OpenVPN server & PF -> Client DNS lookup not working



I have a running OpenVPN network with several clients and a server (all machines run FreeBSD 11 64-Bit). The machines can successfully talk to each other over the VPN. Where I'm hitting a wall is when it comes to gateway redirection: What I want is that the entire internet traffic of all OpenVPN clients is routed through that OpenVPN server. For this, I added/enabled the following lines in my OpenVPN server config:

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS"
push "dhcp-option DNS"

I have added this line to my OpenVPN client config:

redirect-gateway def1

After restarting all OpenVPN instances, I am able to ping a public IP address from a client through the server:

root@client:~ % ping
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=60 time=29.962 ms
64 bytes from icmp_seq=1 ttl=60 time=29.189 ms
64 bytes from icmp_seq=2 ttl=60 time=29.796 ms
64 bytes from icmp_seq=3 ttl=60 time=28.933 ms
--- ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 28.933/29.470/29.962/0.423 ms

traceroute confirms that the traffic is indeed being routed through the OpenVPN server (
root@client:~ # traceroute
traceroute to (, 64 hops max, 40 byte packets
 1 (  22.585 ms  22.661 ms  22.555 ms
 2 (  23.333 ms  24.108 ms  22.632 ms
 3 (  23.173 ms  22.980 ms  22.795 ms
 4 (  27.905 ms  34.365 ms  34.623 ms
 5 (  33.874 ms  28.433 ms  28.529 ms
 6 (  29.994 ms * *
 7 (  28.318 ms (  28.218 ms (  29.904 ms
 8 (  28.477 ms  28.501 ms  28.576 ms

Looking at the client's /etc/resolv.conf I can see that the wrong nameservers are set:
root@client:~ # cat /etc/resolv.conf
# Generated by resolvconf

The client doesn't have any firewall enabled and the server runs pf with the following configuration:
vpnclients = ""
wanint = "igb0"
vpnint = "tun0"

# OpenVPN by default runs on udp port 1194
udpopen = "{1194}"
icmptypes = "{echoreq, unreach}"

set skip on lo
# the essential line
nat on $wanint inet from $vpnclients to any -> $wanint

block in
pass in on $wanint proto udp from any to $wanint port $udpopen
# the following two lines could be made stricter if you don't trust the clients
pass out quick
pass in on $vpnint from any to any
pass in inet proto icmp all icmp-type $icmptypes

pass in quick on $wanint proto tcp from any to any port ssh flags S/SA keep state

I'm out of guesses - any ideas?
Any help would be much appreciated.



Everything works just fine and as expected if I manually change the nameservers in /etc/resolv.conf to and The reason for this is that my OpenVPN client is a VPS and the hoster has their own internal DNS. So when my client tries to make a DNS request it needs to do that through my OpenVPN server which cannot access the hoster's internal DNS.

So the only question is: Why does my OpenVPN server not overwrite the client's nameservers IPs properly?
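For context on the mechanism behind this question: a `push "dhcp-option DNS ..."` line only transports the resolver addresses to the client. OpenVPN on Windows applies them to the adapter itself, but on Unix clients (FreeBSD included) it merely exports each pushed option as an environment variable (`foreign_option_1`, `foreign_option_2`, ...) and leaves applying them to an `up` script; with no such script, /etc/resolv.conf stays whatever resolvconf(8) last wrote, and every DNS query goes to the hoster's resolver outside the tunnel, which is a DNS leak as well as the failure seen above. The script below is an added example, not code from the original post: it reads those variables and hands them to resolvconf(8) for the tunnel interface. The client config lines and the script path in the header comment are assumptions, as are the constructed addresses in the test values.

```sh
#!/bin/sh
# Added example, not the original poster's code: an OpenVPN up/down script
# for a FreeBSD client. OpenVPN exports pushed options as foreign_option_N,
# the tunnel interface as $dev and the phase as $script_type ("up"/"down").
# This script turns the DNS/DOMAIN options into resolv.conf lines and gives
# them to resolvconf(8), the tool that writes "# Generated by resolvconf".
#
# Assumed client config lines (path is hypothetical):
#   script-security 2
#   up   /usr/local/etc/openvpn/vpn-dns.sh
#   down /usr/local/etc/openvpn/vpn-dns.sh
#   down-pre

# Print one resolv.conf line per pushed DNS or DOMAIN option, in push order.
# Any other dhcp-option (WINS, NBT, ...) is ignored on purpose.
vpn_resolv_lines() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)
                printf 'nameserver %s\n' "${opt#dhcp-option DNS }" ;;
            "dhcp-option DOMAIN "*)
                printf 'search %s\n' "${opt#dhcp-option DOMAIN }" ;;
        esac
        i=$((i + 1))
    done
}

# Number of nameservers actually pushed. A count of 0 on the client means
# the server side never sent them, so the problem is not in this script.
vpn_nameserver_count() {
    vpn_resolv_lines | grep -c '^nameserver ' || true
}

# Register the pushed resolvers for the tunnel interface so they take
# precedence over the hoster's DHCP-supplied ones while the VPN is up.
vpn_dns_up() {
    if [ "$(vpn_nameserver_count)" -eq 0 ]; then
        echo "vpn-dns: server pushed no DNS servers for $dev" >&2
        return 0
    fi
    vpn_resolv_lines | resolvconf -a "$dev"
}

# Remove the tunnel's resolvers again; resolvconf restores the previous set.
vpn_dns_down() {
    resolvconf -d "$dev"
}

# Only OpenVPN sets script_type; run by hand, nothing below executes.
case "${script_type:-}" in
    up)   vpn_dns_up ;;
    down) vpn_dns_down ;;
esac
```

After installing the script, `cat /etc/resolv.conf` on the client while the tunnel is up should list the pushed servers above the hoster's entries, and `resolvconf -d tun0` (run by the down phase) puts the original ones back. Leaving `down-pre` in place matters: resolvconf needs to delete the interface entry before the tun device disappears.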


Is there anything in /etc/dhclient.conf or does /etc/dhcp-options exist by any chance?

Most obvious possibility is that the clients were reconfigured to handle the DHCP requests differently.