OpenConnect works but no DNS

Stepan · February 20, 2019, 10:04pm

I can VPN into my network with OpenConnect but DNS resolution does not work.
I'm able to http and ssh to my router and connect to devices on my home network, but only by IP address. Below is what happens when I try to do a DNS lookup over the VPN via the router which is at 192.168.1.1 through my split tunnel.

O N T H E C L I E N T :

C:\Users\spooky>nslookup
DNS request timed out.
    timeout was 2 seconds.
Default Server:  UnKnown
Address:  192.168.1.1

> nas.internal.home
Server:  UnKnown
Address:  192.168.1.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
> exit

C:\Users\spooky>ipconfig /all
Windows IP Configuration
    Host Name . . . . . . . . . . . . : MK026MA1
    Primary Dns Suffix  . . . . . . . : VIHI.CA
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : VIHI.CA
                                        dynamic.VIHI.ca

Ethernet adapter Local Area Connection 3:
    Connection-specific DNS Suffix  . :
    Description . . . . . . . . . . . : TAP-Windows Adapter V9
    Physical Address. . . . . . . . . : 00-FF-7D-39-77-35
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : 
    IPv4 Address. . . . . . . . . . . : 192.168.200.193(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . : 192.168.1.1
                                        192.168.0.1
                                        8.8.8.8
    NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:
    Connection-specific DNS Suffix  . : dynamic.VIHI.ca
    Description . . . . . . . . . . . : Intel(R) Ethernet Connection (2) I218-LM
    Physical Address. . . . . . . . . : 44-39-C7-51-9B-E4
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : 
    IPv4 Address. . . . . . . . . . . : 10.32.70.252(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.254.0
    Lease Obtained. . . . . . . . . . : February-11-19 3:09:58 PM
    Lease Expires . . . . . . . . . . : March-13-19 12:41:38 PM
    Default Gateway . . . . . . . . . : 10.32.70.1
    DHCP Server . . . . . . . . . . . : 192.168.3.5
    DNS Servers . . . . . . . . . . . : 192.168.3.46
                                        192.168.3.38
                                        192.168.3.254
                                        192.168.3.246
    Primary WINS Server . . . . . . . : 192.168.3.46
    Secondary WINS Server . . . . . . : 192.168.3.38
                                        192.168.3.254
                                        192.168.3.246
    NetBIOS over Tcpip. . . . . . . . : Enabled

O N T H E R O U T E R :

root@corezero:/etc/config# cat ocserv
config ocserv 'config'
         option dpd '180'
         option max_clients '8'
         option max_same '2'
         option zone 'vpn'
         option auth 'plain'
         option compression '1'
         option ipaddr '192.168.200.0'
         option netmask '255.255.255.0'
         option enable '1'
         option port '443'
         option split_dns '1'
         option default_domain 'internal.home'
         option _ca ' '
config dns
         option ip '192.168.1.1'
config dns
         option ip '192.168.0.1'
config dns
         option ip '8.8.8.8'
config routes
         option ip '192.168.1.0'
         option netmask '255.255.255.0'
config routes
         option ip '192.168.0.0'
         option netmask '255.255.255.0'
config ocservusers
         option name 'user'
         option password '$1$48912178$ivc3ob61Wf.95pkGYJcjk0'
config ocservusers

root@corezero:/etc/config# cat dhcp
config dnsmasq
         option domainneeded '1'
         option boguspriv '1'
         option filterwin2k '0'
         option localise_queries '1'
         option rebind_protection '1'
         option rebind_localhost '1'
         option expandhosts '1'
         option nonegcache '0'
         option authoritative '1'
         option readethers '1'
         option leasefile '/tmp/dhcp.leases'
         option resolvfile '/tmp/resolv.conf.auto'
         option nonwildcard '1'
         option localservice '1'
         option local '/internal.home/'
         option domain 'internal.home'
config dhcp 'lan1'
         option interface 'lan1'
         option start '100'
         option leasetime '12h'
         option dhcpv6 'server'
         option ra 'server'
         option limit '50'
config dhcp 'lan0'
        option interface 'lan0'
        option start '100'
        option limit '50'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
config dhcp 'wan'
         option interface 'wan'
         option ignore '1'
config odhcpd 'odhcpd'
         option maindhcp '0'
         option leasefile '/tmp/hosts/odhcpd'
         option leasetrigger '/usr/sbin/odhcpd-update'
         option loglevel '4'
config domain
         option name 'printer'
         option ip '192.168.1.252'

