Openvpn Server and local DNS to be used by clients

Hello Forum,

I just upgraded from Openwrt 19 to 21 on my Linksys Wrt 1900acs V2.

I'm having difficulties setting up the OpenVPN server and the clients' use of the router's DNS.

Openvpn connection is successfully established by clients, but DNS is not working until I add the push option like:

dhcp-option DNS 8.8.8.8

Without it, Internet is not usable by OpenVPN clients, as DNS is not resolved by clients.

Openvpn Server extra client settings

list push 'redirect-gateway def1'
list push 'block-outside-dns'
list push 'dhcp-option DNS [router_ip]'
list push 'route 192.168.[x].0 255.255.255.0'

where router_ip is the router's IP and x is the router's local subnet.

It used to work, with these settings in Openwrt 19.

Thanks for hints on how to get DNS working for OpenVPN clients without using an external DNS server (like 8.8.8.8)

Have a wonderful Christmas and thanks in advance,

Sklerotraficon

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall
cat /etc/config/openvpn

You don't need to redact RFC1918 addresses (like 192.168.1.1, etc.).

Have the client configs changed at all? Do the logs reveal anything?
logread -e openvpn

Hi psherman,

Client settings are unchanged.

Will post command outputs on Sunday, as I'm not at home and can't access the router (even via OpenVPN) from here...

Hi psherman,

config is as follows:

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb6:595f:c141::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.253'

config device
        option name 'wan'
        option macaddr '5a:ef:68:0f:bd:af'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config device
        option name 'wlan0-1'

config interface 'tun0'
        option proto 'none'
        option device 'tun0'

config device 'guest_dev'
        option type 'bridge'
        option name 'br-guest'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'tun0'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config forwarding
        option dest 'lan'

config forwarding
        option dest 'wan'

config forwarding
        option dest 'lan'

config forwarding
        option dest 'wan'

config zone
        option name 'tun0'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'tun0'

config zone 'guest'
        option name 'guest'
        option network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding 'guest_wan'
        option src 'guest'
        option dest 'wan'

config rule 'ovpn'
        option name 'Allow-OpenVPN'
        option src 'wan'
        option dest_port '1194'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

config forwarding
        option src 'tun0'
        option dest 'wan'

config forwarding
        option src 'tun0'
        option dest 'lan'

cat /etc/config/openvpn

config openvpn 'OpenVPN'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/my-server.crt'
        option key '/etc/openvpn/my-server.key'
        option dh '/etc/openvpn/dh2048.pem'
        option server '10.8.0.0 255.255.255.0'
        option cipher 'AES-256-CBC'
        option auth 'SHA512'
        option port '1194'
        option keepalive '10 120'
        option log '/var/log/openvpn.log'
        option status '/var/log/openvpn-status.log'
        option tls_auth '/etc/openvpn/tls-auth.key 0'
        option tls_server '1'
        option tls_version_min '1.2'
        option tls_cipher 'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4:!kRSA'
        option auth_nocache '1'
        option persist_tun '1'
        option verb '11'
        option enabled '1'
        option dev 'tun0'
        list push 'redirect-gateway def1'
        list push 'dhcp-option DNS 192.168.2.253'
        list push 'route 192.168.2.0 255.255.255.0'
        list push 'block-outside-dns'
        list push 'dhcp-option DNS 8.8.8.8'

As I said, I would like to

  1. Have OpenVPN use the local DNS server under 192.168.2.253 (router IP), without a need for dhcp-option DNS 8.8.8.8
  2. and be able to connect to local IP addresses at 192.168.2.*, especially the router IP itself (which is currently not working either)

Thanks a lot for your assistance

It seems like everything should be generally okay based on my quick read of the config.

What does the client config file look like? Do the logs reveal anything? Can you share both of these things?

What happens if you remove the following 2 lines:

I assume that this the only/main router on your network (i.e. directly connected to your ISP)? Please correct this assumption if it is wrong.

I don't think that these will likely cause any issues, but there are some strange forwarding fragments in the firewall file that should be removed.

Hi psherman,
yes, it is the only router in my network (directly connected to ISP)

Removing these lines results in not being able to connect to any internet server by clients connected via VPN.

Removing the lines:

from the firewall settings didn't change anything so far...

Thanks again, for any hints...

Let's take a look at the logs and the client configuration.

Also, on the client system, can you run some ping tests to the following destinations:

  • 10.8.0.1
  • 192.168.2.253
  • 192.168.2.x where x is another host on your network (ideally not a windows machine)
  • 8.8.8.8
  • google.com

Remove the vpn interface (tun0) from the wan zone.
Use the openvpn server IP address as a DNS server, eg push "dhcp-option DNS 10.8.0.1"
You could attach the vpn interface to the lan zone, instead of creating a new one.


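The zone overlap pavelgl points at is visible in the posted firewall file: tun0 is listed under the wan zone (input REJECT) and again under its own tun0 zone (input ACCEPT), and a couple of forwarding sections have no src. The script below is an added example written for this thread, not code from the original post or from OpenWrt: it parses UCI syntax, reports those two problems, and emits a corrected copy in which tun0 belongs only to the tun0 zone. FIREWALL_CFG is a constructed, abridged copy of the poster's config, and the statement that zone input chains are consulted in definition order (so the wan zone's REJECT is what the tunnel traffic hits first) is my reading of fw3 behaviour, not something the thread states.

```python
"""Lint /etc/config/firewall for the zone overlap discussed in this thread.
Added example for the thread, not code from the original post or OpenWrt.
FIREWALL_CFG is a constructed, abridged copy of the poster's firewall file."""
import re

FIREWALL_CFG = """\
config zone
        option name 'wan'
        option input 'REJECT'
        list network 'wan'
        list network 'tun0'

config forwarding
        option dest 'lan'

config zone
        option name 'tun0'
        option input 'ACCEPT'
        list network 'tun0'

config forwarding
        option src 'tun0'
        option dest 'lan'
"""

# UCI line: config <type> ['name'] | option <key> 'value' | list <key> 'value'
_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")


def parse_uci(text):
    """Parse UCI text (quoted values only) into sections {type, name, options, lists}."""
    sections = []
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m:
            continue  # blank lines or anything that is not UCI syntax
        kind, key, val = m.groups()
        if kind == "config":
            sections.append({"type": key, "name": val, "options": {}, "lists": {}})
        elif kind == "option":
            sections[-1]["options"][key] = val
        else:
            sections[-1]["lists"].setdefault(key, []).append(val)
    return sections


def zone_networks(zone):
    """Networks attached to a zone via 'list network' and/or 'option network'."""
    return list(zone["lists"].get("network", [])) + zone["options"].get("network", "").split()


def lint(sections):
    """Flag networks claimed by more than one zone (assumption: fw3 attaches zone
    chains in definition order, so the first zone's input policy wins) and
    forwarding sections that lack src or dest."""
    findings, owner = [], {}  # owner: network -> (first zone, its input policy)
    for s in sections:
        if s["type"] == "zone":
            zname = s["options"].get("name", s["name"])
            for net in zone_networks(s):
                if net in owner:
                    first, pol = owner[net]
                    findings.append(f"network '{net}' is in zones '{first}' and '{zname}'; "
                                    f"'{first}' is defined first, so input {pol} applies")
                else:
                    owner[net] = (zname, s["options"].get("input", "(unset)"))
        elif s["type"] == "forwarding":
            missing = [k for k in ("src", "dest") if k not in s["options"]]
            if missing:
                findings.append("forwarding section missing " + ", ".join(missing))
    return findings


def fix(sections, network, keep_zone):
    """Copy of sections where `network` is a member of `keep_zone` only and
    forwarding sections without both src and dest are dropped."""
    fixed = []
    for s in sections:
        s = {**s, "options": dict(s["options"]), "lists": {k: list(v) for k, v in s["lists"].items()}}
        if s["type"] == "forwarding" and not all(k in s["options"] for k in ("src", "dest")):
            continue
        if s["type"] == "zone" and s["options"].get("name") != keep_zone:
            nets = [n for n in s["lists"].pop("network", []) if n != network]
            if nets:
                s["lists"]["network"] = nets
            opt = [n for n in s["options"].pop("network", "").split() if n != network]
            if opt:
                s["options"]["network"] = " ".join(opt)
        fixed.append(s)
    return fixed


def render(sections):
    """Serialise sections back to UCI text."""
    out = []
    for s in sections:
        out.append(f"config {s['type']}" + (f" '{s['name']}'" if s["name"] else ""))
        out += [f"\toption {k} '{v}'" for k, v in s["options"].items()]
        out += [f"\tlist {k} '{v}'" for k, vs in s["lists"].items() for v in vs]
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    cfg = parse_uci(FIREWALL_CFG)
    for finding in lint(cfg):
        print("FINDING:", finding)
    print(render(fix(cfg, "tun0", "tun0")))
```

Run it with the full /etc/config/firewall from the post pasted into FIREWALL_CFG and it reports the tun0 overlap plus the four forwarding fragments without src. On the router itself the equivalent of fix() for the posted file is `uci del_list firewall.@zone[1].network='tun0'` (wan is the second zone section), deleting the src-less forwarding sections, and for the DNS push `uci del_list openvpn.OpenVPN.push='dhcp-option DNS 192.168.2.253'` followed by `uci add_list openvpn.OpenVPN.push='dhcp-option DNS 10.8.0.1'`, then `uci commit` and restarting the firewall and openvpn services.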
@pavelgl,

that did the trick for me!

@psherman thanks for your support

Thanks!


Good catch on this one @pavelgl. I overlooked that one entirely.
