Hi there, bear with me here as I'm a new user to OpenWRT and a novice Linux user in general. I spent most of my career in the Windows world.
I have two small VMs running OpenWRT in my home lab ESXi (CHAOS CALMER (15.05, r46767)). Each one connects to a different VPN at work. These VPNs are in different geographical locations very far apart (over 6000 miles). The reason for having two is that once you are connected to one you can reach any other location from there, which in my case I don't want. If I'm connected to the 6K mile location I don't want to route from there to the assets I have 5 miles from home. I imagine there's some way to tinker with the routes on the OpenWRT device to reroute requests to one VPN or another, but I prefer the simpler approach of adding static routes in my layer 3 switch to one OpenWRT instance or the other.
Anyway, the above works well, I have no problem with it.
What brings me here is the fact that once I establish the OpenConnect tunnel to either one of these locations, the DNS resolution of the router itself stops working. A simple test is going to the diagnostics tool and trying to ping dev.openwrt.org. It just replies with:

    ping: bad address 'dev.openwrt.org
The second "bad thing" happening is that even if the VPN disconnects, most times I can't reconnect on the same boot of OpenWRT. Even with the VPN disconnected it can't resolve DNS, so I can't OpenConnect back to the original VPN. The only option I'm left with is rebooting the VM.
This router is NOT doing DHCP or DNS for the devices in my network. Its only purpose is to tunnel connections specifically configured in my switch to the two VPNs I mentioned above. The only reason DNS needs to work is so the router can itself resolve the address of the VPN tunnels.
The configuration is pretty plain vanilla with the addition of the VPN connection. I have two virtual NICs, one for LAN and one for WAN.
Before someone asks, I do have a route in my switch to 129.168.2.0 network which works fine.
This is the network config:
    config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

    config interface 'lan'
        option ifname 'eth0'
        option type 'bridge'
        option _orig_ifname 'eth0'
        option _orig_bridge 'true'
        option proto 'static'
        option ipaddr '192.168.8.85'
        option netmask '255.255.255.0'
        option gateway '192.168.8.1'
        option dns '192.168.2.1'

    config globals 'globals'
        option ula_prefix 'fd26:eabb:1009::/48'

    config interface 'wan'
        option proto 'dhcp'
        option _orig_ifname 'eth1'
        option _orig_bridge 'true'
        option ifname 'eth1'
        option macaddr '00:0c:29:00:fb:9d'
        option hostname 'openwrt'

    config interface 'MVD'
        option proto 'openconnect'
        option server <server>
        option username <user>
        option password <pwd>
        option authgroup <group>
        option interface 'wan'
        option port '443'
        option serverhash <hash>
This is my firewall config:
    config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

    config include
        option path '/etc/firewall.user'

    config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'lan'
        option network 'lan'
        option forward 'ACCEPT'

    config zone
        option output 'ACCEPT'
        option name 'wan'
        option input 'REJECT'
        option network 'wan'
        option masq '1'
        option mtu_fix '1'
        option forward 'REJECT'

    config forwarding
        option dest 'lan'
        option src 'wan'

    config forwarding
        option dest 'wan'
        option src 'lan'

    config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'mvdvpn'
        option network 'MVD'
        option forward 'REJECT'

    config forwarding
        option dest 'lan'
        option src 'mvdvpn'

    config forwarding
        option dest 'mvdvpn'
        option src 'lan'
I'm not very familiar yet with the different options to configure in the firewall. For the most part I followed Google links and trial and error until I got the stuff working... except for DNS resolution of the device itself.
Any help appreciated.
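A diagnostic script for comparing the router's own resolver state before the OpenConnect interface comes up, while it is up, and after it drops. This is an added example, not from the original post; it assumes the OpenWrt 15.05 layout where /etc/resolv.conf is what the router's own resolver library reads and /tmp/resolv.conf.auto holds the nameservers netifd collects from each interface (including ones pushed over the VPN), and that busybox nslookup and ip are installed.

```shell
#!/bin/sh
# Resolver snapshot for an OpenWrt 15.05 router. Run it three times: before
# bringing up the OpenConnect interface, while it is up, and after it drops,
# then diff the outputs. Added example; the file paths are assumptions about
# the 15.05 layout, not something from the original post.

HOST="${1:-dev.openwrt.org}"
# /etc/resolv.conf      : what the router's own resolver library reads
# /tmp/resolv.conf.auto : nameservers netifd learned per interface (incl. VPN)
RESOLV_FILES="/etc/resolv.conf /tmp/resolv.conf.auto"

# nameservers_in FILE: print the nameserver addresses from a resolv.conf-style
# file, one per line. Prints nothing (and succeeds) if the file is unreadable.
nameservers_in() {
    [ -r "$1" ] || return 0
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# route_for ADDR: the route the kernel would pick to reach ADDR (shows whether
# a nameserver is only reachable through the VPN interface).
route_for() {
    ip route get "$1" 2>/dev/null | head -n 1
}

# check_resolver NS HOST: succeed if nameserver NS answers a query for HOST.
check_resolver() {
    command -v nslookup >/dev/null 2>&1 || return 1
    nslookup "$2" "$1" >/dev/null 2>&1
}

snapshot() {
    for f in $RESOLV_FILES; do
        echo "== $f"
        for ns in $(nameservers_in "$f"); do
            if check_resolver "$ns" "$HOST"; then s=OK; else s=FAIL; fi
            echo "  nameserver $ns [$s] route: $(route_for "$ns")"
        done
    done
    echo "== default routes"
    ip route show 2>/dev/null | grep '^default' || echo "  (none)"
}

# Only take a snapshot on a box that has the OpenWrt resolver layout.
if [ -e /tmp/resolv.conf.auto ]; then
    snapshot
else
    echo "no /tmp/resolv.conf.auto here; run this on the OpenWrt router"
fi
```

A nameserver marked FAIL whose route line points at the VPN interface, or one that stays listed after the tunnel is gone, is the entry to look at first.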