OpenVPN Connect + Local DNS lookups not working

Post Reply
vpnreguser
OpenVpn Newbie
Posts: 4
Joined: Thu Aug 20, 2020 10:22 pm

OpenVPN Connect + Local DNS lookups not working

Post by vpnreguser » Thu Aug 20, 2020 10:38 pm

Recently, my server that ran openvpn crashed and had to build a new server with a newer version of openvpn. Initially, the challenge was with creating higher security certificates, etc. and making sure client/server options matched. I created a basic template for the client ovpn. With a slight modification, it works fine on an Ubuntu 18.04 system. When I deploy the same configuration to android everything seems to work except for dns. There is a local dns server. The logs shows the request, but it never makes it back to the android device.

The server is running openvpn 2.4.7.

Here is server configuration file:

Server Config
local <openvpn-local-ip>
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/<openvpn-hostname>.crt
key /etc/openvpn/easy-rsa/pki/private/<openvpn-hostname>.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
tls-server
client-config-dir /etc/openvpn/clients
push "redirect-gateway def1"
push "dhcp-option DNS <local-dns-ip-addr>"
push "dhcp-option DOMAIN <local-domain-name>"
client-to-client
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-256-CBC
auth SHA256
compress lz4
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 6



In the /etc/openvpn/clients there is a client configuration with the following line based on the hostname of the client:

Server Config Client Specific
ifconfig-push 10.8.0.<x> 255.255.255.0



For the client ovpn template:

Client OVPN
client
dev tun
proto udp
remote <remote-host> <port>
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings

remote-cert-tls server
tls-client
key-direction 1
cipher AES-256-CBC
auth SHA256
auth-nocache
compress lz4
verb 4
mute 20

<for ubuntu, there are up/down resolvconf options set here that are not present when importing on android>


<ca>
<CERT>
</ca>
<cert>
<CERT>
</cert>
<key>
<KEY>
</key>
<tls-auth>
<KEY>
</tls-auth>




The android client is running openvpn connect version 3.2.2 (5027)



Here is a snippet from the logs when connecting:

