[Nottingham] Issues with DNS and OpenVPN

Martin martin at ml1.co.uk
Sun Nov 16 15:24:25 UTC 2014


On 16/11/14 12:17, Jason Irwin wrote:
> Configured by DD-WRT router to run an OpenVPN for routing (TUN). Was
> surprisingly easy.
> 
> Minor fiddle with "iptables" to allow traffic between the VPN tunnel and
> the LAN. DNS remains the issue with the test client (Android phone).
> 
> I can ping the DNS server OK (dnsmasq and OpenVPN both run on the
> router). In fact I can ping anything I want by IP, what I can't do is
> resolve any hostnames. The latest "improvement" has stopped any name
> (LAN or WAN) being resolved and I'm totally stumped. I'm not seeing any
> obvious errors in the logs either. ...

Where do you want your DNS to come from?...


If you have your own DNS that you maintain yourself, then fine, you know
all about that.

If instead you are relying on external DNS or some new DNS from the
other end of the VPN... Then you are at the mercy of those and must use
hosts files for listing anything internal.

Is dd-wrt being default sensible and assuming your new VPN is to act just
"as a VPN should and connect" with you as a client subjugated to the
full control of the far end?...


So... What gateway address and what DNS address does your confused
machine pick up?...

And a good check is to enable logging of anything and everything that
gets dropped or rejected on the firewall.

A final check is to print out and read through:

route

iptables -L -v



Hope that gives a few clues,

Cheers,
Martin







> ... The problem could lie in dnsmasq, OpenVPN or iptables I guess. I've
> tried Googling and can see loads of people with the exact same problem,
> but all the solutions seem to say "Just push your DNS" which is what I
> am doing and I can see that the client is picking this up A-OK.
> 
> Anyone any ideas? (Anything in square brackets is just me doing
> obfuscation in this email)
> 
> OpenVPN:
> Redirect default gateway:- Yes
> 
> Additional config:-
> push "dhcp-option DNS 192.168.[my.dns]"
> push "dhcp-option DNS 194.168.4.100"
> push "dhcp-option DNS 194.168.8.100"
> 
> iptables (fragment):
> # VPN Support
> iptables -I INPUT 1 -p udp --dport [vpn-port] -j ACCEPT
> iptables -I FORWARD 1 --source 192.168.[vpn.net]/24 -j ACCEPT
> iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
> iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
> 
> dnsmasq:
> All default, nothing crazy
> 
> Log after ping attempt
> Nov 16 12:14:36 DD-WRT kern.warn kernel: [175007.750000] ACCEPT IN=tun0
> OUT= MAC= SRC=192.168.[vpn.client] DST=192.168.[my.dns] LEN=52 TOS=0x00
> PREC=0x00 TTL=64 ID=18039 DF PROTO=UDP SPT=23257 DPT=53 LEN=32
> 
> Do I need to allow port 53 in the firewall maybe? How do I do that but
> only allow it for connected VPN clients?
> 
> Cheers,
> 
> J.
> 
> 
> _______________________________________________
> Nottingham mailing list
> Nottingham at mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/nottingham


-- 
- ------------------ - ----------------------------------------
-    Martin Lomas    - OpenPGP (GPG/PGP) Public Key: 0xCEE1D3B7
- martin @ ml1 co uk - Import from   hkp://subkeys.pgp.net   or
- ------------------ - http:// ml1 .co .uk/martin_ml1_co_uk.gpg
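An added example (mine, not code from either poster) that does Martin's "log everything dropped" check mechanically: it parses netfilter LOG lines in the DD-WRT format Jason quoted and pulls out DNS queries arriving on tun0 that were dropped, plus a tally of verdicts per interface and port. The log lines and addresses are constructed, and the ACCEPT/DROP word after the timestamp is assumed to be whatever --log-prefix the LOG rules were given.

```python
import re
from collections import Counter

# Constructed sample lines in the DD-WRT/netfilter LOG format quoted in the thread.
# Addresses are placeholders, not real hosts.
SAMPLE_LOG = """\
Nov 16 12:14:36 DD-WRT kern.warn kernel: [175007.750000] ACCEPT IN=tun0 OUT= MAC= SRC=192.168.50.6 DST=192.168.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=18039 DF PROTO=UDP SPT=23257 DPT=53 LEN=32
Nov 16 12:14:37 DD-WRT kern.warn kernel: [175008.100000] DROP IN=tun0 OUT= MAC= SRC=192.168.50.6 DST=192.168.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=18040 DF PROTO=UDP SPT=23258 DPT=53 LEN=32
Nov 16 12:14:38 DD-WRT kern.warn kernel: [175009.200000] DROP IN=tun0 OUT=br0 MAC= SRC=192.168.50.6 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=18041 DF PROTO=TCP SPT=40000 DPT=445
Nov 16 12:14:39 DD-WRT kern.warn kernel: [175010.300000] DROP IN=vlan2 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=5555 DPT=23
"""

# The word right after the kernel timestamp is the rule's --log-prefix (assumed ACCEPT/DROP/REJECT).
LINE_RE = re.compile(r"kernel: \[[\d.]+\] (?P<verdict>[A-Z]+) (?P<fields>.*)$")


def parse_line(line):
    """Return the verdict plus key=value fields as a dict, or None for non-netfilter lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict")}
    for tok in m.group("fields").split():
        if "=" in tok:
            k, _, v = tok.partition("=")
            rec[k] = v  # the second LEN= (UDP payload) overwrites the IP LEN=; fine for triage
        else:
            rec[tok] = True  # bare flags such as DF
    return rec


def dropped_dns_from_vpn(log_text, vpn_if="tun0"):
    """DROP/REJECT records for DNS (port 53) packets that arrived on the VPN interface."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["verdict"] in ("DROP", "REJECT")
                and rec.get("IN") == vpn_if and rec.get("DPT") == "53"):
            hits.append(rec)
    return hits


def verdict_summary(log_text):
    """Count (verdict, IN, PROTO, DPT) so the noisiest firewall decisions stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["verdict"], rec.get("IN"), rec.get("PROTO"), rec.get("DPT"))] += 1
    return counts
```

A query that shows up as ACCEPT on tun0 (as in Jason's own log line) and still gets no answer points past the firewall to the resolver itself, so the next thing to check is what dnsmasq is actually listening on.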
