Have OpenVPN but DNS not being forwarded

Hi, I'm not a network engineer but spent many years getting an OpenWRT OpenVPN server running at my home OpenWRT router to access from Windows 7/10 on the road. But I don't believe the DNS is being forwarded. I believe this because my local ISP DNS shows up that I am connected on the Win 7 laptop when doing leak tests. The client is Windows 7 and the server is a Buffalo 32/64M version. Can anyone offer a suggestion to resolve this without my having to understand routing tables and complicated trace routines?

Portion of Client ovpn file: (remote router gateway address: 192.168.7.1)

remote-cert-tls server
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.7.1"

Portion of Server ovpn file:
	option port '1194'
	option proto 'udp'
	option dev 'tun'
	option server '10.8.0.0 255.255.255.0'
	list push 'route 192.168.7.0 255.255.255.0'
	list push 'redirect-gateway def1'
	list push 'dhcp-option DNS 192.168.7.1'

The firewall on the OpenVPN server allows LAN to VPN and VPN to LAN, plus an open 1194 port on the WAN. The IP address changes to the remote OpenVPN server (my home network IP is the one shown) but the DNS is still defaulting to the one on the laptop client, as reported by leaktest websites.

https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#dns_over_vpn
Also, your client config is incorrect because it should not push settings and those push lines are redundant anyway.

Thanks, I removed the 2 push lines from the client config, everything still works but when I check speedtest, the IP is of the remote OpenVPN server but dnsleaktest still shows the ISP that the laptop is attached to.

head -n -0 /etc/resolv.* /tmp/resolv.*

fwiw, if 'ipconfig /all' command shows your DNS servers are correctly listed in Windows, a quick google search reveals you may perhaps have to alter the metric on the LAN interface of your Windows computer to solve your DNS resolver issue.

Other observations:

Adding block-outside-dns causes all DNS resolution to stop.

Regarding changing metrics, I have done this: https://arador.com/how-to-install-discourse-in-an-lxd-docker-container/

It may be when the block-outside-dns actually is working and the remote server is then not handling the DNS request. It's hard to diagnose when you have no mental base to compare it to or experience to know what is good vs. bad and right vs. wrong. Still searching and experimenting.

Note that ipconfig /all shows 192.168.7.1 for the TAP to be the sole DNS server which to me would seem logical as bill888 says that it would be resolving through that. Note that this address is the address of the remote router and if I link to it I get luci on the remote router on the other side of the tunnel.

Establish the VPN connection and check from the VPN client:

nslookup openwrt.org
nslookup openwrt.org 192.168.7.1

Here is the response:
C:\Windows\system32>nslookup openwrt.org
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.7.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

C:\Windows\system32>nslookup openwrt.org 192.168.7.1
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.7.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

Something has failed with this forum where I cannot properly edit or mark special text any longer.

Either DNS server is not listening on the VPN interface, or it is blocked by firewall.

Here is the dhcp config of the openwrt openvpn server (v 18.06.4):

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Only the port 1194 is open on the OpenWRT OpenVPN server and not 53 but I was thinking 53 came through the tunnel.
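As an added example (not code from the thread or from OpenWrt), the following Python script reads UCI text in the same format as the dhcp and server snippets posted above and reports the settings that turned out to matter here: whether the server pushes a DNS server and a route or redirect-gateway that makes it reachable through the tunnel, and whether dnsmasq's localservice is still '1'. The sample configs, the parse_uci() helper, the finding codes and the 192.168.7.1/24 LAN prefix are all constructed assumptions based on the values in this thread.

```python
"""Static check of DNS-over-VPN settings in OpenWrt UCI configs (added example)."""
import ipaddress
import re

# Constructed samples modelled on the dhcp and openvpn snippets in the thread.
DHCP_CONFIG = """\
config dnsmasq
    option rebind_protection '1'
    option localservice '1'
    option nonwildcard '1'

config dhcp 'lan'
    option interface 'lan'
"""

OPENVPN_CONFIG = """\
config openvpn 'server'
    option port '1194'
    option proto 'udp'
    option dev 'tun'
    option server '10.8.0.0 255.255.255.0'
    list push 'route 192.168.7.0 255.255.255.0'
    list push 'redirect-gateway def1'
    list push 'dhcp-option DNS 192.168.7.1'
"""

_SECTION_RE = re.compile(r"config\s+(\S+)(?:\s+'?([^'\s]+)'?)?\s*$")
_ENTRY_RE = re.compile(r"(option|list)\s+(\S+)\s+'([^']*)'\s*$")


def parse_uci(text):
    """Return [(section_type, section_name, {key: [values, ...]}), ...]."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), m.group(2), {}))
            continue
        m = _ENTRY_RE.match(line)
        if m and sections:
            # 'option' and 'list' are both stored as lists so that several
            # 'list push' lines accumulate in order.
            sections[-1][2].setdefault(m.group(2), []).append(m.group(3))
    return sections


def check_dns_over_vpn(dhcp_text, openvpn_text, lan_cidr="192.168.7.1/24"):
    """Return a list of (code, explanation) findings; an empty list means no issue found.

    lan_cidr is the router's LAN address and prefix (assumed from the thread's
    192.168.7.1 gateway; pass your own).
    """
    findings = []
    dnsmasq = next((s for t, _, s in parse_uci(dhcp_text) if t == "dnsmasq"), {})
    openvpn = next((s for t, _, s in parse_uci(openvpn_text) if t == "openvpn"), {})
    pushes = openvpn.get("push", [])
    lan = ipaddress.ip_interface(lan_cidr)

    # 1. Is a resolver pushed at all? Without it clients keep their local one.
    pushed_dns = [p.split()[2] for p in pushes
                  if p.startswith("dhcp-option DNS ") and len(p.split()) == 3]
    if not pushed_dns:
        findings.append(("NO_DNS_PUSH",
                         "no 'dhcp-option DNS' pushed: clients keep the resolver "
                         "of the network they are physically attached to"))

    # 2. Does client traffic (including DNS) have a path through the tunnel?
    redirect = any(p.startswith("redirect-gateway") for p in pushes)
    lan_routed = any(p.startswith("route ") and
                     ipaddress.ip_address(p.split()[1]) in lan.network
                     for p in pushes)
    if not redirect:
        findings.append(("NO_REDIRECT",
                         "no 'redirect-gateway' pushed: only routed subnets go "
                         "through the tunnel"))
    for addr in pushed_dns:
        reachable = redirect or (ipaddress.ip_address(addr) in lan.network and lan_routed)
        if not reachable:
            findings.append(("DNS_UNREACHABLE",
                             f"pushed DNS server {addr} has neither a redirect-gateway "
                             "nor a pushed route covering it"))

    # 3. dnsmasq access restriction. OpenWrt's init script treats a missing
    #    localservice as '1' (assumption); the thread's VPN clients timed out
    #    until it was set to '0'.
    if dnsmasq.get("localservice", ["1"])[0] == "1":
        findings.append(("LOCALSERVICE",
                         "dnsmasq localservice '1': queries are only answered from "
                         "subnets dnsmasq regards as local, which excluded the VPN "
                         "clients in this thread"))
    return findings


if __name__ == "__main__":
    for code, why in check_dns_over_vpn(DHCP_CONFIG, OPENVPN_CONFIG) or [("OK", "no findings")]:
        print(f"{code}: {why}")
```

Run it against the two files copied from the router (/etc/config/dhcp and /etc/config/openvpn) by passing their contents to check_dns_over_vpn(); on the sample above it reports only LOCALSERVICE, which is the setting the thread ended up changing.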

I changed localservice to '0' on the remote OpenVPN server, rebooted the remote server and now I get the following from the command line query on the Windows 7 client while attached to the remote server via OpenVPN:

C:\Windows\system32>nslookup openwrt.org
Server:  OpenWrt.lan
Address:  192.168.7.1

Non-authoritative answer:
Name:    openwrt.org
Addresses:  2a03:b0c0:3:d0::1af1:1
          139.59.209.225
C:\Windows\system32>nslookup openwrt.org 192.168.7.1
Server:  OpenWrt.lan
Address:  192.168.7.1

Non-authoritative answer:
Name:    openwrt.org
Addresses:  2a03:b0c0:3:d0::1af1:1
          139.59.209.225

However, with the Windows 7 client profile set as normal, the dnsleaktest still shows the local DNS server name.

If I go into the Windows 7 client profile and set the parameter to "block-outside-dns", then the following conditions appear:

a) no DNS resolution takes place
b) the results of the two nslookup commands still yield exactly the same output even though normal DNS resolution does not occur

Other notes: the Windows Local Network 2 (TUN) has been moved to the top of the queue, and the Metric setting has had the "Automatic" box un-checked and the hop changed to "1".

I have resolved the issue. The combination of this got the remote server name resolution working:
Set remote OpenVPN server dhcp configuration file

option localservice '1'

to: option localservice '0'

This worked along with the combination of these two steps which have been recommended in various searches:

Under Windows 7, Control Panel, Network and Internet, Network Connections, (select TAP windows adapter) Click Advanced on tool bar (right click and set toolbar on if it is off), move TAP adapter to the top of the list,

Under Windows 7, Control Panel\Network and Internet\Network Connections, right click on TAP virtual adapter, select Properties, double click Internet Protocol Version 4, click Advanced, un-check "Automatic" and change metric to "1"

Now this works.

I was here "once before" but I found that somehow during my iterations of testing, in the virtual TAP adapter settings, the IP address of my remote OpenVPN server had got listed as the TAP adapter DNS server. Restoring it to "Obtain automatically" resolved the issue.

Dnsleak now shows the DNS servers of my remote OpenVPN server.

Thank you profusely to all of those who helped. Also, Windows 10 users who may land here in the future, realize there are a couple of extra things you will need to do if what I read is accurate. If Windows 10, please pass by here:


Here is another tip for people debugging DNS problems. I found a tool called DNSquerySniffer that is a stand-alone program which can be started in multiple instances. In other words the program exe is a simple click-and-run and doesn't load the app into Windows itself. You start it twice, once with the TAP adapter selected and the next time with the LAN (not the TAP virtual one, usually LAN adapter 2); for the second instance of the program, select the adapter you are using, either the wired LAN ethernet connector if your system is hard wired or the wireless adapter if you are running wireless. This shows you when and if DNS queries are going out and on which adapter.

Most likely, this is a Windows-specific TAP-related issue.
When I tested TUN Windows client some time ago, block-outside-dns was enough to resolve DNS leak.
