WSL and nslookup can use the DNS pushed by OpenVPN, but nothing else can

This forum is for general conversation and user-user networking.

Moderators: TinCanTech

SparkyTD
OpenVpn Newbie
Posts: 7
Joined: Tue Jul 26, 2022 7:07 pm

WSL and nslookup can use the DNS pushed by OpenVPN, but nothing else can

Post by SparkyTD » Tue Jul 26, 2022 7:34 pm

Hello!

I recently set up an OpenVPN server to securely connect employee computers to an internal corporate network. The VPN doesn't "hide" the user's IP address, because that's not the intended purpose, and therefore I haven't enabled forced traffic redirection (;push "redirect-gateway def1 bypass-dhcp").

I want to change the default DNS address to one that's hosted on the VPN server, so the clients can use more user-friendly internal domain names instead of IP addresses, but I'm having some strange issues. In my server.conf, I have enabled push "dhcp-option DNS 10.8.0.1" and after connecting to the server, the correct DNS setting shows up in ipconfig /all:


Unknown adapter Local Area Connection:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9 for OpenVPN Connect
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.8.0.6(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.8.0.1  <=== This is the correct DNS address

However for some reason, most programs are still unable to resolve domain names that are hosted by my custom DNS server. The ping command fails with "could not find host ...", and Chrome also fails with ERR_NAME_NOT_RESOLVED. Some people have suggested ensuring that the network metric of the default interface is higher than OpenVPN's, but unfortunately this didn't work.

Strangely, if I try to nslookup an internal domain name, it works, even if I don't specify the DNS server address. What's even more strange is that DNS resolution seems to fully work from within a WSL (Windows Subsystem for Linux) terminal, e.g. the ping command functions as expected.

OpenVPN Connect is already deployed on all the relevant machines, and all .ovpn profiles have already been issued and installed, so it would be preferable if this problem could be solved with a server-side "push" configuration, or something similar.

Here's my minimized server.conf file with all comments stripped:
Server Config

port 52278
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "dhcp-option DNS 10.8.0.1" # <======= DNS Configuration
push "block-outside-dns" # <====== This also doesn't fix the issue
client-config-dir /etc/openvpn/ccd
client-to-client
keepalive 10 120
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
management localhost 7505

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: WSL and nslookup can use the DNS pushed by OpenVPN, but nothing else can

Post by TinCanTech » Tue Jul 26, 2022 10:38 pm

SparkyTD wrote:
Tue Jul 26, 2022 7:34 pm
Description . . . . . . . . . . . : TAP-Windows Adapter V9 for OpenVPN Connect
Which version of OpenVPN is that?

SparkyTD
OpenVpn Newbie
Posts: 7
Joined: Tue Jul 26, 2022 7:07 pm

Re: WSL and nslookup can use the DNS pushed by OpenVPN, but nothing else can

Post by SparkyTD » Tue Jul 26, 2022 11:31 pm

TinCanTech wrote:
Tue Jul 26, 2022 10:38 pm
SparkyTD wrote:
Tue Jul 26, 2022 7:34 pm
Description . . . . . . . . . . . : TAP-Windows Adapter V9 for OpenVPN Connect
Which version of OpenVPN is that?
The client is OpenVPN Connect 3.3.6.2752 (OpenVPN core 3.git::d3f8b18b win x86_64 in the logs)
I'm not quite sure where I can check the server's exact version on Ubuntu, since it's running as a service and the logs don't seem to reveal it, but it's whatever version was the latest for Ubuntu about a week ago. From my apt-cache, it appears to be 2.5.1-2~bpo10+1, but again, I'm not sure if that's the correct version.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: WSL and nslookup can use the DNS pushed by OpenVPN, but nothing else can

Post by TinCanTech » Wed Jul 27, 2022 12:47 am

The client version is what determines how the client DNS will behave.

^ moved *

SparkyTD
OpenVpn Newbie
Posts: 7
Joined: Tue Jul 26, 2022 7:07 pm

Re: WSL and nslookup can use the DNS pushed by OpenVPN, but nothing else can

Post by SparkyTD » Wed Jul 27, 2022 1:48 am

TinCanTech wrote:
Wed Jul 27, 2022 12:47 am
The client version is what determines how the client DNS will behave.
Then I assume this is a bug in OpenVPN Connect? Or is it a misconfiguration? I find it really strange that even with "block-outside-dns" my programs still fail to use the provided DNS.

Since I didn't specify in my post, I am testing this on the latest beta release of Windows 11, but I'm getting the same behavior on Windows 10.

SparkyTD
OpenVpn Newbie
Posts: 7
Joined: Tue Jul 26, 2022 7:07 pm

Re: WSL and nslookup can use the DNS pushed by OpenVPN, but nothing else can

Post by SparkyTD » Wed Jul 27, 2022 2:33 am

I posted this question on r/OpenVPN on Reddit, and u/matthew1471 helped me solve it.

I think the problem was that I wasn't using a top-level domain, but after appending ".local" to all my DNS entries and adding the following push options:

push "dhcp-option DOMAIN LAN"
push "dhcp-option DISABLE-NBT"

Everything works now as expected.
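The symptom in this thread (nslookup and WSL resolve internal names, ping and Chrome do not) is characteristic of the Windows DNS client resolver path rather than of the pushed server address: nslookup sends its query straight to the listed DNS server, while ping and browsers go through the Windows resolver, which applies the connection-specific suffix and the suffix search list to single-label names. The script below is an added troubleshooting example, not code from the thread or from the OpenVPN project. It runs on the Windows client and shows, side by side, the DNS servers and suffix on each interface, the global suffix search list, and the answer for a name via the system resolver versus a direct query to the VPN DNS. The name "intranet", the suffix "lan" and the address 10.8.0.1 are assumed values taken from or modelled on the thread; substitute your own.

```powershell
# Added diagnostic for "nslookup works but nothing else does" after an OpenVPN
# DNS push. Not part of the original thread. Run in an elevated PowerShell on
# the Windows client while the VPN is connected.
param(
    [string]$VpnDns   = '10.8.0.1',   # address pushed with "dhcp-option DNS" in the thread
    [string]$HostName = 'intranet',   # constructed single-label name hosted on the VPN DNS
    [string]$Suffix   = 'lan'         # constructed suffix; the thread pushes "dhcp-option DOMAIN LAN"
)

# 1. Per-interface view, ordered by metric: which DNS servers and which
#    connection-specific suffix each interface carries. The VPN adapter should
#    list $VpnDns and, after the DOMAIN push, a non-empty suffix.
Get-NetIPInterface -AddressFamily IPv4 |
    Sort-Object InterfaceMetric |
    ForEach-Object {
        $dns = (Get-DnsClientServerAddress -InterfaceIndex $_.ifIndex -AddressFamily IPv4).ServerAddresses
        $cli = Get-DnsClient -InterfaceIndex $_.ifIndex
        [pscustomobject]@{
            Interface  = $_.InterfaceAlias
            Metric     = $_.InterfaceMetric
            DnsServers = ($dns -join ', ')
            Suffix     = $cli.ConnectionSpecificSuffix
        }
    } | Format-Table -AutoSize

# 2. Global suffix search list: the resolver tries single-label names with
#    these suffixes appended. An empty list plus an empty connection suffix is
#    the usual reason a bare internal name fails everywhere except nslookup.
'Suffix search list: ' + ((Get-DnsClientGlobalSetting).SuffixSearchList -join ', ')

# 3. Resolve a name two ways: through the Windows resolver (what ping and
#    Chrome use) and directly against the VPN DNS with -DnsOnly (what nslookup
#    effectively does). A FAIL in the first column with an answer in the second
#    points at suffix handling, not at the pushed server address.
function Test-Name {
    param([string]$Name)
    $viaSystem = try { (Resolve-DnsName -Name $Name -Type A -ErrorAction Stop).IPAddress } catch { 'FAIL' }
    $viaVpn    = try { (Resolve-DnsName -Name $Name -Type A -Server $VpnDns -DnsOnly -ErrorAction Stop).IPAddress } catch { 'FAIL' }
    [pscustomobject]@{
        Name           = $Name
        SystemResolver = ($viaSystem -join ',')
        DirectToVpnDns = ($viaVpn -join ',')
    }
}

Test-Name $HostName              # bare single-label name, as used before the fix
Test-Name "$HostName.$Suffix"    # fully qualified name, as used after the fix
```

If the bare name fails via the system resolver but the fully qualified name succeeds both ways, the server-side fix is the one the thread arrives at: push a DOMAIN (and, since single-label names on Windows can otherwise fall back to NetBIOS, DISABLE-NBT) so the resolver qualifies the name before sending it to the VPN DNS. When choosing the suffix, bear in mind that ".local" is reserved for multicast DNS (RFC 6762), so a suffix under a domain you control avoids that overlap.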