openvpn log

Thu Aug 20 17:56:56 2020 us=908327 MULTI: multi_create_instance called
Thu Aug 20 17:56:56 2020 us=909047 <cell-phone-carrier-assigned-ip-address>:56929 Re-using SSL/TLS context
Thu Aug 20 17:56:56 2020 us=909427 <cell-phone-carrier-assigned-ip-address>:56929 LZ4 compression initializing
Thu Aug 20 17:56:56 2020 us=910793 <cell-phone-carrier-assigned-ip-address>:56929 Control Channel MTU parms [ L:1622 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Thu Aug 20 17:56:56 2020 us=911147 <cell-phone-carrier-assigned-ip-address>:56929 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Thu Aug 20 17:56:56 2020 us=911923 <cell-phone-carrier-assigned-ip-address>:56929 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Thu Aug 20 17:56:56 2020 us=912200 <cell-phone-carrier-assigned-ip-address>:56929 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Thu Aug 20 17:56:56 2020 us=912667 <cell-phone-carrier-assigned-ip-address>:56929 TLS: Initial packet from [AF_INET]<cell-phone-carrier-assigned-ip-address>:56929, sid=5f913f34 58d658b9
Thu Aug 20 17:56:57 2020 us=236223 <cell-phone-carrier-assigned-ip-address>:56929 VERIFY OK: depth=1, CN=<openvpn-server>
Thu Aug 20 17:56:57 2020 us=241949 <cell-phone-carrier-assigned-ip-address>:56929 VERIFY OK: depth=0, CN=<openvpn-client>
Thu Aug 20 17:56:57 2020 us=251104 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_VER=3.git:released:3e56f9a6:Release
Thu Aug 20 17:56:57 2020 us=252961 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_PLAT=android
Thu Aug 20 17:56:57 2020 us=254998 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_NCP=2
Thu Aug 20 17:56:57 2020 us=256808 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_TCPNL=1
Thu Aug 20 17:56:57 2020 us=258596 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_PROTO=2
Thu Aug 20 17:56:57 2020 us=260402 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_LZO_STUB=1
Thu Aug 20 17:56:57 2020 us=262239 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_COMP_STUB=1
Thu Aug 20 17:56:57 2020 us=264009 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_COMP_STUBv2=1
Thu Aug 20 17:56:57 2020 us=265865 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_IPv6=0
Thu Aug 20 17:56:57 2020 us=267669 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_AUTO_SESS=1
Thu Aug 20 17:56:57 2020 us=269468 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_GUI_VER=net.openvpn.connect.android_3.2.2-5027
Thu Aug 20 17:56:57 2020 us=271363 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_SSO=openurl
Thu Aug 20 17:56:57 2020 us=342827 <cell-phone-carrier-assigned-ip-address>:56929 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Thu Aug 20 17:56:57 2020 us=344907 <cell-phone-carrier-assigned-ip-address>:56929 [<openvpn-client>] Peer Connection Initiated with [AF_INET]<cell-phone-carrier-assigned-ip-address>:56929
Thu Aug 20 17:56:57 2020 us=347134 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/clients/<openvpn-client>
Thu Aug 20 17:56:57 2020 us=350182 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 MULTI: Learn: 10.8.0.4 -> <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929
Thu Aug 20 17:56:57 2020 us=352057 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 MULTI: primary virtual IP for <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929: 10.8.0.4
Thu Aug 20 17:56:57 2020 us=354645 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 PUSH: Received control message: 'PUSH_REQUEST'
Thu Aug 20 17:56:57 2020 us=356956 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 SENT CONTROL [<openvpn-client>]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS <local-dns-server>,dhcp-option,dhcp-option DOMAIN <local-domain>,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.4 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Thu Aug 20 17:56:57 2020 us=358938 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Aug 20 17:56:57 2020 us=360882 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 Data Channel MTU parms [ L:1550 D:1450 EF:50 EB:406 ET:0 EL:3 ]
Thu Aug 20 17:56:57 2020 us=364098 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Aug 20 17:56:57 2020 us=366213 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key



When attempting a dns query from android, I see the following in the query log:

Local DNS Query Log

20-Aug-2020 18:03:02.549 client <openvpn-server-ip-address>#32434: query: <hostname-query-fqdn> IN A + (<dns-ip-address>)


If I run tcpdump on the tun interface, the output shows:

tcpdump output

18:04:56.872248 IP <openvpn-tun-ip-address>.10921 > <local-dns-fqdn>.domain: 31155+ A? <hostname-query-fqdn>. (43)
18:04:56.875049 IP <local-dns-fqdn>.domain > <openvpn-tun-ip-address>.10921: 31155* 1/1/1 A <found-ip-address-query> (102)



I have tried different iptables commands such as:

Attempt #1

Code: Select all

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source <openvpn-server-ip-address>

Attempt #2

Code: Select all

iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source <openvpn-server-ip-address>

Attempt #3

Code: Select all

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Attempt #4

Code: Select all

iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT

iptables -A INPUT -i tun+ -j ACCEPT

iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT

None of which worked.

Let me know if you need more information. Thanks.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 8385
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Connect + Local DNS lookups not working

Post by TinCanTech » Thu Aug 20, 2020 10:43 pm

vpnreguser wrote:
Thu Aug 20, 2020 10:38 pm
When I deploy the same configuration to android everything seems to work except for dns
And no android logs provided what-so-ever ..

vpnreguser
OpenVpn Newbie
Posts: 4
Joined: Thu Aug 20, 2020 10:22 pm

Re: OpenVPN Connect + Local DNS lookups not working

Post by vpnreguser » Fri Aug 21, 2020 4:33 pm

Android OpenVPN Connect Log
12:11:44.351 -- ----- OpenVPN Start -----

12:11:44.352 -- EVENT: CORE_THREAD_ACTIVE

12:11:44.359 -- OpenVPN core 3.git:released:3e56f9a6:Release android armv7a thumb2 32-bit PT_PROXY