Any idea why the DNS service on the router doesn't respond through VPN?
Thanks ...Stepan

vgaetera · February 20, 2019, 10:16pm

lleachii · February 20, 2019, 10:19pm

Did you ACCEPT INPUT to the router from the tunnel firewall zone?
Who are 192.168.0.1 and 192.168.1.1?
Why do you additionally use 8.8.8.8?
Where is the 192.168.3.0 network!?!?
Where is the 10.32.64.0/21 network!?!?
192.168.200.0 in the /24 is not a valid IP address in that case, it's a network identification number
Why do your config routes have no source or destination interfaces?

It seems you've failed to provide enough informaiton to assist you.
Thanks for editing your post to use the </> button to place your data in codeboxes

Per the Community Guidelines, please refrain from signing your posts

Stepan · February 21, 2019, 1:16am

Wow, that's a huge red flag but I'm not sure how to fix it. My router has 4 separate VLANS on 4 different subnets 192.168.0/1/2/3.0 and these are served by DHCP so therefore the DNS server knows about them. The VPN on the other hand is being served a DHCP address by OCserver on subnet 192.168.200.0 and therefore the DNS does not know that it's also a local subnet. I've read through the information you linked but I don't see any way to tell DNS that 192.168.200.0 is a local subnet,or that interface "vpns+" is local.

config zone 'zone_vpn'
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'vpn'
        option device 'vpns+'

Stepan · February 21, 2019, 1:25am

Yes I did accept input, and in fact I can connect to other services on my router, just not to DNS.

192.168.0.1 and 192.168.1.1 are two subnets which are local to my home router.

192.168.3.0 is at the network away from home. These are not my subnets.

10.32.64.0/21 is on the network away from home. It's not one of my home subnets.

192.168.200.0 is assigned to my VPN client by OCserver, so the machine from which I'm VPN'ing has this address and also 10.32.70.252 being a split tunnel.

The routes have no source r destination interfaces because it's a TAP device.

Thanks.

lleachii · February 21, 2019, 1:32am

If you don't masquerade on the far-end, you need to make a route there. It's also important information if they exist on the OpenWrt router, or downstream.

Don't see how it was involved, thanks for the clarity. I also don't see on the client where you established a connection, then.

So?
You still have to say in a route [on a Layer 3 device] what interface the network is on.

That doesn't change that .0 is invalid as an IP; and so this means they assigned you a network?
You need to fix it.

Then you can use the valid IP you assign as your DNS server.

Stepan · February 21, 2019, 1:37am

Not quite so bleak, OCserver has assigned 192.168.200.193 to me per my initial post.

lleachii · February 21, 2019, 1:39am

OK then this is what you use...and you enable masquerade on it's firewall Interface.

But where does the Windows computer come in here???

To be clear, we are working with OpenWrt, correct???

Where does this "OCserver" become involved with a remote Windows machine???

Stepan · February 21, 2019, 1:40am

That's not it: All other connectivity is working, only DNS does not want to reply. My problem must be related to "localservice" in the post by vgaetera directly below my opening post. I just don't know how to fix that. I suppose I could configure DHCP on 192.168.200.0 but that would screw up OCservers built-in DHCP server.

lleachii · February 21, 2019, 1:41am

WTF are you talking about!?!?

Are you linking link your personal VPN Interface to your VPN provider????

Stepan · February 21, 2019, 1:43am

That's ocserv which is OpenWRT's official OpenConnect server daemon. This VPN service is running on my router, it's not a VPN service provider at all.

Hegabo · February 21, 2019, 1:43am

For a Class C, yes.

lleachii · February 21, 2019, 1:45am

Let'e be clear here for the OP; because you're correct too.

