OpenWrt Forum Archive

Topic: DNS Resolution Problems over VPN

The content of this topic has been archived on 27 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi all,

First I have to say: OpenVPN with OpenWrt works GREAT!

But I have a problem resolving internal DNS host names in my home network when I'm connected with OpenVpn.

Here is my interface config of the OpenVpn adapter:
http://1drv.ms/1E7ZWFw

When I try an NSLookup for an internal host, the following happens:
http://1drv.ms/1E801Jf

But I can ping and connect to the OpenWrt box on 192.168.20.254 without problems.
And I can ping and connect to the W10-PC host without problems.

When I try an internal NSLookup (from the W10-PC host) all is fine:
http://1drv.ms/1PDadLk

Can somebody help me out here?

Thanks.
Michael

(Last edited by excelsi on 21 Aug 2015, 16:11)

My Firewall Config:

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fe80::/10'
    option src_port '547'
    option dest_ip 'fe80::/10'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config rule
    option name 'Allow-OpenVPN-Inbound'
    option target 'ACCEPT'
    option src '*'
    option proto 'udp'
    option dest_port '1194'

config zone
    option name 'vpn'
    option log '1'
    option masq '1'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option output 'ACCEPT'
    option network 'vpn0'

config forwarding
    option src 'vpn'
    option dest 'lan'

My OpenVpn Config:

config openvpn 'myvpn'
    option enabled '1'
    option dev 'tun'
    option port '1194'
    option proto 'udp'
    option log '/tmp/openvpn.log'
    option verb '3'
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/VPN-SRV.crt'
    option key '/etc/openvpn/VPN-SRV.key'
    option server '10.8.0.0 255.255.255.0'
    option dh '/etc/openvpn/dh2048.pem'
    list 'push' 'route 192.168.20.0 255.255.255.0'
    list 'push' 'dhcp-option DNS 192.168.20.254'

Maybe somebody can see the problem. Thanks.

excelsi wrote:

Hi all,

First I have to say: OpenVPN with OpenWrt works GREAT!

But I have a problem resolving internal DNS host names in my home network when I'm connected with OpenVpn.

Here is my interface config of the OpenVpn adapter:
http://1drv.ms/1E7ZWFw

When I try an NSLookup for an internal host, the following happens:
http://1drv.ms/1E801Jf

But I can ping and connect to the OpenWrt box on 192.168.20.254 without problems.
And I can ping and connect to the W10-PC host without problems.

When I try an internal NSLookup (from the W10-PC host) all is fine:
http://1drv.ms/1PDadLk

Can somebody help me out here?

Thanks.
Michael

Is this an OpenVPN client or server running on OpenWrt? In either case, the VPN server's network will need a DNS and the VPN clients will need to use (or be passed via the OpenVPN server's connect options) that DNS in order to resolve hostnames. The guy who set up our VPN at work never set up a DNS, so hostnames do not resolve when connected remotely. No big deal for us, because we use static IPs for our build, VM, and source-control servers, but I've been nagging him about this for ages.

(Last edited by fecaleagle on 22 Aug 2015, 20:22)

Sorry, didn't realize your OpenVPN options were in your initial post:

So, 192.168.20.254 is your router IP, and DNS is running. Can you verify via a connected VPN client that the DNS push is being honored? Try manually using the router IP for DNS resolution after the connection is established. That will tell you whether the problem is with the clients not getting the DNS pushed to them (or not accepting the push), or whether it is somewhere else.

If your clients are using route-noexec or route-nopull, you will definitely need to establish DNS in the client up scripts.

(Last edited by fecaleagle on 22 Aug 2015, 20:36)

Thanks for your answer. Here is my OpenVpn Client Log:

Sat Aug 22 22:21:01 2015 OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  4 2015
Sat Aug 22 22:21:01 2015 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
Enter Management Password:
Sat Aug 22 22:21:01 2015 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sat Aug 22 22:21:01 2015 Need hold release from management interface, waiting...
Sat Aug 22 22:21:01 2015 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sat Aug 22 22:21:02 2015 MANAGEMENT: CMD 'state on'
Sat Aug 22 22:21:02 2015 MANAGEMENT: CMD 'log all on'
Sat Aug 22 22:21:02 2015 MANAGEMENT: CMD 'hold off'
Sat Aug 22 22:21:02 2015 MANAGEMENT: CMD 'hold release'
Sat Aug 22 22:21:02 2015 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sat Aug 22 22:21:02 2015 MANAGEMENT: >STATE:1440274862,RESOLVE,,,
Sat Aug 22 22:21:02 2015 UDPv4 link local (bound): [undef]
Sat Aug 22 22:21:02 2015 UDPv4 link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Sat Aug 22 22:21:02 2015 MANAGEMENT: >STATE:1440274862,WAIT,,,
Sat Aug 22 22:21:02 2015 MANAGEMENT: >STATE:1440274862,AUTH,,,
Sat Aug 22 22:21:02 2015 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:1194, sid=376925ad d3c6c8c4
Sat Aug 22 22:21:04 2015 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA, name=EasyRSA, emailAddress=me@myhost.mydomain
Sat Aug 22 22:21:04 2015 Validating certificate key usage
Sat Aug 22 22:21:04 2015 ++ Certificate has key usage  00a0, expects 00a0
Sat Aug 22 22:21:04 2015 VERIFY KU OK
Sat Aug 22 22:21:04 2015 Validating certificate extended key usage
Sat Aug 22 22:21:04 2015 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Aug 22 22:21:04 2015 VERIFY EKU OK
Sat Aug 22 22:21:04 2015 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=VPN-SRV, name=EasyRSA, emailAddress=me@myhost.mydomain
Sat Aug 22 22:21:05 2015 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Aug 22 22:21:05 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Aug 22 22:21:05 2015 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Aug 22 22:21:05 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Aug 22 22:21:05 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sat Aug 22 22:21:05 2015 [VPN-SRV] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1194
Sat Aug 22 22:21:07 2015 MANAGEMENT: >STATE:1440274867,GET_CONFIG,,,
Sat Aug 22 22:21:08 2015 SENT CONTROL [VPN-SRV]: 'PUSH_REQUEST' (status=1)
Sat Aug 22 22:21:08 2015 PUSH: Received control message: 'PUSH_REPLY,route 192.168.20.0 255.255.255.0,dhcp-option DNS 192.168.20.254,route 10.8.0.1,topology net30,ifconfig 10.8.0.6 10.8.0.5'
Sat Aug 22 22:21:08 2015 OPTIONS IMPORT: --ifconfig/up options modified
Sat Aug 22 22:21:08 2015 OPTIONS IMPORT: route options modified
Sat Aug 22 22:21:08 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Aug 22 22:21:08 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Aug 22 22:21:08 2015 MANAGEMENT: >STATE:1440274868,ASSIGN_IP,,10.8.0.6,
Sat Aug 22 22:21:08 2015 open_tun, tt->ipv6=0
Sat Aug 22 22:21:08 2015 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{BB37DD1E-0F4F-46BC-9A41-53A7B236079E}.tap
Sat Aug 22 22:21:08 2015 TAP-Windows Driver Version 9.21
Sat Aug 22 22:21:08 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {BB37DD1E-0F4F-46BC-9A41-53A7B236079E} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Sat Aug 22 22:21:08 2015 Successful ARP Flush on interface [82] {BB37DD1E-0F4F-46BC-9A41-53A7B236079E}
Sat Aug 22 22:21:13 2015 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Sat Aug 22 22:21:13 2015 MANAGEMENT: >STATE:1440274873,ADD_ROUTES,,,
Sat Aug 22 22:21:13 2015 C:\Windows\system32\route.exe ADD 192.168.20.0 MASK 255.255.255.0 10.8.0.5
Sat Aug 22 22:21:13 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Sat Aug 22 22:21:13 2015 Route addition via IPAPI succeeded [adaptive]
Sat Aug 22 22:21:13 2015 C:\Windows\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Sat Aug 22 22:21:13 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Sat Aug 22 22:21:13 2015 Route addition via IPAPI succeeded [adaptive]
Sat Aug 22 22:21:13 2015 Initialization Sequence Completed
Sat Aug 22 22:21:13 2015 MANAGEMENT: >STATE:1440274873,CONNECTED,SUCCESS,10.8.0.6,XXX.XXX.XXX.XXX

For me everything seems to be working correctly here...

At the moment I am trying to determine whether it could be a firewall issue, but I haven't found anything yet...

I am struggling with a similar problem (OpenVPN Client on OpenWRT device running TAP).

I have not explicitly configured anything for DNSMASQ, nor have I changed any of the defaults for the DHCP and DNS tabs. I do NOT have the router's IP set as "Use custom DNS Servers" for the LAN, but Windows shows a DNS server at my router's IP (how?). I have set static IP addresses in the /etc/config/dhcp file for all known clients on the LAN (i.e. config "host entries"). I push the route and dhcp-option parameter in the OpenVPN server config. I can access shares by their IP.

Reading the DNS Masq page, I am wondering if I need to add some entries to the /etc/hosts file or /etc/dnsmasq.conf file.
http://wiki.openwrt.org/doc/howto/dhcp.dnsmasq

It appears to me that I have a DNS server (DNSMASQ) which is running and advertising itself, but there is nothing to serve. Is this correct?

I am currently inside my LAN and cannot test this, otherwise I would stuff something in the file.

Regarding the firewall, see this wiki. http://wiki.openwrt.org/doc/howto/openv … rver-setup

While I do not think this is a firewall issue, I had an issue where I could connect but not pass traffic. You have not stated if you can or cannot access the internet.

I changed the order of the firewall rules and this did allow me to pass traffic. The most specific (VPN rules) went to the top.

I tried to insert an "Allow DNS Queries" rule in the firewall config in the bottom section:

config rule
    option name 'Allow-OpenVPN-Inbound'
    option target 'ACCEPT'
    option src '*'
    option proto 'udp'
    option dest_port '1194'

config rule
    option name 'Allow DNS Queries'
    option src 'vpn'
    option dest_port '53'
    option proto 'tcpudp'
    option target 'ACCEPT'

config zone
    option name 'vpn'
    option masq '1'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option output 'ACCEPT'
    option network 'vpn0'

config forwarding
    option src 'vpn'
    option dest 'lan'

But it didn't help. Maybe there is something wrong in the definition or the rule is in the wrong position.
I'm not really a firewall expert... ;-)

(Last edited by excelsi on 22 Aug 2015, 22:25)

Please try adding

192.168.20.167 w10-pc.lan

to the /etc/hosts file and retest.

The Wiki article also indicates that port 53 needs to be open for TCP and UDP.
http://wiki.openwrt.org/doc/howto/dhcp.dnsmasq

Entries in /etc/hosts don't solve the problem.
The firewall settings I tried, I have already posted.

(Last edited by excelsi on 23 Aug 2015, 08:06)

Too bad, thanks

Hm, no more experts in here...? :-(

In your client you have DNS pushed, it's OK.

But it seems like your DNS is still on the other network card.

Take a look at this

https://forums.openvpn.net/topic7847.html

Best regards.

The link discusses 2 alternatives. The first is net stop dnscache and net start dnscache. The discussion is based around a Windows TAP connection and performing this in Windows.

Is this the same nomenclature in the OpenWRT shell, and can I perform this manually in LuCI by restarting an initscript or adding this to the local startup?

The second alternative, adding register-dns (option register-dns) to the OpenVPN script, causes the OpenVPN script to become unreadable to the system (error in LuCI on Services=>OpenVPN).

RangerZ wrote:

The link discusses 2 alternatives. The first is net stop dnscache and net start dnscache. The discussion is based around a Windows TAP connection and performing this in Windows.

Is this the same nomenclature in the OpenWRT shell, and can I perform this manually in LuCI by restarting an initscript or adding this to the local startup?

The second alternative, adding register-dns (option register-dns) to the OpenVPN script, causes the OpenVPN script to become unreadable to the system (error in LuCI on Services=>OpenVPN).

Hi RangerZ!
Sorry for the short link.

I don't have time at this moment to search but try a google search about dns+openvpn+linux and then take a look at the examples.

I believe the answer to stop and start is at the CLI
# stopservice dnsmasq
# startservice dnsmasq

Or in LuCI System=>Startup=>dnsmasq "Restart"

I see the following in the system log.

Mon Aug 31 19:19:39 2015 daemon.info dnsmasq[1720]: exiting on receipt of SIGTERM
Mon Aug 31 19:19:42 2015 daemon.info dnsmasq[1525]: started, version 2.73rc8 cachesize 150

Today I tried adding entries to the /etc/hosts file for the clients I want to access inside the OpenVPN server (LAN clients). I am now able to access these mapped clients in Windows by share name. I sometimes see the local clients in the Network Neighborhood and sometimes I do not. I have not done enough testing, and did not know the above commands when I tested.

It's unbelievable....
No matter what I try, it doesn't work...

I added the Register-DNS option to my client config like here:
https://forums.openvpn.net/topic7847.html
I restarted dnsmasq through the LuCI interface.

All I get when I trigger an nslookup for an internal name against the OpenWrt router is:

DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.20.254

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

(Last edited by excelsi on 3 Sep 2015, 17:33)

Could it be possible to "publish" the OpenWrt router as a DNS server in my VPN network 10.8.0.0 and hopefully get an answer from NSLookup after that?
I also tried to set the DNS server entry on my TAP adapter to 10.8.0.5, which is also my gateway for the route to my internal network 192.168.20.0, but I get the same error as above.

An option was added not long ago to the standard dnsmasq configuration that doesn't allow lookups from non-local subnets:

option localservice     1  # disable to allow DNS requests from non-local subnets

This should be set to 0 to allow lookups from connected VPN networks.
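To see why the localservice change above works, and why the "Allow DNS Queries" firewall rule tried earlier could not help on its own, here is an added example (not code from this thread, from OpenWrt or from dnsmasq) that models the two gates a query to the router has to pass: the firewall zone input policy from the posted /etc/config/firewall, and dnsmasq's local-service check. It assumes that only the 192.168.20.0/24 lan subnet counts as local to dnsmasq (with topology net30 the server's tun side is a point-to-point link, so a client address such as 10.8.0.6 is not on a local subnet) and that 203.0.113.10 stands in for an arbitrary Internet host.

```python
import ipaddress

# Constructed model (not OpenWrt's or dnsmasq's code) of the two gates a DNS
# query has to pass to reach dnsmasq on the router in this thread:
#  1. the firewall zone input policy (posted /etc/config/firewall), and
#  2. dnsmasq's local-service restriction (option localservice '1').

# Subnets dnsmasq treats as local. Assumption: only the lan interface counts;
# with topology net30 the server's tun side is a point-to-point link, so a
# client address like 10.8.0.6 is not on a local subnet. local-service silently
# ignores such queries, which matches the nslookup timeouts seen in the thread.
LOCAL_SUBNETS = [ipaddress.ip_network("192.168.20.0/24")]

# zone -> (source subnet, input policy) as in the posted firewall config.
ZONES = {
    "lan": (ipaddress.ip_network("192.168.20.0/24"), "ACCEPT"),
    "vpn": (ipaddress.ip_network("10.8.0.0/24"), "ACCEPT"),
    "wan": (ipaddress.ip_network("0.0.0.0/0"), "REJECT"),  # catch-all
}


def zone_for(src, zones=ZONES):
    """Pick the most specific zone whose subnet contains src."""
    ip = ipaddress.ip_address(src)
    matches = [(net.prefixlen, name) for name, (net, _) in zones.items() if ip in net]
    return max(matches)[1]


def dns_query_outcome(src, localservice, zones=ZONES):
    """Explain what happens to a DNS query from src to the router's dnsmasq."""
    zone = zone_for(src, zones)
    policy = zones[zone][1]
    if policy != "ACCEPT":
        return "dropped by firewall (zone %s input %s)" % (zone, policy)
    if localservice and not any(ipaddress.ip_address(src) in n for n in LOCAL_SUBNETS):
        return "ignored by dnsmasq (local-service: %s is not on a local subnet)" % src
    return "answered"


def open_resolver(localservice, zones=ZONES):
    """True if an Internet host (203.0.113.10, constructed) would get an answer.
    With localservice '0', exposure to the Internet rests on the wan zone alone."""
    return dns_query_outcome("203.0.113.10", localservice, zones) == "answered"


if __name__ == "__main__":
    for src in ("192.168.20.167", "10.8.0.6", "203.0.113.10"):
        for ls in (True, False):
            print("%-15s localservice=%d -> %s" % (src, ls, dns_query_outcome(src, ls)))
    print("open resolver with localservice 0:", open_resolver(False))
```

With the posted config the wan zone still rejects input, so setting localservice to 0 only opens dnsmasq to the lan and vpn zones; the model also shows what would happen if the wan input policy were ACCEPT instead.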

You are my hero!
It's working :-)

Mine too! :-) You made my day! Thanks arokh!

arokh wrote:

An option was added not long ago to the standard dnsmasq configuration that doesn't allow lookups from non-local subnets:

option localservice     1  # disable to allow DNS requests from non-local subnets

This should be set to 0 to allow lookups from connected VPN networks.

Thank you! It worked here too!

The discussion might have continued from here.