12:11:44.360 -- Frame=512/2048/512 mssfix-ctrl=1250

12:11:44.368 -- UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [nobind]
6 [persist-key]
7 [persist-tun]
8 [mute-replay-warnings]
10 [tls-client]
14 [auth-nocache]
16 [verb] [4]
17 [mute] [20]

12:11:44.371 -- EVENT: RESOLVE

12:11:44.568 -- Contacting [2607:7700:0:7::4748:2349]:<port> via UDP

12:11:44.569 -- EVENT: WAIT

12:11:44.596 -- Connecting to [<external-ip-address>]:<port> (2607:7700:0:7::4748:2349) via UDPv6

12:11:44.668 -- EVENT: CONNECTING

12:11:44.678 -- Tunnel Options:V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client

12:11:44.679 -- Creds: UsernameEmpty/PasswordEmpty

12:11:44.680 -- Peer Info:
IV_VER=3.git:released:3e56f9a6:Release
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_IPv6=0
IV_AUTO_SESS=1
IV_GUI_VER=net.openvpn.connect.android_3.2.2-5027
IV_SSO=openurl


12:11:44.848 -- VERIFY OK: depth=1, /CN=<openvpn-hostname>

12:11:44.850 -- VERIFY OK: depth=0, /CN=<openvpn-hostname>

12:11:44.974 -- SSL Handshake: CN=<openvpn-hostname>, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA

12:11:44.976 -- Session is ACTIVE

12:11:44.978 -- EVENT: GET_CONFIG

12:11:45.004 -- Sending PUSH_REQUEST to server...

12:11:45.055 -- OPTIONS:
0 [redirect-gateway] [def1]
1 [dhcp-option] [DNS] [<local-dns-ip-addr>]
2 [dhcp-option] [DOMAIN] [<local-domain-name>]
3 [route-gateway] [10.8.0.1]
4 [topology] [subnet]
5 [ping] [10]
6 [ping-restart] [120]
7 [ifconfig] [10.8.0.4] [255.255.255.0]
8 [peer-id] [0]
9 [cipher] [AES-256-GCM]
10 [block-ipv6]


12:11:45.056 -- PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: NONE
compress: COMP_STUB
peer ID: 0

12:11:45.059 -- EVENT: ASSIGN_IP

12:11:45.168 -- Connected via tun

12:11:45.174 -- LZO-ASYM init swap=0 asym=1

12:11:45.177 -- Comp-stub init swap=1

12:11:45.179 -- EVENT: CONNECTED info='<external-ip-address>:<port> (2607:7700:0:7::4748:2349) via /UDPv6 on tun/10.8.0.4/ gw=[10.8.0.1/]'


Thanks.

vpnreguser
OpenVpn Newbie
Posts: 4
Joined: Thu Aug 20, 2020 10:22 pm

Re: OpenVPN Connect + Local DNS lookups not working

Post by vpnreguser » Tue Sep 15, 2020 2:23 am

Any additional information needed? Thanks.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 8385
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Connect + Local DNS lookups not working

Post by TinCanTech » Tue Sep 15, 2020 2:39 am

vpnreguser wrote:
Fri Aug 21, 2020 4:33 pm

Code: Select all

[dhcp-option] [DNS] [<local-dns-ip-addr>]
[dhcp-option] [DOMAIN] [<local-domain-name>]
No errors detected .. could be your DNS server ?

vpnreguser
OpenVpn Newbie
Posts: 4
Joined: Thu Aug 20, 2020 10:22 pm

Re: OpenVPN Connect + Local DNS lookups not working

Post by vpnreguser » Thu Dec 03, 2020 3:55 am

The local DNS server is working. From the system running openvpn server, I can ping local hosts either with the short hostname or FQDN. From the tcpdump output listed above, dns requests from the android device are hitting the DNS server but the response doesn't seem to be making it back to the android device even though the iptable commands looks correct and tcpdump is showing an attempt to send the data back to the device. Thanks.

Post Reply