OpenConnect works but no DNS

I can VPN into my network with OpenConnect but DNS resolution does not work.
I'm able to http and ssh to my router and connect to devices on my home network, but only by IP address. Below is what happens when I try to do a DNS lookup over the VPN via the router which is at 192.168.1.1 through my split tunnel.

O N T H E C L I E N T :

C:\Users\spooky>nslookup
DNS request timed out.
    timeout was 2 seconds.
Default Server:  UnKnown
Address:  192.168.1.1

> nas.internal.home
Server:  UnKnown
Address:  192.168.1.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
> exit

C:\Users\spooky>ipconfig /all
Windows IP Configuration
    Host Name . . . . . . . . . . . . : MK026MA1
    Primary Dns Suffix  . . . . . . . : VIHI.CA
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : VIHI.CA
                                        dynamic.VIHI.ca

Ethernet adapter Local Area Connection 3:
    Connection-specific DNS Suffix  . :
    Description . . . . . . . . . . . : TAP-Windows Adapter V9
    Physical Address. . . . . . . . . : 00-FF-7D-39-77-35
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : 
    IPv4 Address. . . . . . . . . . . : 192.168.200.193(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . : 192.168.1.1
                                        192.168.0.1
                                        8.8.8.8
    NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:
    Connection-specific DNS Suffix  . : dynamic.VIHI.ca
    Description . . . . . . . . . . . : Intel(R) Ethernet Connection (2) I218-LM
    Physical Address. . . . . . . . . : 44-39-C7-51-9B-E4
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : 
    IPv4 Address. . . . . . . . . . . : 10.32.70.252(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.254.0
    Lease Obtained. . . . . . . . . . : February-11-19 3:09:58 PM
    Lease Expires . . . . . . . . . . : March-13-19 12:41:38 PM
    Default Gateway . . . . . . . . . : 10.32.70.1
    DHCP Server . . . . . . . . . . . : 192.168.3.5
    DNS Servers . . . . . . . . . . . : 192.168.3.46
                                        192.168.3.38
                                        192.168.3.254
                                        192.168.3.246
    Primary WINS Server . . . . . . . : 192.168.3.46
    Secondary WINS Server . . . . . . : 192.168.3.38
                                        192.168.3.254
                                        192.168.3.246
    NetBIOS over Tcpip. . . . . . . . : Enabled

O N T H E R O U T E R :

root@corezero:/etc/config# cat ocserv
config ocserv 'config'
         option dpd '180'
         option max_clients '8'
         option max_same '2'
         option zone 'vpn'
         option auth 'plain'
         option compression '1'
         option ipaddr '192.168.200.0'
         option netmask '255.255.255.0'
         option enable '1'
         option port '443'
         option split_dns '1'
         option default_domain 'internal.home'
         option _ca ' '
config dns
         option ip '192.168.1.1'
config dns
         option ip '192.168.0.1'
config dns
         option ip '8.8.8.8'
config routes
         option ip '192.168.1.0'
         option netmask '255.255.255.0'
config routes
         option ip '192.168.0.0'
         option netmask '255.255.255.0'
config ocservusers
         option name 'user'
         option password '$1$48912178$ivc3ob61Wf.95pkGYJcjk0'
config ocservusers

root@corezero:/etc/config# cat dhcp
config dnsmasq
         option domainneeded '1'
         option boguspriv '1'
         option filterwin2k '0'
         option localise_queries '1'
         option rebind_protection '1'
         option rebind_localhost '1'
         option expandhosts '1'
         option nonegcache '0'
         option authoritative '1'
         option readethers '1'
         option leasefile '/tmp/dhcp.leases'
         option resolvfile '/tmp/resolv.conf.auto'
         option nonwildcard '1'
         option localservice '1'
         option local '/internal.home/'
         option domain 'internal.home'
config dhcp 'lan1'
         option interface 'lan1'
         option start '100'
         option leasetime '12h'
         option dhcpv6 'server'
         option ra 'server'
         option limit '50'
config dhcp 'lan0'
        option interface 'lan0'
        option start '100'
        option limit '50'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
config dhcp 'wan'
         option interface 'wan'
         option ignore '1'
config odhcpd 'odhcpd'
         option maindhcp '0'
         option leasefile '/tmp/hosts/odhcpd'
         option leasetrigger '/usr/sbin/odhcpd-update'
         option loglevel '4'
config domain
         option name 'printer'
         option ip '192.168.1.252'

Any idea why the DNS service on the router doesn't respond through VPN?
Thanks ...Stepan

https://openwrt.org/docs/guide-user/base-system/dns_configuration

1 Like
  • Did you ACCEPT INPUT to the router from the tunnel firewall zone?
  • Who are 192.168.0.1 and 192.168.1.1?
  • Why do you additionally use 8.8.8.8?
  • Where is the 192.168.3.0 network!?!?
  • Where is the 10.32.64.0/21 network!?!?
  • 192.168.200.0 in the /24 is not a valid IP address in that case, it's a network identification number
  • Why do your config routes have no source or destination interfaces?

