block-outside-dns in Advanced VPN settings

Business solution to host your own OpenVPN server with web management interface and bundled clients.
csmithhelena
OpenVpn Newbie
Posts: 6
Joined: Tue Apr 26, 2016 7:16 pm

block-outside-dns in Advanced VPN settings

Post by csmithhelena » Wed Apr 27, 2016 11:48 pm

OK, I am sorry but I have tried the search engine here and the documentation without much luck at all. On my OpenVPN server (2.0.25) in the Advanced VPN settings, I want to add the "block-outside-dns" option to the configuration script sent to the client. I am assuming that it needs to be entered either in the Server Config Directives box or the Client Config directives box, but what do I add and where? Do I put "setenv opt block-outside-dns" in the Client Config directives box?

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: block-outside-dns in Advanced VPN settings

Post by Traffic » Thu Apr 28, 2016 11:06 am

csmithhelena wrote: my OpenVPN server (2.0.25)
Access Server, not Community Edition ..

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: block-outside-dns in Advanced VPN settings

Post by Pippin » Thu Apr 28, 2016 11:47 am

Using Community Edition, simply add

block-outside-dns
to the client config file.
If it works you see

us=329261 Blocking outside DNS
us=329261 Opening WFP engine
us=329261 Adding WFP sublayer
us=339261 Blocking DNS using WFP
us=339261 Tap Luid: 1688849893818368
us=339261 Filter (Block IPv4 DNS) added with ID=85103
us=339261 Filter (Block IPv6 DNS) added with ID=85104
us=339261 Filter (Permit IPv4 DNS queries from TAP) added with ID=85105
us=339261 Filter (Permit IPv6 DNS queries from TAP) added with ID=85106
appear in the log.
So I guess you have to add it to the Client Config directives box.

csmithhelena
OpenVpn Newbie
Posts: 6
Joined: Tue Apr 26, 2016 7:16 pm

Re: block-outside-dns in Advanced VPN settings

Post by csmithhelena » Thu Apr 28, 2016 7:23 pm

Thanks! I will try it but I will not see anything usually because I'm using the bundled MSI installer that the Access Server offers for download (I am not sure where the log files for it are). I can try it with the standalone OpenVPN 2.3.10 client though and see what it says.

csmithhelena
OpenVpn Newbie
Posts: 6
Joined: Tue Apr 26, 2016 7:16 pm

Re: block-outside-dns in Advanced VPN settings

Post by csmithhelena » Fri Apr 29, 2016 7:23 am

OK, I have not tried the Config directives box yet. But I did try the standalone 2.3.10 client and used the "--block-outside-dns" parameter, and it didn't seem to do anything when connecting from home to our OpenVPN Access Server 2.0.25 at work. The problem that I am trying to fix is that on most Windows 10 PCs (but not all? Maybe always 10 Pro but not 10 Home? I am not sure) it always uses my local DNS server resolution instead of the one pushed by the VPN server (we have the setting enabled to tell clients to use certain DNS servers).

The only way around it that I know of so far, without setting the actual DNS servers on my local network adapters when connected to the VPN, was to disable my Wi-Fi and do the netsh thing for both IPv4 and IPv6, e.g. (what I actually did):

netsh int ipv4 set int "Ethernet" metric=110
netsh int ipv6 set int "Ethernet" metric=110

And that worked beautifully.

But, I should say that I am on Time Warner Roadrunner and my computer is plugged directly into the cable modem and I wonder if there is something strange there. The only VPN I use is OpenVPN but my internet seems fine.

The beginning of the post here discusses my same problem: https://community.openvpn.net/openvpn/ticket/605

I don't think "block-outside-dns" is going to fix my problem. So I still need help?

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: block-outside-dns in Advanced VPN settings

Post by Traffic » Fri Apr 29, 2016 11:49 am

Please post your client log at --verb 4 (remove private data)

csmithhelena
OpenVpn Newbie
Posts: 6
Joined: Tue Apr 26, 2016 7:16 pm

Re: block-outside-dns in Advanced VPN settings

Post by csmithhelena » Sun May 01, 2016 5:51 pm

I suspect it is the METRIC 101 near the bottom causing the problem, however this is just using the default setup from the Access Server 2.0.25 itself:

Sun May 01 12:44:36 2016 OpenVPN 2.3.10 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Mar 10 2016
Sun May 01 12:44:36 2016 Windows version 6.2 (Windows 8 or greater)
Sun May 01 12:44:36 2016 library versions: OpenSSL 1.0.1s  1 Mar 2016, LZO 2.09
Sun May 01 12:44:36 2016 Control Channel Authentication: tls-auth using INLINE static key file
Sun May 01 12:44:36 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun May 01 12:44:36 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun May 01 12:44:36 2016 Socket Buffers: R=[65536->100000] S=[65536->100000]
Sun May 01 12:44:36 2016 UDPv4 link local: [undef]
Sun May 01 12:44:36 2016 UDPv4 link remote: [AF_INET]209.64.126.30:1194
Sun May 01 12:44:36 2016 TLS: Initial packet from [AF_INET]209.64.126.30:1194, sid=7b57c301 96c7f993
Sun May 01 12:44:36 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun May 01 12:44:36 2016 VERIFY OK: depth=1, CN=OpenVPN CA
Sun May 01 12:44:36 2016 VERIFY OK: nsCertType=SERVER
Sun May 01 12:44:36 2016 VERIFY OK: depth=0, CN=OpenVPN Server
Sun May 01 12:44:36 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun May 01 12:44:36 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun May 01 12:44:36 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun May 01 12:44:36 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun May 01 12:44:36 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sun May 01 12:44:36 2016 [OpenVPN Server] Peer Connection Initiated with [AF_INET]209.64.126.30:1194
Sun May 01 12:44:39 2016 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Sun May 01 12:44:39 2016 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,auth-token SESS_ID,comp-lzo yes,redirect-private def1,redirect-private bypass-dhcp,redirect-private autolocal,route-gateway 5.5.8.1,route 5.5.0.0 255.255.240.0,route 172.16.0.0 255.240.0.0,dhcp-option DNS 172.16.1.4,dhcp-option DNS 172.16.1.3,dhcp-option WINS 172.16.1.3,dhcp-option WINS 172.17.1.4,dhcp-option DOMAIN helena.com,dhcp-option NBT 1,register-dns,block-ipv6,peer-id 0,ifconfig 5.5.8.179 255.255.252.0'
Sun May 01 12:44:39 2016 Option 'explicit-exit-notify' in [PUSH-OPTIONS]:1 is ignored by previous <connection> blocks 
Sun May 01 12:44:39 2016 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:25: block-ipv6 (2.3.10)
Sun May 01 12:44:39 2016 OPTIONS IMPORT: timers and/or timeouts modified
Sun May 01 12:44:39 2016 OPTIONS IMPORT: explicit notify parm(s) modified
Sun May 01 12:44:39 2016 OPTIONS IMPORT: LZO parms modified
Sun May 01 12:44:39 2016 OPTIONS IMPORT: --ifconfig/up options modified
Sun May 01 12:44:39 2016 OPTIONS IMPORT: route options modified
Sun May 01 12:44:39 2016 OPTIONS IMPORT: route-related options modified
Sun May 01 12:44:39 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun May 01 12:44:39 2016 OPTIONS IMPORT: peer-id set
Sun May 01 12:44:39 2016 OPTIONS IMPORT: adjusting link_mtu to 1545
Sun May 01 12:44:39 2016 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 I=7 HWADDR=34:17:eb:b0:56:f8
Sun May 01 12:44:39 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun May 01 12:44:39 2016 open_tun, tt->ipv6=0
Sun May 01 12:44:39 2016 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{8B0867BF-950C-4F3D-9566-C57C38FC0847}.tap
Sun May 01 12:44:39 2016 TAP-Windows Driver Version 9.21 
Sun May 01 12:44:39 2016 Set TAP-Windows TUN subnet mode network/local/netmask = 5.5.8.0/5.5.8.179/255.255.252.0 [SUCCEEDED]
Sun May 01 12:44:39 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 5.5.8.179/255.255.252.0 on interface {8B0867BF-950C-4F3D-9566-C57C38FC0847} [DHCP-serv: 5.5.11.254, lease-time: 31536000]
Sun May 01 12:44:39 2016 Successful ARP Flush on interface [23] {8B0867BF-950C-4F3D-9566-C57C38FC0847}
Sun May 01 12:44:39 2016 TAP: DHCP address released
Sun May 01 12:44:39 2016 TAP: DHCP address renewal succeeded
Sun May 01 12:44:44 2016 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
Sun May 01 12:44:44 2016 ROUTE remote_host is NOT LOCAL
Sun May 01 12:44:44 2016 C:\Windows\system32\route.exe ADD 209.64.126.30 MASK 255.255.255.255 192.168.0.1
Sun May 01 12:44:44 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=10 and dwForwardType=4
Sun May 01 12:44:44 2016 Route addition via IPAPI succeeded [adaptive]
Sun May 01 12:44:44 2016 C:\Windows\system32\route.exe ADD 5.5.0.0 MASK 255.255.240.0 5.5.8.1 METRIC 101
Sun May 01 12:44:44 2016 Route addition via IPAPI succeeded [adaptive]
Sun May 01 12:44:44 2016 C:\Windows\system32\route.exe ADD 172.16.0.0 MASK 255.240.0.0 5.5.8.1 METRIC 101
Sun May 01 12:44:44 2016 Route addition via IPAPI succeeded [adaptive]
Sun May 01 12:44:44 2016 Initialization Sequence Completed
Sun May 01 12:44:44 2016 Start net commands...
Sun May 01 12:44:44 2016 C:\Windows\system32\net.exe stop dnscache
Sun May 01 12:44:54 2016 C:\Windows\system32\net.exe start dnscache
Sun May 01 12:44:54 2016 ERROR: Windows ipconfig command failed: returned error code 2
Sun May 01 12:44:54 2016 C:\Windows\system32\ipconfig.exe /flushdns
Sun May 01 12:44:54 2016 C:\Windows\system32\ipconfig.exe /registerdns
Sun May 01 12:44:57 2016 End net commands...
Sun May 01 12:46:56 2016 SIGTERM received, sending exit notification to peer
Sun May 01 12:46:57 2016 C:\Windows\system32\route.exe DELETE 172.16.0.0 MASK 255.240.0.0 5.5.8.1
Sun May 01 12:46:57 2016 Route deletion via IPAPI succeeded [adaptive]
Sun May 01 12:46:57 2016 C:\Windows\system32\route.exe DELETE 5.5.0.0 MASK 255.255.240.0 5.5.8.1
Sun May 01 12:46:57 2016 Route deletion via IPAPI succeeded [adaptive]
Sun May 01 12:46:57 2016 C:\Windows\system32\route.exe DELETE 209.64.126.30 MASK 255.255.255.255 192.168.0.1
Sun May 01 12:46:57 2016 Route deletion via IPAPI succeeded [adaptive]
Sun May 01 12:46:57 2016 Closing TUN/TAP interface
Sun May 01 12:46:57 2016 TAP: DHCP address released
Sun May 01 12:46:57 2016 SIGTERM[soft,exit-with-notification] received, process exiting

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: block-outside-dns in Advanced VPN settings

Post by Traffic » Mon May 02, 2016 12:52 pm

csmithhelena wrote: PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,auth-token SESS_ID,comp-lzo yes,redirect-private def1,redirect-private bypass-dhcp,redirect-private autolocal,route-gateway 5.5.8.1,route 5.5.0.0 255.255.240.0,route 172.16.0.0 255.240.0.0,dhcp-option DNS 172.16.1.4,dhcp-option DNS 172.16.1.3,dhcp-option WINS 172.16.1.3,dhcp-option WINS 172.17.1.4,dhcp-option DOMAIN helena.com,dhcp-option NBT 1,register-dns,block-ipv6,peer-id 0,ifconfig 5.5.8.179 255.255.252.0'
  • --explicit-exit-notify requires a number parameter (e.g. --explicit-exit-notify 3)
  • block-ipv6 .. unknown option .. ?
  • You are not pushing --block-outside-dns .. are you using it in the client config ?
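
An added check (not from this thread or from the OpenVPN project) that pulls the same facts Traffic reads off the log above out of a client log programmatically: the pushed DNS servers and route-metric, whether block-outside-dns was pushed, whether the WFP "Blocking outside DNS" lines Pippin cites appeared, and any pushed option the client rejected. The sample log is a constructed excerpt modelled on the one posted above.

```python
import re

# Constructed sample of an OpenVPN 2.3 Windows client log (--verb 4),
# modelled on the excerpt posted in this thread. It contains a PUSH_REPLY
# with DNS options but no block-outside-dns and no WFP lines.
SAMPLE_LOG = """\
Sun May 01 12:44:39 2016 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-metric 101,dhcp-option DNS 172.16.1.4,dhcp-option DNS 172.16.1.3,dhcp-option DOMAIN helena.com,register-dns,block-ipv6,ifconfig 5.5.8.179 255.255.252.0'
Sun May 01 12:44:39 2016 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:25: block-ipv6 (2.3.10)
Sun May 01 12:44:44 2016 Initialization Sequence Completed
"""

PUSH_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,(.*)'")
REJECT_RE = re.compile(
    r"Unrecognized option or missing parameter\(s\) in \[PUSH-OPTIONS\]:\d+: (\S+)")


def parse_push_reply(log_text):
    """Return the comma-separated directives the server pushed, or [] if none."""
    m = PUSH_RE.search(log_text)
    return m.group(1).split(",") if m else []


def dns_leak_report(log_text):
    """Summarise what a client log says about DNS handling on Windows."""
    opts = parse_push_reply(log_text)
    dns_servers = [o.split()[2] for o in opts if o.startswith("dhcp-option DNS ")]
    metric = next((int(o.split()[1]) for o in opts if o.startswith("route-metric ")), None)
    return {
        # DNS servers the server asked the client to use
        "pushed_dns": dns_servers,
        # metric applied to pushed routes (101 in the log above)
        "route_metric": metric,
        # block-outside-dns can be pushed or set locally; this only sees a push
        "block_outside_dns_pushed": "block-outside-dns" in opts,
        # the WFP lines only appear when the option actually took effect
        "wfp_dns_block_active": ("Blocking outside DNS" in log_text
                                 and "Blocking DNS using WFP" in log_text),
        # options the client version did not understand (e.g. block-ipv6 on 2.3.10)
        "unrecognized_pushed": REJECT_RE.findall(log_text),
    }
```

Feed the function the full text of a client log; a report with an empty pushed_dns list or wfp_dns_block_active False tells you which half of the setup to look at first.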

csmithhelena
OpenVpn Newbie
Posts: 6
Joined: Tue Apr 26, 2016 7:16 pm

Re: block-outside-dns in Advanced VPN settings

Post by csmithhelena » Mon May 02, 2016 7:07 pm

I don't know about explicit-exit-notify. I just used the client script that came with the Access Server 2.0.25 except I modified auth-user-pass to point to a local text file with my login information. The rest all came pre-generated (supposedly from our server configuration). And I didn't use --block-outside-dns as I didn't see where it did anything noticeable, and I still had my DNS problem that I have to use the netsh commands for. Do you want me to run a new log with the --block-outside-dns option turned on? I am at work but can do it as soon as I get home later tonight.

EDIT: I forgot to add that I just noticed that OpenVPN has released 2.0.26, which claims to fix my DNS problem, so I plan to upgrade the server here at work before I go home tonight, and that might fix my problem.

https://openvpn.net/index.php/access-se ... -v200.html

csmithhelena
OpenVpn Newbie
Posts: 6
Joined: Tue Apr 26, 2016 7:16 pm

Re: block-outside-dns in Advanced VPN settings

Post by csmithhelena » Tue May 03, 2016 2:28 am

I think upgrading to version 2.0.26 of the Access Server and using the latest client that it bundles fixed my DNS issue! My only problem now is, command-line "nslookup" still does not work right (it still uses my LAN DNS servers) unless I manually specify which DNS server to use. Because I already know how to do this, looking up the IP address for something on the VPN network isn't really a problem, but it's a continuing irritation.
