I'm trying to set up my OpenVPN server.
The aim is to route all traffic through my VPN server.
I've followed a very nice tutorial published here: https://openvpn.net/community-resources ... gh-the-vpn
The problem I'm facing is DNS resolution.
I'm able to connect to and reach local resources (e.g. my NAS) once connected to the VPN; the problem comes when I try to open a web page, such as google.com.
Now the obvious problem is DNS resolution.
I'm connecting via the Android "OpenVPN Connect - Fast & Safe SSL VPN Client" app.
My only workaround to make it work is to push my router's IP explicitly:

push "dhcp-option DNS 192.168.2.1"

Then it works, but the setup is not very portable, and I'm afraid something is wrong with my setup.
If I understood correctly, pushing OpenVPN's IP 10.9.0.1 should suffice.
My setup is the following:

1) Raspbian stretch OpenVPN
server_tcp443.conf
############################
# Server config for TCP 443#
############################
dev tun_tcp_443
topology subnet
proto tcp4
port 443
server 10.9.0.0 255.255.255.0
tls-server
ca /etc/openvpn/server/certificates/ca.crt
crl-verify /etc/openvpn/server/crl.pem
cert /etc/openvpn/server/certificates/server.crt
key /etc/openvpn/server/certificates/server.key
tls-crypt /etc/openvpn/server/certificates/tls_crypt.key
dh none
ecdh-curve secp521r1
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
ncp-ciphers AES-256-GCM
tls-version-min 1.2
persist-tun
compress
persist-key
keepalive 10 120
user ovpn
group ovpn
auth-nocache
auth SHA512
status /var/log/openvpn-tcp443-status.log
log /var/log/openvpn-tcp443.log
push "redirect-gateway"
push "dhcp-option DNS 10.9.0.1"
push "dhcp-option WINS 10.9.0.1"
push "route-ipv6 2000::/3"

2) Client configuration
client.ovpn
##################
# OpenVPN Client #
##################
client
dev tun
remote somedomain.somewhere.com 443
proto tcp4
resolv-retry infinite
compress
nobind
verify-x509-name "Somedomain Somewhere OpenVPN Server" name
remote-cert-tls server
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
ncp-ciphers AES-256-GCM
tls-version-min 1.2
ecdh-curve secp521r1
auth-nocache
auth SHA512
persist-key
persist-tun
<ca></ca>
<cert></cert>
<key></key>
<tls-crypt></tls-crypt>

3) Persistent iptables, rules.v4
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Forward the VPN traffic to eth0 - eth0
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
# Allow all loopback (lo) traffic and reject anything
# to localhost that does not originate from lo.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
-A OUTPUT -o lo -j ACCEPT
# Allow ping and ICMP error returns.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
# Allow SSH.
-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED --sport 22 -j ACCEPT
# Allow NTP
-A INPUT -i eth0 -p udp --sport 123 -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 123 -j ACCEPT
# Allow OpenVPN UDP1194 traffic.
-A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED --sport 1194 -j ACCEPT
# Allow OpenVPN TCP443 traffic.
-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED --sport 443 -j ACCEPT
# Allow outgoing 443 - for https:// eg duckdns
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --sport 443 -j ACCEPT
# Allow DNS resolution and limited HTTP/S on eth0.
# Necessary for updating the server and keeping time.
-A INPUT -i eth0 -p udp -m state --state ESTABLISHED --sport 53 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT
# Allow traffic on the TUN interface.
-A INPUT -i tun_udp_1194 -j ACCEPT
-A OUTPUT -o tun_udp_1194 -j ACCEPT
# Allow traffic on the TUN interface.
-A INPUT -i tun_tcp_443 -j ACCEPT
-A OUTPUT -o tun_tcp_443 -j ACCEPT
# then reject them.
-A INPUT -j REJECT
-A OUTPUT -j REJECT
COMMIT

4) /etc/sysctl.d/99-sysctl.conf
net.ipv4.ip_forward = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1

I have been searching for an answer for the past two weeks, without any success, thus I registered here, hoping to find an answer.
Do you have any idea what could be wrong, or how/what to change in order to make

push "dhcp-option DNS 10.9.0.1"

work without pushing my router's IP explicitly?
Thanks,
rem.
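A diagnostic for the question above, added here as an example and not the poster's code: OpenVPN never answers DNS queries itself, so `push "dhcp-option DNS 10.9.0.1"` only tells clients to ask 10.9.0.1, the server's own tun address. The script reads a server config, finds every pushed resolver, says whether it is the server's tun address (a resolver such as dnsmasq or unbound must be bound there), another address inside the VPN subnet, or an outside address like the router (reached only through ip_forward and the MASQUERADE rule), and with `--probe` sends one raw A query to see whether anything answers on port 53. It assumes `topology subnet`, where the server takes the first host address; the embedded config lines are a constructed copy of the relevant part of the post.

```python
"""Added diagnostic, not the original poster's code: read an OpenVPN server config,
find the resolver(s) pushed with 'dhcp-option DNS', say where each one lives relative
to the VPN subnet, and optionally send one raw DNS query to see if it answers.
Assumes 'topology subnet' semantics, where the server takes the first host address.
"""
import ipaddress
import re
import socket
import struct
import sys

PUSH_DNS_RE = re.compile(r'^\s*push\s+"dhcp-option\s+DNS\s+(\S+)"', re.IGNORECASE)
SERVER_RE = re.compile(r"^\s*server\s+(\S+)\s+(\S+)")

# Constructed sample: the relevant lines of the server_tcp443.conf quoted in the post.
SAMPLE_CONFIG = """\
server 10.9.0.0 255.255.255.0
push "redirect-gateway"
push "dhcp-option DNS 10.9.0.1"
push "dhcp-option WINS 10.9.0.1"
"""

ADVICE = {
    "vpn-gateway": "this is the server's own tun address; OpenVPN itself answers no DNS "
                   "queries, so a resolver (dnsmasq, unbound, ...) must be bound to it "
                   "and udp/53 must be accepted on the tun interface",
    "vpn-subnet": "inside the VPN subnet but not the server's address; only a VPN "
                  "client could answer there, which is almost never intended",
    "external": "outside the VPN subnet; reached through the server's forwarding and "
                "MASQUERADE rule, so ip_forward and the NAT rule must cover the client "
                "subnet and the resolver must accept queries from the server",
}


def vpn_subnet(config_text):
    """Return the VPN subnet from the 'server <net> <mask>' directive, or None."""
    for line in config_text.splitlines():
        m = SERVER_RE.match(line)
        if m:
            return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return None


def pushed_dns(config_text):
    """Return every address pushed to clients with 'dhcp-option DNS'."""
    found = []
    for line in config_text.splitlines():
        m = PUSH_DNS_RE.match(line)
        if m:
            found.append(m.group(1))
    return found


def classify_resolvers(config_text):
    """Map each pushed resolver to 'vpn-gateway', 'vpn-subnet' or 'external'."""
    net = vpn_subnet(config_text)
    result = {}
    for dns in pushed_dns(config_text):
        ip = ipaddress.ip_address(dns)
        if net is not None and ip in net:
            gateway = net.network_address + 1  # first host address = server tun IP
            result[dns] = "vpn-gateway" if ip == gateway else "vpn-subnet"
        else:
            result[dns] = "external"
    return result


def report(config_text):
    """One human-readable line per pushed resolver."""
    return [f"{dns}: {ADVICE[kind]}" for dns, kind in classify_resolvers(config_text).items()]


def build_a_query(name, txid=0x1234):
    """Minimal DNS query: one A/IN question, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def parse_answer_count(reply, txid=0x1234):
    """Answer-RR count if reply is a DNS response to txid, else None."""
    if len(reply) < 12:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid or not flags & 0x8000:  # QR bit must be set on a response
        return None
    return an


def probe_resolver(ip, name="example.com", timeout=2.0):
    """True if the resolver at ip:53 returns any DNS response (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_a_query(name), (ip, 53))
            reply, _ = s.recvfrom(512)
        except OSError:
            return False
    return parse_answer_count(reply) is not None


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--probe"]
    text = open(args[0]).read() if args else SAMPLE_CONFIG
    for line in report(text):
        print(line)
    if "--probe" in sys.argv:
        for dns in pushed_dns(text):
            print(f"{dns} answers DNS: {probe_resolver(dns)}")
```

Run it on the server as `python3 check_pushed_dns.py /etc/openvpn/server_tcp443.conf --probe`: with the config in the post it reports 10.9.0.1 as the server's own tun address, and the probe comes back `False` unless a resolver is actually listening on that address, which is exactly the difference between the 10.9.0.1 push and the 192.168.2.1 workaround.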