"Dynamic" HOSTNAMES possible?

My OpenWrt gateway router currently serves as the DNS server for my local network. For my own domain name, I have several entries set up in "Network -> DHCP and DNS -> Hostnames" to point to a local IP address (instead of the normal WAN IP that the domain name resolves to).

This works well for my LAN clients, but VPN clients need another local IP address of the server (i.e. one within the VPN subnet) in order to properly access the domain server. Is it possible somehow for OpenWrt to recognize the IP of the querying device and "dynamically" provide another result for the DNS query in case the query comes from an IP in the VPN subnet?

The best way to solve this is for the VPN server to act as a gateway and install routes between the VPN and LAN subnets. Your DNS service won't have to do anything special for the VPN clients because VPN clients don't need to be in LAN subnet to communicate with LAN nodes. Their packets would just need to be routed. After all, that's how the entire global Internet works. The OpenWrt website isn't on your LAN subnet and yet your LAN nodes have no problem accessing it or resolving the A/AAAA record for it.

We need way more details about your setup though, like what VPN are you using and whether or not this VPN endpoint is running on the same device as the router.

For my particular case, the VPN server IS the domain server. So this server has two IP addresses: one is the local LAN IP (let's call this "A"), the other is the VPN gateway IP (let's call this "B"). The server (acting as the VPN server) already has static routes installed, so my VPN clients can access other machines within the LAN, but for the VPN gateway itself (which happens also to be the domain server), the VPN clients just don't have a path to the server if "A" is used instead of "B"... at least I couldn't figure out what extra configuration there should be.

Edit: So to answer your question: my VPN server is my Synology NAS, so no, the VPN endpoint is not the OpenWrt gateway router. My Synology NAS is also the domain server. But the DNS server for my LAN and VPN clients is the OpenWrt gateway router.

Wait, which one is it? Are your VPN clients being served by the DNS on the NAS or the DNS on the OpenWrt router? Or do you mean something else by "domain server", because I don't know what you're referring to there.

Can you draw a diagram (ASCII art or quick drawing is OK) of your setup? Otherwise we will be talking in circles as I'm already confused as to how your network is set up.

Hope this is clear enough. VPN Server is configured such that all VPN clients use 192.168.1.1 as the DNS Server while connected.

The OpenWrt router (192.168.1.1) has a hostname configured: "www.myhost.com" resolves to 192.168.1.2.

For public DNS servers (e.g. 8.8.8.8), www.myhost.com resolves to 235.235.235.235

For phone A, when a connection is made to www.myhost.com, the domain name resolves to 192.168.1.2, and connection can be established.

For phone B, when a connection is made to www.myhost.com, the domain name resolves to 192.168.1.2, and connection cannot be established.

But if phone B gets 172.17.0.1 instead of 192.168.1.2 when it looks up www.myhost.com, then a connection could have been established.

The current workaround is to have the OpenVPN Server tell its VPN clients to use 8.8.8.8 instead for the DNS server, but then www.myhost.com would resolve to 235.235.235.235, and the connection, while successful, would traverse from the OpenVPN Server then out to internet then back again, not efficient.

Maybe allowing traffic from 172.17.0.0/24 onto your Synology NAS will make it work?
By default, traffic from subnets other than 192.168.1.0/24 is blocked.

172.17.0.0/24 can already see everything in 192.168.1.0/24, EXCEPT FOR 192.168.1.2 (the OpenVPN Server itself). To talk to it, VPN clients need to use 172.17.0.1, not 192.168.1.2. That may be the way the Synology NAS behaves, and routing is all done by the NAS when I set up the OpenVPN Server, so I have no control over this behavior.

This is why I was thinking that if OpenWrt could return a different IP just for the VPN clients, that would be excellent. Hence my question.

  • Configure another dnsmasq instance on a non-standard port.
  • Redirect DNS traffic from a specific source subnet to that port.
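One way to implement those two steps on the router, written here as an added example (not configuration posted in the thread). It assumes the VPN clients' queries are routed by the NAS and reach the router from 172.17.0.0/24 on the lan zone, that the second dnsmasq instance is named 'vpn', and that the existing Hostnames entry for www.myhost.com is replaced by the per-instance address overrides below, since dnsmasq lets hosts-file entries override `address` for the same name.

```uci
# /etc/config/dhcp (fragment)
# The existing instance, given an explicit name so DHCP pools can be pinned to it.
config dnsmasq 'main'
	list address '/www.myhost.com/192.168.1.2'

# Second instance on a non-standard port. It has no DHCP pools, so it
# serves DNS only and answers this name with the VPN-side address.
config dnsmasq 'vpn'
	option port '5353'
	list address '/www.myhost.com/172.17.0.1'

# Keep DHCP on the first instance only.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option instance 'main'

# /etc/config/firewall (fragment)
# Port-53 queries arriving on the lan zone from the VPN subnet are
# redirected to the second instance; all other LAN clients are unaffected.
config redirect
	option name 'vpn-dns-split'
	option src 'lan'
	option src_ip '172.17.0.0/24'
	option src_dport '53'
	option dest_port '5353'
	option proto 'tcp udp'
	option target 'DNAT'
```

After reloading dnsmasq and the firewall, a lookup of www.myhost.com from a 172.17.0.x client should return 172.17.0.1 while a 192.168.1.x client still gets 192.168.1.2.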

BIND9 can do this - look for "views" in the docs and you can filter the returned data according to inbound IP ranges. You will need to switch away from dnsmasq however.

Maybe set up a DNS server on the Synology for the VPN clients, e.g.:
https://community.ui.com/questions/SOLVED-Loopback-DNS-Synology-DiskStation/d41c2d86-b364-4823-a1a3-08cf93461050 ?


Thanks for all the suggestions! Creating another DNS server seems to be the common theme here. Of these suggestions, having a second one on the Synology seems to be the easiest to do. Will give that a try. Cheers!
