How to push DNS servers to the Windows client with net30 on the server?

jamesp-brightpattern
OpenVpn Newbie
Posts: 16
Joined: Fri Dec 17, 2021 1:34 am

How to push DNS servers to the Windows client with net30 on the server?

Post by jamesp-brightpattern » Thu Jan 13, 2022 9:37 pm

Hi,

How do I get the ipv4 address of a DNS server which I set on my OpenVPN server to be pushed to a Windows OpenVPN client, when the server is using the net30 topology?

Thank you,
James Pedersen

TinCanTech
Forum Team
Posts: 10711
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to push DNS servers to the Windows client with net30 on the server?

Post by TinCanTech » Thu Jan 13, 2022 9:44 pm

Are you using Openvpn-connect or are you using Openvpn-CE?

viewtopic.php?f=30&t=22603

jamesp-brightpattern
OpenVpn Newbie
Posts: 16
Joined: Fri Dec 17, 2021 1:34 am

Re: How to push DNS servers to the Windows client with net30 on the server?

Post by jamesp-brightpattern » Fri Jan 14, 2022 5:50 pm

I'm using OpenVPN Connect 3.3.3, and I'm using Windows 11.

openvpn_inc
OpenVPN Inc.
Posts: 657
Joined: Tue Feb 16, 2021 10:41 am

Re: How to push DNS servers to the Windows client with net30 on the server?

Post by openvpn_inc » Sat Jan 15, 2022 3:07 pm

Hello James,

I think I should inform you that net30 is deprecated and really should not be used anymore.

But anyway, that was not your question. You want to know the IP of the DNS server in net30. You can either take the IP that the server itself gets in this range, which you can find by for example looking at your route table on the client side, to see where traffic is routed to, and use that to implement parameters for having the client implement a DNS server on the client side with that IP. Or you can just take an IP that the server itself has on its main ethernet interface for example and push that as DNS server to the VPN clients. Packet forwarding will need to be enabled for that but I figure that's already enabled if it's serving as a VPN server.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

jamesp-brightpattern
OpenVpn Newbie
Posts: 16
Joined: Fri Dec 17, 2021 1:34 am

Re: How to push DNS servers to the Windows client with net30 on the server?

Post by jamesp-brightpattern » Mon Jan 17, 2022 6:37 pm

Jacob,

How do I push the DNS server IP address to the clients?

I’ve already got

push "dhcp-option DNS X.X.X.X"

set on the server, where X.X.X.X is the WAN address of the router, but the DNS server address isn’t showing up in the OpenVPN adapter on windows clients. I’m guessing this is because net30 isn’t using DHCP.

Thank you,
James Pedersen

openvpn_inc
OpenVPN Inc.
Posts: 657
Joined: Tue Feb 16, 2021 10:41 am

Re: How to push DNS servers to the Windows client with net30 on the server?

Post by openvpn_inc » Wed Jan 19, 2022 7:04 pm

Hi James,

I of course agree with Johan (I have to! He hired me! ;) ) about letting --net 30 die in peace. It was an ugly kludge to work with Windows in the early days of openvpn Windows support.

Anyway, that said, yes, --dhcp-option is a Windows thing, because Windows thinks a layer-3 tun adapter is DHCP. And yes, that's how you would push it from a server to clients. As for why it's not being pushed, there could be any number of reasons for that. Show the logging, which should tell us what is being pushed.

regards, rob0

jamesp-brightpattern
OpenVpn Newbie
Posts: 16
Joined: Fri Dec 17, 2021 1:34 am

Re: How to push DNS servers to the Windows client with net30 on the server?

Post by jamesp-brightpattern » Thu Jan 20, 2022 8:55 pm

Ok.

My server config and my client logs are given below.

I'm using OpenVPN Connect 3.3.3 on Windows 11 for the client. Please note that I have the DNS cache (the DNS client service) disabled on the client machine.

Server config:

dev ovpns1
verb 4
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
learn-address "/usr/local/sbin/openvpn.learn-address.sh pl.acme.com"
local <ROUTER_PUBLIC_IP>
tls-server
server 172.16.122.0 255.255.255.0
client-config-dir /var/etc/openvpn/server1/csc
username-as-common-name
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user <REDACTED> false server1 1194
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'router.pl.acme.com' 1"
lport 1194
management /var/etc/openvpn/b/sock unix
push "route 10.0.0.0 255.255.0.0"
push "route 10.1.0.0 255.255.0.0"
push "route 10.10.0.0 255.255.255.0"
...
<PUSH_ROUTES_DIRECTIVES_REDACTED>
...
push "dhcp-option DOMAIN pl.acme.com"
push "dhcp-option DNS 10.1.0.1"
push "dhcp-option NTP 10.1.0.1"
duplicate-cn
capath /var/etc/openvpn/server1/ca
cert /var/etc/openvpn/server1/cert
key /var/etc/openvpn/server1/key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1/tls-auth 0
data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC:AES-256-CBC
data-ciphers-fallback AES-128-CBC
allow-compression asym
persist-remote-ip
float
topology net30
reneg-sec 36000

Client logs:

[Jan 20, 2022, 19:58:35] OpenVPN core 3.git::d3f8b18b win x86_64 64-bit built on Nov 12 2021 10:45:12
[Jan 20, 2022, 19:58:35] Frame=512/2048/512 mssfix-ctrl=1250
[Jan 20, 2022, 19:58:35] UNUSED OPTIONS
1 [persist-tun]
2 [persist-key]
3 [data-ciphers] [AES-256-GCM:AES-128-GCM:AES-128-CBC:AES-256-CBC]
4 [data-ciphers-fallback] [AES-128-CBC]
6 [tls-client]
8 [resolv-retry] [infinite]
13 [explicit-exit-notify]
[Jan 20, 2022, 19:58:35] EVENT: RESOLVE
[Jan 20, 2022, 19:58:35] Contacting <ROUTER_PUBLIC_IP>:1194 via UDP
[Jan 20, 2022, 19:58:35] EVENT: WAIT
[Jan 20, 2022, 19:58:35] WinCommandAgent: transmitting bypass route to <ROUTER_PUBLIC_IP>
{
	"host" : "<ROUTER_PUBLIC_IP>",
	"ipv6" : false
}

[Jan 20, 2022, 19:58:35] Connecting to [<ROUTER_PUBLIC_IP>]:1194 (<ROUTER_PUBLIC_IP>) via UDPv4
[Jan 20, 2022, 19:58:35] EVENT: CONNECTING
[Jan 20, 2022, 19:58:35] Tunnel Options:V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client
[Jan 20, 2022, 19:58:35] Creds: Username/Password
[Jan 20, 2022, 19:58:35] Peer Info:
IV_VER=3.git::d3f8b18b
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:BF-CBC
IV_GUI_VER=OCWindows_3.3.3-2562
IV_SSO=webauth,openurl,crtext
IV_BS64DL=1

[Jan 20, 2022, 19:58:36] SSL Handshake: peer certificate: CN=router.pl.acme.com, 2048 bit RSA, cipher: TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD

[Jan 20, 2022, 19:58:36] Session is ACTIVE
[Jan 20, 2022, 19:58:36] EVENT: WARN TLS: received certificate signed with SHA1. Please inform your admin to upgrade to a stronger algorithm. Support for SHA1 signatures will be dropped in the future
[Jan 20, 2022, 19:58:36] EVENT: GET_CONFIG
[Jan 20, 2022, 19:58:36] Sending PUSH_REQUEST to server...
[Jan 20, 2022, 19:58:36] Options continuation...
[Jan 20, 2022, 19:58:36] Options continuation...
[Jan 20, 2022, 19:58:36] OPTIONS:
0 [route] [10.0.0.0] [255.255.0.0]
1 [route] [10.1.0.0] [255.255.0.0]
2 [route] [10.10.0.0] [255.255.255.0]
....
<ROUTES_PUSHED_REDACTED>
....
49 [dhcp-option] [DOMAIN] [pl.acme.com]
50 [dhcp-option] [DNS] [10.1.0.1]
51 [dhcp-option] [NTP] [10.1.0.1]
52 [route] [172.16.122.1]
53 [topology] [net30]
54 [ping] [10]
55 [ping-restart] [60]
56 [push-continuation] [2]
57 [ifconfig] [172.16.122.42] [172.16.122.41]
58 [peer-id] [9]
59 [cipher] [AES-256-GCM]
60 [push-continuation] [1]

[Jan 20, 2022, 19:58:36] PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: NONE
  key-derivation: OpenVPN PRF
  compress: NONE
  peer ID: 9
  control channel: tls-auth enabled
[Jan 20, 2022, 19:58:36] EVENT: ASSIGN_IP
[Jan 20, 2022, 19:58:36] Unknown pushed DHCP option: [dhcp-option] [NTP] [10.1.0.1]
[Jan 20, 2022, 19:58:36] CAPTURED OPTIONS:
Session Name: <ROUTER_PUBLIC_IP>
Layer: OSI_LAYER_3
Remote Address: <ROUTER_PUBLIC_IP>
Tunnel Addresses:
  172.16.122.42/30 -> 172.16.122.41 [net30]
Reroute Gateway: IPv4=0 IPv6=0 flags=[ IPv4 ]
Block IPv6: no
Add Routes:
  10.0.0.0/16
  10.1.0.0/16
  10.10.0.0/24
....
ROUTES_REDACTED>
....
  172.16.122.1/32
Exclude Routes:
DNS Servers:
  10.1.0.1
Search Domains:
  pl.acme.com

[Jan 20, 2022, 19:58:37] SetupClient: transmitting tun setup list to \\.\pipe\agent_ovpnconnect
{
	"allow_local_dns_resolvers" : false,
	"confirm_event" : "4c12000000000000",
	"destroy_event" : "6c0d000000000000",
	"tun" : 
	{
		"adapter_domain_suffix" : "",
		"add_routes" : 
		[
			{
				"address" : "10.0.0.0",
				"gateway" : "",
				"ipv6" : false,
				"metric" : -1,
				"net30" : false,
				"prefix_length" : 16
			},
			{
				"address" : "10.1.0.0",
				"gateway" : "",
				"ipv6" : false,
				"metric" : -1,
				"net30" : false,
				"prefix_length" : 16
			},
			{
				"address" : "10.10.0.0",
				"gateway" : "",
				"ipv6" : false,
				"metric" : -1,
				"net30" : false,
				"prefix_length" : 24
			},
			....
				<ADDRESES_REDACTED>
			....
		],
		"block_ipv6" : false,
		"dns_servers" : 
		[
			{
				"address" : "10.1.0.1",
				"ipv6" : false
			}
		],
		"layer" : 3,
		"mtu" : 0,
		"remote_address" : 
		{
			"address" : "<ROUTER_PUBLIC_IP>",
			"ipv6" : false
		},
		"reroute_gw" : 
		{
			"flags" : 256,
			"ipv4" : false,
			"ipv6" : false
		},
		"route_metric_default" : -1,
		"search_domains" : 
		[
			{
				"domain" : "pl.acme.com"
			}
		],
		"session_name" : "<ROUTER_PUBLIC_IP>",
		"tunnel_address_index_ipv4" : 0,
		"tunnel_address_index_ipv6" : -1,
		"tunnel_addresses" : 
		[
			{
				"address" : "172.16.122.42",
				"gateway" : "172.16.122.41",
				"ipv6" : false,
				"metric" : -1,
				"net30" : true,
				"prefix_length" : 30
			}
		]
	},
	"wintun" : false
}
POST np://[\\.\pipe\agent_ovpnconnect]/tun-setup : 200 OK
TAP ADAPTERS:
guid='{92153C18-52CC-4B8D-B54E-A3738D97B3C6}' index=24 name='Local Area Connection'
Open TAP device "Local Area Connection" PATH="\\.\Global\{92153C18-52CC-4B8D-B54E-A3738D97B3C6}.tap" SUCCEEDED
TAP-Windows Driver Version 9.24
ActionDeleteAllRoutesOnInterface iface_index=24
netsh interface ip set interface 24 metric=1
Ok.
netsh interface ip set address 24 static 172.16.122.42 255.255.255.252 gateway=172.16.122.41 store=active
IPHelper: add route 10.0.0.0/16 24 172.16.122.41 metric=-1
IPHelper: add route 10.1.0.0/16 24 172.16.122.41 metric=-1
IPHelper: add route 10.10.0.0/24 24 172.16.122.41 metric=-1
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
cannot modify route: error 5010
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
cannot modify route: error 5010
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: <REDACTED>
IPHelper: add route 172.16.122.1/32 24 172.16.122.41 metric=-1
NRPT::ActionCreate names=[.pl.acme.com] dns_servers=[10.1.0.1]
ipconfig /flushdns
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
TAP: ARP flush succeeded
TAP handle: 340f000000000000
[Jan 20, 2022, 19:58:37] Connected via TUN_WIN
[Jan 20, 2022, 19:58:37] EVENT: CONNECTED james.pedersen@<ROUTER_PUBLIC_IP>:1194 (<ROUTER_PUBLIC_IP>) via /UDPv4 on TUN_WIN/172.16.122.42/ gw=[172.16.122.41/]

Images:
https://ibb.co/pKJcT2B
https://ibb.co/w6ynRW1

Thank you,
James Pedersen
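
An added example, not part of any post in this thread and not OpenVPN's own tooling: a small Python checker for a client log like the one posted above. It lists the dhcp-option values in the pushed OPTIONS block, the ones the client reported as unknown, and the DNS servers that ended up in an NRPT rule; the sample log is constructed from lines quoted in the post, and the comma separator for multi-value lists is an assumption.

```python
import re
# Constructed sample shaped like the OpenVPN Connect 3.x log lines quoted in this thread.
SAMPLE_LOG = """\
[Jan 20, 2022, 19:58:35] UNUSED OPTIONS
1 [persist-tun]
[Jan 20, 2022, 19:58:36] OPTIONS:
49 [dhcp-option] [DOMAIN] [pl.acme.com]
50 [dhcp-option] [DNS] [10.1.0.1]
51 [dhcp-option] [NTP] [10.1.0.1]
53 [topology] [net30]
[Jan 20, 2022, 19:58:36] EVENT: ASSIGN_IP [Jan 20, 2022, 19:58:36] Unknown pushed DHCP option: [dhcp-option] [NTP] [10.1.0.1]
NRPT::ActionCreate names=[.pl.acme.com] dns_servers=[10.1.0.1]
"""

PUSH_START = re.compile(r"\] OPTIONS:$")  # not "UNUSED OPTIONS" or "CAPTURED OPTIONS:"
OPTION = re.compile(r"^\d+ (\[[^\]]*\](?: \[[^\]]*\])*)$")
FIELD = re.compile(r"\[([^\]]*)\]")
UNKNOWN = re.compile(r"Unknown pushed DHCP option: \[dhcp-option\] \[([^\]]*)\]")
NRPT = re.compile(r"NRPT::ActionCreate names=\[([^\]]*)\] dns_servers=\[([^\]]*)\]")

def split_list(text):
    # Assumption: multiple entries are comma-separated; the thread only shows single entries.
    return [item.strip() for item in text.split(",") if item.strip()]

def analyze(log_text):
    """Report which dhcp-options the server pushed and what the client did with them."""
    report = {"pushed": {}, "topology": None, "ignored": [], "nrpt": []}
    in_push = False
    for raw in log_text.splitlines():
        line = raw.strip().lstrip("⏎").strip()
        if line.startswith("["):  # a timestamped entry ends any numbered option list
            in_push = bool(PUSH_START.search(line))
        m = OPTION.match(line) if in_push else None
        if m:
            fields = FIELD.findall(m.group(1))
            if fields[0] == "dhcp-option" and len(fields) >= 3:
                report["pushed"].setdefault(fields[1], []).append(fields[2])
            elif fields[0] == "topology" and len(fields) >= 2:
                report["topology"] = fields[1]
        report["ignored"] += UNKNOWN.findall(line)
        for names, servers in NRPT.findall(line):
            report["nrpt"].append({"names": split_list(names), "dns_servers": split_list(servers)})
    applied = {s for rule in report["nrpt"] for s in rule["dns_servers"]}
    report["dns_without_nrpt_rule"] = [s for s in report["pushed"].get("DNS", []) if s not in applied]
    return report

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

An empty `dns_without_nrpt_rule` list means every pushed DNS server was received and written into an NRPT rule for the listed names, so the push itself worked.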

jamesp-brightpattern
OpenVpn Newbie
Posts: 16
Joined: Fri Dec 17, 2021 1:34 am

Re: How to push DNS servers to the Windows client with net30 on the server?

Post by jamesp-brightpattern » Wed Jan 26, 2022 7:47 pm

Hi guys,

Any ideas as to what could be going wrong here?

Thank you,
James Pedersen

bdsr
OpenVpn Newbie
Posts: 2
Joined: Sun Jan 30, 2022 1:52 am

Re: How to push DNS servers to the Windows client with net30 on the server?

Post by bdsr » Sun Jan 30, 2022 1:53 am

Hello!

I'm getting the same issue.

bdsr
OpenVpn Newbie
Posts: 2
Joined: Sun Jan 30, 2022 1:52 am

Re: How to push DNS servers to the Windows client with net30 on the server?

Post by bdsr » Sun Jan 30, 2022 1:57 am

jamesp-brightpattern wrote:
Wed Jan 26, 2022 7:47 pm
Hi guys,

Any ideas as to what could be going wrong here?

Thank you,
James Pedersen

I solved it by changing the line

push "dhcp-option DNS x.x.x.x"

to

dhcp-option DNS x.x.x.x

Then execute ipconfig /all and you will see the DNS server IP on the TAP interface.

jamesp-brightpattern
OpenVpn Newbie
Posts: 16
Joined: Fri Dec 17, 2021 1:34 am

Re: How to push DNS servers to the Windows client with net30 on the server?

Post by jamesp-brightpattern » Wed Feb 02, 2022 6:42 pm

bdsr,

Thank you for this suggestion.

I would like to understand your solution better.

Is dhcp-option a client side option or a server side option? Johan or someone else from OpenVPN, could you please weigh in here?

Thank you,
James Pedersen
