Using Windows 10 1803 (and 1709) and trying to make OpenVPN work properly as a client.
I imported "setenv opt block-outside-dns" on the client configs and the results are as expected, thus, the OpenVPN interface is automatically set to InterfaceMetric = 3 and DNS queries on other interfaces are blocked.
PS> Get-NetIPInterface

ifIndex InterfaceAlias              AddressFamily NlMtu(Bytes) InterfaceMetric Dhcp     ConnectionState PolicyStore
------- --------------              ------------- ------------ --------------- ----     --------------- -----------
1       Loopback Pseudo-Interface 1 IPv6          4294967295   75              Disabled Connected       ActiveStore
6       OpenVPN                     IPv4          1500         3               Enabled  Connected       ActiveStore
2       Ethernet                    IPv4          1500         5               Enabled  Disconnected    ActiveStore
10      Wi-Fi                       IPv4          1500         30              Enabled  Connected       ActiveStore
1       Loopback Pseudo-Interface 1 IPv4          4294967295   75              Disabled Connected       ActiveStore
Wed Jun 20 00:24:23 2018 Block_DNS: WFP engine opened
Wed Jun 20 00:24:23 2018 Block_DNS: Added a persistent sublayer with pre-defined UUID
Wed Jun 20 00:24:23 2018 Block_DNS: Added permit filters for exe_path
Wed Jun 20 00:24:23 2018 Block_DNS: Added block filters for all interfaces
Wed Jun 20 00:24:23 2018 Block_DNS: Added permit filters for TAP interface
Up to this point everything works as expected; the clients connect to the BSD OpenVPN server fine.
BUT, this setup works properly only when connecting over the Wi-Fi interface.
If we connect via Ethernet, again the client properly connects and routing works fine.
1. I can ping internal and external hosts
2. I can nslookup any hostname properly
But what I can't do is to browse the Internet via Edge or IE or PS Invoke-WebRequest.
* IE
When opened, it remains in an "opening state" where we see the IE window but nothing is loaded.
In addition, we can't even get to IE menus as the browser seems not be fully loaded.
* Edge
Opens up and nothing is loading. When entering any hostname or IP, the browser doesn't even try to load the page.
It's like it just stays there.
* Invoke-WebRequest -uri xxx.xxx.xx
Hangs without erroring out
* Firefox
WORKS FINE
All of the above will never timeout and will just stay in that state indefinitely.
At that point, if I kill the OpenVPN client service, everything wakes up and functions properly.
Now the above behavior does not happen if I don't use block-outside-dns.
At that point, I tried to disable the wpad script on IE (that would affect the OS as well) and the issue was resolved.
Summarizing when the issue occurs:
1. When connected to Ethernet only AND
2. When using the native software (not Firefox) AND
3. When wpad script is in use AND
4. When block-outside-dns is used
I know this is a possible scenario for many enterprises (using a wpad script), and block-outside-dns also avoids DNS leakage, which is necessary from a security perspective.
It seems like the problem has something to do with resolving something on DNS (dnscache ?) and not being able to do so.
Since the wpad script is the first DNS lookup a browser will do in Windows there could be an issue where this lookup is killed by block-outside-dns.
I have noticed that there is a strange lookup being made repeatedly when the browsers open for the first time after a reboot.
What I am thinking of trying is to disable Multi-Homed DNS resolution (DisableSmartNameResolution).
Has anyone else faced this strange issue?
--
Alex
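A diagnostic that checks the four conditions listed in the post from one PowerShell session; this is an added example, not from the original post or from OpenVPN. It assumes the VPN adapter is named "OpenVPN" as in the Get-NetIPInterface output above and that the WPAD name being looked up is the default "wpad".

```powershell
# Added diagnostic for the block-outside-dns + WPAD hang (not part of the original post).
# Assumption: the VPN adapter alias is "OpenVPN"; change $VpnAlias if yours differs.
$VpnAlias = 'OpenVPN'

# 1. Interface metrics: block-outside-dns should leave the VPN adapter with the lowest metric.
Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected |
    Sort-Object InterfaceMetric |
    Format-Table ifIndex, InterfaceAlias, InterfaceMetric -AutoSize

# 2. Try the WPAD lookup against each connected interface's own DNS servers.
#    With block-outside-dns active, only servers reached through $VpnAlias should answer;
#    a lookup that fails or stalls here is the one IE/Edge wait on at startup.
foreach ($if in Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected) {
    $servers = (Get-DnsClientServerAddress -InterfaceIndex $if.ifIndex -AddressFamily IPv4).ServerAddresses
    foreach ($srv in $servers) {
        $tag = if ($if.InterfaceAlias -eq $VpnAlias) { 'VPN    ' } else { 'non-VPN' }
        try {
            $ans = Resolve-DnsName -Name 'wpad' -Server $srv -Type A -DnsOnly -QuickTimeout -ErrorAction Stop
            "{0} {1,-12} via {2,-15}: {3}" -f $tag, $if.InterfaceAlias, $srv, ($ans.IPAddress -join ',')
        } catch {
            "{0} {1,-12} via {2,-15}: FAILED ({3})" -f $tag, $if.InterfaceAlias, $srv, $_.Exception.Message
        }
    }
}

# 3. Smart multi-homed name resolution policy (the setting the post considers changing).
#    Policy key: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient, value DisableSmartNameResolution.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$val = (Get-ItemProperty -Path $key -Name DisableSmartNameResolution -ErrorAction SilentlyContinue).DisableSmartNameResolution
if ($null -eq $val) { 'DisableSmartNameResolution: not set (smart multi-homed resolution is enabled)' }
else { "DisableSmartNameResolution: $val" }

# 4. WinHTTP proxy configuration used by services and Invoke-WebRequest; WPAD shows up as auto-detect.
netsh winhttp show proxy
```

Run it once on Wi-Fi (working case) and once on Ethernet (hanging case) and compare which interface's DNS servers answer the wpad query.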