DNS forwarding issue

antoha295
OpenVpn Newbie
Posts: 5
Joined: Fri Mar 31, 2017 7:08 pm

DNS forwarding issue

Post by antoha295 » Fri Mar 31, 2017 7:34 pm

Hi!
I've set up OpenVPN on an OpenVZ VPS, pushing all traffic through it - the connection is established successfully, though I cannot resolve any domain.
While connected to VPN:

Code:

root@localhost:~ $ host google.com
Host google.com not found: 5(REFUSED)
In my server.conf I have the following line for DNS pushing:

Code:

push "dhcp-option DNS 10.8.0.1"
Where 10.8.0.1 is my dnsmasq gateway. If I state it while resolving, everything seems to be working as supposed (the same goes for 8.8.8.8):

Code:

root@localhost:~ $ host google.com 10.8.0.1 
Using domain server:
Name: 10.8.0.1
Address: 10.8.0.1#53
Aliases: 

google.com has address 172.217.3.46
google.com has IPv6 address 2607:f8b0:4004:80e::200e
google.com mail is handled by 10 aspmx.l.google.com.
google.com mail is handled by 50 alt4.aspmx.l.google.com.
google.com mail is handled by 30 alt2.aspmx.l.google.com.
google.com mail is handled by 20 alt1.aspmx.l.google.com.
google.com mail is handled by 40 alt3.aspmx.l.google.com.
Changing the lines in the server config to 8.8.8.8 didn't affect anything. Can this be related to iptables on the machine? Server or local? Contents are below.

Server:

Code:

root@server:/etc/openvpn # iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i venet0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o venet0 -j ACCEPT

root@server:/etc/openvpn # ifconfig 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:4164 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4164 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:456465 (445.7 KiB)  TX bytes:456465 (445.7 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:880 errors:0 dropped:0 overruns:0 frame:0
          TX packets:876 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:53253 (52.0 KiB)  TX bytes:53411 (52.1 KiB)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:127.0.0.2  P-t-P:127.0.0.2  Bcast:0.0.0.0  Mask:255.255.255.255
          inet6 addr: 2602:ffc5:40::1:b52b/128 Scope:Global
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:106498 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42520 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:106434333 (101.5 MiB)  TX bytes:7636902 (7.2 MiB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:103.11.65.111  P-t-P:103.11.65.111  Bcast:103.11.65.111  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
Host:

Code:

root@localhost:~ $ iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
root@localhost:~ $ ifconfig 

enp1s0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 4c:cc:6a:8b:6f:31  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 282874  bytes 452198674 (431.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 282874  bytes 452198674 (431.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.6  netmask 255.255.255.255  destination 10.8.0.5
        inet6 fe80::2fcb:41de:b78b:ec6e  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 87  bytes 5156 (5.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 169  bytes 9440 (9.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1280
        inet 192.168.1.135  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::a20f:2333:3e16:4d30  prefixlen 64  scopeid 0x20<link>
        ether e4:a7:a0:b5:5a:b8  txqueuelen 1000  (Ethernet)
        RX packets 2094861  bytes 2447357540 (2.2 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 971963  bytes 132338513 (126.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Though, adding a line nameserver 10.8.0.1 to the local resolv.conf solves the problem - everything works as it should, but I want to figure out what I have done wrong (or is it a bug?) and fix it.
Thanks in advance.

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: DNS forwarding issue

Post by TiTex » Sat Apr 01, 2017 6:43 pm

I think it might be because you're using 'topology net30' instead of 'topology subnet', which could make things harder to figure out when it comes to routing and firewalling.
see the documentation here https://community.openvpn.net/openvpn/wiki/Topology

antoha295
OpenVpn Newbie
Posts: 5
Joined: Fri Mar 31, 2017 7:08 pm

Re: DNS forwarding issue

Post by antoha295 » Sun Apr 02, 2017 2:36 pm

I've added 'topology subnet' line to server config, nothing changed. Also tried to add it to client config, still getting "Host google.com not found: 5(REFUSED)" though.

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: DNS forwarding issue

Post by TiTex » Mon Apr 03, 2017 5:43 am

Is IP forwarding enabled on your VPN server? https://openvpn.net/index.php/open-sour ... rding.html
Is your dnsmasq listening and accepting queries on the interface you are trying to connect to? The tun interface, in this case.

antoha295
OpenVpn Newbie
Posts: 5
Joined: Fri Mar 31, 2017 7:08 pm

Re: DNS forwarding issue

Post by antoha295 » Mon Apr 03, 2017 4:41 pm

1. Yes, of course it is enabled.
2. Check my first message please - I've provided a listing of my interfaces, where tun0 listens on 10.8.0.1. In this very message, I've also shown that lookup works correctly through dnsmasq when it is set manually.

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: DNS forwarding issue

Post by TiTex » Mon Apr 03, 2017 6:52 pm

Oh yeah, I've misread the first message.
You haven't posted client/server configs, logs ... so I can only assume that you have not configured a script like this to update your DNS servers:
https://github.com/masterkorp/openvpn-u ... esolv-conf
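An added example, not code from the thread or from the update-resolv-conf / update-systemd-resolved projects: a minimal POSIX-sh OpenVPN client "up" script that reads the foreign_option_N environment variables OpenVPN sets from pushed `dhcp-option DNS` lines and renders the nameserver entries, which is the client-side step missing in the original setup. The foreign_option_* values below are constructed sample data standing in for what OpenVPN would export.

```shell
#!/bin/sh
# Added example: OpenVPN passes every pushed option it does not itself understand
# to the up/down script as foreign_option_1, foreign_option_2, ... with values such
# as "dhcp-option DNS 10.8.0.1". Nothing applies them to resolv.conf unless a script does.

# Print each pushed DNS server address, in push order, one per line.
pushed_dns_servers() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)
                addr=${opt#dhcp-option DNS }
                # Accept only a dotted-quad; a server can push arbitrary strings here,
                # so never write an unvalidated value into a system file.
                printf '%s\n' "$addr" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' \
                    && printf '%s\n' "$addr"
                ;;
        esac
        i=$((i + 1))
    done
}

# Render the resolv.conf body derived from the pushed servers.
render_resolv_conf() {
    pushed_dns_servers | while IFS= read -r ns; do
        printf 'nameserver %s\n' "$ns"
    done
}

# Constructed sample environment, as OpenVPN would set it for an "up" call:
foreign_option_1="dhcp-option DNS 10.8.0.1"
foreign_option_2="dhcp-option DOMAIN vpn.example"   # not a DNS server, ignored
foreign_option_3="dhcp-option DNS 8.8.8.8"
export foreign_option_1 foreign_option_2 foreign_option_3

# A real up script would back up /etc/resolv.conf (or call resolvconf / resolvectl)
# when $script_type is "up" and restore the original on "down"; here we just print.
render_resolv_conf
```

Hook it in with `script-security 2`, `up /path/to/script` and `down /path/to/script` in the client config, as the later posts in this thread do.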

antoha295
OpenVpn Newbie
Posts: 5
Joined: Fri Mar 31, 2017 7:08 pm

Re: DNS forwarding issue

Post by antoha295 » Tue Apr 04, 2017 7:12 pm

My bad - I used these instructions on the server side, not the client (I used https://github.com/jonathanio/update-systemd-resolved). Thanks!
Is it a workaround for DNS pushing, or is it supposed to work this way (with the script)?

By the way, I am totally confused now. The reason is that I still get:

Code:

root@localhost:~ $ host google.com
Host google.com not found: 5(REFUSED)
But somehow the domain name gets resolved through my VPN:

Code:

root@localhost:~ $ ping google.com
PING google.com (216.58.217.110) 56(84) bytes of data.
64 bytes from iad23s42-in-f110.1e100.net (216.58.217.110): icmp_seq=1 ttl=55 time=293 ms
64 bytes from iad23s42-in-f110.1e100.net (216.58.217.110): icmp_seq=2 ttl=55 time=413 ms
64 bytes from iad23s42-in-f110.1e100.net (216.58.217.110): icmp_seq=3 ttl=55 time=333 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 293.272/347.061/413.914/50.115 ms
All traffic gets pushed through the VPN and everything I need works fine. Any ideas, maybe?

Server config:

Code:

port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
log-append  openvpn.log
verb 9
Client config:

Code:

push "redirect-gateway def1"

script-security 2
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
down-pre

client 
dev tun 
proto tcp 
remote 103.11.65.111 1194 
resolv-retry infinite 
nobind 
persist-key 
persist-tun 
ca /home/master/vpn/ca.crt 
cert /home/master/vpn/client.crt
key /home/master/vpn/client.key 
comp-lzo 
verb 3

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: DNS forwarding issue

Post by TiTex » Wed Apr 05, 2017 6:05 am

Yes, it should work that way with a script.

I don't know then, maybe it's a network-manager issue. Check if on your client (I mean if it's a Linux client OS with GUI and stuff) network-manager is using dnsmasq to resolve DNS.
http://askubuntu.com/questions/233222/h ... 223#233223

Anyway, I think this topic has gone out of the scope of these forums.

TinCanTech
OpenVPN Protagonist
Posts: 11138
Joined: Fri Jun 03, 2016 1:17 pm

Re: DNS forwarding issue

Post by TinCanTech » Wed Apr 05, 2017 1:05 pm

antoha295 wrote: I've set up OpenVPN on OpenVZ VPS
Use iptables SNAT like so:

Code:

iptables -t nat -A POSTROUTING -o INTERFACE -j SNAT --to-source 12.34.56.78
Customise the command to fit your network:
  • INTERFACE would be something like eth0
  • 12.34.56.78 would be the public ip of your server

antoha295
OpenVpn Newbie
Posts: 5
Joined: Fri Mar 31, 2017 7:08 pm

Re: DNS forwarding issue

Post by antoha295 » Mon Apr 10, 2017 11:43 am

Ok, thanks anyway.
Problem is solved.
