OpenVPN DNS Problem

brokenflea · 11-10-2006, 02:29 PM

I've done a default OpenVPN install on one of the boxes at home running FreeBSD. I can connect fine from a remote location, the only problem I'm having now is surfing the net if I'm connected to the OpenVPN connection. I can surf fine if I use an IP address but FQDN does not work. I can ping hosts on the remote network when connected.
Do I need to run something like dnsmasq on my client for local DNS caching or is there a simpler solution.

TIA

andrewdodsworth · 11-10-2006, 03:01 PM

Not sure what you mean by a default OpenVPN install. Are your remote clients using DHCP to get IP addresses, DNS servers etc before the tunnel is set up and are you also using DHCP on the OpenVPN server to allocate IP addresses? If you are then it sounds like a default gateway issue. You can either configure the OpenVPN server to leave your default gateway alone - in which case surfing the Web at the same time on the client will not go though the tunnel and should work the same as always - or use the

Quote:

push "redirect-gateway"

directive to redirect the gateway to the server end of the tunnel. In this case you need also

Quote:

push "dhcp-option DNS x.x.x.x"

where x.x.x.x is the address of your DNS server at the server end of the tunnel. Web surfing will then go through the tunnel so you also need a route from the far end of the tunnel out to the Web and for the DNS server at the far end of the tunnel to work.

The way to track this down is to use ifconfig (ipconfig /all for Windows) and route (route print for windows) before and after you connect to the VPN to see what's going on.

Hope this helps.

brokenflea · 11-10-2006, 03:59 PM

My client is getting the IP address from whatever network its at. I do want to surf the internet through the vpn tunnel, don't want to use the network where i'm at. Below is my server openvpn config file:

Code:

local 192.168.1.150
port 1194
proto udp
mssfix 1400
push "dhcp-option DNS 192.168.1.1" #192.168.1.1 is the gateway
push "dhcp-option DNS 192.168.1.1"
dev tun0

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
# Don't put this in the keys directory unless user nobody can read it

tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
server 192.168.10.0 255.255.255.128
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
keepalive 10 120
cipher BF-CBC
comp-lzo
max-clients 100
persist-key
persist-tun
verb 1
status /var/log/openvpn-status.log
log /var/log/openvpn.log
log-append /var/logl/openvpn.log

andrewdodsworth · 11-11-2006, 12:14 PM

If your gateway is not a proper DNS server then you need to change your

Quote:

push "dhcp-option DNS 192.168.1.1"

to something like

Quote:

push "dhcp-option DNS x.x.x.x"

where x.x.x.x is your ISP's DNS server. Hopefully that should work.

brokenflea · 11-12-2006, 03:01 AM

cool, thanks for the response. i'll give it a shot and see what the outcome is. The other thing I noticed, while experimenting in the office last night, I have a Mac G5 with two ethernet ports. So I enabled Internet Sharing and connected the eth cable from the 2nd eth port on the Mac to my notebook. I got an IP address (192.168.2.1) but could not do anything (ping a host on the network) or even surf the web. While I was connected to this setup, I ran openvpn and connected to the vpn at home, and it connected fine, and right after that i tried to surf. I even checked my IP address at shield's up site, and it showed my home external router IP. Weird stuff, but thought I'd let you know and i'll continue troubleshooting

andrewdodsworth · 11-12-2006, 02:46 PM

Quote:

Originally Posted by brokenflea

.. I even checked my IP address at shield's up site, and it showed my home external router IP. Weird stuff, but thought I'd let you know and i'll continue troubleshooting

That's what you would expect - the VPN gets you inside your home network and then you are effectively trying to surf out from there.

