DNS not resolving - redirect gateway / route all traffic through vpn
Posted: Sat Aug 24, 2019 2:37 pm
Hello,
I'm trying to set up my OpenVPN server.
The aim is to route all traffic through my VPN server.
I've followed the very nice tutorial published here: https://openvpn.net/community-resources ... gh-the-vpn
The problem I'm facing is DNS resolution.
I'm able to connect to and reach local resources (e.g. my NAS) once connected to the VPN; the problem comes when I try to open a web page, such as google.com.
Now the obvious problem is DNS resolution.
I'm connecting via the Android "OpenVPN Connect - Fast & Safe SSL VPN Client" app.
My only workaround to make it work is to push my router's IP explicitly:

push "dhcp-option DNS 192.168.2.1"

Then it works, but the setup is not very portable, and I'm afraid something is wrong with my setup.
If I understood correctly, pushing OpenVPN's IP 10.9.0.1 should suffice.
My setup is the following:
1) Raspbian Stretch OpenVPN
server_tcp443.conf
############################
# Server config for TCP 443#
############################
dev tun_tcp_443
topology subnet
proto tcp4
port 443
server 10.9.0.0 255.255.255.0
tls-server
ca /etc/openvpn/server/certificates/ca.crt
crl-verify /etc/openvpn/server/crl.pem
cert /etc/openvpn/server/certificates/server.crt
key /etc/openvpn/server/certificates/server.key
tls-crypt /etc/openvpn/server/certificates/tls_crypt.key
dh none
ecdh-curve secp521r1
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
ncp-ciphers AES-256-GCM
tls-version-min 1.2
persist-tun
compress
persist-key
keepalive 10 120
user ovpn
group ovpn
auth-nocache
auth SHA512
status /var/log/openvpn-tcp443-status.log
log /var/log/openvpn-tcp443.log
push "redirect-gateway"
push "dhcp-option DNS 10.9.0.1"
push "dhcp-option WINS 10.9.0.1"
push "route-ipv6 2000::/3"
2) Client configuration
client.ovpn
##################
# OpenVPN Client #
##################
client
dev tun
remote somedomain.somewhere.com 443
proto tcp4
resolv-retry infinite
compress
nobind
verify-x509-name "Somedomain Somewhere OpenVPN Server" name
remote-cert-tls server
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
ncp-ciphers AES-256-GCM
tls-version-min 1.2
ecdh-curve secp521r1
auth-nocache
auth SHA512
persist-key
persist-tun
<ca></ca>
<cert></cert>
<key></key>
<tls-crypt></tls-crypt>
3) Persistent iptables, rules.v4

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Forward the VPN traffic to eth0 - eth0
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
# Allow all loopback (lo) traffic and reject anything
# to localhost that does not originate from lo.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
-A OUTPUT -o lo -j ACCEPT
# Allow ping and ICMP error returns.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
# Allow SSH.
-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED --sport 22 -j ACCEPT
# Allow NTP
-A INPUT -i eth0 -p udp --sport 123 -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 123 -j ACCEPT
# Allow OpenVPN UDP1194 traffic.
-A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED --sport 1194 -j ACCEPT
# Allow OpenVPN TCP443 traffic.
-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED --sport 443 -j ACCEPT
# Allow outgoing 443 - for https:// eg duckdns
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --sport 443 -j ACCEPT
# Allow DNS resolution and limited HTTP/S on eth0.
# Necessary for updating the server and keeping time.
-A INPUT -i eth0 -p udp -m state --state ESTABLISHED --sport 53 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT
# Allow traffic on the TUN interface.
-A INPUT -i tun_udp_1194 -j ACCEPT
-A OUTPUT -o tun_udp_1194 -j ACCEPT
# Allow traffic on the TUN interface.
-A INPUT -i tun_tcp_443 -j ACCEPT
-A OUTPUT -o tun_tcp_443 -j ACCEPT
# then reject them.
-A INPUT -j REJECT
-A OUTPUT -j REJECT
COMMIT

4) /etc/sysctl.d/99-sysctl.conf

net.ipv4.ip_forward = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1

I have been searching for an answer for the past two weeks without any success, thus I registered here, hoping to find an answer.
Do you have any idea what could be wrong, or how/what to change in order to make push "dhcp-option DNS 10.9.0.1" work without pushing my router's IP explicitly?
Thanks,
rem.
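Whether push "dhcp-option DNS 10.9.0.1" can work depends on what sits at that address: with "topology subnet" and "server 10.9.0.0 255.255.255.0", 10.9.0.1 is the OpenVPN host's own tun address, so client queries terminate there and something must be listening on port 53 (and the filter table must accept them from the tun device), whereas a pushed address outside the VPN subnet, like the 192.168.2.1 workaround, is forwarded out through ip_forward and the MASQUERADE rule. The script below is an added example, not part of the post or of OpenVPN; it audits constructed excerpts of the posted server config, rules.v4 and sysctl for exactly those prerequisites.

```python
import ipaddress
import re

# Constructed excerpts of server_tcp443.conf, rules.v4 and 99-sysctl.conf as posted above.
SERVER_CONF = """dev tun_tcp_443
topology subnet
server 10.9.0.0 255.255.255.0
push "redirect-gateway"
push "dhcp-option DNS 10.9.0.1"
"""
RULES_V4 = """-A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE
-A INPUT -i tun_tcp_443 -j ACCEPT
-A INPUT -j REJECT
"""
SYSCTL = "net.ipv4.ip_forward = 1\n"

def audit_dns_push(server_conf, rules_v4, sysctl):
    """For each pushed DNS address, report the path client queries take through the
    VPN host and which prerequisites the supplied files do not provide ('missing')."""
    net_m = re.search(r"^server\s+(\S+)\s+(\S+)", server_conf, re.M)
    net = ipaddress.ip_network(f"{net_m[1]}/{net_m[2]}")
    dev = re.search(r"^dev\s+(\S+)", server_conf, re.M)[1]
    gateway = net[1]  # with "topology subnet" the server itself takes the first host address
    tun_input_ok = re.search(rf"^-A INPUT -i {re.escape(dev)} -j ACCEPT", rules_v4, re.M) is not None
    nat_ok = re.search(rf"^-A POSTROUTING -s {re.escape(net.with_prefixlen)} .*-j MASQUERADE",
                       rules_v4, re.M) is not None
    fwd_ok = re.search(r"^net\.ipv4\.ip_forward\s*=\s*1\b", sysctl, re.M) is not None
    results = []
    for dns in re.findall(r'^push\s+"dhcp-option\s+DNS\s+(\S+)"', server_conf, re.M):
        addr = ipaddress.ip_address(dns)
        if addr == gateway:
            # Queries terminate on the VPN host: a resolver must listen on this address,
            # and the filter table must accept them from the tun device.
            results.append({"dns": dns, "path": "local-resolver",
                            "missing": [] if tun_input_ok else [f"INPUT ACCEPT on {dev}"],
                            "check_on_host": f"ss -ltun | grep '{dns}:53'"})
        elif addr in net:
            # Another VPN peer answers; the traffic never leaves the tun device.
            results.append({"dns": dns, "path": "vpn-peer", "missing": [], "check_on_host": None})
        else:
            # Queries are forwarded out of the tunnel (the 192.168.2.1 workaround in the post).
            missing = [name for ok, name in ((fwd_ok, "net.ipv4.ip_forward=1"),
                                             (nat_ok, f"MASQUERADE for {net}")) if not ok]
            results.append({"dns": dns, "path": "forwarded", "missing": missing, "check_on_host": None})
    return results

if __name__ == "__main__":
    for finding in audit_dns_push(SERVER_CONF, RULES_V4, SYSCTL):
        print(finding)
```

For the posted files the script reports the "local-resolver" path with nothing missing in iptables, which leaves the listener on 10.9.0.1:53 as the thing to verify on the Raspberry Pi itself.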