VPN Client DNS Mapping

We want to use the client DNS mapping feature to be able to resolve our servers internally.

Can you advise what is missing from the steps below to troubleshoot and get the DNS mapping to work?

  1. Enable VPN client DNS Mapping from webui and start the vpn server

  2. The users’ dns names are available in the user/organization list

  3. Doing a dns lookup for a user’s dns name from a vpn client fails

    On a tcp dump on the pritunl server we can see that there are requests from the client to the vpn server’s IP, but there is nothing listening on port 53/udp on the server, so the port is unreachable.
    12:12:39.877236 IP 192.168.216.1 > 192.168.216.3: ICMP 192.168.216.1 udp port 53 unreachable, length 89

    Before enabling the dns mapping setting on the server, the dns requests do not hit the vpn server, but go straight to the public dns servers.

According to the documentation, the dns service is created automatically when the dns mapping option is enabled; it should resolve the .vpn dns names, and any other requests will be forwarded to public dns servers (this last part works).

Thanks in advance,
Anestis

For macOS Ventura this requires running sudo pritunl set vpn.dns_mapping_push_all false. The Debugging documentation has more information.

Hi Zach,

Thanks for the quick response.
We are not using macOS, most of our clients run on Linux (Ubuntu).

The issue is not the use of external (public) DNS - this works, but the resolution of the internal example.organization.vpn.

Regards,
Anestis

The Pritunl Client doesn’t support configuring the DNS server with NetworkManager which is used by Ubuntu. Systemd Resolved used in Fedora is supported. The Gnome Client will allow configuring the DNS server on Ubuntu.

Hi Zach,

We are using systemd-resolved service for dns:

We try to enable the vpn client DNS mapping from the vpn server instance:

Our clients run on Ubuntu 22.04 (headless). We got pritunl-client (not electron) installed.

Can you provide a working example of client DNS mapping?
Or is this not supported for our setup?

Many thanks,
Anestis

If the system has systemd-resolved it should work. Refer to pritunl/pritunl-client-electron/service/profile/profile.go:361 for the code that determines if the systemd-resolved start script is used. It will look for the string systemd-resolved in /etc/resolv.conf. If this is true check the code used for the script and look for errors in the profile log pritunl/pritunl-client-electron/service/profile/scripts.go:243
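A small diagnostic script, added here as an example and not part of the thread or of the Pritunl client code, that reproduces the two checks discussed above: the resolver detection Zach describes (the client looks for the string systemd-resolved in /etc/resolv.conf) and a check for a listener on udp/53 on the Pritunl server, which was missing in the tcpdump output earlier in the thread. The sample resolv.conf contents are constructed; the ss and dig tools are assumed to be installed (iproute2 and bind9-dnsutils on Ubuntu).

```shell
#!/bin/sh
# Added example, not Pritunl's own code. Run the first function on the VPN
# client, the other two on the Pritunl server.

# classify_resolver [FILE]
# Prints which resolver manages FILE (default /etc/resolv.conf), using the
# same string match the client applies: "systemd-resolved" present means the
# systemd-resolved DNS script will be used; NetworkManager-managed files are
# not supported for DNS configuration by the CLI client.
classify_resolver() {
    file="${1:-/etc/resolv.conf}"
    if grep -q 'systemd-resolved' "$file" 2>/dev/null; then
        echo systemd-resolved
    elif grep -q 'NetworkManager' "$file" 2>/dev/null; then
        echo networkmanager
    else
        echo static
    fi
}

# dns_listener_present [PORT]
# Returns 0 if any local UDP socket is bound to PORT (default 53). On the
# Pritunl server this should succeed once DNS mapping is enabled; the
# "udp port 53 unreachable" ICMP replies in the tcpdump mean it does not.
dns_listener_present() {
    port="${1:-53}"
    ss -lun 2>/dev/null | awk -v p=":$port" '$5 ~ p"$" {found=1} END {exit !found}'
}

# check_vpn_name NAME SERVER_IP
# Queries the .vpn name directly against the VPN server address so a failure
# here is independent of which resolver the client is configured to use.
check_vpn_name() {
    name="$1"
    server="$2"
    answer=$(dig +short +time=2 +tries=1 "@$server" "$name" 2>/dev/null)
    if [ -n "$answer" ]; then
        echo "$name resolves via $server to: $answer"
        return 0
    fi
    echo "$name did not resolve via $server (no listener or no mapping)" >&2
    return 1
}

# Example invocation on a client; the .vpn name and server IP are placeholders.
# classify_resolver
# check_vpn_name user.example.organization.vpn 192.168.216.1
```

The resolver classification is the first thing to confirm on a headless Ubuntu 22.04 host: if /etc/resolv.conf is a plain static file rather than the systemd-resolved stub, the client will not run the systemd-resolved script at all and the pushed DNS server never takes effect, whatever the server side does.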