OpenWrt Forum Archive

Topic: OpenVPN DNS resolving doesn't work


Hello there everybody

Well it seems I have some kind of Problem with my OpenVPN Configuration.
A while ago I had an OpenVPN-Connection set up and running, everything worked fine.
A few weeks ago I changed my ISP and had some problems with my OpenWrt router, so I reinstalled it.
After setting everything up the way it was before, I decided it was finally time to get my VPN running again.
So I installed the openvpn package and copied my old config files back.

Well this is where I am stuck:
1. I can connect to my VPN
2. I can ping clients on my remote (the network I connected via VPN to) network
3. I can access the Internet (But with the local DNS of the device and not the DNS of my router)

My Network is basically:
192.168.0.0 /24 local net
192.168.1.0 /24 guest net
192.168.3.0 /24 VPN

Network configuration:
----------------------------

# /etc/config/network -- first (complete) paste of the router's network config.
# The PPPoE login in the wan stanza is already replaced by placeholders here.

config interface "loopback"
	option proto	"static"
	option ifname	"lo"
	option ipaddr	"127.0.0.1"
	option netmask	"255.0.0.0"

config globals "globals"
	option ula_prefix	"fdab:45db:aa88::/48"

# LAN: bridge on switch VLAN 1, 192.168.0.1/24, plus a /60 of the ULA prefix.
config interface "lan"
	option type	"bridge"
	option ifname	"eth0.1"
	option proto	"static"
	option ipaddr	"192.168.0.1"
	option netmask	"255.255.255.0"
	option ip6assign	"60"
	option force_link	"1"

# WAN: PPPoE on switch VLAN 2. The _orig_* keys appear to be LuCI leftovers
# (netifd does not act on them as far as I can tell); the login is a placeholder
# in this paste.
config interface "wan"
	option proto	"pppoe"
	option ifname	"eth0.2"
	option username	"somestuff"
	option password	"secret"
	option _orig_ifname	"eth0.2"
	option _orig_bridge	"false"

config interface "wan6"
	option proto	"dhcpv6"
	option ifname	"eth0.2"

config switch
	option name	"switch0"
	option reset	"1"
	option enable_vlan	"1"

# VLAN 1 = LAN ports 1-4, VLAN 2 = WAN port 0; port 5 is tagged in both and is
# presumably the CPU port.
config switch_vlan
	option device	"switch0"
	option vlan	"1"
	option ports	"1 2 3 4 5t"

config switch_vlan
	option device	"switch0"
	option vlan	"2"
	option ports	"0 5t"

# Guest network 192.168.1.1/24. No ifname/type is given, so the guest SSID
# presumably attaches to this interface via /etc/config/wireless -- confirm.
config interface "guest"
	option proto	"static"
	option ipaddr	"192.168.1.1"
	option netmask	"255.255.255.0"

# OpenVPN tunnel device; OpenVPN manages the addressing itself (proto none),
# this stanza only exists so the firewall can put tun0 in a zone.
config interface "vpn0"
	option proto	"none"
	option ifname	"tun0"

Firewall Configuration:
-----------------------------

# NOTE(review): despite the "Firewall Configuration" heading above, this is not
# the firewall config. It is a second, truncated paste of /etc/config/network
# (identical to the listing above up to the wan stanza, which is cut off here).
# The real firewall config starts after the "cat firewall" prompt further down.
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fdab:45db:aa88::/48'

config interface 'lan'
    option ifname 'eth0.1'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '192.168.0.1'

config interface 'wan'
    option ifname 'eth0.2'
    option _orig_ifname 'eth0.2'
    option _orig_bridge 'false'
root@router:/etc/config# cat network

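# Another truncated paste of /etc/config/network (cut off inside the switch
# stanza). It duplicates the first listing with one important difference: the
# wan stanza contained what appear to be the real PPPoE login and password.
# NOTE(review): they are replaced below with the same placeholders used in the
# first listing. Credentials that have been posted publicly must be treated as
# compromised -- change the PPPoE password with the ISP. OpenWrt keeps this
# password in plain text in /etc/config/network, so scrub it before pasting.

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fdab:45db:aa88::/48'

config interface 'lan'
    option ifname 'eth0.1'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '192.168.0.1'

# PPPoE login: placeholders, see the note at the top of this listing.
config interface 'wan'
    option ifname 'eth0.2'
    option _orig_ifname 'eth0.2'
    option _orig_bridge 'false'
    option proto 'pppoe'
    option username 'somestuff'
    option password 'secret'

config interface 'wan6'
    option ifname 'eth0.2'
    option proto 'dhcpv6'

config switch
    option name 'switch0'
    option reset '1'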
root@router:/etc/config# cat network 

# NOTE(review): third, even shorter paste of /etc/config/network -- only the
# loopback stanza survived. It adds nothing beyond the first listing.
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'
root@router:/etc/config# cat firewall 
# /etc/config/firewall
#
# Chain policies for traffic that no zone claims. input/output ACCEPT is the
# OpenWrt default; the wan zone below overrides input to REJECT, and forward
# is denied unless a "forwarding" section explicitly allows a zone pair.
config defaults
	option syn_flood	"1"
	option input		"ACCEPT"
	option output		"ACCEPT"
	option forward		"REJECT"
	# uncomment to drop all IPv6 rules
#	option disable_ipv6	"1"

# LAN is fully trusted: hosts may talk to the router and to each other freely.
config zone
	option name		"lan"
	list   network		"lan"
	option input		"ACCEPT"
	option output		"ACCEPT"
	option forward		"ACCEPT"

# WAN (IPv4 + IPv6): nothing in, NAT out, clamp MSS for the PPPoE MTU.
config zone
	option name		"wan"
	list   network		"wan"
	list   network		"wan6"
	option input		"REJECT"
	option output		"ACCEPT"
	option forward		"REJECT"
	option masq		"1"
	option mtu_fix		"1"

# LAN -> internet.
config forwarding
	option src		"lan"
	option dest		"wan"

# Stock OpenWrt wan-input exceptions (IPv4). The wan zone policy is REJECT, so
# everything the router must accept from the internet is listed explicitly.

# DHCP lease renewals from the ISP arrive on UDP/68
# (https://dev.openwrt.org/ticket/4108). With PPPoE on wan this is presumably
# idle, but it is harmless to keep.
config rule
	option name		"Allow-DHCP-Renew"
	option src		"wan"
	option family		"ipv4"
	option proto		"udp"
	option dest_port	"68"
	option target		"ACCEPT"

# Answer ICMP echo from the internet.
config rule
	option name		"Allow-Ping"
	option src		"wan"
	option family		"ipv4"
	option proto		"icmp"
	option icmp_type	"echo-request"
	option target		"ACCEPT"

# IGMP from upstream.
config rule
	option name		"Allow-IGMP"
	option src		"wan"
	option family		"ipv4"
	option proto		"igmp"
	option target		"ACCEPT"

# DHCPv6 replies (server port 547 -> client port 546), link-local on both ends
# only (https://dev.openwrt.org/ticket/10381).
config rule
	option name		"Allow-DHCPv6"
	option src		"wan"
	option family		"ipv6"
	option proto		"udp"
	option src_ip		"fe80::/10"
	option src_port		"547"
	option dest_ip		"fe80::/10"
	option dest_port	"546"
	option target		"ACCEPT"

# Multicast Listener Discovery from link-local sources: ICMPv6 types 130
# (query), 131 (report), 132 (done) and 143 (MLDv2 report).
config rule
	option name		"Allow-MLD"
	option src		"wan"
	option family		"ipv6"
	option proto		"icmp"
	option src_ip		"fe80::/10"
	list icmp_type		"130/0"
	list icmp_type		"131/0"
	list icmp_type		"132/0"
	list icmp_type		"143/0"
	option target		"ACCEPT"

# ICMPv6 the router itself must accept for IPv6 to work (errors, path MTU,
# neighbour and router discovery), rate-limited.
config rule
	option name		"Allow-ICMPv6-Input"
	option src		"wan"
	option family		"ipv6"
	option proto		"icmp"
	list icmp_type		"echo-request"
	list icmp_type		"echo-reply"
	list icmp_type		"destination-unreachable"
	list icmp_type		"packet-too-big"
	list icmp_type		"time-exceeded"
	list icmp_type		"bad-header"
	list icmp_type		"unknown-header-type"
	list icmp_type		"router-solicitation"
	list icmp_type		"neighbour-solicitation"
	list icmp_type		"router-advertisement"
	list icmp_type		"neighbour-advertisement"
	option limit		"1000/sec"
	option target		"ACCEPT"

# The same for ICMPv6 forwarded on to any other zone (dest "*"); the
# link-local discovery types are deliberately not in this list.
config rule
	option name		"Allow-ICMPv6-Forward"
	option src		"wan"
	option dest		"*"
	option family		"ipv6"
	option proto		"icmp"
	list icmp_type		"echo-request"
	list icmp_type		"echo-reply"
	list icmp_type		"destination-unreachable"
	list icmp_type		"packet-too-big"
	list icmp_type		"time-exceeded"
	list icmp_type		"bad-header"
	list icmp_type		"unknown-header-type"
	option limit		"1000/sec"
	option target		"ACCEPT"

# Hand-written iptables rules. This file is executed with root privileges on
# every firewall reload, so treat it like any other privileged script.
config include
	option path		"/etc/firewall.user"

# Guest zone: guests may reach the internet but neither the router nor the LAN
# (forward REJECT, and the only forwarding is to wan), except for the two
# services the router has to provide them: DNS and DHCP.
config zone
	option name	"guest"
	option network	"guest"
	option input	"REJECT"
	option output	"ACCEPT"
	option forward	"REJECT"

# Guest -> internet.
config forwarding
	option src	"guest"
	option dest	"wan"

# Router-hosted DNS for guests. Queries originate from ephemeral client ports
# (>1023), so only the destination port is matched.
config rule
	option name		"Allow DNS Queries"
	option src		"guest"
	option proto		"tcpudp"
	option dest_port	"53"
	option target		"ACCEPT"

# Router-hosted DHCP for guests (UDP 67/68 on both ends).
config rule
	option name		"Allow DHCP request"
	option src		"guest"
	option proto		"udp"
	option src_port		"67-68"
	option dest_port	"67-68"
	option target		"ACCEPT"

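# OpenVPN listener. As posted, this rule had src '*', i.e. it accepted UDP/1194
# from every zone -- including guest, whose input policy is REJECT and which is
# otherwise only allowed DNS and DHCP towards the router. Restricting the rule
# to wan keeps the guest policy intact; lan still reaches the listener through
# its own input ACCEPT policy.
config rule
	option name		"Allow-OpenVPN-Inbound"
	option src		"wan"
	option proto		"udp"
	option dest_port	"1194"
	option target		"ACCEPT"

# VPN zone: tun0 only. input ACCEPT means every authenticated client gets full
# access to whatever the router itself serves (ssh, LuCI, DNS, ...); forward is
# REJECT, so each destination zone needs an explicit forwarding section.
config zone
	option name		"vpn"
	option network		"vpn0"
	option input		"ACCEPT"
	option output		"ACCEPT"
	option forward		"REJECT"

# VPN clients -> internet (masqueraded by the wan zone).
config forwarding
	option src		"vpn"
	option dest		"wan"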

OpenVPN Server Config:
--------------------------------

# /etc/config/openvpn -- server instance "myvpn": UDP/1194, routed (tun) mode.
config openvpn "myvpn"
	option enabled		"1"
	option port		"1194"
	option proto		"udp"
	option dev		"tun"

	# Clients get addresses from 192.168.3.0/24 and have their default route
	# replaced by the tunnel ("def1": two /1 routes overriding the existing
	# default instead of replacing it).
	option server		"192.168.3.0 255.255.255.0"
	list push		"redirect-gateway def1"
	option keepalive	"10 120"

	# PKI: CA, server certificate/key, DH parameters.
	option ca		"/etc/openvpn/keys/ca.crt"
	option cert		"/etc/openvpn/keys/router.crt"
	option key		"/etc/openvpn/keys/router.key"
	option dh		"/etc/openvpn/keys/dh2048.pem"

	# NOTE(review): no tls-auth/tls-crypt key is configured, so the UDP port
	# answers TLS handshakes from anyone on the internet; consider adding one.
	# Nothing here pushes a DNS server to the clients -- that is the actual
	# problem raised in this thread.
	option log		"/tmp/openvpn.log"
	option verb		"3"

Openvpn Client Config:
------------------------------

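# OpenVPN client profile for the phone. "domain" and "port" are placeholders
# for the server's public hostname and its port (1194 above).
client

dev tun
proto udp

remote domain port
# keep retrying name resolution of the server indefinitely (mobile links drop)
resolv-retry infinite
nobind

# keep keys and the tun device across restarts
persist-key
persist-tun

ca ca.crt
cert smartphone-e.crt
key smartphone-e.key
# Verify that the peer presents a *server* certificate, so that a stolen client
# certificate cannot be used to impersonate the server. The original line was
# "ns-cert-type server", which checks the legacy Netscape nsCertType extension;
# it was deprecated in OpenVPN 2.4 and removed in 2.5. remote-cert-tls checks
# the extendedKeyUsage serverAuth bit instead, which easy-rsa sets on server
# certificates.
# NOTE(review): if the server certificate was issued without that EKU (very old
# easy-rsa profiles), it has to be re-issued before this line will connect.
remote-cert-tls server

verb 3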

I've read through all of the OpenVPN-related articles, but I'm stuck.
Hopefully someone can help me with this strange problem.


EDIT 2: Maybe I should make my intentions with this project clear.

I want to access my LAN (server, PC, etc.) via the VPN so I can get at files on my server on the fly.
Furthermore I want to use the VPN to browse safely while I am connected to a public Wi-Fi.
So basically: route all traffic from my client through my LAN.

Thank you in advance
Elopsm

(Last edited by elopsm on 8 Feb 2017, 18:00)

OpenVPN hands out addresses and options to its clients itself (the router's DHCP server is not involved), and you did not push a DNS server, so your clients are not getting any DNS server to use. Add a line like "list 'push' 'dhcp-option DNS 192.168.x.y'" to the server section.

Thank you smile
I will try that and report back here soon

Well I updated my Configuration:


OPENVPN-SERVER:

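# /etc/config/openvpn after the fix suggested above. The only change from the
# first listing is the pushed DNS server. (The forum's [u]...[/u] underline
# markup that surrounded that line in the post is not part of the config and
# has been removed -- left in, the line would not parse.)
config openvpn 'myvpn'

        option enabled '1'
        option dev   'tun'
        option proto 'udp'

        option server    '192.168.3.0 255.255.255.0'
        list push    'redirect-gateway def1'
        # Tell clients to resolve through the router's LAN address (dnsmasq).
        # 192.168.0.1 is the router itself, so this traffic hits the vpn zone's
        # input policy (ACCEPT), not the vpn->lan forwarding. NOTE(review):
        # dnsmasq still has to be willing to answer a 192.168.3.x source -- see
        # the localservice discussion further down this thread.
        list push    'dhcp-option DNS 192.168.0.1'

        option port      '1194'
        option keepalive '10 120'

        option ca   '/etc/openvpn/keys/ca.crt'
        option key  '/etc/openvpn/keys/router.key'
        option cert '/etc/openvpn/keys/router.crt'
        option dh   '/etc/openvpn/keys/dh2048.pem'

        option log  '/tmp/openvpn.log'
        option verb '3'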

And I also added forwarding between lan and vpn to my firewall configuration:

# Zone-to-zone forwardings for the VPN. Each section permits *new* connections
# in one direction; replies are handled by connection tracking.

# VPN clients -> internet (NAT via the wan zone).
config forwarding
	option src	"vpn"
	option dest	"wan"

# VPN clients -> LAN hosts (the stated goal: reach the file server).
config forwarding
	option src	"vpn"
	option dest	"lan"

# LAN hosts -> VPN clients.
config forwarding
	option src	"lan"
	option dest	"vpn"

But still it doesn't seem to work


Do I have to forward the DNS server address from my LAN or from my VPN network?

Thanks

From an external device connected to the VPN:

  • Check it gets the DNS and is using it.

  • Try to PING the DNS.

I tested it

It seems DNS is leaking:
my Android device is using a different DNS server than the one the VPN pushes.


Is this a common issue?

(Last edited by elopsm on 5 Oct 2016, 15:54)

FWIW, some Android devices starting with Lollipop have DNS servers hardcoded in the system. Have you tried DNS hijacking (a firewall redirect/DNAT rule that sends all port-53 traffic from VPN clients to the router's own resolver, whatever server the client asked for)?

Sorry for the late response.

I tried connecting with my laptop to my VPN
Same issues here:
-I can browse the web
-I can ping devices in my LAN using IP-Addresses
-I cannot reach devices in my LAN using hostnames

Any resolution to this? I'm having the same problem...

Watch the router's log while trying to resolve names from the device. If option localservice is set in /etc/config/dhcp dnsmasq will not respond to clients that are outside local subnets. Try disabling this option.

DNS or WINS?

Thanks i will try this

AndreL wrote:

Watch the router's log while trying to resolve names from the device. If option localservice is set in /etc/config/dhcp dnsmasq will not respond to clients that are outside local subnets. Try disabling this option.


PERFECT

Thank you very much that was the solution

AndreL wrote:

Watch the router's log while trying to resolve names from the device. If option localservice is set in /etc/config/dhcp dnsmasq will not respond to clients that are outside local subnets. Try disabling this option.

Thanks, AndreL.

Thanks to that, and some alterations to /etc/config/openvpn, I can confirm after testing that this does work. This was difficult and VERY time-consuming to solve, so if it helps someone else, here's a template of what I needed to do:

In /etc/config/dhcp, I needed to append the line:

option localservice '0'

to the "config dnsmasq" stanza.

Caveat: localservice is dnsmasq's `--local-service` guard — it only answers queries from subnets directly attached to an interface it listens on. Disabling it makes dnsmasq answer any address that can reach port 53, so make sure 53 stays closed in the wan zone (it is, with the zone's `input REJECT` as in the configs above); never combine `localservice '0'` with a rule that opens 53 on WAN, or the router becomes an open resolver. The likely reason the guard bites here is OpenVPN's default `topology net30`: the server's tun0 then carries only a point-to-point address, so the clients' 10.8.0.x addresses do not count as local. Setting `option topology 'subnet'` in the server section (tun0 then gets the whole /24) should let you keep localservice enabled instead.

Then, in /etc/config/openvpn, I'm using this as a template:

# Template server section (clients in 10.8.0.0/24). "192.168.x" stands for the
# router's LAN prefix.
config openvpn "myvpn"
	option enabled		"1"
	option verb		"3"
	option port		"1194"
	option proto		"udp"
	option dev		"tun"
	option server		"10.8.0.0 255.255.255.0"
	option keepalive	"10 120"
	# PKI (files directly under /etc/openvpn here, not in a keys/ subdir).
	option ca		"/etc/openvpn/ca.crt"
	option cert		"/etc/openvpn/my-server.crt"
	option key		"/etc/openvpn/my-server.key"
	option dh		"/etc/openvpn/dh2048.pem"
	# Pushed to clients, in this order: send everything through the tunnel,
	# resolve via the router, and route the LAN. The explicit LAN route is
	# redundant while redirect-gateway is honoured (the tunnel is already the
	# default route) but harmless, and it documents intent.
	list push		"redirect-gateway def1"
	list push		"dhcp-option DNS 192.168.x.1"
	list push		"route 192.168.x.0 255.255.255.0"
	# NOTE(review): like the other server configs in this thread, no
	# tls-auth/tls-crypt key -- consider adding one.

Were the OpenVPN firewall rules set up correctly?

willieaames wrote:

Were the OpenVPN firewall rules set up correctly?

For me, they were set up correctly.
I didn't need to change anything.
