OpenVPN connection to company network

Hi everyone,

I have exactly the same problem as described here: Laptop with OpenVPN client has the VPN's DNS blocked but the solution did not work (Network->DHCP and DNS->General Settings-> Untick "Rebind protection" ).

tl;dr: Openvpn connection from computer to company vpn with openvpn is successful but I cannot connect to any of the companies server. openwrt router's DNS seems to be the problem.

On my computer

$ cat /etc/resolv.conf
# Generated by NetworkManager
search lan

If I manually change it to

# Generated by NetworkManager

it works.

I am using a TL_WDR4300 with openWRT 19.07.2. Thanks in advance for any help!

Instead of configuring on each client, use DHCP option 6 to push that setting to your LAN clients. That is the same as setting it on each LAN machine, but more automatic.

There is also a way for OpenVPN server to push a DNS setting (pointing clients to the corporate internal DNS) but that depends on proper configuration of the server.

How would I do that? The only thing I can think of is the "DNS forwardings" in Network -> DHCP and DNS -> General Settings

Network-Interfaces-(LAN edit)-DHCP Server

Enter 6, in the box.

Just as a quick aside... many companies use VPNs to allow remote access/remote work options, but typically that is intended for individual computer(s) and not as much for the router to form what is sort-of a site-to-site network.

It may not be a problem for your network, but consider that it is possible that your other local network devices may now have access to your company network (security + privacy considerations here), and may even end up sending all of the traffic through the tunnel (depending on the configuration). This can present security risks, slow down overall performance on your own network, and increase bandwidth on your company network/internet connection. There are configuration options that can help, such as policy based routing or certain options in OpenVPN. It probably becomes irrelevant if only 'work' machines are connected to the router, too. (another issue is that most routers are fairly slow dealing with OpenVPN, but a full computer has a much more powerful processor that can handle OpenVPN without significantly reducing bandwidth -- this obviously only matters if you have high bandwidth needs between the office and remote locations).

Take these for what they are -- just some thoughts, not saying you should or shouldn't configure your environment in this way.

I think the OP has the openvpn client on a laptop not in the openwrt router, so the company network is only exposed to traffic from the laptop. I assume the laptop is connecting to the openwrt router for internet access.

1 Like

You may be right. Thanks for thinking of that!

In that case the router should run a standard configuration, do all VPN related settings on the laptop.

And if there is no VPN client running on the router but you want to use a different DNS server for the entire network, set that in the OpenWrt WAN settings. Check the box to not use the ISP DNS received by DHCP or PPP.

1 Like

Thanks for the answers so far. I am glad to see users ready to help.

Exactly, it is the same situation as described in the linked discussion (see Laptop with OpenVPN client has the VPN's DNS blocked). In this discussion the solution was to untick "Rebind Protection".

I was in contact with our admin and he diagnosed that there must be something wrong with my router since the company servers could be accessed when I changed my laptop's resolvconf pointing to googles DNS (nameserver while the openvpn connect was already established. Since my admin blames the router and I found the aforementioned thread, it seems to me that openwrt's configuration could be the cause of the problem. My lack of networking knowledge does not seem to help either :smiley:

So here is my setup:
ISP-Cable-Router <-> openWRT router (WAN Port, set to DHCP) <-> personal computer (connection to company network via openVPN)

Because the access to the company servers works when I switch the DNS server address on my personal computer from the openWRT router to google's DNS, the openWRTrouter must somehow behave differently. The openWRT router uses the ISP-Cable-Router as the DNS, so maybe there is the culprit?

So this is a problem initially connecting to the VPN through the portal at the company, before you even get to having a VPN tunnel?

That portal must have a public name since Google DNS can find it. It should also work with your regular ISP like other public sites.

On the CLI of your PC, try nslookup and ping to the portal.

Although you only get the problem when connecting through your open vpn router, it my not be entirely to blame.

What type of vpn adaptor are you using (TAP or TUN) and are you routing all of the clients network traffic through the vpn? ( redirect-gateway in the local config or push(ed) from the server).

The company supplies a openvpn configuration and I am just supposed to do sudo openvpn --config <configuration>. This command seems to be successful, ending with Initialization Sequence Completed. ifconfig's output shows a new tun0 device.

Changing the nameserver to does not solve the problem entirely. I was only able to access the self serving password portal, not other company-run servers.

I tried the supplied configuration with Windows 10 on another computer in my local network and got the same result. Connection successful established not able to reach company servers.

This makes sense - you probably need to have the DNS server that is maintained by the company (internally) rather than a public DNS server which would have no knowledge of the internal network of your company. You want this only when the tunnel is active, of course, because it won't even be available when the tunnel is down.

There is a feature in OpenVPN to automate this (at least on Windows).

You should see what the server pushed (if anything) in the client log leading up to "initialization complete".

I think you are right. Neither the client openVPN configuration has a DNS setting nor is in the settings received by the openVPN server:

PUSH: Received control message: 'PUSH_REPLY,route,route,route-gateway,topology subnet,ping 1,ping-restart 20,ifconfig,peer-id 1,cipher ***********'

I will chat with our admin about this.

Sorry for the long delay. Right now I am using a workaround. If I use my phone's internet connection and connect my laptop to it, name resolution of the company servers via VPN works. Right now I have gathered all the necessary IP addresses while using the phone's internet and put them into /etc/hosts.

I have also investigated a little further on my side:

  • skipping the openWRT router and connecting directly to the ISP's cable modem/router:
    name resolution of the company servers via VPN does not work either
  • my internet connection is using dual stack lite according to the ISP's cable modem/router

Looking at the search result for "dual stack lite vpn" it seems that this may be the source of my problem. But right now I cannot tell for sure.

BTW: my ISP is Vodafone Germany and cable modem/router is a "cbn CH7466CE WLAN Gateway"

If your company servers' hostname resolves to internal IP, e.g. 192.168.x.x, 10.x.x.x, 172.x.x.x, and they cannot be resolved by openwrt DNS server, did you ensure your company's domain is whitelisted in "Domain whitelist" under Network/ DHCP and DNS?

Hi Raymond, thanks for the suggestion. As suggested here Laptop with OpenVPN client has the VPN's DNS blocked I have disabled rebind protection so the Domain whitelist option is not even available.

1 Like

What I have failed to state was that it did not help with the problem :upside_down_face: