can't push dns server to clients

Official client software for OpenVPN Access Server and OpenVPN Cloud.
kosvi
OpenVpn Newbie
Posts: 4
Joined: Tue Aug 24, 2021 12:40 pm

can't push dns server to clients

Post by kosvi » Tue Aug 24, 2021 12:59 pm

I am running an OpenVPN server on an EdgeRouter and the OpenVPN client on Android. I route all traffic from the phone through OpenVPN and I can use the internet just fine. I can also connect to private servers behind the OpenVPN firewall, but only by their IP. When I use tcpdump on the EdgeRouter to listen for DNS traffic, I see that my phone uses 8.8.8.8 to resolve its name requests, not the DNS server I am trying to push to it (10.0.0.1).

My server config is the following:

daemon
server 10.10.0.0 255.255.255.0
proto udp
port 1194
dev vtun0
cipher AES-128-CBC
comp-lzo yes
keepalive 15 60
verb 3
push "route 10.0.0.0 255.255.255.0"
ca /config/user-data/openvpn/ca.crt
dh /config/user-data/openvpn/dh.pem
cert /config/user-data/openvpn/server.crt
key /config/user-data/openvpn/server.key
status-version 2
status status
client-config-dir /config/user-data/openvpn/ccd
client-to-client
topology subnet
route 10.0.1.0 255.255.255.0
route 10.0.2.0 255.255.255.0

My phone has the following configuration:

client
dev tun
proto udp
remote <server-host-name> 1194
redirect-gateway def1
resolv-retry infinite
pull
nobind
persist-key
persist-tun
cipher AES-128-CBC
verb 1
comp-lzo
route 10.0.1.0 255.255.255.0
route 10.0.2.0 255.255.255.0

In addition to these, I have a client config in the ccd directory that holds the following:

push "dhcp-option DNS 10.0.0.1"

But for some reason, everything else works except the DNS. I've tried to set it directly in the client config by adding dhcp-option there instead of pushing it from the server, but I can't get DNS to work. The phone is a Xiaomi and the OpenVPN Connect version is 3.2.5 (7182).

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: can't push dns server to clients

Post by TinCanTech » Tue Aug 24, 2021 1:15 pm

Maybe your CCD file is not being read ..

kosvi
OpenVpn Newbie
Posts: 4
Joined: Tue Aug 24, 2021 12:40 pm

Re: can't push dns server to clients

Post by kosvi » Tue Aug 24, 2021 1:36 pm

TinCanTech wrote (Tue Aug 24, 2021 1:15 pm):
Maybe your CCD file is not being read ..

I thought of this and it might well be the case. However, even if I add

dhcp-option DNS 10.0.0.1

to the client's config it doesn't work. It still uses 8.8.8.8. I am starting to believe this has something to do with Xiaomi and that they don't let OpenVPN Connect change the DNS server. I see no reason for it to use 8.8.8.8 since I've unchecked "DNS Fallback" in the OpenVPN Connect settings.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: can't push dns server to clients

Post by TinCanTech » Tue Aug 24, 2021 1:47 pm

If you add the DNS to the client config then it will at least have that server in its list.

Sorry, I don't know very much about the Connect app for Android.

kosvi
OpenVpn Newbie
Posts: 4
Joined: Tue Aug 24, 2021 12:40 pm

Re: can't push dns server to clients

Post by kosvi » Tue Aug 24, 2021 4:39 pm

I took a look at the server logs. It seems to be pushing the DNS correctly to the client, but for some unknown reason the client refuses to use the DNS server provided and insists on using 8.8.8.8 instead. Here is the log:

Aug 24 13:58:40 ER-12 openvpn[3867]: MyPhoneCN/x.y.109.11:45184 OPTIONS IMPORT: reading client specific options from: /config/user-data/openvpn/ccd/MyPhoneCN
Aug 24 13:58:40 ER-12 openvpn[3867]: MyPhoneCN/x.y.109.11:45184 MULTI_sva: pool returned IPv4=10.10.0.2, IPv6=(Not enabled)
Aug 24 13:58:40 ER-12 openvpn[3867]: MyPhoneCN/x.y.109.11:45184 MULTI: Learn: 10.10.0.2 -> MyPhoneCN/x.y.109.11:45184
Aug 24 13:58:40 ER-12 openvpn[3867]: MyPhoneCN/x.y.109.11:45184 MULTI: primary virtual IP for MyPhoneCN/x.y.109.11:45184: 10.10.0.2
Aug 24 13:58:40 ER-12 openvpn[3867]: MyPhoneCN/x.y.109.11:45184 PUSH: Received control message: 'PUSH_REQUEST'
Aug 24 13:58:40 ER-12 openvpn[3867]: MyPhoneCN/x.y.109.11:45184 SENT CONTROL [MyPhoneCN]: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,route-gateway 10.10.0.1,topology subnet,ping 15,ping-restart 60,dhcp-option DNS 10.0.0.1,ifconfig 10.10.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Aug 24 13:58:40 ER-12 openvpn[3867]: MyPhoneCN/x.y.109.11:45184 Data Channel: using negotiated cipher 'AES-256-GCM'
Aug 24 13:58:40 ER-12 openvpn[3867]: MyPhoneCN/x.y.109.11:45184 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Aug 24 13:58:40 ER-12 openvpn[3867]: MyPhoneCN/x.y.109.11:45184 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Aug 24 14:02:12 ER-12 openvpn[3867]: MyPhoneCN/x.y.109.11:45184 SIGTERM[soft,remote-exit] received, client-instance exiting

Edit:

I investigated a bit more and noticed that the client actually does seem to start using the DNS server provided, but for some unknown reason it then rejects it. Here is my tcpdump:

tcpdump -eni any port 53 |grep 10.10.0.2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:45:56.814314  In ethertype IPv4 (0x0800), length 133: 10.10.0.2.6877 > 10.0.0.1.53: 45284+ A? fr-app-chat-global-xiaomi-net-1516654448.eu-central-1.elb.amazonaws.com. (89)
16:45:56.839306  In ethertype IPv4 (0x0800), length 77: 10.10.0.2.43529 > 10.0.0.1.53: 51681+ A? spoc.norton.com. (33)
16:45:56.853313  In ethertype IPv4 (0x0800), length 134: 10.10.0.2.17801 > 10.0.0.1.53: 55543+ A? fr-resolver-msg-global-xiaomi-n-916220403.eu-central-1.elb.amazonaws.com. (90)
16:45:57.687416  In ethertype IPv4 (0x0800), length 73: 10.10.0.2.14791 > 10.0.0.1.53: 27642+ A? example.org. (29)
16:45:57.695485  In ethertype IPv4 (0x0800), length 86: 10.10.0.2.50654 > 10.0.0.1.53: 56711+ A? detectportal.firefox.com. (42)
16:45:57.696241  In ethertype IPv4 (0x0800), length 75: 10.10.0.2.50220 > 10.0.0.1.53: 13827+ A? ipv4only.arpa. (31)
16:45:59.467375  In ethertype IPv4 (0x0800), length 78: 10.10.0.2.31079 > 10.0.0.1.53: 59569+ A? mtalk.google.com. (34)
16:46:01.851540  In ethertype IPv4 (0x0800), length 133: 10.10.0.2.27802 > 8.8.8.8.53: 45284+ A? fr-app-chat-global-xiaomi-net-1516654448.eu-central-1.elb.amazonaws.com. (89)
16:46:01.867272  In ethertype IPv4 (0x0800), length 77: 10.10.0.2.21534 > 8.8.8.8.53: 51681+ A? spoc.norton.com. (33)
16:46:01.868280  In ethertype IPv4 (0x0800), length 134: 10.10.0.2.61221 > 8.8.8.8.53: 55543+ A? fr-resolver-msg-global-xiaomi-n-916220403.eu-central-1.elb.amazonaws.com. (90)
16:46:01.868896 Out ethertype IPv4 (0x0800), length 261: 8.8.8.8.53 > 10.10.0.2.27802: 45284 8/0/0 A 18.195.58.3, A 18.196.177.71, A 18.193.4.130, A 18.158.8.177, A 3.125.88.4, A 3.127.8.149, A 52.28.182.107, A 18.157.249.124 (217)
16:46:01.892370 Out ethertype IPv4 (0x0800), length 191: 8.8.8.8.53 > 10.10.0.2.21534: 51681 3/0/0 CNAME spoc.trafficmanager.net., CNAME mue1-ncs-spoc-prod-green.eastus.cloudapp.azure.com., A 13.68.168.63 (147)
16:46:01.894022 Out ethertype IPv4 (0x0800), length 262: 8.8.8.8.53 > 10.10.0.2.61221: 55543 8/0/0 A 18.185.237.85, A 35.158.171.253, A 52.58.233.238, A 35.157.48.127, A 52.29.52.233, A 52.28.128.9, A 35.156.148.179, A 35.157.92.50 (218)
16:46:02.682240  In ethertype IPv4 (0x0800), length 73: 10.10.0.2.14687 > 8.8.8.8.53: 27642+ A? example.org. (29)
16:46:02.683294  In ethertype IPv4 (0x0800), length 86: 10.10.0.2.18077 > 8.8.8.8.53: 56711+ A? detectportal.firefox.com. (42)
16:46:02.683458  In ethertype IPv4 (0x0800), length 75: 10.10.0.2.35992 > 8.8.8.8.53: 13827+ A? ipv4only.arpa. (31)
16:46:02.697727 Out ethertype IPv4 (0x0800), length 89: 8.8.8.8.53 > 10.10.0.2.14687: 27642 1/0/0 A 93.184.216.34 (45)

So the first couple of requests go to 10.0.0.1.53, but then it switches to 8.8.8.8.53. My educated guess is that this is not an OpenVPN issue, but instead my phone is trying to be too smart. Any help is appreciated, but I know this is the wrong forum for my problem.

kosvi
OpenVpn Newbie
Posts: 4
Joined: Tue Aug 24, 2021 12:40 pm

Re: can't push dns server to clients

Post by kosvi » Wed Aug 25, 2021 4:32 am

Ok, I took another look at the tcpdump output and realized that there are no responses from 10.0.0.1, so I guess the phone decided to switch to Google's DNS servers as the given DNS didn't respond. It would have been easier to debug the error if the phone wasn't this smart :)

Anyway, the problem was that my DNS server wasn't listening for requests from the VPN interface/network. I have fixed this and will test later today, but I am fairly confident it will work. Thanks to everyone who has spent their time reading my posts and thanks to TinCanTech for taking the time to help me out.
