocks DNSSEC validation for some names. If you don’t need to resolve names defined by the VPN, I’d simply disable forwarding in Foris (in DNS tab).

Still, I expect your main problem is traffic not going through the VPN (at IP level already?) and not any DNS stuff.

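The reply above guesses that the upstream servers pushed by the VPN break DNSSEC validation for some names. A quick way to confirm that before touching the forwarding setting is to query the VPN's DNS server and the router's own resolver with `+dnssec` and compare the reply header: a validating resolver sets the `ad` flag on a name it could verify and returns `SERVFAIL` on one it could not, while a forwarder that strips DNSSEC data answers with neither `ad` nor any `RRSIG` records. The script below is an added example, not part of this thread and not Turris or Foris code; it assumes output in the standard `dig`/`kdig` text format and embeds three constructed replies so it runs offline. The hostnames and IDs in the samples are made up.

```shell
#!/bin/sh
# classify_dns_reply: read one dig/kdig reply on stdin and print
#   servfail    - resolver refused to answer (what a validating resolver
#                 such as the Turris kresd returns when validation fails)
#   validated   - NOERROR with the 'ad' (authenticated data) flag set
#   unvalidated - NOERROR but no 'ad' flag (unsigned zone, or a forwarder
#                 that does not validate / strips DNSSEC records)
classify_dns_reply() {
    reply=$(cat)
    status=$(printf '%s\n' "$reply" \
        | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$reply" \
        | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    if [ "$status" = SERVFAIL ]; then
        echo servfail
        return 0
    fi
    case " $flags " in
        *" ad "*) echo validated ;;
        *)        echo unvalidated ;;
    esac
}

# count_rrsig: number of RRSIG records in the reply. With +dnssec set, a
# signed zone answered through an honest resolver carries at least one;
# zero here for a zone you know is signed means DNSSEC data is being
# stripped somewhere on the path.
count_rrsig() {
    grep -c '[[:space:]]RRSIG[[:space:]]' || true
}

# --- Constructed sample replies (not captured from a real resolver) ---
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
vpn.example.net.	300	IN	A	192.0.2.10
vpn.example.net.	300	IN	RRSIG	A 13 3 300 20240101000000 20231201000000 12345 example.net. abc...'

SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_STRIPPED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
vpn.example.net.	300	IN	A	192.0.2.10'

# Stand-alone demo on the constructed samples.
for name in VALIDATED SERVFAIL STRIPPED; do
    eval "sample=\$SAMPLE_$name"
    printf '%-10s -> %s (RRSIG: %s)\n' "$name" \
        "$(printf '%s\n' "$sample" | classify_dns_reply)" \
        "$(printf '%s\n' "$sample" | count_rrsig)"
done

# Live use on the router (assumes dig or kdig is installed; the IPs are
# placeholders): query the VPN-pushed server directly, then the local
# resolver, for the same VPN hostname.
#   dig +dnssec @<vpn-dns-ip> vpn.example.net | classify_dns_reply
#   dig +dnssec @127.0.0.1   vpn.example.net | classify_dns_reply
```

If the VPN's server answers `unvalidated` with zero RRSIGs while a public resolver returns `validated` for the same name, the upstream is dropping DNSSEC data and the local validator will answer `SERVFAIL` whenever it forwards there, which matches the symptom in the first post and is exactly the case where turning forwarding off (and letting the router resolve recursively) helps.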

Disabling forwarding (leaving DNSSEC enabled) worked.

Thanks a lot for this, I’ve tried for a while to get this working.