[Nottingham] Issues with DNS and OpenVPN

Jason Irwin jasonirwin73 at gmail.com
Sun Nov 16 12:17:24 UTC 2014


Configured my DD-WRT router to run an OpenVPN for routing (TUN). Was
surprisingly easy.

Minor fiddle with "iptables" to allow traffic between the VPN tunnel and
the LAN. DNS remains the issue with the test client (Android phone).

I can ping the DNS server OK (dnsmasq and OpenVPN both run on the router).
In fact I can ping anything I want by IP, what I can't do is resolve any
hostnames. The latest "improvement" has stopped any name (LAN or WAN) being
resolved and I'm totally stumped. I'm not seeing any obvious errors in the
logs either.

The problem could lie in dnsmasq, OpenVPN or iptables I guess. I've tried
Googling and can see loads of people with the exact same problem, but all
the solutions seem to say "Just push your DNS", which is what I am doing and
I can see that the client is picking this up A-OK.

Anyone any ideas? (Anything in square brackets is just me doing obfuscation
in this email)

OpenVPN:
Redirect default gateway:- Yes

Additional config:-
push "dhcp-option DNS 192.168.[my.dns]"
push "dhcp-option DNS 194.168.4.100"
push "dhcp-option DNS 194.168.8.100"

iptables (fragment):
# VPN Support
iptables -I INPUT 1 -p udp --dport [vpn-port] -j ACCEPT
iptables -I FORWARD 1 --source 192.168.[vpn.net]/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

dnsmasq:
All default, nothing crazy

Log after ping attempt
Nov 16 12:14:36 DD-WRT kern.warn kernel: [175007.750000] ACCEPT IN=tun0
OUT= MAC= SRC=192.168.[vpn.client] DST=192.168.[my.dns] LEN=52 TOS=0x00
PREC=0x00 TTL=64 ID=18039 DF PROTO=UDP SPT=23257 DPT=53 LEN=32

Do I need to allow port 53 in the firewall maybe? How do I do that but only
allow it for connected VPN clients?

Cheers,

J.
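The log line above shows the DNS query arriving on tun0 with the router's own address as destination, so it is handled by the INPUT chain (traffic to the router itself), not by the FORWARD rules in the fragment, which only cover packets passing through to br0. The following is an added example, not code from the original post or from DD-WRT: it inserts INPUT rules that accept port 53 only when the packet arrives on the VPN interface from the VPN subnet, so the resolver is never exposed to the WAN, and it includes a small audit helper that flags any port-53 ACCEPT not tied to that interface. The interface name tun0, the subnet 10.8.0.0/24 and the variable names are assumptions; adjust them to the real values. A separate caveat to check: if dnsmasq is configured with `bind-interfaces` or explicit `interface=` lines, tun0 must be included or it will not answer on that interface at all.

```shell
#!/bin/sh
# Added example (not from the original post): allow DNS from VPN clients only.
# Assumptions (labelled): tun0 is the OpenVPN interface, 10.8.0.0/24 is the
# VPN subnet, and dnsmasq listens on the router itself, so DNS packets from
# the tunnel hit the INPUT chain rather than FORWARD.
VPN_IF="${VPN_IF:-tun0}"           # assumption: OpenVPN TUN interface
VPN_NET="${VPN_NET:-10.8.0.0/24}"  # assumption: subnet handed out to VPN clients
IPT="${IPT:-iptables}"             # override with IPT=echo for a dry run

# Insert the DNS accept rules at position 1 of INPUT so they land ahead of
# DD-WRT's own DROP/REJECT rules. Matching on both the ingress interface and
# the source subnet means a WAN host can never reach the resolver through
# this hole. Both UDP and TCP 53 are opened: large answers fall back to TCP.
# An optional first argument replaces the iptables command (e.g. "echo").
vpn_dns_rules() {
    ipt="${1:-$IPT}"
    for proto in udp tcp; do
        "$ipt" -I INPUT 1 -i "$VPN_IF" -s "$VPN_NET" -p "$proto" --dport 53 -j ACCEPT
    done
}

# Audit helper: read iptables-save style rule lines on stdin and print every
# port-53 ACCEPT that is not restricted to the VPN interface. Anything it
# prints would also admit WAN clients, turning the router into an open
# resolver. "|| true" keeps grep's "no match" exit status from failing callers.
unscoped_dns_accepts() {
    grep -E -- '--dport 53 .*-j ACCEPT' | grep -v -- "-i $VPN_IF" || true
}

# Apply the rules only when explicitly asked: sh thisfile.sh apply
if [ "${1:-}" = "apply" ]; then
    vpn_dns_rules
fi
```

To review what would be applied without touching the live firewall, run `vpn_dns_rules echo`; to check an existing ruleset, pipe `iptables-save` into `unscoped_dns_accepts` and expect no output.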