OpenVPN, can ping Internet but DNS not working

Hi,

I have set up a rather ordinary OpenVPN configuration on my router (following the old OpenWRT manual). I use the iPhone OpenVPN client (in TUN mode) to tunnel into my LAN and it works just fine accessing internal IP addresses on the network (192.168.0.x).

Unfortunately, while being able to access my internal network, I am not able to surf through my iPhone while connected to the VPN. I can ping "external" IP addresses just fine, but it seems that DNS is not working as I cannot resolve any URL. So I can "surf" to IP addresses only.

On my LAN, my phone is assigned IP 10.8.0.6 when connecting via VPN.

This is my server config:

# /etc/config/openvpn (UCI syntax)
config openvpn 'myvpn'
	option enabled '1'
	option verb '3'
	option port '1194'
	option proto 'udp'
	option dev 'tun'
	# server mode: VPN clients get addresses from 10.8.0.0/24, server is 10.8.0.1
	option server '10.8.0.0 255.255.255.0'
	option keepalive '10 120'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/my-server.crt'
	option key '/etc/openvpn/my-server.key'
	option dh '/etc/openvpn/dh2048.pem'
	option mute '20'
	# pushed to every client: LAN route, full-tunnel default route, DNS/WINS on the VPN address
	list push 'route 192.168.0.0 255.255.255.0'
	list push 'redirect-gateway def1'
	list push 'dhcp-option DNS 10.8.0.1'
	list push 'dhcp-option WINS 10.8.0.1'

And this is my phone config:

# client .ovpn profile
dev tun
proto udp
verb 3

ca ca.crt
cert my-client.crt
key my-client.key

client
# require the server certificate to carry the server EKU, not just any CA-signed cert
remote-cert-tls server
remote x.x.x.x 1194
# send all traffic through the tunnel (the server already pushes this)
redirect-gateway def1
route 192.168.0.0 255.255.255.0

Basically, I can surf to "http://95.85.16.212/" but not to "https://ipleak.net/" (which is the same thing)

What am I missing? How do I force the phone to use my own specified DNS? (or any DNS if possible)

Thanks


OK, I fixed it myself.

Uncheck this:
Local Service Only (Limit DNS service to subnets interfaces on which we are serving DNS.)

...and DNS will start working.

Can anyone tell me how I can add the VPN subnet to DNS? (in this case, 10.8.0.0 255.255.255.0)

Assuming you have DNS on the router via its main (LAN) address (most likely this is true), just change this line in your server config to point to your router's LAN address (appears to be 192.168.0.1 in your case).

Also, you can remove the route directive from your client profile since it is already in the server push directives.

Thanks for the response, but this was not the issue. DNS works with 10.8.0.1, 8.8.8.8 or 192.168.0.1 as long as you uncheck "Local Service Only" for DNS.

Basically, DNS was not listening to anything outside of the 192.168.0.x range, and the VPN is 10.8.x.x.
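To make the behaviour in this thread concrete, here is an added model (my own code, not from the thread, OpenWrt or dnsmasq) of the "Local Service Only" rule: dnsmasq answers only sources that fall inside the subnet of an address on one of its interfaces. It assumes the OpenVPN default net30 topology, where tun0 is a point-to-point /32, which is why the pushed DNS address (10.8.0.1 or 192.168.0.1) made no difference, and it also shows the trade-off of switching the restriction off versus using `topology subnet` so tun0 owns the whole /24.

```python
"""Model of dnsmasq "Local Service Only" (OpenWrt: option localservice).

Constructed approximation of the rule "answer only sources on a subnet
of an interface address", replaying the scenario from the thread.
"""
from ipaddress import ip_address, ip_interface

# Constructed router interfaces. LAN is as in the thread; tun0 is shown
# two ways: net30 (OpenVPN default, point-to-point, effectively a /32)
# and topology subnet (tun0 carries the whole 10.8.0.0/24).
LAN = "192.168.0.1/24"
TUN_NET30 = "10.8.0.1/32"
TUN_SUBNET = "10.8.0.1/24"


def dns_accepts(source: str, interfaces, local_service: bool) -> bool:
    """True if dnsmasq (as modelled) would answer a query from `source`.

    local_service=False answers every source, so exposure towards the
    WAN then rests on the firewall alone. local_service=True requires the
    source to lie inside the network of some interface address. Note the
    pushed DNS server address is not part of this check at all.
    """
    src = ip_address(source)
    if not local_service:
        return True
    return any(src in ip_interface(i).network for i in interfaces)


def thread_scenario():
    client = "10.8.0.6"        # the phone's VPN address from the thread
    wan_peer = "203.0.113.7"   # constructed outside source (TEST-NET-3)
    return {
        # OP's original setup: restriction on, net30 tun0 -> refused
        "net30_localservice": dns_accepts(client, [LAN, TUN_NET30], True),
        # OP's fix: restriction off -> answered, but so is any source
        "net30_open": dns_accepts(client, [LAN, TUN_NET30], False),
        "net30_open_wan": dns_accepts(wan_peer, [LAN, TUN_NET30], False),
        # topology subnet: tun0 owns 10.8.0.0/24, restriction can stay on
        "subnet_localservice": dns_accepts(client, [LAN, TUN_SUBNET], True),
        "subnet_localservice_wan": dns_accepts(wan_peer, [LAN, TUN_SUBNET], True),
    }


if __name__ == "__main__":
    for name, ok in thread_scenario().items():
        print(f"{name:24} {'answered' if ok else 'refused'}")
```

With the restriction off, the default OpenWrt firewall still has to be the thing that keeps port 53 closed on the WAN zone; with `topology subnet` the dnsmasq-side restriction keeps working for VPN clients.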
