LinuxQuestions.org
Old 11-10-2006, 02:29 PM   #1
brokenflea
Member
 
Registered: Nov 2003
Distribution: Slackware 11.0, FreeBSD
Posts: 284

Rep: Reputation: 30
OpenVPN DNS Problem


I've done a default OpenVPN install on one of the boxes at home running FreeBSD. I can connect fine from a remote location, the only problem I'm having now is surfing the net if I'm connected to the OpenVPN connection. I can surf fine if I use an IP address but FQDN does not work. I can ping hosts on the remote network when connected.
Do I need to run something like dnsmasq on my client for local DNS caching, or is there a simpler solution?

TIA
 
Old 11-10-2006, 03:01 PM   #2
andrewdodsworth
Member
 
Registered: Oct 2003
Location: United Kingdom
Distribution: SuSE 10.0 - 11.4
Posts: 347

Rep: Reputation: 30
Not sure what you mean by a default OpenVPN install. Are your remote clients using DHCP to get IP addresses, DNS servers etc. before the tunnel is set up, and are you also using DHCP on the OpenVPN server to allocate IP addresses? If you are then it sounds like a default gateway issue. You can either configure the OpenVPN server to leave your default gateway alone - in which case surfing the Web at the same time on the client will not go through the tunnel and should work the same as always - or use the
Quote:
push "redirect-gateway"
directive to redirect the gateway to the server end of the tunnel. In this case you also need
Quote:
push "dhcp-option DNS x.x.x.x"
where x.x.x.x is the address of your DNS server at the server end of the tunnel. Web surfing will then go through the tunnel so you also need a route from the far end of the tunnel out to the Web and for the DNS server at the far end of the tunnel to work.

The way to track this down is to use ifconfig (ipconfig /all for Windows) and route (route print for windows) before and after you connect to the VPN to see what's going on.

Hope this helps.
 
Old 11-10-2006, 03:59 PM   #3
brokenflea
Member
 
Registered: Nov 2003
Distribution: Slackware 11.0, FreeBSD
Posts: 284

Original Poster
Rep: Reputation: 30
My client is getting the IP address from whatever network it's at. I do want to surf the internet through the VPN tunnel; I don't want to use the network where I'm at. Below is my server OpenVPN config file:

Code:
local 192.168.1.150
port 1194
proto udp
mssfix 1400
# 192.168.1.1 is the LAN gateway; it has to answer DNS queries that arrive from the tunnel subnet
push "dhcp-option DNS 192.168.1.1"
dev tun0

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
# 1024-bit DH parameters were the easy-rsa default at the time; generate 2048-bit or larger today
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
# Don't put this in the keys directory unless user nobody can read it
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
server 192.168.10.0 255.255.255.128
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
keepalive 10 120
# Blowfish is a 64-bit-block cipher; newer OpenVPN releases warn about it or refuse it unless
# explicitly enabled. Prefer AES-256-GCM on anything current.
cipher BF-CBC
comp-lzo
max-clients 100
# The stock sample server.conf also drops privileges after startup with "user nobody" / "group nobody".
persist-key
persist-tun
verb 1
status /var/log/openvpn-status.log
# "log" truncates the file on every start, "log-append" keeps history, and the last one given wins;
# the original had both, with a typo ("/var/logl/") in the second path. Keep one of them.
log-append /var/log/openvpn.log
 
Old 11-11-2006, 12:14 PM   #4
andrewdodsworth
Member
 
Registered: Oct 2003
Location: United Kingdom
Distribution: SuSE 10.0 - 11.4
Posts: 347

Rep: Reputation: 30
If your gateway is not a proper DNS server then you need to change your
Quote:
push "dhcp-option DNS 192.168.1.1"
to something like
Quote:
push "dhcp-option DNS x.x.x.x"
where x.x.x.x is your ISP's DNS server. Hopefully that should work.
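Post #2 also pointed out that once the gateway is redirected, the server end needs a way out to the Internet and a DNS server that will answer the tunnel clients. On the FreeBSD box from post #3 (192.168.1.150, behind a home router at 192.168.1.1) that means IP forwarding plus NAT for the tunnel subnet. The fragment below is an added example, not something from the thread: it assumes the server's LAN interface is called em0 and that pf is the packet filter; tun0 and 192.168.10.0/25 are taken from the posted server config. Source-NATing the tunnel clients to the server's own LAN address makes the router treat them as one more LAN host, so it forwards their web traffic and answers their DNS queries without needing a return route for 192.168.10.0/25.

```conf
# --- /etc/rc.conf (FreeBSD): forward packets between tun0 and the LAN, load pf at boot.
# To apply without rebooting: sysctl net.inet.ip.forwarding=1 ; /etc/rc.d/pf start
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"

# --- /etc/pf.conf
# em0 is an ASSUMED name for the LAN interface that carries 192.168.1.150;
# tun0 and the /25 come from the server config posted above.
ext_if  = "em0"
vpn_net = "192.168.10.0/25"
set skip on lo0

# Translation rules must come before filter rules in pf.
# Hide tunnel clients behind the server's LAN address, so the router at
# 192.168.1.1 sees ordinary LAN traffic and answers DNS for them as well.
nat on $ext_if from $vpn_net to any -> ($ext_if)

# Filter rules: pf passes everything when no "block" rule exists, so these
# only matter if your ruleset blocks by default.
pass in quick on $ext_if proto udp from any to ($ext_if) port 1194
pass in quick on tun0 from $vpn_net to any
pass out quick on $ext_if keep state

# --- OpenVPN server config: what the clients are told to do
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.1"
```

Two things still sit outside this fragment: the home router has to forward UDP/1194 to 192.168.1.150, and the router's DNS service has to accept queries from 192.168.1.150 (with the NAT above, that is all it ever sees). If the router only forwards DNS for its own DHCP clients, push the ISP's resolver instead, as suggested in post #4, or run a resolver on the server itself as post #6 suggests.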
 
Old 11-12-2006, 03:01 AM   #5
brokenflea
Member
 
Registered: Nov 2003
Distribution: Slackware 11.0, FreeBSD
Posts: 284

Original Poster
Rep: Reputation: 30
Cool, thanks for the response. I'll give it a shot and see what the outcome is. The other thing I noticed while experimenting in the office last night: I have a Mac G5 with two ethernet ports. So I enabled Internet Sharing and connected the eth cable from the 2nd eth port on the Mac to my notebook. I got an IP address (192.168.2.1) but could not do anything (ping a host on the network) or even surf the web. While I was connected to this setup, I ran openvpn and connected to the VPN at home, and it connected fine, and right after that I tried to surf. I even checked my IP address at the Shields UP site, and it showed my home external router IP. Weird stuff, but thought I'd let you know and I'll continue troubleshooting.
 
Old 11-12-2006, 02:46 PM   #6
andrewdodsworth
Member
 
Registered: Oct 2003
Location: United Kingdom
Distribution: SuSE 10.0 - 11.4
Posts: 347

Rep: Reputation: 30
Quote:
Originally Posted by brokenflea
.. I even checked my IP address at the Shields UP site, and it showed my home external router IP. Weird stuff, but thought I'd let you know and I'll continue troubleshooting
That's what you would expect - the VPN gets you inside your home network and then you are effectively trying to surf out from there.

One question I didn't think to ask was: can you surf the internet OK from the machine that is the VPN server? You can always set it up as a DNS server and then use its VPN address as your DNS server address for your VPN clients.
 
Old 11-13-2006, 02:31 AM   #7
brokenflea
Member
 
Registered: Nov 2003
Distribution: Slackware 11.0, FreeBSD
Posts: 284

Original Poster
Rep: Reputation: 30
Yeah, that's a good suggestion. I'll try to set one up when I get off work today. I changed my server config a little; now it lets me surf, but I'm surfing through the remote network that I'm connected to. I think it definitely might be a network/subnet problem or routing problem. Maybe I'm not specifying the correct route to be pushed by the VPN server.
 
Old 11-13-2006, 03:05 AM   #8
brokenflea
Member
 
Registered: Nov 2003
Distribution: Slackware 11.0, FreeBSD
Posts: 284

Original Poster
Rep: Reputation: 30
OK, looks like I figured the problem out. It was definitely DNS related. Once I connected to the OpenVPN server at home, I copied the contents of the resolv.conf file over the one that was already on my laptop, and it worked like a charm. My question though: in the server config file, when I specify

Code:
push "dhcp-option DNS a.b.c.d"
shouldn't that normally suffice? Is there a way to automate the replacement of the resolv.conf file on the client machine?
 
Old 11-13-2006, 11:58 AM   #9
andrewdodsworth
Member
 
Registered: Oct 2003
Location: United Kingdom
Distribution: SuSE 10.0 - 11.4
Posts: 347

Rep: Reputation: 30
Yes, the
Quote:
push "dhcp-option DNS a.b.c.d"
should do exactly that. Did you check what route shows on the client before and after starting the VPN?

Last edited by andrewdodsworth; 11-13-2006 at 11:59 AM.
 
Old 11-14-2006, 02:47 AM   #10
brokenflea
Member
 
Registered: Nov 2003
Distribution: Slackware 11.0, FreeBSD
Posts: 284

Original Poster
Rep: Reputation: 30
For some reason my resolv.conf file remains the same before and after connecting to the VPN. Here are the routing tables before and after connecting:

Before connecting
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.167.60.0     *               255.255.255.0   U         0 0          0 eth0
loopback        *               255.0.0.0       U         0 0          0 lo
default         10.167.60.1     0.0.0.0         UG        0 0          0 eth0

After connecting
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.8.0.5        *               255.255.255.255 UH        0 0          0 tun0
oakmount        10.167.60.1     255.255.255.255 UGH       0 0          0 eth0
10.8.0.1        10.8.0.5        255.255.255.255 UGH       0 0          0 tun0
192.168.1.0     10.8.0.5        255.255.255.0   UG        0 0          0 tun0
10.167.60.0     *               255.255.255.0   U         0 0          0 eth0
loopback        *               255.0.0.0       U         0 0          0 lo
default         10.8.0.5        128.0.0.0       UG        0 0          0 tun0
128.0.0.0       10.8.0.5        128.0.0.0       UG        0 0          0 tun0
default         10.167.60.1     0.0.0.0         UG        0 0          0 eth0
PS. Oakmount is the entry in the /etc/hosts file that I have for my home IP address. However, the client.conf file for OpenVPN only contains the IP address.

Last edited by brokenflea; 11-14-2006 at 02:50 AM.
 
Old 11-14-2006, 05:49 AM   #11
brokenflea
Member
 
Registered: Nov 2003
Distribution: Slackware 11.0, FreeBSD
Posts: 284

Original Poster
Rep: Reputation: 30
From some of the articles/posts I checked on Google, it seems that for Linux hosts, even if the server is pushing DNS, for some reason the Linux host doesn't accept or change the DNS in resolv.conf. I might be wrong though.

So I basically set up two scripts on my client: one which copies the original resolv.conf file and saves it as a backup, and then copies nameservers from another file and echoes them to the resolv.conf file. For now that seems to be a quick fix.

The other thing I was concerned about: in my client.conf file for OpenVPN, I have set the script to pass on control to user nobody and group nobody. Initially that control was not letting me modify resolv.conf through the two scripts I had set up, so I disabled user nobody and group nobody. Is that a security risk on the client end?
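On the automation question from post #8 and the scripts described in post #11: OpenVPN on a Linux client does nothing with a pushed dhcp-option by itself. It only exports each one to the up/down scripts as an environment variable (foreign_option_1, foreign_option_2, ...) and sets script_type to "up" or "down"; applying the value is the script's job, which is why resolv.conf never changed on its own. The hook below is an added example, not code from the thread or from OpenVPN. It validates what the server pushed before writing it, saves the original resolv.conf beside the file, and restores it on disconnect. The script path in the comments and the RESOLV_CONF override are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): an OpenVPN client "up"/"down" hook that
# writes pushed resolvers into resolv.conf and restores the original on "down".
# OpenVPN hands pushed "dhcp-option ..." values to scripts as foreign_option_N
# and tells the script which phase it is in via $script_type.
#
# client.conf (paths are assumptions):
#     script-security 2                      # required from OpenVPN 2.1 on
#     up   "/etc/openvpn/update-resolv.sh up"
#     down "/etc/openvpn/update-resolv.sh down"
# RESOLV_CONF may point at another file for testing; the backup sits next to it.

# Print a resolv.conf built from the pushed options. Only a bare IPv4/IPv6
# address (DNS) or a bare hostname (DOMAIN) is accepted, so a compromised or
# misconfigured server cannot smuggle arbitrary resolver directives into the file.
render_resolv_conf() {
    i=1; servers=""; domains=""
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)
                v=${opt#dhcp-option DNS }
                case "$v" in
                    ""|*[!0-9A-Fa-f:.]*) ;;            # reject: not an address
                    *) servers="$servers $v" ;;
                esac ;;
            "dhcp-option DOMAIN "*)
                v=${opt#dhcp-option DOMAIN }
                case "$v" in
                    ""|*[!A-Za-z0-9.-]*) ;;            # reject: not a hostname
                    *) domains="$domains $v" ;;
                esac ;;
        esac
        i=$((i + 1))
    done
    [ -n "$servers" ] || return 1                      # nothing usable was pushed
    echo "# generated by openvpn up script"
    [ -z "$domains" ] || echo "search${domains}"
    for s in $servers; do echo "nameserver $s"; done
}

# Install the generated file (up) or put the saved original back (down).
apply_resolv_conf() {
    target=${RESOLV_CONF:-/etc/resolv.conf}
    backup="$target.openvpn-saved"
    case "$1" in
        up)
            if content=$(render_resolv_conf); then
                [ -e "$backup" ] || cp "$target" "$backup"   # keep the first original only
                printf '%s\n' "$content" > "$target"
            fi ;;
        down)
            if [ -e "$backup" ]; then mv "$backup" "$target"; fi ;;
    esac
}

# OpenVPN reports the phase in $script_type; an explicit "up"/"down" first
# argument overrides it (useful when the script is launched by a plugin).
# Without either, e.g. when sourced for testing, nothing is touched.
phase=${script_type:-}
case "${1:-}" in up|down) phase=$1 ;; esac
case "$phase" in up|down) apply_resolv_conf "$phase" ;; esac
```

This also answers the user nobody question in post #11: the up script runs before OpenVPN drops privileges, so it can write resolv.conf even with user nobody / group nobody in client.conf; it is only the down script that runs unprivileged. Rather than removing the privilege drop, load the down-root plugin shipped with OpenVPN (plugin openvpn-plugin-down-root.so "/etc/openvpn/update-resolv.sh down", library path is distribution-specific), which forks a root helper before the drop to run the down command. On systems where resolv.conf is generated by resolvconf, NetworkManager or systemd-resolved, hand the validated servers to that manager instead of overwriting the file, since this script follows a resolv.conf symlink on "up" and replaces it with a plain file on "down".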
 
Old 11-14-2006, 06:10 AM   #12
andrewdodsworth
Member
 
Registered: Oct 2003
Location: United Kingdom
Distribution: SuSE 10.0 - 11.4
Posts: 347

Rep: Reputation: 30
Strange - what should happen is that it deletes the existing gateway and then replaces it with the one in the dhcp-option. The only thing I noticed is that in your server config you have
Quote:
push "redirect-gateway def1"
whereas in my conf it's just
Quote:
push "redirect-gateway"
The other thing to check is the client log - you should see it trying to remove the existing default gateway and replacing it - there has to be a default gateway to start with for this to work. The only other thing is permissions - the OpenVPN client has to be able to change routes - this is more a problem with Windows clients. I think you're using a Linux client?
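The def1 difference raised in post #12 is visible in the tables from post #10. Plain redirect-gateway deletes the default route and installs one via the tunnel; redirect-gateway def1 leaves the original default alone and adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which win over 0.0.0.0/0 by longest-prefix match. Both forms also add a /32 host route to the VPN server via the old gateway (the "oakmount" line) so the encrypted packets themselves never enter the tunnel. The checker below is an added example, not from the thread: it reads a Linux route -n dump from stdin and verifies that the default route is redirected and that the bypass route exists. The sample tables are constructed from the posted ones in numeric form, and 203.0.113.10 is a stand-in for the VPN server's public address.

```sh
#!/bin/sh
# Added example (not from the thread): verify from "route -n" output that
# redirect-gateway (plain or def1) took effect on an OpenVPN client.
# Usage on a client:  route -n | check_redirect_gateway tun0 <vpn-server-ip>
# Exit status 0 when the default route goes via the tunnel and a host route
# to the server exists outside it; 1 otherwise, with a one-line reason.

check_redirect_gateway() {
    awk -v tun="$1" -v server="$2" '
        NR > 2 {                       # skip the title and column header lines
            dst = $1; mask = $3; iface = $NF
            if (dst == "0.0.0.0"   && mask == "128.0.0.0"       && iface == tun) lo = 1
            if (dst == "128.0.0.0" && mask == "128.0.0.0"       && iface == tun) hi = 1
            if (dst == "0.0.0.0"   && mask == "0.0.0.0"         && iface == tun) full = 1
            if (dst == "0.0.0.0"   && mask == "0.0.0.0"         && iface != tun) orig = 1
            if (dst == server      && mask == "255.255.255.255" && iface != tun) bypass = 1
        }
        END {
            if (lo && hi)  mode = "def1"
            else if (full) mode = "replaced"
            else { print "FAIL: default route is not via " tun; exit 1 }
            if (!bypass) { print "FAIL: no host route to " server " outside the tunnel"; exit 1 }
            print "OK: default route via " tun " (" mode "), original default " (orig ? "kept" : "removed")
        }'
}

# Constructed sample tables in "route -n" form, modelled on the before/after
# output posted in the thread; 203.0.113.10 stands in for the VPN server.
SAMPLE_BEFORE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.167.60.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.167.60.1     0.0.0.0         UG    0      0        0 eth0'

SAMPLE_AFTER='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
203.0.113.10    10.167.60.1     255.255.255.255 UGH   0      0        0 eth0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
192.168.1.0     10.8.0.5        255.255.255.0   UG    0      0        0 tun0
10.167.60.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         10.167.60.1     0.0.0.0         UG    0      0        0 eth0'

# Demonstrate on both samples: the first fails, the second passes.
for table in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    printf '%s\n' "$table" | check_redirect_gateway tun0 203.0.113.10 || true
done
```

The posted "after" table passes this check, which is consistent with Shields UP showing the home router's address in post #5: routing was fine, and only the resolver configuration was missing. A table that has the two /1 routes but no host route to the server is the dangerous case: the tunnel's own UDP packets would be routed into the tunnel and the connection would hang as soon as the routes are installed.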
 
Old 11-14-2006, 06:21 AM   #13
andrewdodsworth
Member
 
Registered: Oct 2003
Location: United Kingdom
Distribution: SuSE 10.0 - 11.4
Posts: 347

Rep: Reputation: 30
My previous post answered the one previous to your last!

Not sure about the Linux client issue on changing resolv.conf - from previous experience with wireless cards it should only depend on the DHCP client settings. On my system there are some settings in /etc/sysconfig/network/dhcp that affect whether DHCP can modify resolv.conf and default gateways. Could be a permissions issue with the OpenVPN client.

The user/group nobody should only be relevant AFAIK to the server. Unless you log on as root on your client you should be fine!

Your client VPN log should tell you what's happening on the default gateway.
 
  

