WSL and nslookup can use the DNS pushed by OpenVPN, but nothing else can

[SparkyTD]

Hello!

I recently set up an OpenVPN server to securely connect employee computers to an internal corporate network. The VPN doesn't "hide" the user's IP address, because that's not the intended purpose, and therefore I haven't enabled forced traffic redirection (;push "redirect-gateway def1 bypass-dhcp").

I want to change the default DNS address to one that's hosted on the VPN server, so the clients can use more user-friendly internal domain names instead of IP addresses, but I'm having some strange issues. In my server.conf, I have enabled push "dhcp-option DNS 10.8.0.1" and after connecting to the server, the correct DNS setting shows up in ipconfig /all:

Code: Select all

Unknown adapter Local Area Connection:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9 for OpenVPN Connect
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.8.0.6(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.8.0.1  <=== This is the correct DNS address

However for some reason, most programs are still unable to resolve domain names that are hosted by my custom DNS server. The ping command fails with "could not find host ...", and Chrome also fails with ERR_NAME_NOT_RESOLVED. Some people have suggested ensuring that the network metric of the default interface is higher than OpenVPN's, but unfortunately this didn't work.

Strangely, if I try to nslookup an internal domain name, it works, even if I don't specify the DNS server address. What's even more strange is that DNS resolution seems to fully work from within a WSL (Windows Subsystem for Linux) terminal, e.g. the ping command functions as expected.

OpenVPN Connect is already deployed on all the relevant machines, and all .ovpn profiles have already been issued and installed, so it would be preferrable if this problem could be solved with a server-side "push" configuration, or something similar.

Here's my minimized server.conf file with all comments stripped:

View OriginalServer Config

1

2

3

port 52278

4

5

proto udp

6

7

dev tun

8

9

ca ca.crt

10

11

cert server.crt

12

13

key server.key

14

15

dh none

16

17

topology subnet

18

19

server 10.8.0.0 255.255.255.0

20

21

ifconfig-pool-persist /var/log/openvpn/ipp.txt

22

23

push "dhcp-option DNS 10.8.0.1" # <======= DNS Configuration

24

25

push "block-outside-dns" # <====== This also doesn't fix the issue

26

27

client-config-dir /etc/openvpn/ccd

28

29

client-to-client

30

31

keepalive 10 120

32

33

tls-crypt ta.key

34

35

cipher AES-256-GCM

36

37

auth SHA256

38

39

user nobody

40

41

group nogroup

42

43

persist-key

44

45

persist-tun

46

47

status /var/log/openvpn/openvpn-status.log

48

49

verb 3

50

51

explicit-exit-notify 1

52

1

port 52278

2

proto udp

3

dev tun

4

ca ca.crt

5

cert server.crt

6

key server.key

7

dh none

8

topology subnet

9

server 10.8.0.0 255.255.255.0

10

ifconfig-pool-persist /var/log/openvpn/ipp.txt

11

push "dhcp-option DNS 10.8.0.1"

12

push "block-outside-dns"

13

client-config-dir /etc/openvpn/ccd

14

client-to-client

15

keepalive 10 120

16

tls-crypt ta.key

17

cipher AES-256-GCM

18

auth SHA256

19

user nobody

20

group nogroup

21

persist-key

22

persist-tun

23

status /var/log/openvpn/openvpn-status.log

24

verb 3

25

explicit-exit-notify 1

[TinCanTech]

Description . . . . . . . . . . . : TAP-Windows Adapter V9 for OpenVPN Connect

Which version of Openvpn is that ?

[SparkyTD]

Description . . . . . . . . . . . : TAP-Windows Adapter V9 for OpenVPN Connect

Which version of Openvpn is that ?

The Client is OpenVPN Connect 3.3.6.2752 (OpenVPN core 3.git::d3f8b18b win x86_64 in the logs)
I'm not quite sure where I can check the server's exact version on Ubuntu, since it's running as a service and the logs don't seem to reveal it, but it's whatever version was the latest for Ubuntu about a week ago. From my apt-cache, it appears to be 2.5.1-2~bpo10+1, but again, I'm not sure if that's the correct version.

[TinCanTech]

The client version is what determines how the client DNS will behave.

^ moved *

[SparkyTD]

The client version is what determines how the client DNS will behave.

Then I assume this is a bug in OpenVPN Connect? Or is it a misconfiguration? I find it really strange that even with "block-outside-dns" my programs still fail to use the provided DNS.

Since I didn't specify in my post, I am testing this on the latest beta release of Windows 11, but I'm getting the same behavior on Windows 10.

[SparkyTD]

I posted this question on r/OpenVPN on Reddit, and u/matthew1471 helped me solve it.

I think the problem was that I wasn't using a top level domain, but after appending ".local" to all my dns entries and adding the following push options:

push "dhcp-option DOMAIN LAN"
push "dhcp-option DISABLE-NBT"

Everything works now as expected.