Stepan · February 21, 2019, 1:46am

Okay, basic orientation: I'm at work on a windows machine, using OpenConnect client on Windows to connect to my OpenWRT router running ocserv. Everything works great except my router's DNS service is refusing to respond to DNS queries from my PC at work. lol

lleachii · February 21, 2019, 1:47am

Then, again:

assign a proper IP to the 200.0 VPN
use ONLY that router's IP as the DNS server
Done!

Stepan · February 21, 2019, 1:50am

That's exactly what I've done, the IP assigned by ocserv being 192.168.200.193 as can be seen from my original post. The following must be the problem, I just don't know how to fix it:

Stepan:

vgaetera:

https://openwrt.org/docs/guide-user/base-system/dns_configuration

localservice

Wow, that's a huge red flag but I'm not sure how to fix it. My router has 4 separate VLANS on 4 different subnets 192.168. 0/1/2/3 .0 and these are served by DHCP so therefore the DNS server knows about them. The VPN on the other hand is being served a DHCP address by OCserver on subnet 192.168.200.0 and therefore the DNS does not know that it's also a local subnet. I've read through the information you linked but I don't see any way to tell DNS that 192.168.200.0 is a local subnet,or that interface "vpns+" is local.
config zone 'zone_vpn'
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'vpn'
        option device 'vpns+'

And thanks for your efforts everyone. I appreciate all the troubleshooting and suggestions.

lleachii · February 21, 2019, 1:54am

Is this valid?

Regardless...

Then why haven't you assigned this IP as the DNS server???

Again, assign the 192.168.200.x IP as the ONLY DNS server; and inform us of your results.

Stepan · February 21, 2019, 3:37am

Regarding "Is this valid? vpns+":

Yes, certainly per below:

FROM /etc/config/network:

config interface 'vpn'
	option proto 'none'
	option ifname 'vpns+'

FROM /etc/config/firewall:

config zone 'zone_vpn'
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'vpn'
	option device 'vpns+'

Regarding " use ONLY that router's IP as the DNS server":

Yes, that's what's currently configured per the Windows10 ipconfig code snippet in my initial post. Router config info below shows that the router has 5 IP addresses and I can confirm that all of them respond to DNS queries when I'm at home:

FROM /etc/config/network:

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option macaddr '58:6D:8F:2E:0E:D1'

config interface 'lan2'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ifname 'eth0.3'
	option ipaddr '192.168.2.1'
	option macaddr '48:F8:B3:8E:E0:F7'

config interface 'lan3'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ifname 'eth0.4'
	option ipaddr '192.168.3.1'
	option macaddr '48:F8:B3:8D:E1:F7'

config interface 'lan4'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ifname 'eth0.5'
	option ipaddr '192.168.0.1'
	option macaddr '48:F8:B3:5D:E0:F7'

config interface 'lan5'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.4.1'

Regarding " Again, assign the 192.168.200.x IP as the ONLY DNS server; and inform us of your results."

Okay, if I'm understanding correctly then tomorrow when I get to work, I'll connect to my home VPN and will query DNS on 192.168.200.1 instead of on 192.168.1.1 or 192.168.1.2 but I'm thinking it won't work because 192.168.200.1 is not defined on any network interface and the router doesn't have any IP on the 200 subnet. The hope is that it will come out at the router end as 192.168.1.1 but I'm not holding my breath overnight because I can't see why it would do that.

EXTRA:

I will also try setting localservice to off, but I'm not crazy about that solution from a security perspective.

config dnsmasq
option localservice '1'

lleachii · February 21, 2019, 3:46am

No, it's not.

You need to fix that.

Stepan · February 21, 2019, 3:50am

Those are on the local interface, not on my VPN interface. I'll disable the local interface DNS servers completely and that will leave only the the VPN interface in place, which already references the correct servers.

It's a split tunnel so I do need to be able to resolve DNS both via my router and by the DNS servers at my place of work.

...thanks, I'll try all these things and will report back tomorrow.