[solved] No DNS over VPN


I set up a openvpn server and it works, but there is no DNS possible. To ping the ip addresses works fine to extern and local hosts. How to get up DNS? :confused:
It must be a problem with unbound because using nslookup shows me that the queries are refused.
What I am doing wrong?


You need to check for configuration on both ends, on server you must have a dns forwarder like dnsmasq or bind, or a iptables rule.

On the client you must check how you have dns configured for queries:
Please check out item 5 here: https://gist.github.com/braian87b/64440dec125d2b2f0ddc600c490988db
or here (is the same post): https://github.com/jlund/streisand/wiki/Setting-an-OpenWrt-Based-Router-as-OpenVPN-Client/

If you have a OpenVPN Client Configuration file .ovpn you should put in there something but I do not remember what :smile:

Thx! Hmm It must be a prolem with unbound. I set it up as described here: https://github.com/openwrt/packages/tree/master/net/unbound/files#parallel-dnsmasq

Any other ideas? Is it possible to whitelist the openvpn range in unbound?

I don't know, where is unbound? on the OpenVPN Server end? or on the client and forwards queries? have you read the item 5 on link I posted?

Unbound is installed on the lede router, where also the openvpon server is installed. unbound works well, also on other interfaces. only on the openvpn interface the queries are refused :confused:
item 5 i already checked, it didn't help me.

So, if you want unbound to resolve dnsqueries through, openvpn have nothing to do here, it just need to be working, you need to make sure that:

  • clients on lede client router when do a dns querie point to internal vpn ip where unbound is located, check doing nslookup and/or doing ifconfig/ipconfig on the clients
  • client vpn lede router has proper iptables rules in order to allow forward dns queries to that ip.
  • server vpn lede router has proper iptables rules in order to allow input dns queries from vpn clients.
  • for those ones icmp ping isn't just enought you need to be able to reach 53 port on tcp and udp
  • unbound listen and allow queries from vpn subnet ip addresses. Just in case: https://wiki.openwrt.org/doc/howto/unbound
  • the parallel unbound - dnsmasq AFAIK is to allow dhcp leases and let unbound ask to dnsmasq about those leases resolutions

Finally: Check again using nslookup while having unbound logging enabled and logread -f running in order to check if query is received successfully.

finally if you have everything working and you had plans to have other vpn clientes it will be useful to push dns config using vpn, usually doing:

push "redirect-gateway"
push "route"
push "dhcp-option DNS"    

What queries are refused using vpn interface? the local ones or the remote ones? may be you will need to use dnsmasq on the client as dns resolver, and forward requests to unbound just when vpn is up (using openvpn-up.script). enable logging of unbound and post here is there some error.

Hello braian,

thx so far, but

*there is no logging option in unbound, see: https://github.com/openwrt/packages/tree/master/net/unbound/files#parallel-dnsmasq
any suggestions so far? disable uci unbound?
*by using push "dhcp-option DNS" i got the answer: unexpected answer


have you tried to use nslookup to query a domain to the unbound ip? doing that you don't need to enable unbound logging...
if your unbound if failing and you are pretty sure that is the root cause of problems then do a firstboot start with a clean system and try again to configure just unbound to see where is the configuration problem is there is any... If not check your hw specs, if you had a slow cpu, little ram and no enough storage may be is that the source of problems.


push "dhcp-option DNS"

you should put that on your openvpn config file, and should be the unbound IP from the VPN subnet. check OpenVPN if you need it, but please try the steps marked with asterisk that I previously described first in order to discard problem, read it again on my preovious message.


option localservice '0'

to /etc/config/dhcp in the config dnsmasq section


@Menion thx, but it didn't help

@braian87b I checked all your advices, without success
there are no special iptables rules for dns
icmp works fine, the service refuses my request.

Deactivating unbound results in a working dns server for vpn, but i want to use unbound

May be if you post your configuration files or describe in better way or with a draw www.draw.io
There is some science but not rocket one, may be you are just missing something, it is difficult to us to guess about.

@braian87b no it's not that difficult, there is nothing to guess about...

I did a reconfiguration of the router and now it seems to work. for all other guys:

Recursive DNS Section:
Local Service: unchecked
Block Localhost Rebinded: unchecked

DHCP and DNS Section:
Local Service Only: checked


You did not aswer if you couldn't or not query using nslookup... are you able to ping at least? are you able to telnet to dns tcp port or check somehow if it is opened on the other end of vpn?

if is closed probably your problem is that you need some iptables rules on one or another end.
Or you are completely sure that you can reach the unbound but it does not respond as you wish.

Sorry for reviving this old thread, but the issue is still actual and I believe it's a bug/glitch in dnsmasq that should be addressed.
I'm running OpenWrt 19.07.5 on a D-Link DIR-860L B1 (ramips/mt7621) and configured a custom Point-to-Point OpenVPN instance on it (shared static key). On the client (Android) I defined the name server manually as the OpenWRT VPN end (tunnel IP - and noticed that dnsmasq, although listening on the tun0 interface and the DNS requests arriving at the router through the tunnel (verified with tcpdump), doesn't answer them.
Here are some relevant infos:

root@ow:~# ip r s | grep 10.0 dev tun0 scope link  src
root@ow:~# ip a s | grep 10.0
    inet peer scope global tun0
root@ow:~# netstat -an | grep 10.0
tcp        0      0*               LISTEN
udp        0      0*

Once I edited /etc/config/dhcp and set: option localservice '0', & restarted the router, dnsmasq would answer the requests on the tun0 interface, but it would also listen on the wan interface.
I filtered the tcp/udp port 53 on the wan (using PPPoE) in the custom firewall with:

/usr/sbin/iptables -I INPUT -i pppoe-wan -p udp --dport 53  -j DROP
/usr/sbin/iptables -I INPUT -i pppoe-wan -p tcp --dport 53  -j DROP

VPN (tun0 interface) looks treated as local, because dnsmasq starts listening on it, but it doesn't "serve" it until the option localservice is disabled (set on 0).

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.