OpenVPN Connect 3.3.1

Official client software for OpenVPN Access Server and OpenVPN Cloud.
xiss_gm
OpenVpn Newbie
Posts: 5
Joined: Tue Jul 20, 2021 1:58 pm

OpenVPN Connect 3.3.1

Post by xiss_gm » Tue Jul 20, 2021 2:08 pm

So, I've been pulling my hair on this one :lol: :lol: :lol:

We have internal DNS servers hosting some .com entries for internal servers, so we do not want them exposed on external DNS servers. I've used the same .ovpn file on OpenVPN 2.5 and it applies the DNS servers and correctly identifies them with PING and NSLOOKUP.

After installing Connect and importing the client config, the DNS servers are not set correctly on the TAP adapter. Running NSLOOKUP on the .com addresses tries to use external DNS. I can ping my .local entries just fine and NSLOOKUP works for those.

I have modified the config file to have:
dhcp-option DNS 10.200.0.201
dhcp-option DNS 10.200.0.202

But still no DNS servers. I've unchecked the DNS fallback option under advanced settings. In the log file, I receive this:
Tunnel Addresses:
10.200.200.2/24 -> 10.200.200.1
Reroute Gateway: IPv4=0 IPv6=0 flags=[ IPv4 ]
Block IPv6: no
Add Routes:
10.200.0.0/24
10.0.1.0/24
10.0.99.0/24
10.190.101.26/32
10.190.101.27/32
172.16.0.0/16
Exclude Routes:
DNS Servers:
10.200.0.201
10.200.0.202
Search Domains:
(blank).local
WINS Servers:
10.200.0.201
10.200.0.202

After editing the config file and adding
dhcp-option DOMAIN (blank).com
dhcp-option DOMAIN (blank).local

I can ping and access them via a web browser. However, the issue still exists that DNS is not propagated to the TAP adapter. Certain applications rely on a dig of the .com domain names to access them. We do not want to host our internal .com names on our external DNS server.

I have also gone through setting different binding order in registry, enabling SmartDNS through GPO, disabling SmartDNS through GPO, changing the metrics of the adapters, and such. Adding the DNS servers manually to the TAP adapter will add them, but I'm trying to figure out a way to do this without manual intervention. I'd just like to get the functionality back like it was in OVPN 2.5, but we like being able to automatically connect on boot. This version of OVPN Connect also fixes some of the random VPN disconnect issues a few clients had, so rolling back isn't such a good option at this time.

Thanks for any insight to this issue.

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: OpenVPN Connect 3.3.1

Post by openvpn_inc » Thu Jul 29, 2021 10:01 am

Hello xiss_gm,

Because OpenVPN3 supports split-DNS, its implementation is different.

If you're on Windows 7, OpenVPN3 implements the same logic as OpenVPN2: it applies DNS on the interface.

On Windows 8 and above, if you reroute Internet traffic through the VPN tunnel, it will implement the DNS servers on the interface like OpenVPN2, and on top of that implement an NRPT rule for the "." zone (all domains).

And on Windows 8 and above, if it's a split tunnel and you push a specific domain, it will implement that and not set the DNS server on the interface.

I hope that information helps.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
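
In the split-tunnel case described in the reply above, the adapter's DNS list stays empty and name resolution depends on NRPT rules; nslookup does not consult the NRPT, so it is not a reliable test of that setup. The PowerShell below is an added example (not from the thread or from OpenVPN Inc.) that reports the adapter's DNS servers, the effective NRPT rules, which rule covers a given name, and what the Windows DNS client actually resolves. `intranet.example.com` is a placeholder name, and the adapter description is taken from the ipconfig output later in the thread.

```powershell
# Added example, not from the thread. Read-only checks; run on the connected client.
param(
    [string]$TestName = 'intranet.example.com',            # placeholder internal name
    [string]$AdapterDescription = 'TAP-Windows Adapter V9*' # as shown by ipconfig /all
)

# 1. DNS servers bound to the VPN adapter. Empty is expected for a split tunnel
#    with a pushed domain on Windows 8 and above.
Get-NetAdapter | Where-Object InterfaceDescription -like $AdapterDescription | ForEach-Object {
    $dns = (Get-DnsClientServerAddress -InterfaceIndex $_.ifIndex -AddressFamily IPv4).ServerAddresses
    [pscustomobject]@{
        Check  = 'Adapter DNS'
        Target = $_.Name
        Result = if ($dns) { $dns -join ', ' } else { '(none)' }
    }
}

# 2. Effective NRPT rules: each maps a DNS namespace to the servers that answer for it.
$rules = @(Get-DnsClientNrptPolicy -Effective)
foreach ($r in $rules) {
    [pscustomobject]@{ Check = 'NRPT rule'; Target = $r.Namespace -join ', '; Result = $r.NameServers -join ', ' }
}

# 3. Longest match of the test name against the NRPT namespaces:
#    '.' covers every name, '.example.com' covers names under example.com,
#    and a namespace without a leading dot must equal the name exactly.
$match = $rules | ForEach-Object { foreach ($ns in $_.Namespace) {
        $suffix = $ns.StartsWith('.') -and ".$TestName".EndsWith($ns, [StringComparison]::OrdinalIgnoreCase)
        if ($ns -eq '.' -or $suffix -or $ns -eq $TestName) {
            [pscustomobject]@{ Namespace = $ns; Servers = $_.NameServers -join ', ' }
        } } } | Sort-Object { $_.Namespace.Length } -Descending | Select-Object -First 1
[pscustomobject]@{
    Check  = 'NRPT match'
    Target = $TestName
    Result = if ($match) { "$($match.Namespace) -> $($match.Servers)" } else { '(no rule; adapter DNS is used)' }
}

# 4. Resolve through the Windows DNS client, which applies the NRPT.
$answer = Resolve-DnsName -Name $TestName -Type A -DnsOnly -ErrorAction SilentlyContinue
[pscustomobject]@{
    Check  = 'Resolve-DnsName'
    Target = $TestName
    Result = if ($answer) { ($answer | Where-Object IPAddress).IPAddress -join ', ' } else { '(no answer)' }
}
```

If step 3 reports no matching rule for a name that should resolve internally, the domain was not pushed as a split-DNS domain for that profile.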

Re: OpenVPN Connect 3.3.1

Post by xiss_gm » Fri Jul 30, 2021 2:03 pm

I figured it out.

dhcp-options DNS domain.com
dhcp-options DNS domain.local
dhcp-options DNS mhpc


I was also looking for a way to automate first-time login users of the system. Unfortunately each new user has to set up an OpenVPN profile. I was wanting to take the .ovpn file and just import it with options and run it only once per newly logged-in user.

I've tried this and variants and no luck:
"%ProgramFiles%\OpenVPN Connect\OpenVPNConnect.exe --set-setting=timeout --value=0 --set-settings=tray-icon-style --value=color --enable-crash-reporting --value=no --skip-startup-dialogs --config C:\Colo.ovpn --name=Colo --username=%USERNAME% --password=%PASSWORD% --set-setting=launch-options --value=connect-latest"

Re: OpenVPN Connect 3.3.1

Post by xiss_gm » Sat Jul 31, 2021 12:08 am

Actually this fix doesn't work if you're connected to the network that has a site-to-site VPN connection. I need OpenVPN Connect to push the DNS servers to the client to use correctly! The only workaround is to manually add them to the TAP adapter.

As you can see from ipconfig /all there are NO DNS SERVERS:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Windows Adapter V9 for OpenVPN Connect
Physical Address. . . . . . . . . : 00-FF-D9-0D-0E-95
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::7958:6dfa:df28:133d%66(Preferred)
IPv4 Address. . . . . . . . . . . : 10.200.200.2(Tentative)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.200.200.1
DHCPv6 IAID . . . . . . . . . . . : 1107361753
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-6A-F7-FD-B0-7B-25-7E-AF-06
Primary WINS Server . . . . . . . : 10.200.0.201
Secondary WINS Server . . . . . . : 10.200.0.202
NetBIOS over Tcpip. . . . . . . . : Enabled
