Pritunl VPN not resolving LB DNS


I have configured a VPN server with custom routes that only route traffic for my VPC. There are some applications running on EKS, like Grafana, and we use Route53 to access them using the NLB DNS. My old VPN, which is OpenVPN CLI based, is able to resolve all DNS, but the new VPN is not resolving this.

The error I get is: NXDOMAIN

I tried to change the routes but am still not able to access it. I want to access the URL after connecting to the VPN.

1 answer

Alexandru Paloseanu

I was dealing with the same issue these past few days and have found the solution thanks in part to the following two articles:

  1. https://docs.pritunl.com/docs/internal-dns (from the official website)
  2. https://www.reddit.com/r/aws/comments/c2ysrm/using_rt53_for_internal_dns/

I will detail below my case and solution:

For context, we have been using an OpenVPN server hosted on an EC2 instance to access our AWS resources, including resources in the same VPC, other VPCs, and resources behind LBs and private DNS records.

Recently, due to various reasons, we wanted to switch to Pritunl and had difficulties making the configuration work as intended. After setting up the server and adding the appropriate routes, we were able to access resources via their private IPs, such as other EC2 instances, but were having difficulties with DNS resolution.

The issue here, which is not mentioned in the actual docs, is that you need to pay for a subscription/license in order to be able to use some of the features needed for DNS resolution (NAT). Specifically, you need the enterprise subscription, which is $70 per host (instance) per month.

If you choose to pay for the subscription, you can then follow the first article linked to make DNS resolution work for records in private DNS zones. I will detail my steps as well in the following lines.

Remove the 0.0.0.0/0 route, then add routes for your private networks/VPCs (e.g. 172.31.0.0/16). For the VPC routes, I have also ticked the option to use each as a NAT Route. I don't think this is entirely necessary, but it should be useful. This option is unavailable without a license.

As for what solves the private DNS issues, you need to add a route that will work as a NAT route. In our case, we used 172.31.0.2/32, which belongs to the VPC in which our Pritunl server is hosted (172.31.0.0/16). After this, you need to click on your Pritunl server to open its settings. There, you have to place this x.x.x.2 route in the DNS Server section (replace x.x.x.2 with the IP). This route should be the only one there. Additionally, you will have to modify the DNS Search Domain section to include this route as well as the DNS search domain of Google. It should look like this: x.x.x.2, 8.8.8.8. With this setup, DNS requests should first use the DNS resolver of your VPC, which should also resolve private records, and only afterwards the DNS resolver of Google.

After this, private DNS resolution should work as expected. Hope this helps.
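As an added illustration (not code from the original post or from Pritunl), the following Python script encodes the configuration rules from the answer above as a consistency check and runs it against a constructed "before" (full tunnel, public DNS) and "after" (split tunnel, VPC resolver) server setting. The dict layout and the `nat` flag are a modelling assumption, not Pritunl's API; the resolver address being the VPC network address plus two is how AWS assigns the VPC-provided DNS.

```python
"""Consistency check for a split-tunnel Pritunl server's private-DNS settings.
Constructed example, not Pritunl's own code or API: settings are modelled as a
plain dict mirroring the fields the answer configures (routes with a NAT flag,
DNS servers)."""
import ipaddress


def vpc_resolver(vpc_cidr: str) -> str:
    """AWS's VPC-provided resolver lives at the VPC network address plus two."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    return str(net.network_address + 2)


def check_dns_config(server: dict, vpc_cidr: str) -> list:
    """Return the problems found; an empty list means the settings are consistent."""
    problems = []
    routes = [ipaddress.ip_network(r["network"]) for r in server["routes"]]
    dns_servers = [ipaddress.ip_address(d) for d in server["dns_servers"]]
    resolver = ipaddress.ip_address(vpc_resolver(vpc_cidr))

    # The answer removes the default route so only VPC traffic enters the tunnel.
    if any(r.prefixlen == 0 for r in routes):
        problems.append("0.0.0.0/0 route present; remove it for split tunnelling")
    # A pushed DNS server must lie inside a pushed route, otherwise client queries
    # leave via the default interface and never reach the VPC resolver.
    for d in dns_servers:
        if not any(d in r for r in routes):
            problems.append(f"DNS server {d} is not covered by any pushed route")
    # Private Route53 zones are only known to the VPC resolver; without it the
    # client asks a public resolver and gets NXDOMAIN, as in the question.
    if resolver not in dns_servers:
        problems.append(f"VPC resolver {resolver} is not a configured DNS server")
    # The answer adds the resolver as a /32 marked as a NAT route.
    nat_route = [r for r in server["routes"] if r["network"] == f"{resolver}/32"]
    if not nat_route or not nat_route[0].get("nat", False):
        problems.append(f"{resolver}/32 is missing or not flagged as a NAT route")
    return problems


# Constructed "before" settings: full tunnel, public DNS only.
BEFORE = {"routes": [{"network": "0.0.0.0/0", "nat": False}],
          "dns_servers": ["8.8.8.8"]}
# Constructed "after" settings following the answer for VPC 172.31.0.0/16.
AFTER = {"routes": [{"network": "172.31.0.0/16", "nat": True},
                    {"network": "172.31.0.2/32", "nat": True}],
         "dns_servers": ["172.31.0.2"]}

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, check_dns_config(cfg, "172.31.0.0/16") or ["ok"])
```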