diff --git a/config/roles/openvpn/templates/50openvpn.firewall.j2 b/config/roles/openvpn/templates/50openvpn.firewall.j2
index 4e6860a42712d2e22d152e203b81e7ee17d9692f..3ebf6fe85c7c9132bf4cbe98d5e26a1c1d675aad 100644
--- a/config/roles/openvpn/templates/50openvpn.firewall.j2
+++ b/config/roles/openvpn/templates/50openvpn.firewall.j2
@@ -16,4 +16,6 @@ add_rule6 -A FORWARD -d {{ openvpn_network6 }} -m state --state RELATED,ESTABLIS
 add_rule4 -A FORWARD -i tun0 -o tun0 -j DROP
 add_rule6 -A FORWARD -i tun0 -o tun0 -j DROP
 
-
+# allow vpn clients to resolve DNS (i.e. query knot-resolver)
+add_rule -A user-input -i tun0 -p udp --dport 53 -j ACCEPT
+add_rule -A user-input -i tun0 -p tcp --dport 53 -j ACCEPT
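Review bot: The two ACCEPT rules at the end of the hunk admit any packet arriving on tun0 for port 53 regardless of destination address, so a VPN client can reach a DNS listener on any address the host holds, not only the knot-resolver instance the comment names. If the resolver is bound only to the tun0 gateway address, narrowing each rule with `-d <VPN_GATEWAY_ADDRESS>` (placeholder; substitute the role's variable) limits the exposure to the intended listener. The new lines also call `add_rule` while the surrounding lines use `add_rule4`/`add_rule6`; if `add_rule` is not a family-agnostic helper defined elsewhere in this file (its definition is outside this hunk), IPv6 clients will not be covered, so it is worth confirming and documenting with a comment such as `# add_rule applies to both IPv4 and IPv6`.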