  • It seems you've failed to provide enough informaiton to assist you.
  • Thanks for editing your post to use the </> button to place your data in codeboxes

2 Likes

Wow, that's a huge red flag but I'm not sure how to fix it. My router has 4 separate VLANS on 4 different subnets 192.168.0/1/2/3.0 and these are served by DHCP so therefore the DNS server knows about them. The VPN on the other hand is being served a DHCP address by OCserver on subnet 192.168.200.0 and therefore the DNS does not know that it's also a local subnet. I've read through the information you linked but I don't see any way to tell DNS that 192.168.200.0 is a local subnet,or that interface "vpns+" is local.

config zone 'zone_vpn'
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'vpn'
        option device 'vpns+'

Yes I did accept input, and in fact I can connect to other services on my router, just not to DNS.

192.168.0.1 and 192.168.1.1 are two subnets which are local to my home router.

192.168.3.0 is at the network away from home. These are not my subnets.

10.32.64.0/21 is on the network away from home. It's not one of my home subnets.

192.168.200.0 is assigned to my VPN client by OCserver, so the machine from which I'm VPN'ing has this address and also 10.32.70.252 being a split tunnel.

The routes have no source r destination interfaces because it's a TAP device.

Thanks.

If you don't masquerade on the far-end, you need to make a route there. It's also important information if they exist on the OpenWrt router, or downstream.

Don't see how it was involved, thanks for the clarity. I also don't see on the client where you established a connection, then.

So?
You still have to say in a route [on a Layer 3 device] what interface the network is on.

That doesn't change that .0 is invalid as an IP; and so this means they assigned you a network?
You need to fix it.

  • Then you can use the valid IP you assign as your DNS server.

:wink:

2 Likes

Not quite so bleak, OCserver has assigned 192.168.200.193 to me per my initial post.

OK then this is what you use...and you enable masquerade on it's firewall Interface.

But where does the Windows computer come in here???

To be clear, we are working with OpenWrt, correct???

Where does this "OCserver" become involved with a remote Windows machine???

That's not it: All other connectivity is working, only DNS does not want to reply. My problem must be related to "localservice" in the post by vgaetera directly below my opening post. I just don't know how to fix that. I suppose I could configure DHCP on 192.168.200.0 but that would screw up OCservers built-in DHCP server.

WTF are you talking about!?!?

Are you linking link your personal VPN Interface to your VPN provider????

That's ocserv which is OpenWRT's official OpenConnect server daemon. This VPN service is running on my router, it's not a VPN service provider at all.

For a Class C, yes.

1 Like

Let'e be clear here for the OP; because you're correct too.

1 Like

Okay, basic orientation: I'm at work on a windows machine, using OpenConnect client on Windows to connect to my OpenWRT router running ocserv. Everything works great except my router's DNS service is refusing to respond to DNS queries from my PC at work. lol :blush:

Then, again:

  • assign a proper IP to the 200.0 VPN
  • use ONLY that router's IP as the DNS server
  • Done!

That's exactly what I've done, the IP assigned by ocserv being 192.168.200.193 as can be seen from my original post. The following must be the problem, I just don't know how to fix it:

And thanks for your efforts everyone. I appreciate all the troubleshooting and suggestions.

Is this valid?


Regardless...

Then why haven't you assigned this IP as the DNS server???

Again, assign the 192.168.200.x IP as the ONLY DNS server; and inform us of your results.

Regarding "Is this valid? vpns+":

Yes, certainly per below:

FROM /etc/config/network:

config interface 'vpn'
	option proto 'none'
	option ifname 'vpns+'

FROM /etc/config/firewall:

config zone 'zone_vpn'
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'vpn'
	option device 'vpns+'

Regarding " use ONLY that router's IP as the DNS server":

Yes, that's what's currently configured per the Windows10 ipconfig code snippet in my initial post. Router config info below shows that the router has 5 IP addresses and I can confirm that all of them respond to DNS queries when I'm at home:

FROM /etc/config/network:

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option macaddr '58:6D:8F:2E:0E:D1'

config interface 'lan2'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ifname 'eth0.3'
	option ipaddr '192.168.2.1'
	option macaddr '48:F8:B3:8E:E0:F7'

config interface 'lan3'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ifname 'eth0.4'
	option ipaddr '192.168.3.1'
	option macaddr '48:F8:B3:8D:E1:F7'

config interface 'lan4'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ifname 'eth0.5'
	option ipaddr '192.168.0.1'
	option macaddr '48:F8:B3:5D:E0:F7'

config interface 'lan5'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.4.1'

Regarding " Again, assign the 192.168.200.x IP as the ONLY DNS server; and inform us of your results."

Okay, if I'm understanding correctly then tomorrow when I get to work, I'll connect to my home VPN and will query DNS on 192.168.200.1 instead of on 192.168.1.1 or 192.168.1.2 but I'm thinking it won't work because 192.168.200.1 is not defined on any network interface and the router doesn't have any IP on the 200 subnet. The hope is that it will come out at the router end as 192.168.1.1 but I'm not holding my breath overnight because I can't see why it would do that.

EXTRA:

I will also try setting localservice to off, but I'm not crazy about that solution from a security perspective.

config dnsmasq
option localservice '1'

No, it's not.

You need to fix that.

Those are on the local interface, not on my VPN interface. I'll disable the local interface DNS servers completely and that will leave only the the VPN interface in place, which already references the correct servers.

It's a split tunnel so I do need to be able to resolve DNS both via my router and by the DNS servers at my place of work.

...thanks, I'll try all these things and will report back tomorrow.