Use this article to understand VPN compatibility considerations when the Windows Roaming Client is configured for Classic DNS Filtering. See our Connection and Filtering Mode guide for more detail.
Classic DNS Filtering works by modifying device DNS settings to route DNS queries through the Roaming Client for enforcement. Because this approach depends on loopback DNS behavior and adapter-level DNS configuration, it can conflict with VPNs that override DNS settings, restrict loopback traffic, or enforce full-tunnel DNS routing.
This includes:
- SSL VPNs
- Full tunnel VPNs
To run both security tools together, configure the VPN to preserve internal DNS resolution while allowing DNSFilter enforcement, such as by using split tunneling or DNS resolver exclusions.
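A quick check for the two failure modes described above (a VPN adapter overriding DNS settings, or loopback DNS being blocked), run in PowerShell on an affected device with the VPN connected. This is an added example, not DNSFilter tooling; `$LoopbackDns` and `$TestName` are assumed values, so substitute the 127.0.0.x address configured in the agent and a hostname that should resolve.

```powershell
# Added example (not part of the DNSFilter product or documentation).
# Assumptions: $LoopbackDns is the 127.0.0.x address configured in the agent,
# $TestName is any hostname that should resolve.
$LoopbackDns = '127.0.0.2'
$TestName    = 'example.com'

# 1. Adapter-level DNS: which connected adapters still list the loopback first?
$adapterReport = foreach ($adapter in (Get-NetAdapter | Where-Object Status -eq 'Up')) {
    $dns = @(Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex `
                 -AddressFamily IPv4 -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty ServerAddresses)

    if ($dns.Count -eq 0) {
        $state = 'NoDnsConfigured'
    } elseif ($dns[0] -eq $LoopbackDns) {
        $state = 'LoopbackFirst'        # queries reach the Roaming Client first
    } elseif ($dns -contains $LoopbackDns) {
        $state = 'LoopbackNotFirst'     # another resolver is tried before the agent
    } else {
        $state = 'Overridden'           # adapter DNS no longer points at the agent
    }

    [pscustomobject]@{
        Adapter     = $adapter.Name
        Description = $adapter.InterfaceDescription
        DnsServers  = $dns -join ', '
        State       = $state
    }
}

# 2. Loopback reachability: does the local listener answer while the VPN is up?
try {
    Resolve-DnsName -Name $TestName -Server $LoopbackDns -Type A `
        -DnsOnly -QuickTimeout -ErrorAction Stop | Out-Null
    $loopbackAnswer = 'Answered'
} catch {
    $loopbackAnswer = "Failed: $($_.Exception.Message)"
}

$adapterReport | Format-Table -AutoSize
"Query for $TestName via ${LoopbackDns}: $loopbackAnswer"
```

An adapter reported as `Overridden` or `LoopbackNotFirst`, or a failed loopback query, is useful detail to attach to a Support Request alongside the diagnostic logs.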
Troubleshooting VPN compatibility
DNSFilter aims to support reliable deployments alongside common VPNs and third-party software. While we work to ensure broad compatibility, DNSFilter cannot guarantee functionality with every external tool or configuration. This article provides general guidance only and does not constitute official validation of third-party software.
If you experience VPN or software conflicts not covered here, submit a Support Request for assistance. For the fastest resolution, include the following details:
- The name and version of the VPN or software suspected to conflict with the Windows Roaming Client
- A screenshot of the Roaming Client tray icon, showing the current Connection and Filtering mode
- Diagnostic logs from an impacted device when the VPN is enabled
- A summary of troubleshooting steps already taken
In some cases, vendor-specific settings may impact compatibility. We recommend working with both DNSFilter Support and the third-party vendor to identify and resolve configuration issues.
Azure VPN
No known conflicts for Classic DNS Filtering compatibility. Azure VPN requires Windows 11 as the minimum OS version; it is not supported on Windows 10.
If issues or error messages occur, set up an NRPT DNS Client rule to adjust DNS resolution settings.
Cato Networks
No known conflicts for Classic DNS Filtering compatibility.
Cisco AnyConnect
Cisco AnyConnect can use full-tunnel routing while allowing DNS traffic to reach DNSFilter resolvers. Add the DNS1 and DNS2 IP addresses to the AnyConnect ACL allow list so DNS requests can route to the DNSFilter DNS servers.
This configuration requires terminal commands and may vary by AnyConnect version.
Cloudflare WARP
Cloudflare WARP supports multiple operating modes that control which traffic is routed through Cloudflare Gateway.
To prevent WARP from bypassing DNS filtering, disable the WARP mode that performs DNS resolution. This allows the WARP client to protect traffic and provide access to Zero Trust resources while keeping DNS resolution managed by the Roaming Client.
- From the Cloudflare Zero Trust dashboard, navigate to Settings and select WARP Agent
- Select Mode
- Set the DNS-resolving mode to Disabled
Reference Cloudflare documentation for additional mode details.
F5 BIG-IP VPN
No known conflicts for Classic DNS Filtering compatibility.
FortiClient VPN / Zero Trust Agent
FortiClient VPN v7.0.6.x can conflict with the Roaming Client and cause DNS resolution or filtering issues. Start by updating to FortiClient v7.0.9.x or newer, and then update the FortiGate VPN profile to use local resolvers instead of static DNS.
Updating the FortiGate profile applies to both macOS and Windows (running Classic DNS Filtering mode) devices and helps ensure DNS traffic routes through DNSFilter as expected.
Guardian VPN
No known conflicts for Classic DNS Filtering compatibility.
Ivanti Secure Access Client
No known conflicts for Classic DNS Filtering compatibility.
Microsoft DirectAccess
No known conflicts for Classic DNS Filtering compatibility.
NetBird
No known conflicts for Classic DNS Filtering compatibility.
NordLayer VPN
No known conflicts for Classic DNS Filtering compatibility.
OpenVPN
OpenVPN Connect must allow DNS resolution over the loopback interface when used alongside the Windows Roaming Client in Classic DNS Filtering mode.
Enable loopback DNS in OpenVPN Connect:
- In OpenVPN Connect, navigate to Settings → Advanced Settings
- Enable the option to allow DNS resolution on loopback
Option 1: Set loopback DNS on the device
Use this option when DNS should resolve through the Roaming Client first, with VPN DNS as failover.
- Disable the OpenVPN DNS Proxy service
- Set custom DNS servers to:
  - Primary DNS: 127.0.0.2 (or the 127.0.0.x value configured in the agent)
  - Secondary DNS: the original DNS server provided through the VPN tunnel
This configuration allows the VPN DNS server to resolve traffic if the agent service becomes unavailable.
Option 2: Push loopback DNS through Connexa
Use this option to push loopback DNS settings to VPN clients through Connexa.
- Navigate to Settings → WPC → Advanced Configuration
- Add the following option:
dhcp-option DNS 127.0.0.2 (or the 127.0.0.x value configured in the agent)
Initial testing confirmed compatibility with both split-tunnel and full-tunnel configurations.
For additional OpenVPN configuration patterns, reference the AWS Access Server Support article.
Palo Alto GlobalProtect
GlobalProtect supports split-tunnel configurations. If full-tunnel VPN routing is required, we recommend ignoring the VPN adapter and setting a Site-level policy to ensure secure filtering.
Perimeter 81 (Harmony SASE)
Conflicts occur even when Perimeter 81 is not actively logged in. Update to the latest version; older versions (10.1.1.1438 and earlier) are known to cause DNS issues.
Twingate
Update the Roaming Client to send queries through a secure TLS channel on port 853.
WatchGuard Mobile VPN (SSL)
No known conflicts for Classic DNS Filtering compatibility.
WireGuard VPN
WireGuard supports both split-tunnel and full-tunnel configurations. Set the WireGuard client configuration to use the loopback DNS address.
Example:
    [Interface]
    PrivateKey = <generated when creating a peer>
    Address = <assigned by the WireGuard server>
    DNS = 127.0.0.2
Zscaler Private Access (ZPA)
No known conflicts for Classic DNS Filtering compatibility.