Potential bug with DNS on OpenVPN Connect v3.2.3

Official client software for OpenVPN Access Server and OpenVPN Cloud.
fh29
OpenVpn Newbie
Posts: 12
Joined: Tue May 18, 2021 5:55 pm


Post by fh29 » Tue May 18, 2021 7:12 pm

Hello,

There seems to be an issue with OpenVPN Connect (at least in v3.2.3 on Windows 10) not being able to set the DNS on the TAP adapter and silently failing after the command 'NRPT::ActionCreate names=[.somedomain.com] dns_servers=[192.168.1.11]'. The equivalent netsh command works fine however:

netsh interface ipv4 set dns 49 static 192.168.1.11 primary

This has been discussed multiple times on this forum already but with no clear solution:
viewtopic.php?f=5&t=30124
viewtopic.php?f=6&t=30960
viewtopic.php?f=24&t=29626

The issue doesn't exist in the OpenVPN GUI "Community Edition" client.

Please advise.

fh29
OpenVpn Newbie
Posts: 12
Joined: Tue May 18, 2021 5:55 pm

Re: Potential bug with DNS on OpenVPN Connect v3.2.3

Post by fh29 » Tue Jun 22, 2021 8:46 am

Additional info from original thread for more clarity:

My server is pushing a DNS IPv4 to my OpenVPN Connect v3.2.3 client on Windows 10. The pushed DNS is received by OpenVPN Connect (I can see the correct DNS in the log), but the DNS is not set in the TAP v9 adapter.
Every configuration option is correctly set on the adapter (via netsh commands).
The only option not being set via a netsh command is the DNS:

NRPT::ActionCreate names=[.somedomain.com] dns_servers=[192.168.1.11]

If I try that command in PowerShell I get:

The term 'NRPT::ActionCreate' is not recognized as the name of a cmdlet

Whereas if I try the equivalent with netsh in PowerShell, '192.168.1.11' is correctly set as the DNS value for the TAP adapter:

netsh interface ipv4 set dns 49 static 192.168.1.11 primary

Without changing anything in the client or server config, but using the community edition client "OpenVPN GUI" instead of "OpenVPN Connect", the DNS IP is correctly set in the TAP adapter setting. I don't know how to get a more verbose log in OpenVPN GUI so I'm not sure which command is used to configure the DNS there.

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Potential bug with DNS on OpenVPN Connect v3.2.3

Post by openvpn_inc » Mon Jun 28, 2021 12:12 pm

Hello fh29,

OpenVPN Connect v3 supports NRPT, which is a way to do split-dns. If you're seeing that ".somedomain.com" thing in there, that means that apparently you're being pushed a split-DNS domain. That means that the DNS server will only apply for resolving anything ending in ".somedomain.com". And that means it gets implemented in NRPT, not as a global DNS server on your TAP interface.

If you see in your pushed options in the logs something like "dhcp-option DOMAIN somedomain.com" then that will be why this is happening. If you remove that pushed option from the server side, the consequence will be that all domains will be resolved through the DNS server specified. And then NRPT will not be used, and the DNS server gets set on the TAP adapter instead.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
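
Added example, not part of the thread and not OpenVPN's own code: a PowerShell check of whether the pushed DNS server ended up in an NRPT rule (split-DNS) or on the TAP adapter (global DNS), as the reply above distinguishes. The function name is hypothetical, the defaults are the values quoted in the thread, and it assumes the client's NRPT rule is visible through the standard DnsClient cmdlets.

```powershell
# Added example. Defaults are the values quoted in the thread.
function Get-PushedDnsPlacement {
    param(
        [int]$InterfaceIndex = 49,                 # adapter index from the netsh command
        [string]$Suffix      = '.somedomain.com',  # namespace from the NRPT log line
        [string]$DnsServer   = '192.168.1.11'      # pushed DNS server
    )

    # NRPT rules that send this namespace to the pushed server (split-DNS).
    $rules = @(Get-DnsClientNrptRule -ErrorAction SilentlyContinue |
        Where-Object { $_.Namespace -contains $Suffix -and
                       $_.NameServers -contains $DnsServer })

    # DNS servers configured directly on the adapter (global DNS).
    $addr = Get-DnsClientServerAddress -InterfaceIndex $InterfaceIndex `
                -AddressFamily IPv4 -ErrorAction SilentlyContinue
    $onAdapter = [bool]($addr -and ($addr.ServerAddresses -contains $DnsServer))

    # Classify where the pushed server was applied.
    $placement = if ($rules.Count -gt 0 -and $onAdapter) { 'NRPT rule and adapter' }
                 elseif ($rules.Count -gt 0)             { 'NRPT rule only (split-DNS)' }
                 elseif ($onAdapter)                     { 'adapter only (global DNS)' }
                 else                                    { 'not configured' }

    [pscustomobject]@{
        Suffix         = $Suffix
        DnsServer      = $DnsServer
        NrptRules      = $rules.Count
        AdapterServers = @($addr.ServerAddresses) -join ', '
        Placement      = $placement
    }
}

Get-PushedDnsPlacement | Format-List
```

A result of "NRPT rule only (split-DNS)" matches the behaviour described above: the adapter shows no pushed DNS server, yet names under the suffix are still resolved through it.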

chad90b
OpenVpn Newbie
Posts: 1
Joined: Thu Feb 09, 2023 11:49 am

Re: Potential bug with DNS on OpenVPN Connect v3.2.3

Post by chad90b » Thu Feb 09, 2023 11:57 am

I'm having the same issue with OpenVPN Connect 3.3.6.

How do we disable NRPT in the client?
Always appreciate that new features are supported, but not at the cost of removing old features. Would like to be able to toggle this.

I do not have access to the VPN server and it will not be reconfigured. Other VPN clients do not have this problem. I'm using OpenVPN Connect because having multiple profiles is nice... just hope this issue can be resolved as well somehow.
