Pulling dns setting from openvpn server

I'm running OpenWrt 21.02-SNAPSHOT on a Raspberry Pi 4b and after a clean install and setup I'm running into something I can't figure out somehow.

I use this for pulling the openvpn server dns settings;

echo $foreign_option_1 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto.test
echo $foreign_option_2 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto.test
echo $foreign_option_3 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto.test

This works flawlessly, but after the clean install it's not pulling anything; the (test) file stays empty.

Did I miss some firewall setting?

Did some reading in my log and found this.

Wed Apr 14 19:13:22 2021 daemon.notice openvpn(Den_Haag)[3276]: SENT CONTROL [Server-4317-0a]: 'PUSH_REQUEST' (status=1)
Wed Apr 14 19:13:22 2021 daemon.notice openvpn(Den_Haag)[3276]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.57.0.1,comp-lzo no,route 10.57.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.57.0.174 10.57.0.173,peer-id 40,cipher AES-256-GCM'

I'm using openvpn-openssl and vpn-policy-routing. And if the openvpn (tun0) is up, all users use the OpenVPN DNS, and when it's down, the DNS from my ISP.
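As an added example (not code from the thread or from the OpenWrt wiki), here is a small up-script helper that does the same job as the three echo/sed lines above for any number of foreign_option_N variables, and that refuses to treat "nothing was pushed" as success, which is the failure mode described in this post. It assumes it runs in the environment OpenVPN gives its --up script and that the output path is passed as a parameter.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenWrt wiki.
# Turns the foreign_option_N variables that OpenVPN exports to its --up
# script into resolv.conf lines and refuses to install an empty resolver
# file. Assumed: run as an OpenVPN up script; output path is a parameter.

# Convert env-style "foreign_option_N=dhcp-option DNS|DOMAIN value" lines on
# stdin into "nameserver value" / "search value" lines on stdout, deduplicated.
foreign_options_to_resolv() {
    sed -n \
        -e 's/^foreign_option_[0-9]*=dhcp-option DNS /nameserver /p' \
        -e 's/^foreign_option_[0-9]*=dhcp-option DOMAIN /search /p' \
    | sort -u
}

# Build the resolver file from the current environment. Returns 1 (and leaves
# the file empty) when the server pushed no DNS option at all, so the caller
# can keep the previous resolvers instead of silently losing DNS.
write_vpn_resolv() {
    out="$1"
    env | foreign_options_to_resolv > "$out"
    if ! grep -q '^nameserver ' "$out"; then
        # log to syslog when logger is available (it is on OpenWrt)
        command -v logger >/dev/null 2>&1 && logger -t vpn-dns "no DNS pushed by server, $out left empty"
        return 1
    fi
    return 0
}

# Usage inside the OpenVPN up script (assumed path from the thread):
#   write_vpn_resolv /tmp/resolv.conf.vpn || exit 0   # keep old resolvers
```

Because `env` does not guarantee the order of foreign_option_1, foreign_option_2, ..., the output is sorted rather than kept in push order; if resolver priority matters, compare the result against the PUSH_REPLY line in the log.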

Collect the relevant logs as follows:

logger -t ${0##*/} ${@} $(env)

Hi @vgaetera, thanks for your help.

Thu Apr 15 06:28:09 2021 user.notice logger.sh: USER=root SSH_CLIENT=10.0.1.12 65324 22 SHLVL=2 HOME=/root SSH_TTY=/dev/pts/0 PS1=\[\e]0;\u@\h: \w\a\]\u@\h:\w\$ ENV=/etc/shinit LOGNAME=root TERM=xterm PATH=/usr/sbin:/usr/bin:/sbin:/bin SHELL=/bin/ash PWD=/root SSH_CONNECTION=10.0.1.12 65324 10.0.1.1 22

Is this what you expect, when executing the script?

Include the given command in the VPN script.

Ooh sorry, didn't understand that. This is the log after the VPN is coming up. (vpn-policy-routing is down for the moment)

Thu Apr 15 11:25:09 2021 daemon.notice openvpn(Den_Haag)[5802]: TUN/TAP device tun0 opened
Thu Apr 15 11:25:09 2021 daemon.notice openvpn(Den_Haag)[5802]: net_iface_mtu_set: mtu 1500 for tun0
Thu Apr 15 11:25:09 2021 daemon.notice openvpn(Den_Haag)[5802]: net_iface_up: set tun0 up
Thu Apr 15 11:25:09 2021 daemon.notice netifd: Interface 'vpnclient' is enabled
Thu Apr 15 11:25:09 2021 daemon.notice netifd: Network device 'tun0' link is up
Thu Apr 15 11:25:09 2021 daemon.notice netifd: Interface 'vpnclient' has link connectivity
Thu Apr 15 11:25:09 2021 daemon.notice netifd: Interface 'vpnclient' is setting up now
Thu Apr 15 11:25:09 2021 daemon.notice openvpn(Den_Haag)[5802]: net_addr_ptp_v4_add: 10.123.0.238 peer 10.123.0.237 dev tun0
Thu Apr 15 11:25:09 2021 daemon.notice openvpn(Den_Haag)[5802]: /usr/libexec/openvpn-hotplug up Den_Haag tun0 1500 1557 10.123.0.238 10.123.0.237 init
Thu Apr 15 11:25:09 2021 daemon.notice netifd: Interface 'vpnclient' is now up
Thu Apr 15 11:25:09 2021 daemon.debug dnsmasq[5296]: listening on tun0(#24): 10.123.0.238 port 53
Thu Apr 15 11:25:09 2021 daemon.debug dnsmasq[5296]: listening on tun0(#24): fe80::1dbe:a86:bb69:6678%tun0 port 53
Thu Apr 15 11:25:09 2021 user.notice logger.sh: tun0 1500 1557 10.123.0.238 10.123.0.237 init route_vpn_gateway=10.123.0.237 X509_0_emailAddress=support@expressvpn.com daemon_log_redirect=0 USER=root X509_1_emailAddress=support@expressvpn.com script_type=up proto_1=udp ACTION=up daemon=0 SHLVL=4 foreign_option_1=dhcp-option DNS 10.123.0.1 dev_type=tun route_network_1=10.123.0.1 user_down=/etc/openvpn/logger.sh remote_1=netherlands-thehague-ca-version-2.expressnetw.com dev=tun0 X509_0_CN=Server-3917-0a X509_0_C=VG remote_port_1=1195 X509_1_CN=ExpressVPN CA X509_1_C=VG INSTANCE=Den_Haag HOTPLUG_TYPE=openvpn tls_digest_sha256_0=e5:83:a5:3f:30:3d:11:da:7f:de:b6:59:f8:88:a3:51:a5:50:04:b8:7f:4a:61:77:f8:c5:9b:c6:d5:6e:a6:74 daemon_start_time=1618485908 script_context=init ifconfig_local=10.123.0.238 common_name=Server-3917-0a tls_digest_sha256_1=c7:aa:a9:c1:55:9d:e2:34:dc:2b:09:86:b1:81:b0:a6:95:59:5e:18:e1:e9:57:ac:14:7d:b0:c7:88:39:71:54 LOGNAME=root DEVICENAME= verb=3 PATH=/usr/sbin:/usr/bin:/sbin:/bin link_mtu=1557 X509_0_O=E
Thu Apr 15 11:25:09 2021 user.notice firewall: Reloading firewall due to ifup of vpnclient (tun0)

The log contains the variable, so it should work if processed properly.
There's likely some issue with your VPN script or DNS settings.

Actually there's a tested and working method:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#dns_and_domain

Followed your link, but get the same results. (The file is empty.) Very strange. There must be something I have done differently after my last clean install and config. But no idea what. I'll keep searching.

I stopped Adblock / Banip / vpn-policy-routing to see if they are the ones to blame, I think I am the one myself... :wink:

Because the variables are there when I start the VPN I'm clueless at the moment.

One thing I did, because it wasn't working: I removed openvpn-openssl and luci-app-openvpn, removed the interface and the firewall settings, installed everything again and overwrote all settings.

Is it possible that I did something there?

Is resolv.conf.auto in 21.02-snapshot located in /tmp/resolv.conf.d/ instead of in /tmp as in 19.07-snapshot?

@vgaetera OK, an update/workaround, but not how it should work, I think.

I use the script in my vpn script for up and down (from the link in your post)

When the VPN goes up, the file /tmp/resolv.conf.vpn is made and the DNS server is in there. So vpn works with correct DNS.

When the VPN goes down, the file /tmp/resolv.conf.auto is made, but empty.
So as a temporary solution I copied the content of /tmp/resolv.conf.d/resolv.conf.d/resolv.conf.auto to that file and now it works.

I didn't have a previous file resolv.conf.auto in /tmp, by the way.

You need to specify the following path in the VPN script when it goes down:

If the down event is not triggered by the VPN script, use hotplug instead.


That did the trick, thanks for your help :wink:


If I eventually have the need to give the VPN-connected clients the VPN's DNS server and the normal WAN users the DNS that is given in the interface setting (the thing I said was not needed at first):

Do I need multiple dnsmasq instances then? I assume I have to edit the client.sh file so that only one instance of dnsmasq is altered?

That's correct if you need dynamic configuration and/or process DNS queries with Dnsmasq.
Another option is to provide custom static DNS with DHCP bypassing Dnsmasq DNS.

I'm trying to follow your first link from the wiki.

I've got two instances lan (eth0.1) for normal users and vpnclient (tun0) for my vpn users.

When I want to make multiple instances, I tried to do the following in /etc/config/dhcp,
but the difference from the wiki example is that tun0 uses the DHCP settings for lan, because tun0 hasn't any. So my config can't be correct like this; I only have no clue what to edit to make it work.

config dnsmasq 'lan'
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	list interface 'lan'

config dnsmasq 'tun0'
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/vpnclient/'
	option domain 'vpnclient'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases.vpn'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d/vpn/'
	list interface 'vpnclient'
	list notinterface 'loopback'
	option resolvfile '/tmp/resolv.conf.vpn'

If this works, the client.sh script that is executed on VPN up/down needs to be edited so only the tun0 instance is changed, or at least updated with the latest DNS settings from my VPN provider. (I think the up and down commands have to be the same and have to point to the tun0 instance?)

Somewhere after @dnsmasq[0] ?

#!/bin/sh
env | sed -n -e "
/^foreign_option_.*=dhcp-option.*DNS/s//nameserver/p
/^foreign_option_.*=dhcp-option.*DOMAIN/s//search/p

" | sort -u > /tmp/resolv.conf.vpn
case ${script_type} in
(up) uci set dhcp.@dnsmasq[0].resolvfile="/tmp/resolv.conf.vpn" ;;
(down) uci set dhcp.@dnsmasq[0].resolvfile="/tmp/resolv.conf.d/resolv.conf.auto" ;;
esac
/etc/init.d/dnsmasq restart &

my current /etc/config/dhcp file (there is no dhcp for tun0)


#config dnsmasq 'lan'
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	list interface 'lan'

#config dnsmasq 'tun0'
#	option domainneeded '1'
#	option boguspriv '1'
#	option filterwin2k '0'
#	option localise_queries '1'
#	option rebind_protection '1'
#	option rebind_localhost '1'
#	option local '/vpnclient/'
#	option domain 'vpnclient'
#	option expandhosts '1'
#	option nonegcache '0'
#	option authoritative '1'
#	option readethers '1'
#	option leasefile '/tmp/dhcp.leases.vpn'
#	option nonwildcard '1'
#	option localservice '1'
#	option ednspacket_max '1232'
#	option confdir '/tmp/dnsmasq.d/vpn/'
#	list interface 'vpnclient'
#	list notinterface 'loopback'
#	option resolvfile '/tmp/resolv.conf.vpn'


config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ra_management '1'
	option start '48'
	option limit '207'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option leasetime '12h'
	option limit '155'
	option force '1'


Am I on the right track, or am I completely missing it?

You can address the second DNS instance by its name or by incrementing the UCI section ID.
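As an added example (not the thread's client.sh and not the wiki's script), here is a version of the up/down hook that targets one named dnsmasq instance instead of @dnsmasq[0], so the LAN instance keeps its own resolvfile. It assumes the section is named 'tun0' as in the config posted above (by index, the same second section would be dhcp.@dnsmasq[1]), the two resolver paths used in this thread, and that OpenVPN sets script_type to up or down. It also checks that the resolver file it is about to switch to actually contains a nameserver, since an empty file is exactly the symptom reported earlier in the thread.

```shell
#!/bin/sh
# Added example, not the thread's or the wiki's script. Re-points one named
# dnsmasq instance (config dnsmasq 'tun0' in /etc/config/dhcp) on OpenVPN
# up/down. Assumed: section name 'tun0', paths below, script_type set by OpenVPN.

VPN_RESOLV=/tmp/resolv.conf.vpn
WAN_RESOLV=/tmp/resolv.conf.d/resolv.conf.auto

# Map the OpenVPN script_type (up/down) to the resolvfile the VPN instance
# should read. Anything else is an error.
resolvfile_for() {
    case "$1" in
        up)   echo "$VPN_RESOLV" ;;
        down) echo "$WAN_RESOLV" ;;
        *)    return 1 ;;
    esac
}

# Print the uci commands for a given instance name and event. Kept separate
# from execution so they can be inspected (dry run) before being applied.
uci_commands_for() {
    inst="$1"
    file=$(resolvfile_for "$2") || return 1
    printf 'uci set dhcp.%s.resolvfile=%s\nuci commit dhcp\n' "$inst" "$file"
}

# A resolver file is usable only if it exists, is non-empty and names at
# least one upstream; switching dnsmasq to an empty file leaves clients
# without DNS instead of falling back to anything.
usable_resolvfile() {
    [ -s "$1" ] && grep -q '^nameserver ' "$1"
}

# Apply on a live OpenWrt box: $1 is the instance name (default tun0),
# ${script_type} comes from OpenVPN. Restarting dnsmasq reloads all instances.
apply_resolvfile() {
    inst="${1:-tun0}"
    file=$(resolvfile_for "${script_type:-}") || { echo "unknown script_type" >&2; return 1; }
    usable_resolvfile "$file" || { logger -t vpn-dns "$file has no nameserver, keeping current resolvfile"; return 1; }
    uci_commands_for "$inst" "$script_type" | sh -e && /etc/init.d/dnsmasq restart
}

# Usage from the OpenVPN up/down script:
#   apply_resolvfile tun0
```

Because uci writes the resolvfile into the named section, the 'lan' instance continues to use /tmp/resolv.conf.d/resolv.conf.auto regardless of the VPN state; only clients whose queries reach the 'tun0' instance see the VPN provider's resolvers.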

Ok, I'm a bit lost here, nothing worked anymore, so I'm back to my default to make it work again.

The client.sh script does make the following happen:
- If all users are on WAN (so the VPN is down), the DNS from my network (/etc/config/network) is used.
- If all users are on VPN (so tun0 is up), the DNS from my VPN provider is used.

So far so good

On my vpn-policy-routing I set all clients that need VPN on VPN, and on WAN when it is not needed.

But the non-VPN users now have to use the VPN provider's DNS, and this is in some cases not working well.

So what I need is that my clients that go over WAN use the VPN provided in /etc/config/network.

/tmp/resolv.conf.vpn is my VPN DNS server setting.
/tmp/resolv.conf.d/resolv.conf.auto is my own DNS setting.

I assume I need multiple instances of dnsmasq, but my tun0 does not serve IPs; my normal LAN does.

How can I configure my /etc/config/dhcp file so that normal LAN-to-WAN users use the file /tmp/resolv.conf.d/resolv.conf.auto and my VPN users use /tmp/resolv.conf.vpn?

You need to force the VPN clients to use different resolvers.
A common approach is to route the guest network to VPN, and LAN to WAN.
This way you can easily configure separate DHCP and DNS instances for each network.

