I can VPN into my network with OpenConnect but DNS resolution does not work.
I'm able to http and ssh to my router and connect to devices on my home network, but only by IP address. Below is what happens when I try to do a DNS lookup over the VPN via the router which is at 192.168.1.1 through my split tunnel.
Wow, that's a huge red flag but I'm not sure how to fix it. My router has 4 separate VLANS on 4 different subnets 192.168.0/1/2/3.0 and these are served by DHCP so therefore the DNS server knows about them. The VPN on the other hand is being served a DHCP address by OCserver on subnet 192.168.200.0 and therefore the DNS does not know that it's also a local subnet. I've read through the information you linked but I don't see any way to tell DNS that 192.168.200.0 is a local subnet, or that interface "vpns+" is local.
Yes I did accept input, and in fact I can connect to other services on my router, just not to DNS.
192.168.0.1 and 192.168.1.1 are two subnets which are local to my home router.
192.168.3.0 is at the network away from home. These are not my subnets.
10.32.64.0/21 is on the network away from home. It's not one of my home subnets.
192.168.200.0 is assigned to my VPN client by OCserver, so the machine from which I'm VPN'ing has this address and also 10.32.70.252 being a split tunnel.
The routes have no source or destination interfaces because it's a TAP device.
If you don't masquerade on the far-end, you need to make a route there. It's also important information if they exist on the OpenWrt router, or downstream.
Don't see how it was involved, thanks for the clarity. I also don't see on the client where you established a connection, then.
So?
You still have to say in a route [on a Layer 3 device] what interface the network is on.
That doesn't change that .0 is invalid as an IP; and so this means they assigned you a network? You need to fix it.
Then you can use the valid IP you assign as your DNS server.
That's not it: All other connectivity is working, only DNS does not want to reply. My problem must be related to "localservice" in the post by vgaetera directly below my opening post. I just don't know how to fix that. I suppose I could configure DHCP on 192.168.200.0 but that would screw up OCserver's built-in DHCP server.
Okay, basic orientation: I'm at work on a windows machine, using OpenConnect client on Windows to connect to my OpenWRT router running ocserv. Everything works great except my router's DNS service is refusing to respond to DNS queries from my PC at work. lol
That's exactly what I've done, the IP assigned by ocserv being 192.168.200.193 as can be seen from my original post. The following must be the problem, I just don't know how to fix it:
And thanks for your efforts everyone. I appreciate all the troubleshooting and suggestions.
FROM /etc/config/network:
config interface 'vpn'
	option proto 'none'
	option ifname 'vpns+'
FROM /etc/config/firewall:
config zone 'zone_vpn'
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'vpn'
	option device 'vpns+'
Regarding " use ONLY that router's IP as the DNS server":
Yes, that's what's currently configured per the Windows 10 ipconfig code snippet in my initial post. Router config info below shows that the router has 5 IP addresses and I can confirm that all of them respond to DNS queries when I'm at home:
Regarding " Again, assign the 192.168.200.x IP as the ONLY DNS server; and inform us of your results."
Okay, if I'm understanding correctly then tomorrow when I get to work, I'll connect to my home VPN and will query DNS on 192.168.200.1 instead of on 192.168.1.1 or 192.168.1.2 but I'm thinking it won't work because 192.168.200.1 is not defined on any network interface and the router doesn't have any IP on the 200 subnet. The hope is that it will come out at the router end as 192.168.1.1 but I'm not holding my breath overnight because I can't see why it would do that.
EXTRA:
I will also try setting localservice to off, but I'm not crazy about that solution from a security perspective.
Those are on the local interface, not on my VPN interface. I'll disable the local interface DNS servers completely and that will leave only the VPN interface in place, which already references the correct servers.
It's a split tunnel so I do need to be able to resolve DNS both via my router and by the DNS servers at my place of work.
...thanks, I'll try all these things and will report back tomorrow.
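The "localservice" behaviour the thread keeps circling back to is dnsmasq's `--local-service` rule (OpenWrt's `option localservice` in the dnsmasq section of /etc/config/dhcp): the resolver answers only clients whose source address falls inside a subnet configured on one of the router's own interfaces. Since the vpns+ device on the router carries no address in 192.168.200.0/24, a query arriving from 192.168.200.193 is refused even though the firewall zone accepts it. The script below is an added illustration written for this page, not code from the thread or from dnsmasq; it emulates that subnet check in POSIX sh with constructed router addresses (three home VLANs and, optionally, an address on the vpn interface) so the refusal and the fix can be seen side by side.

```shell
#!/bin/sh
# Added example, not code from the thread or from dnsmasq: a small emulation of
# dnsmasq's "local-service" rule, which answers DNS only for clients whose
# source address lies in a subnet configured on one of the router's interfaces.
# All addresses below are constructed for the demonstration.

# ip2int DOTTED_QUAD -> prints the address as a 32-bit integer
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet CLIENT_IP CIDR -> exit status 0 if CLIENT_IP falls inside CIDR
# (a bare address without a prefix length is treated as /32)
in_subnet() {
    client=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    case $2 in
        */*) bits=${2#*/} ;;
        *)   bits=32 ;;
    esac
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( client & mask )) -eq $(( net & mask )) ]
}

# localservice_allows CLIENT_IP "CIDR CIDR ..." -> prints allow or refuse
# The second argument is the list of addresses the router holds on its
# interfaces, which is the set dnsmasq derives its "local" subnets from.
localservice_allows() {
    for cidr in $2; do
        if in_subnet "$1" "$cidr"; then
            echo allow
            return 0
        fi
    done
    echo refuse
    return 0
}

# Constructed router addresses: three home VLANs, nothing on the vpns+ device.
ROUTER_ADDRS="192.168.0.1/24 192.168.1.1/24 192.168.2.1/24"

echo "LAN client 192.168.1.50:                $(localservice_allows 192.168.1.50 "$ROUTER_ADDRS")"
echo "VPN client 192.168.200.193, no vpn IP:  $(localservice_allows 192.168.200.193 "$ROUTER_ADDRS")"
echo "VPN client with 192.168.200.1/24 added: $(localservice_allows 192.168.200.193 "$ROUTER_ADDRS 192.168.200.1/24")"
echo "Work-network client 10.32.70.252:       $(localservice_allows 10.32.70.252 "$ROUTER_ADDRS 192.168.200.1/24")"
```

Two things follow from the emulation. Giving the router an address inside the VPN pool (the 192.168.200.1/24 case above) makes the VPN clients "local" while leaving the rule in place, so the resolver is still closed to everything else. Turning localservice off instead opens the resolver to every source whose zone has `input 'ACCEPT'`, which is why, if that route is taken, DNS on port 53 should be limited to the lan and vpn zones with explicit firewall rules rather than left to the zone-wide accept shown in the config above.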