DNS not resolving - redirect gateway / route all traffic through vpn

Use this forum to share your network setup and what's been working for you.
Post Reply
remusator
OpenVpn Newbie
Posts: 1
Joined: Sat Aug 24, 2019 2:10 pm

DNS not resolving - redirect gateway / route all traffic through vpn

Post by remusator » Sat Aug 24, 2019 2:37 pm

Hello,
I'm trying to setup my openvpn server.
The aim is to route all traffic through my vpn server.

I've followed very nice tutorial published here: https://openvpn.net/community-resources ... gh-the-vpn

The problem I'm facing is dns resolution.
I'm able to connect to and reach local resource (e.g. my nas) once connected to vpn, the problem comes, when I try to open webpage, such as google.com.
Now the obvious problem is dns resolution.

I'm connecting via android OpenVPN Connect - Fast & Safe SSL VPN Client app.
My only workaround to make it work, is to push my routers ip explicitly:
push "dhcp-option DNS 192.168.2.1"
Then it works, but setup is not very portable, and I'm affraid something is wrong with my setup.

If I understood correctly, pushing openvpns ip 10.9.0.1 should suffice.

My setup is following:
1) Raspbian stretch Openvpn
server_tcp443.conf

############################
# Server config for TCP 443#
############################

dev tun_tcp_443
topology subnet

proto tcp4

port 443
server 10.9.0.0 255.255.255.0
tls-server

ca /etc/openvpn/server/certificates/ca.crt
crl-verify /etc/openvpn/server/crl.pem
cert /etc/openvpn/server/certificates/server.crt
key /etc/openvpn/server/certificates/server.key

tls-crypt /etc/openvpn/server/certificates/tls_crypt.key

dh none
ecdh-curve secp521r1
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
ncp-ciphers AES-256-GCM

tls-version-min 1.2
persist-tun
compress

persist-key
keepalive 10 120

user ovpn
group ovpn

auth-nocache
auth SHA512

status /var/log/openvpn-tcp443-status.log
log /var/log/openvpn-tcp443.log

push "redirect-gateway"
push "dhcp-option DNS 10.9.0.1"
push "dhcp-option WINS 10.9.0.1"
push "route-ipv6 2000::/3"


2) Client configuration
client.ovpn

##################
# OpenVPN Client #
##################
client
dev tun
remote somedomain.somewhere.com 443
proto tcp4
resolv-retry infinite
compress
nobind
verify-x509-name "Somedomain Somewhere OpenVPN Server" name
remote-cert-tls server
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
ncp-ciphers AES-256-GCM
tls-version-min 1.2
ecdh-curve secp521r1
auth-nocache
auth SHA512
persist-key
persist-tun

<ca></ca>
<cert></cert>
<key></key>
<tls-crypt></tls-crypt>


3) Persitent iptables, rules.v4
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Forward the VPN traffic to eth0 - eth0
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE

COMMIT

*filter

# Allow all loopback (lo) traffic and reject anything
# to localhost that does not originate from lo.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
-A OUTPUT -o lo -j ACCEPT

# Allow ping and ICMP error returns.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT

# Allow SSH.
-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED --sport 22 -j ACCEPT

# Allow NTP
-A INPUT -i eth0 -p udp --sport 123 -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 123 -j ACCEPT

# Allow OpenVPN UDP1194 traffic.
-A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED --sport 1194 -j ACCEPT

# Allow OpenVPN TCP443 traffic.
-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED --sport 443 -j ACCEPT

# Allow outgoing 443 - for https:// eg duckdns
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --sport 443 -j ACCEPT

# Allow DNS resolution and limited HTTP/S on eth0.
# Necessary for updating the server and keeping time.
-A INPUT -i eth0 -p udp -m state --state ESTABLISHED --sport 53 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT

# Allow traffic on the TUN interface.
-A INPUT -i tun_udp_1194 -j ACCEPT
-A OUTPUT -o tun_udp_1194 -j ACCEPT

# Allow traffic on the TUN interface.
-A INPUT -i tun_tcp_443 -j ACCEPT
-A OUTPUT -o tun_tcp_443 -j ACCEPT

# then reject them.
-A INPUT -j REJECT
-A OUTPUT -j REJECT

COMMIT
4) /etc/sysctl.d/99-sysctl.conf
net.ipv4.ip_forward = 1

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1
I have been searching for answer for past two weeks, without any success, thus I registered here, hoping to find an answer.

Do you have any idea what could be wrong, how/what to change in order to make
push "dhcp-option DNS 10.9.0.1"
work without pushing my routers ip explicitly?

Thanks,
rem.

Post Reply