DNS Resolution with DNS server in home network while OpenWRT is a VPN client ro

Hello,
I have a problem with my setup where I have a TP-Link router posing as an OpenVPN server in my home network.
A docker container is running AdGuard which I use as my local DNS server on the home network. I also have a Raspberry Pi 4 which runs OpenWRT and connects to my home network over OpenVPN. I manage to connect to the local VPN network without a problem, but the problem is DNS resolution for .ls - my local domain. The DNS server is set as the default on the network so all my local machines in the home network can get the IP for any .ls domain. Moreover, when I run OpenVPN in the app client on my laptop with option DNS 10.1.1.3 defined in my config file, all domains are resolved without a problem. When I use the same config file to create the OpenVPN configuration and connect to my home network, no resolution happens.

I tried the following:

  1. nslookup home.ls returns ** server can't find home.ls: NXDOMAIN
  2. nslookup home.ls 10.1.1.3 (my local DNS ip) returns the ip of the machine running the home.ls web app
  3. tried adding custom DNS forwardings in the DNS and DHCP options in OpenWRT - doesn't work
  4. tried adding the nameserver in /etc/resolv.conf but it gets overwritten by dnsmasq on reboot
  5. /etc/init.d/dnsmasq status returns running
  6. when I stop dnsmasq and start it again I get this: /etc/init.d/dnsmasq start
    udhcpc: started, v1.35.0
    udhcpc: broadcasting discover
    udhcpc: no lease, failing

Am I missing something? What else can I check to make it work?

The OpenVPN server has to push the DNS server to the VPN clients:
push "dhcp-option DNS 10.1.1.3"
push "dhcp-option DOMAIN ls"
Or the clients must have this in their config:
dhcp-option DNS 10.1.1.3
dhcp-option DOMAIN ls

When the client is OpenWRT however the pushed DNS servers are just ignored and you have to set the DNS server manually at the interface.
However this DNS server is just added to the already present DNS servers, so it is a hit or miss if this specific DNS server is used.

I use a script to get the pushed DNS server and use it exclusively, maybe that helps also in your case?

See: https://github.com/egc112/OpenWRT-egc-add-on/tree/main/stop-dns-leak

This is normal:

It is intended behaviour. The dnsmasq initscript does a DHCP request on its own, to check that there is no other DHCP server on your network segment, before starting the dæmon. This is done to prevent rogue DHCP servers, which would be a real problem.

P.S. I am away for the remainder of the day so cannot help you further today

1 Like
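As an added example (not egc's script from the linked repository and not code from this thread), this is the mechanism such an up/down script builds on: OpenVPN hands every dhcp-option it cannot apply itself, whether pushed by the server or written in the client .ovpn, to the up/down script as foreign_option_N environment variables, and script_type tells the script which hook ran. The resolv file name /tmp/resolv_conf.vpn, the restore path /tmp/resolv.conf.d/resolv.conf.auto and the uci key are taken from later posts in this thread; everything else is assumed.

```sh
#!/bin/sh
# Added illustration: turn the dhcp-option DNS/DOMAIN values OpenVPN exposes
# as foreign_option_1, foreign_option_2, ... into a resolv file and point
# dnsmasq at that file only, so no other upstream DNS server is consulted.
VPN_RESOLV="/tmp/resolv_conf.vpn"                    # file dnsmasq reads while VPN is up
DEFAULT_RESOLV="/tmp/resolv.conf.d/resolv.conf.auto" # OpenWrt's normal resolvfile

# Print resolv.conf lines for the DNS and DOMAIN dhcp-options found in the
# foreign_option_N variables; every other option (NTP, WINS, ...) is ignored.
vpn_dns_from_env() {
    i=1
    while true; do
        eval "opt=\${foreign_option_$i}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)    set -- $opt; echo "nameserver $3" ;;
            "dhcp-option DOMAIN "*) set -- $opt; echo "search $3" ;;
        esac
        i=$((i + 1))
    done
}

# Write the resolv file; returns 1 and writes nothing when no DNS server was
# supplied at all, so dnsmasq is never left without any upstream.
write_vpn_resolv() {
    file="$1"
    lines=$(vpn_dns_from_env)
    echo "$lines" | grep -q '^nameserver ' || return 1
    printf '# generated by the OpenVPN up script\n%s\n' "$lines" > "$file"
}

# Switch dnsmasq's resolvfile; only does something where uci exists (OpenWrt).
set_resolvfile() {
    command -v uci >/dev/null 2>&1 || return 0
    uci set dhcp.@dnsmasq[0].resolvfile="$1"
    uci commit dhcp
    /etc/init.d/dnsmasq restart
}

case "$script_type" in
    up)   write_vpn_resolv "$VPN_RESOLV" && set_resolvfile "$VPN_RESOLV" ;;
    down) rm -f "$VPN_RESOLV"; set_resolvfile "$DEFAULT_RESOLV" ;;
esac
```

Referenced from the client config with up and down lines (OpenVPN also requires script-security 2 for that), it leaves dnsmasq reading only the VPN DNS server while the tunnel is up and restores the default resolvfile when it goes down.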

Hi @egc! Thanks a lot for getting back to me so quickly! Amazing to see that OpenWrt has such a great community to help us newbies out :slight_smile:
I am using a TP-Link router that is not flashed with any custom firmware, so it seems that I don't have access to any server configuration file except the options provided through the GUI, which are limited.
So in the meantime I tried the following:

  1. I tried to add dhcp-option DOMAIN ls but it breaks my connection - no connection is established for some reason. Without this line and only with dhcp-option DNS 10.1.1.3 it connects
  2. I took a look at the script that you sent over - and it seems to be targeting WireGuard and pushed DNS from the server - which I cannot set
  3. I tried setting the 10.1.1.1 in the /tmp/resolv.conf.d/resolv.conf.auto but no luck
  4. I also tried setting the list dns 10.1.1.3 in the /etc/config/network under the lan interface but no luck..
    If any of the options above don't make sense - please excuse me, I am setting any option suggested online which might not make sense, so metaphorically speaking I am shooting in the dark with a shotgun :slight_smile:

Hmm, I have these options in my .ovpn file and it works on my side (among others of course):

dhcp-option DNS 192.168.9.1
dhcp-option DOMAIN home9

and it does not seem to break anything on my side, so not sure what is going on.

There is both a script for WireGuard and one for OpenVPN.

Hi @egc! Thanks a lot for pointing out the right script.
I have done the following:

  1. cd /etc/openvpn
  2. wget https://raw.githubusercontent.com/egc112/OpenWRT-egc-add-on/main/stop-dns-leak/ovpn-up-update-resolv-5
  3. chmod +x /etc/openvpn/ovpn-up-update-resolv-5
  4. added the lines to my OpenVPN config file - the client one
    ...
    dhcp-option DNS 10.1.1.3
    dhcp-option DOMAIN ls
    up /etc/openvpn/ovpn-up-update-resolv-5
    down /etc/openvpn/ovpn-up-update-resolv-5

    ...
  5. uploaded the config, enabled the connection and rebooted

What I have noticed:

  1. the queries take a long time to resolve - google.com is loaded after 10s of delay
  2. on the local machine connected to the OpenWRT I get the following:
    nslookup google.com
    Server: UnKnown
    Address: fd91:7e6d:f848::1
    *** UnKnown can't find google.com: No response from server
    and:
    nslookup home.ls
    Server: UnKnown
    Address: fd91:7e6d:f848::1
    *** UnKnown can't find home.ls: No response from server
    on the Raspberry Pi I get the following:

nslookup home.ls
nslookup: write to '127.0.0.1': Connection refused
nslookup: write to '::1': Connection refused
;; connection timed out; no servers could be reached

and

nslookup google.com
nslookup: write to '127.0.0.1': Connection refused
nslookup: write to '::1': Connection refused
;; connection timed out; no servers could be reached

  3. on the machine connected to OpenWRT I cannot load the home.ls page or any .ls domain on the home network

Your help so far is highly appreciated! Thank you so much and happy holidays!

Note

  1. You should test a VPN client from outside, e.g. via your phone as hotspot on cellular.
  2. DNS servers like pihole etc. often only listen to their own subnet and will not listen to other (e.g. VPN) subnets unless specifically instructed

You can check if the script is working by looking for /tmp/resolv_conf.vpn
that file should contain the DNS servers pushed by the VPN server and/or the DNS servers added in the OpenVPN config file (.ovpn)

Next check if DNSmasq is actually using this file:
cat /etc/config/dhcp or uci get dhcp.@dnsmasq[0].resolvfile

You can also check if the DNS servers are actually routed via the VPN with: 'ip ro'

I have a Mullvad VPN client running which is pushing a DNS server 10.15.0.1.

My normal DNS servers (set on the WAN interface) are 9.9.9.9 and 1.0.0.1

But after my VPN is up I have got this

root@DL-WRX36:~# uci get dhcp.@dnsmasq[0].resolvfile
/tmp/resolv_conf.vpn

root@DL-WRX36:~# cat /tmp/resolv_conf.vpn
nameserver 10.15.0.1

root@DL-WRX36:~# ip ro get 10.15.0.1
10.15.0.1 dev tun0 src 10.15.0.12 uid 0
    cache

which shows it is working and the DNS server 10.15.0.1 from Mullvad is used

Hi @egc! Thanks again for all the help.
I have followed your instructions so again - script downloaded, made executable, referenced in the config file with up and down alongside the dhcp-option DNS 10.1.1.3 and dhcp-option DOMAIN ls.
I am using AdGuard as my DNS server - so I double-checked which IP address the router assigns to the connected client over VPN. It is i.e. 192.0.1.6, checked the AdGuard settings and whitelisted the 192.0.0.0/8 subnet - https://uploads.adguard.com/up04_x7u8m_AdGuard_Home.png - some example I found online how to do it. Again assuming this does the job.

So I double-checked the cat /etc/config/dhcp:
...
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
option resolvfile '/tmp/resolv_conf.vpn'
list server '10.1.1.3'
list server '/mydomain.com/10.1.1.3'
...

no other interface is referencing my DNS server IP.

ran the: uci get dhcp.@dnsmasq[0].resolvfile
/tmp/resolv_conf.vpn

ran the cat /tmp/resolv_conf.vpn
nameserver 10.1.1.3
nameserver 192.1.0.1
nameserver 8.8.8.8

ran nslookup google.com
nslookup: write to '127.0.0.1': Connection refused
nslookup: write to '::1': Connection refused
;; connection timed out; no servers could be reached

Do you have any other ideas?

Update:
I also checked the VPN from the OpenVPN client app as well as the mobile phone. It seems that the DNS resolution is working fine on both. - the laptop gets assigned the IP from the same 192.x.x.x subnet, so I assume AdGuard is not blocking the query
nslookup home.ls
Server: UnKnown
Address: 10.1.1.11

Non-authoritative answer:
Name: home.ls
Address: 10.1.1.11