I took a look at server logs. Seems it's pushing the DNS correctly to the client, but for some unknown reason the client refuses to use the DNS server provided and insists on using 8.8.8.8 instead. Here is the log:
Code:
Aug 24 13:58:40 ER-12 openvpn[3867]: MyPhoneCN/x.y.109.11:45184 OPTIONS IMPORT: reading client specific options from: /config/user-data/openvpn/ccd/MyPhoneCN
Aug 24 13:58:40 ER-12 openvpn[3867]: MyPhoneCN/x.y.109.11:45184 MULTI_sva: pool returned IPv4=10.10.0.2, IPv6=(Not enabled)
Aug 24 13:58:40 ER-12 openvpn[3867]: MyPhoneCN/x.y.109.11:45184 MULTI: Learn: 10.10.0.2 -> MyPhoneCN/x.y.109.11:45184
Aug 24 13:58:40 ER-12 openvpn[3867]: MyPhoneCN/x.y.109.11:45184 MULTI: primary virtual IP for MyPhoneCN/x.y.109.11:45184: 10.10.0.2
Aug 24 13:58:40 ER-12 openvpn[3867]: MyPhoneCN/x.y.109.11:45184 PUSH: Received control message: 'PUSH_REQUEST'
Aug 24 13:58:40 ER-12 openvpn[3867]: MyPhoneCN/x.y.109.11:45184 SENT CONTROL [MyPhoneCN]: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,route-gateway 10.10.0.1,topology subnet,ping 15,ping-restart 60,dhcp-option DNS 10.0.0.1,ifconfig 10.10.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Aug 24 13:58:40 ER-12 openvpn[3867]: MyPhoneCN/x.y.109.11:45184 Data Channel: using negotiated cipher 'AES-256-GCM'
Aug 24 13:58:40 ER-12 openvpn[3867]: MyPhoneCN/x.y.109.11:45184 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Aug 24 13:58:40 ER-12 openvpn[3867]: MyPhoneCN/x.y.109.11:45184 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Aug 24 14:02:12 ER-12 openvpn[3867]: MyPhoneCN/x.y.109.11:45184 SIGTERM[soft,remote-exit] received, client-instance exiting
Edit:
Investigated a bit more and noticed that the client actually seems to start using the DNS server provided, but for some unknown reason it rejects it. Here is my tcpdump:
Code:
tcpdump -eni any port 53 |grep 10.10.0.2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:45:56.814314 In ethertype IPv4 (0x0800), length 133: 10.10.0.2.6877 > 10.0.0.1.53: 45284+ A? fr-app-chat-global-xiaomi-net-1516654448.eu-central-1.elb.amazonaws.com. (89)
16:45:56.839306 In ethertype IPv4 (0x0800), length 77: 10.10.0.2.43529 > 10.0.0.1.53: 51681+ A? spoc.norton.com. (33)
16:45:56.853313 In ethertype IPv4 (0x0800), length 134: 10.10.0.2.17801 > 10.0.0.1.53: 55543+ A? fr-resolver-msg-global-xiaomi-n-916220403.eu-central-1.elb.amazonaws.com. (90)
16:45:57.687416 In ethertype IPv4 (0x0800), length 73: 10.10.0.2.14791 > 10.0.0.1.53: 27642+ A? example.org. (29)
16:45:57.695485 In ethertype IPv4 (0x0800), length 86: 10.10.0.2.50654 > 10.0.0.1.53: 56711+ A? detectportal.firefox.com. (42)
16:45:57.696241 In ethertype IPv4 (0x0800), length 75: 10.10.0.2.50220 > 10.0.0.1.53: 13827+ A? ipv4only.arpa. (31)
16:45:59.467375 In ethertype IPv4 (0x0800), length 78: 10.10.0.2.31079 > 10.0.0.1.53: 59569+ A? mtalk.google.com. (34)
16:46:01.851540 In ethertype IPv4 (0x0800), length 133: 10.10.0.2.27802 > 8.8.8.8.53: 45284+ A? fr-app-chat-global-xiaomi-net-1516654448.eu-central-1.elb.amazonaws.com. (89)
16:46:01.867272 In ethertype IPv4 (0x0800), length 77: 10.10.0.2.21534 > 8.8.8.8.53: 51681+ A? spoc.norton.com. (33)
16:46:01.868280 In ethertype IPv4 (0x0800), length 134: 10.10.0.2.61221 > 8.8.8.8.53: 55543+ A? fr-resolver-msg-global-xiaomi-n-916220403.eu-central-1.elb.amazonaws.com. (90)
16:46:01.868896 Out ethertype IPv4 (0x0800), length 261: 8.8.8.8.53 > 10.10.0.2.27802: 45284 8/0/0 A 18.195.58.3, A 18.196.177.71, A 18.193.4.130, A 18.158.8.177, A 3.125.88.4, A 3.127.8.149, A 52.28.182.107, A 18.157.249.124 (217)
16:46:01.892370 Out ethertype IPv4 (0x0800), length 191: 8.8.8.8.53 > 10.10.0.2.21534: 51681 3/0/0 CNAME spoc.trafficmanager.net., CNAME mue1-ncs-spoc-prod-green.eastus.cloudapp.azure.com., A 13.68.168.63 (147)
16:46:01.894022 Out ethertype IPv4 (0x0800), length 262: 8.8.8.8.53 > 10.10.0.2.61221: 55543 8/0/0 A 18.185.237.85, A 35.158.171.253, A 52.58.233.238, A 35.157.48.127, A 52.29.52.233, A 52.28.128.9, A 35.156.148.179, A 35.157.92.50 (218)
16:46:02.682240 In ethertype IPv4 (0x0800), length 73: 10.10.0.2.14687 > 8.8.8.8.53: 27642+ A? example.org. (29)
16:46:02.683294 In ethertype IPv4 (0x0800), length 86: 10.10.0.2.18077 > 8.8.8.8.53: 56711+ A? detectportal.firefox.com. (42)
16:46:02.683458 In ethertype IPv4 (0x0800), length 75: 10.10.0.2.35992 > 8.8.8.8.53: 13827+ A? ipv4only.arpa. (31)
16:46:02.697727 Out ethertype IPv4 (0x0800), length 89: 8.8.8.8.53 > 10.10.0.2.14687: 27642 1/0/0 A 93.184.216.34 (45)
So the first couple of requests go to 10.0.0.1.53, but then it switches to 8.8.8.8.53. So my educated guess is that this is not an OpenVPN issue, but instead my phone is trying to be too smart. Any help is appreciated, but I know this is the wrong forum for my problem.
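As an added example (not code from the original post), here is a small Python script that pairs each DNS query in tcpdump's text output with its reply and reports transaction IDs that the client re-sent to a second resolver; this is the failover pattern to look for when checking a VPN client for DNS leaks. It assumes tcpdump's default one-line DNS format as shown above and the client address 10.10.0.2; the embedded sample is a subset of the capture lines above with one long answer trimmed.

```python
import re
from collections import defaultdict

# A subset of the tcpdump lines from the capture above (one answer line trimmed).
CAPTURE = """\
16:45:56.839306 In ethertype IPv4 (0x0800), length 77: 10.10.0.2.43529 > 10.0.0.1.53: 51681+ A? spoc.norton.com. (33)
16:45:57.687416 In ethertype IPv4 (0x0800), length 73: 10.10.0.2.14791 > 10.0.0.1.53: 27642+ A? example.org. (29)
16:46:01.867272 In ethertype IPv4 (0x0800), length 77: 10.10.0.2.21534 > 8.8.8.8.53: 51681+ A? spoc.norton.com. (33)
16:46:01.892370 Out ethertype IPv4 (0x0800), length 191: 8.8.8.8.53 > 10.10.0.2.21534: 51681 3/0/0 CNAME spoc.trafficmanager.net., A 13.68.168.63 (147)
16:46:02.682240 In ethertype IPv4 (0x0800), length 73: 10.10.0.2.14687 > 8.8.8.8.53: 27642+ A? example.org. (29)
16:46:02.697727 Out ethertype IPv4 (0x0800), length 89: 8.8.8.8.53 > 10.10.0.2.14687: 27642 1/0/0 A 93.184.216.34 (45)
"""

# tcpdump's default one-line DNS format: "src.port > dst.port: txid[+] TYPE? name ..."
LINE = re.compile(
    r"^\S+ (?:In|Out) .*?: (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<txid>\d+)(?P<query>\+)?(?: [A-Z]+\? (?P<name>\S+))?"
)

def _attempts(capture, client):
    """Map (txid, client port) -> [resolver, name, answered] for the client's queries."""
    attempts = {}
    for m in (LINE.match(line) for line in capture.splitlines()):
        if not m:
            continue
        p = m.groupdict()
        if p["src"] == client and p["query"]:            # outbound query ("+" = RD set)
            attempts[(p["txid"], p["sport"])] = [p["dst"], p["name"], False]
        elif p["dst"] == client and (p["txid"], p["dport"]) in attempts:
            attempts[(p["txid"], p["dport"])][2] = True  # reply matched by txid and port
    return attempts

def per_resolver(capture, client):
    """Return {resolver: (queries sent, queries answered)}; an unanswered
    resolver shows up as (n, 0)."""
    stats = defaultdict(lambda: [0, 0])
    for resolver, _, answered in _attempts(capture, client).values():
        stats[resolver][0] += 1
        stats[resolver][1] += int(answered)
    return {r: tuple(c) for r, c in stats.items()}

def resolver_fallbacks(capture, client):
    """Return {txid: [(resolver, name, answered), ...]} for transaction ids the
    client re-sent to a second resolver, in capture order."""
    by_txid = defaultdict(list)
    for (txid, _), (resolver, name, answered) in _attempts(capture, client).items():
        by_txid[txid].append((resolver, name, answered))
    return {t: a for t, a in by_txid.items() if len({r for r, _, _ in a}) > 1}
```

On the sample, per_resolver reports 10.0.0.1 with two queries and no replies and 8.8.8.8 with two queries and two replies, and resolver_fallbacks lists both transaction IDs as retried against 8.8.8.8 after the pushed resolver stayed silent.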