One question I didn't think to ask was can you surf the internet ok from the machine that is the VPN server? You can always set it up as a DNS server and then use it's VPN address as your DNS server address for your VPN clients.

brokenflea · 11-13-2006, 02:31 AM

yeah, that's a good suggestion. i'll try to set one up when i get off work today. I changed my server config a little, except now it lets me surf, but i'm surfing through the remote network that i'm connected to. I think it definately might be a network/subnet problem or routing problem. maybe i'm not specificying the correct route to be pushed by the vpn server.

brokenflea · 11-13-2006, 03:05 AM

ok, looks like I figured the problem out. Its was definately DNS related. Once I connected to the openvpn server at home, i copied contents of the resolv.conf file with the one that was already on my laptop. and it worked like a charm. My question though, in the server config file, when I specify

Code:

push "dhcp-option DNS a.b.c.d"

shouldn't that normally suffice. Is there a way to automate the replacement of the resolv.conf file on the client machine ?

andrewdodsworth · 11-13-2006, 11:58 AM

Yes the

Quote:

push "dhcp-option DNS a.b.c.d"

should do exactly that. Did you check what route shows on the client before and after starting the VPN?

brokenflea · 11-14-2006, 02:47 AM

for some reason my resolv.conf file remains the same before and after connecting to the VPN. here's the routing tables before and after connecting:

Before connecting

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.167.60.0     *               255.255.255.0   U         0 0          0 eth0
loopback        *               255.0.0.0       U         0 0          0 lo
default         10.167.60.1     0.0.0.0         UG        0 0          0 e

After Connecting

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.8.0.5        *               255.255.255.255 UH        0 0          0 tun0
oakmount        10.167.60.1     255.255.255.255 UGH       0 0          0 eth0
10.8.0.1        10.8.0.5        255.255.255.255 UGH       0 0          0 tun0
192.168.1.0     10.8.0.5        255.255.255.0   UG        0 0          0 tun0
10.167.60.0     *               255.255.255.0   U         0 0          0 eth0
loopback        *               255.0.0.0       U         0 0          0 lo
default         10.8.0.5        128.0.0.0       UG        0 0          0 tun0
128.0.0.0       10.8.0.5        128.0.0.0       UG        0 0          0 tun0
default         10.167.60.1     0.0.0.0         UG        0 0          0 eth0

PS. Oakmount is the entry in the /etc/host file that I have for my home IP address. However the client.conf file for OpenVPN only contains the IP address.

brokenflea · 11-14-2006, 05:49 AM

From some of the articles/posts I checked on Google, for some reason it seems for Linux hosts, even if the server is pushing DNS for some reason Linux host doesn't accept or change the DNS in resolv.conf. I might be wrong though.

So I basically setup two scripts, on my client, one which copies the original resolv.conf file and saves it as a backup and then copies nameservers from another file and echo's it to the resolv.conf file. for now that seems to be a quick fix.

The other thing I was concerned about, in my client.conf file for openvpn, i have set the script to pass on control to user nobody and group nobody. Initially that control was not letting me to modify resolv.conf through the two scripts I had setup, so I disabled user nobody and group nobody. is that a security risk on the client end ?

andrewdodsworth · 11-14-2006, 06:10 AM

Strange - what should happen is that it deletes the existing gateway and then replaces it with the one in the dhcp-option. The only thing I noticed is that in your server config you have

Quote:

push "redirect-gateway def1"

- in my conf it's just

Quote:

push "redirect-gateway"

. The other thing to check is the client log - you should see it trying to remove the existing default gateway and replacing it - there has to be a default gateway to start with for this to work. The only other thing is permissions - the OpenVPN client has to be able to change routes - this is more a problem with Windows clients I think you're using a linux client?

andrewdodsworth · 11-14-2006, 06:21 AM

My previous post answered the one previous to your last!

Not sure about the linux client issue on changing resolv.conf - from previous experience with wireless cards it should only depend on the DHCP client settings. On my system there're some settings in /etc/sysconfig/network/dhcp that affect whether DHCP can modify resolv.conf and default gateways. Could be a permissions issue with the OpenVPN client.

The user/group nobody should only be relevant AFAIK to the server. Unless you log on as root on your client you should be fine!

Your client VPN log should tell you what's happening on the default gateway.