Openvpn not working for local dns hostnames

I have set up my openwrt router like this (note that many of my notes are from here):

  • Removed all of the files in the Backup File List (LuCI -> System -> Backup/Flash Firmware -> Configuration). I think there were too many conflicts, as #ulmwind suggested.
  • Completely reset the router:
    1. Unplug router from cable modem
    2. Reboot router
    3. Press & hold WPS button when light starts to blink (other light should blink very fast)
    4. Set PC IP address to manual (192.168.1.2/255.255.255.0)
    5. connect PC to LAN port
    6. ssh -p 22 root@192.168.1.1
    7. firstboot -y
    8. mtd -r erase rootfs_data (router reboots)
    9. ssh -p22 root@192.168.1.1
    10. rm -r /overlay/*
    11. reboot -f
  • Reinstalled from my backup (make sure you make a backup!!!)
  • Connect router to WAN again
  • Add LuCI interface for OpenVPN
    1. Navigate to System->Software
    2. Search for luci-app-openvpn and install it
  • Followed the instructions from here (as suggested by #trendy) (see below)
  • Note that I did comment out the following lines in /etc/config/firewall because it looked like there was some overlap:

# config rule
#     option name 'Allow-OpenVPN-Inbound'
#     option target 'ACCEPT'
#     option src '*'
#     option proto 'tcpudp'
#     option dest_port '1194'
  • I did have to modify /etc/config/openvpn as follows (as suggested by #trendy):
config openvpn 'home'
    option config '/etc/openvpn/vpnserver.conf'
    option enabled '1'
  • I also had to change /etc/openvpn/vpnclient.ovpn because the scripts had it pointing to the server's IP address rather than the host.domain name (because I am on a DHCP connection out of my house, I wanted to make sure I can access it when my ISP changes my IP address):
    remote myhost.mydomain 1194 udp

The following comes (mostly) from here:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic
##################################
# Configure firewall
##################################
uci set firewall.@zone[0].device="tun0"
uci -q delete firewall.vpn
uci set firewall.vpn="rule"
uci set firewall.vpn.name="Allow-OpenVPN"
uci set firewall.vpn.src="wan"
uci set firewall.vpn.dest_port="1194"
uci set firewall.vpn.proto="udp"
uci set firewall.vpn.target="ACCEPT"
uci commit firewall
service firewall restart

##################################
# Setup PKI
##################################
# Install packages
opkg update
opkg install openvpn-easy-rsa
# Configuration parameters
export EASYRSA_PKI="/etc/easy-rsa/pki"
export EASYRSA_REQ_CN="vpnca"
# Remove and re-initialize the PKI directory
easyrsa --batch init-pki
# Generate DH parameters
# May take a while to complete (~25m on WRT3200ACM)
easyrsa --batch gen-dh
# Create a new CA
easyrsa --batch build-ca nopass
# Generate a keypair and sign locally for vpnserver
easyrsa --batch build-server-full vpnserver nopass
# Generate a keypair and sign locally for vpnclient
easyrsa --batch build-client-full vpnclient nopass

##################################
# Basic server setup
##################################
# Install packages
opkg update
opkg install openvpn-openssl
# Generate TLS PSK
EASYRSA_PKI="/etc/easy-rsa/pki"
openvpn --genkey --secret "${EASYRSA_PKI}/tc.pem"
# Configuration parameters
VPN_DEV="$(uci get firewall.@zone[0].device)"
VPN_POOL="10.13.8.0 255.255.255.0"
# VPN_POOL="192.168.8.0 255.255.255.0"
VPN_DNS="${VPN_POOL%.* *}.1"
VPN_DOMAIN="$(uci get dhcp.@dnsmasq[0].domain)"
EASYRSA_PKI="/etc/easy-rsa/pki"
DH_KEY="$(cat "${EASYRSA_PKI}/dh.pem")"
TC_KEY="$(sed -e "/^#/d;/^\w/N;s/\n//" "${EASYRSA_PKI}/tc.pem")"
CA_CERT="$(openssl x509 -in "${EASYRSA_PKI}/ca.crt")"
NL=$'\n'
# Configure VPN server
grep -l -r -e "TLS Web Server Authentication" "${EASYRSA_PKI}/issued" | sed -e "s/^.*\///;s/\.\w*$//" | while read VPN_ID
do
VPN_CONF="/etc/openvpn/${VPN_ID}.conf"
VPN_CERT="$(openssl x509 -in "${EASYRSA_PKI}/issued/${VPN_ID}.crt")"
VPN_KEY="$(cat "${EASYRSA_PKI}/private/${VPN_ID}.key")"
cat << EOF > "${VPN_CONF}"
verb 3
user nobody
group nogroup
dev ${VPN_DEV}
port 1194
proto udp
server ${VPN_POOL}
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
push "dhcp-option DNS ${VPN_DNS}"
push "dhcp-option DOMAIN ${VPN_DOMAIN}"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
push "route 10.13.0.0 255.255.252.0"
push "dhcp-option DNS 10.13.0.1"
<dh>${NL}${DH_KEY}${NL}</dh>
<tls-crypt>${NL}${TC_KEY}${NL}</tls-crypt>
<ca>${NL}${CA_CERT}${NL}</ca>
<cert>${NL}${VPN_CERT}${NL}</cert>
<key>${NL}${VPN_KEY}${NL}</key>
EOF
chmod "u=rw,g=,o=" "${VPN_CONF}"
done
service openvpn restart

#############################
# Create client profiles:
#############################
# Fetch IP address
source /lib/functions/network.sh
network_find_wan NET_IF
network_get_ipaddr VPN_SERV "${NET_IF}"
 
# Fetch FQDN from DDNS client
VPN_FQDN="$(uci -q get "$(uci -q show ddns \
| sed -n -e "/\.enabled='1'$/s//.lookup_host/p" \
| sed -n -e "1p")")"
if [ -n "${VPN_FQDN}" ]
then
VPN_SERV="${VPN_FQDN}"
fi

# Configuration parameters
VPN_CONF="/etc/openvpn/vpnserver.conf"
VPN_PORT="$(sed -n -e "/^port\s/s///p" "${VPN_CONF}")"
VPN_PROTO="$(sed -n -e "/^proto\s/s///p" "${VPN_CONF}")"
VPN_DEV="$(sed -n -e "/^dev\s/s///p" "${VPN_CONF}")"
EASYRSA_PKI="/etc/easy-rsa/pki"
TC_KEY="$(sed -e "/^#/d;/^\w/N;s/\n//" "${EASYRSA_PKI}/tc.pem")"
CA_CERT="$(openssl x509 -in "${EASYRSA_PKI}/ca.crt")"
NL=$'\n'
 
# Generate VPN client profiles
grep -l -r -e "TLS Web Client Authentication" "${EASYRSA_PKI}/issued" \
| sed -e "s/^.*\///;s/\.\w*$//" \
| while read VPN_ID
do
VPN_CONF="/etc/openvpn/${VPN_ID}.ovpn"
VPN_CERT="$(openssl x509 -in "${EASYRSA_PKI}/issued/${VPN_ID}.crt")"
VPN_KEY="$(cat "${EASYRSA_PKI}/private/${VPN_ID}.key")"
cat << EOF > "${VPN_CONF}"
verb 3
dev ${VPN_DEV%%[0-9]*}
nobind
client
remote ${VPN_SERV} ${VPN_PORT} ${VPN_PROTO}
auth-nocache
remote-cert-tls server
<tls-crypt>${NL}${TC_KEY}${NL}</tls-crypt>
<ca>${NL}${CA_CERT}${NL}</ca>
<cert>${NL}${VPN_CERT}${NL}</cert>
<key>${NL}${VPN_KEY}${NL}</key>
EOF
chmod "u=rw,g=,o=" "${VPN_CONF}"
done
ls /etc/openvpn/*.ovpn
# this comes from here:
# https://forum.openwrt.org/t/cannot-access-host-by-hostname-from-phone/17788/11
iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to 10.13.0.1
iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to 10.13.0.1
/etc/init.d/dnsmasq restart

Everything is working great (more or less):

When connected normally to my network:

  • I can ping by IP inside my 10.13.0.1/22 network
  • I can ping by hostname inside my 10.13.0.1/22 network
  • I can ping by host/domain outside my network

When I connect to my VPN from outside the network:

  • I can ping by host/domain to the outside network
  • I can ping by IP in my 10.13.0.1/22 network

BUT:

  • I CANNOT ping by hostname inside my 10.13.0.1/22 network

Any suggestions would be MOST welcome.

  • When I remotely connect to my router with my phone running the actual OpenVPN Android app, I am able to connect to my local hosts by name (everything works fine).
  • I tried from my Windows laptop running OpenVPN and it works fine.
  • The problem I am having ONLY occurs on my remotely connected MacBook (running Tunnelblick).

All three devices are using the same .ovpn file. I connected my Windows and Mac laptops through the same wifi hotspot.
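The server script above pushes two resolvers (10.13.8.1 on the tunnel and 10.13.0.1 on the LAN), the 10.13.0.0/22 route, and the dnsmasq domain; a client only resolves short LAN hostnames if it both honours those `dhcp-option` lines and has a route to the pushed resolver. OpenVPN applies `dhcp-option` natively only on Windows; on other platforms it hands the values to the client's up script or GUI, which is one reason the same `.ovpn` can behave differently from client to client. Before chasing client-side settings it is worth confirming that the generated `vpnserver.conf` is internally consistent. The POSIX shell script below is an added example, not code from this thread or from the OpenWrt wiki script it reads: it parses the `server`, `push "route ..."` and `push "dhcp-option ..."` lines, checks that every pushed DNS address lies inside the VPN pool or a pushed route, and checks that a DOMAIN is pushed. The two sample configs it writes under `mktemp -d` are constructed (the `lan` domain is an assumption), and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the forum thread or the OpenWrt wiki script.
# Checks the DNS-related directives of a generated OpenVPN server config:
# every pushed "dhcp-option DNS" address must lie inside the VPN pool
# ("server NET MASK") or inside a pushed "route NET MASK", otherwise the
# client has no path to that resolver; and a "dhcp-option DOMAIN" must be
# pushed so that short hostnames get a search suffix.

# ip4_to_int A.B.C.D -> prints the address as a 32-bit integer
# (subshell body so the IFS change stays local)
ip4_to_int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_subnet ADDR NET MASK -> exit status 0 when ADDR is inside NET/MASK
in_subnet() {
  [ $(( $(ip4_to_int "$1") & $(ip4_to_int "$3") )) -eq \
    $(( $(ip4_to_int "$2") & $(ip4_to_int "$3") )) ]
}

# check_pushed_dns CONF -> prints one report line per pushed DNS server and
# the pushed domain; exit 0 when every resolver is reachable and a DOMAIN is
# pushed, exit 1 otherwise
check_pushed_dns() {
  conf=$1
  rc=0
  # Candidate networks as NET/MASK tokens: the pool itself plus pushed routes.
  nets=$(sed -n \
    -e 's|^server[[:space:]]*\([0-9.]*\)[[:space:]]*\([0-9.]*\).*|\1/\2|p' \
    -e 's|^push[[:space:]]*"route[[:space:]]*\([0-9.]*\)[[:space:]]*\([0-9.]*\)".*|\1/\2|p' \
    "$conf")
  for dns in $(sed -n 's|^push[[:space:]]*"dhcp-option DNS \([0-9.]*\)".*|\1|p' "$conf"); do
    hit=
    for n in $nets; do
      if in_subnet "$dns" "${n%/*}" "${n#*/}"; then hit=$n; break; fi
    done
    if [ -n "$hit" ]; then
      echo "DNS $dns reachable via $hit"
    else
      echo "DNS $dns UNREACHABLE: not in the VPN pool or any pushed route"
      rc=1
    fi
  done
  domain=$(sed -n 's|^push[[:space:]]*"dhcp-option DOMAIN \([^"]*\)".*|\1|p' "$conf")
  if [ -n "$domain" ]; then
    echo "search domain: $domain"
  else
    echo "no DOMAIN pushed: short hostnames will not be qualified"
    rc=1
  fi
  return $rc
}

# Constructed sample: the DNS-relevant lines the server script above emits
# (10.13.8.0/24 pool, LAN 10.13.0.0/22 routed, both resolvers pushed;
# the "lan" domain is an assumed dnsmasq default).
SAMPLE_DIR=$(mktemp -d)
GOOD_CONF="$SAMPLE_DIR/good.conf"
cat > "$GOOD_CONF" << 'EOF'
server 10.13.8.0 255.255.255.0
topology subnet
push "dhcp-option DNS 10.13.8.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "route 10.13.0.0 255.255.252.0"
push "dhcp-option DNS 10.13.0.1"
EOF

# Constructed counter-example: LAN resolver pushed without the LAN route
# and without a DOMAIN.
BAD_CONF="$SAMPLE_DIR/bad.conf"
cat > "$BAD_CONF" << 'EOF'
server 10.13.8.0 255.255.255.0
push "dhcp-option DNS 10.13.0.1"
EOF

check_pushed_dns "$GOOD_CONF"
check_pushed_dns "$BAD_CONF" || echo "bad.conf: problems found"
```

On the router the real check is `check_pushed_dns /etc/openvpn/vpnserver.conf`; a non-zero exit means either a pushed resolver has no route from the tunnel or no search domain is pushed, both of which would break short-hostname lookups for every client rather than just one.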

How about localservice=0?
https://openwrt.org/docs/guide-user/base-system/dhcp

I hesitate to change my DNS settings for my openwrt instance because everything is working fine there. I think that the problem lies in the openvpn settings somewhere.
On the other hand, it's an easy test; I'll make the change later today when I get a chance.
Based on the testing I just completed (see the bottom of my question, above), I don't believe it is a server-side issue.

This problem only exists on a MacBook running Tunnelblick... Now to see if there are other OVPN clients available for the MacBook...

I have replaced Tunnelblick with Pritunl on my MacBook and everything seems to be working fine.
