OpenVPN connection to company network

Hi everyone,

I have exactly the same problem as described here: Laptop with OpenVPN client has the VPN's DNS blocked but the solution did not work (Network->DHCP and DNS->General Settings-> Untick "Rebind protection" ).

tl;dr: OpenVPN connection from my computer to the company VPN is successful, but I cannot connect to any of the company's servers. The OpenWrt router's DNS seems to be the problem.

On my computer

$ cat /etc/resolv.conf
# Generated by NetworkManager
search lan
nameserver 192.168.1.1

If I manually change it to

# Generated by NetworkManager
nameserver 8.8.8.8

it works.

I am using a TL-WDR4300 with OpenWrt 19.07.2. Thanks in advance for any help!

Instead of configuring on each client, use DHCP option 6 to push that setting to your LAN clients. That is the same as setting it on each LAN machine, but more automatic.

There is also a way for OpenVPN server to push a DNS setting (pointing clients to the corporate internal DNS) but that depends on proper configuration of the server.

How would I do that? The only thing I can think of is the "DNS forwardings" in Network -> DHCP and DNS -> General Settings

Network-Interfaces-(LAN edit)-DHCP Server

Enter 6, 8.8.8.8 in the box.

Just as a quick aside... many companies use VPNs to allow remote access/remote work options, but typically that is intended for individual computer(s) and not as much for the router to form what is sort-of a site-to-site network.

It may not be a problem for your network, but consider that it is possible that your other local network devices may now have access to your company network (security + privacy considerations here), and may even end up sending all of the traffic through the tunnel (depending on the configuration). This can present security risks, slow down overall performance on your own network, and increase bandwidth on your company network/internet connection. There are configuration options that can help, such as policy based routing or certain options in OpenVPN. It probably becomes irrelevant if only 'work' machines are connected to the router, too. (another issue is that most routers are fairly slow dealing with OpenVPN, but a full computer has a much more powerful processor that can handle OpenVPN without significantly reducing bandwidth -- this obviously only matters if you have high bandwidth needs between the office and remote locations).

Take these for what they are -- just some thoughts, not saying you should or shouldn't configure your environment in this way.

I think the OP has the openvpn client on a laptop not in the openwrt router, so the company network is only exposed to traffic from the laptop. I assume the laptop is connecting to the openwrt router for internet access.

You may be right. Thanks for thinking of that!

In that case the router should run a standard configuration, do all VPN related settings on the laptop.

And if there is no VPN client running on the router but you want to use a different DNS server for the entire network, set that in the OpenWrt WAN settings. Check the box to not use the ISP DNS received by DHCP or PPP.

Thanks for the answers so far. I am glad to see users ready to help.

Exactly, it is the same situation as described in the linked discussion (see Laptop with OpenVPN client has the VPN's DNS blocked). In this discussion the solution was to untick "Rebind Protection".

I was in contact with our admin and he diagnosed that there must be something wrong with my router, since the company servers could be accessed when I changed my laptop's resolv.conf to point to Google's DNS (nameserver 8.8.8.8) while the OpenVPN connection was already established. Since my admin blames the router and I found the aforementioned thread, it seems to me that OpenWrt's configuration could be the cause of the problem. My lack of networking knowledge does not seem to help either :smiley:

So here is my setup:
ISP-Cable-Router <-> openWRT router (WAN Port, set to DHCP) <-> personal computer (connection to company network via openVPN)

Because access to the company servers works when I switch the DNS server address on my personal computer from the OpenWrt router to Google's DNS, the OpenWrt router must somehow behave differently. The OpenWrt router uses the ISP cable router as its DNS, so maybe that is the culprit?

So this is a problem initially connecting to the VPN through the portal at the company, before you even get to having a VPN tunnel?

That portal must have a public name since Google DNS can find it. It should also work with your regular ISP like other public sites.

On the CLI of your PC, try nslookup and ping to the portal.

Although you only get the problem when connecting through your OpenVPN router, it may not be entirely to blame.

What type of VPN adapter are you using (TAP or TUN), and are you routing all of the client's network traffic through the VPN (redirect-gateway in the local config, or pushed from the server)?

The company supplies an OpenVPN configuration and I am just supposed to run sudo openvpn --config <configuration>. This command seems to be successful, ending with Initialization Sequence Completed. ifconfig's output shows a new tun0 device.

Changing the nameserver to 8.8.8.8 does not solve the problem entirely. I was only able to access the self-service password portal, not other company-run servers.

I tried the supplied configuration with Windows 10 on another computer in my local network and got the same result: connection successfully established, not able to reach company servers.

This makes sense - you probably need to have the DNS server that is maintained by the company (internally) rather than a public DNS server which would have no knowledge of the internal network of your company. You want this only when the tunnel is active, of course, because it won't even be available when the tunnel is down.

There is a feature in OpenVPN to automate this (at least on Windows).

You should see what the server pushed (if anything) in the client log leading up to "initialization complete".

I think you are right. Neither the client OpenVPN configuration has a DNS setting, nor is there one in the settings received from the OpenVPN server:

PUSH: Received control message: 'PUSH_REPLY,route xxx.xxx.xxx.xxx 255.255.0.0,route xxx.xxx.xxx.xxx 255.255.0.0,route-gateway xxx.xxx.xxx.xxx,topology subnet,ping 1,ping-restart 20,ifconfig xxx.xxx.xxx.xxx 255.255.255.224,peer-id 1,cipher ***********'

I will chat with our admin about this.
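The PUSH_REPLY line quoted above is the place to look for a pushed DNS setting. As an added example (not code from the thread or from OpenVPN), the script below parses that control message, reports whether the server pushed dhcp-option DNS / DOMAIN, and checks whether a pushed DNS server is actually covered by one of the pushed routes. The two sample log lines are constructed with placeholder 10.x addresses; the second one shows what the reply would look like if the server did push internal DNS.

```python
"""Parse an OpenVPN client PUSH_REPLY log line and check its DNS settings.

Added example: the sample lines below are constructed, with placeholder
addresses, to mirror the masked PUSH_REPLY quoted in the thread.
"""
import ipaddress
import re

PUSH_RE = re.compile(r"PUSH: Received control message: '(?P<body>[^']*)'")

# Constructed sample: what the thread's reply looks like (no DNS pushed).
SAMPLE_NO_DNS = (
    "PUSH: Received control message: 'PUSH_REPLY,route 10.20.0.0 255.255.0.0,"
    "route 10.30.0.0 255.255.0.0,route-gateway 10.8.0.1,topology subnet,"
    "ping 1,ping-restart 20,ifconfig 10.8.0.34 255.255.255.224,peer-id 1,"
    "cipher AES-256-GCM'"
)

# Constructed sample: the same reply with internal DNS and domain pushed.
SAMPLE_WITH_DNS = SAMPLE_NO_DNS[:-1] + (
    ",dhcp-option DNS 10.20.0.53,dhcp-option DOMAIN corp.example'"
)


def parse_push_reply(log_line):
    """Return {option_name: [value, ...]} for a PUSH_REPLY log line."""
    m = PUSH_RE.search(log_line)
    if m is None:
        raise ValueError("not an OpenVPN PUSH control message line")
    items = [item.strip() for item in m.group("body").split(",")]
    if items[0] != "PUSH_REPLY":
        raise ValueError("control message is not a PUSH_REPLY")
    options = {}
    for item in items[1:]:
        if not item:
            continue
        name, _, value = item.partition(" ")  # "route 10.20.0.0 255.255.0.0"
        options.setdefault(name, []).append(value)
    return options


def pushed_dns(options):
    """Return (dns_servers, search_domains) taken from dhcp-option values."""
    servers, domains = [], []
    for value in options.get("dhcp-option", []):
        kind, _, arg = value.partition(" ")
        if kind.upper() == "DNS":
            servers.append(arg)
        elif kind.upper() == "DOMAIN":
            domains.append(arg)
    return servers, domains


def pushed_routes(options):
    """Return the pushed routes as ip_network objects (plus 0/0 if redirected)."""
    nets = []
    for value in options.get("route", []):
        parts = value.split()
        mask = parts[1] if len(parts) > 1 else "255.255.255.255"
        nets.append(ipaddress.ip_network(f"{parts[0]}/{mask}", strict=False))
    if "redirect-gateway" in options:
        nets.append(ipaddress.ip_network("0.0.0.0/0"))
    return nets


def reaches_through_tunnel(options, ip):
    """True if `ip` falls inside a route the server pushed into the tunnel."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in pushed_routes(options))


def diagnose(log_line):
    """Return a list of findings about the DNS situation of this tunnel."""
    options = parse_push_reply(log_line)
    servers, domains = pushed_dns(options)
    findings = []
    if not servers:
        findings.append("no dhcp-option DNS pushed: internal names go to the LAN resolver")
    else:
        findings.append("DNS pushed: " + ", ".join(servers))
        for server in servers:
            if not reaches_through_tunnel(options, server):
                findings.append(f"pushed DNS server {server} is outside every pushed route")
    if not domains:
        findings.append("no dhcp-option DOMAIN pushed: split DNS cannot be scoped to a domain")
    return findings


if __name__ == "__main__":
    for line in (SAMPLE_NO_DNS, SAMPLE_WITH_DNS):
        for finding in diagnose(line):
            print(finding)
        print("---")
```

Feed it the real line from your client log (the masked addresses in the thread will not parse, the unmasked ones will). Note that even when the server does push dhcp-option DNS, the Linux client does not apply it to resolv.conf by itself; it needs an up/down script such as the update-resolv-conf script shipped with OpenVPN, or a systemd-resolved hook, which is why the thread says the automation works "at least on Windows".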

Sorry for the long delay. Right now I am using a workaround. If I use my phone's internet connection and connect my laptop to it, name resolution of the company servers via VPN works. Right now I have gathered all the necessary IP addresses while using the phone's internet and put them into /etc/hosts.

I have also investigated a little further on my side:

  • skipping the openWRT router and connecting directly to the ISP's cable modem/router:
    name resolution of the company servers via VPN does not work either
  • my internet connection is using dual stack lite according to the ISP's cable modem/router

Looking at the search result for "dual stack lite vpn" it seems that this may be the source of my problem. But right now I cannot tell for sure.

BTW: my ISP is Vodafone Germany and cable modem/router is a "cbn CH7466CE WLAN Gateway"

If your company servers' hostnames resolve to internal IPs, e.g. 192.168.x.x, 10.x.x.x, 172.x.x.x, and they cannot be resolved by the OpenWrt DNS server, did you ensure your company's domain is whitelisted in "Domain whitelist" under Network / DHCP and DNS?

Hi Raymond, thanks for the suggestion. As suggested here (Laptop with OpenVPN client has the VPN's DNS blocked), I have disabled rebind protection, so the Domain whitelist option is not even available.

What I have failed to state was that it did not help with the problem :upside_down_face: