Configuration issue

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
kiteplans
OpenVpn Newbie
Posts: 10
Joined: Wed May 04, 2011 7:21 am

Configuration issue

Post by kiteplans » Wed May 04, 2011 7:34 am

Hi,

I have spent endless hours on OpenVPN config.

I was running my server on a Virtualized OpenVZ server, and after many many hours got it working.

I have however now moved my server over to a non Virtualized server but can't seem to get it to work.

My Goal is to tunnel ALL traffic through the VPN - internet browsing and name resolution so that I will be able to browse all blocked sites.

server.conf

Code: Select all

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

Firewall rules:

Code: Select all

$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 1194 -m limit --limit 1/s --limit-burst 10 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 1194 -j ACCEPT
$IPTABLES -A INPUT -i tun+ -j ACCEPT
$IPTABLES -A FORWARD -i tun+ -j ACCEPT
$IPTABLES -A OUTPUT -o tun+ -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Named Config:

Code: Select all

options {
    directory "/var/named";
    pid-file "/var/run/named/named.pid";
    allow-recursion {
                     localnets;
                     127.0.0.1;
                     10.8.0.0/24;
                    };
    listen-on { 10.8.0.1;
                127.0.0.1;
              };

    };

zone "." {
    type hint;
    file "/etc/db.cache";
    };

zone "**My Domain**" {
	type master;
	file "data/**My Domain**.hosts";
	allow-transfer {
		127.0.0.1;
		localnets;
                **MY-IP**;
		};
        also-notify {
		**MY-IP**;
		};
		};

zone "6**MY-IP**.in-addr.arpa" {
	type master;
	file "data/**MY-IP**.rev";
	};

What am I doing wrong?

I am able to connect and browse through the connection - my name resolution of sites is not done by my DNS however.

Thanks in advance

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Configuration issue

Post by janjust » Wed May 04, 2011 7:57 am

what is your client OS?
what happens if you type (on the client)

Code: Select all

nslookup www.google.com 10.8.0.1

?

If your client OS is Windows, try adding

Code: Select all

register-dns

to ensure that Windows picks up the new DNS server.

If your client OS is not Windows, ensure that your openvpn client picks up and processes the DNS setting (e.g. on Linux use update-resolv-conf)

Post by kiteplans » Wed May 04, 2011 8:07 am

nslookup www.google.com 10.8.0.1

Code: Select all

C:\Documents and Settings\Administrator>nslookup www.google.com 10.8.0.1
*** Can't find server name for address 10.8.0.1: No response from server
Server:  UnKnown
Address:  10.8.0.1

*** UnKnown can't find www.google.com: No response from server

Add register-dns where?

Post by janjust » Wed May 04, 2011 8:21 am

> *** Can't find server name for address 10.8.0.1: No response from server

this means your remote DNS server is not responding; rerun the command on the VPN server itself after the tunnel is up. Is named started and listening on port 53?

> Add register-dns where?

this would be a client configuration file option, e.g. at the bottom of the .ovpn file; but first the 'nslookup' must work.

Post by kiteplans » Wed May 04, 2011 8:32 am

yes Bind is on and listening on port 53.

From the VPN:

Code: Select all

[root@**] nslookup www.google.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
www.google.com  canonical name = www.l.google.com.
Name:   www.l.google.com
Address: 74.125.224.48
Name:   www.l.google.com
Address: 74.125.224.49
Name:   www.l.google.com
Address: 74.125.224.50
Name:   www.l.google.com
Address: 74.125.224.51
Name:   www.l.google.com
Address: 74.125.224.52

Code: Select all

 [root@**] nslookup www.google.com 10.8.0.1
;; connection timed out; no servers could be reached

Post by kiteplans » Wed May 04, 2011 8:37 am

after removing

Code: Select all

    listen-on { 10.8.0.1;
                127.0.0.1;
              };

from bind config:

On VPN Server:

Code: Select all

nslookup www.google.com 10.8.0.1
Server:         10.8.0.1
Address:        10.8.0.1#53

Non-authoritative answer:
www.google.com  canonical name = www.l.google.com.
Name:   www.l.google.com
Address: 74.125.224.49
Name:   www.l.google.com
Address: 74.125.224.50
Name:   www.l.google.com
Address: 74.125.224.51
Name:   www.l.google.com
Address: 74.125.224.52
Name:   www.l.google.com
Address: 74.125.224.48

On Client:

Code: Select all



C:\Documents and Settings\Administrator>nslookup www.google.com 10.8.0.1
*** Can't find server name for address 10.8.0.1: Non-existent domain
Server:  UnKnown
Address:  10.8.0.1

Non-authoritative answer:
Name:    www.l.google.com
Addresses:  74.125.224.48, 74.125.224.49, 74.125.224.50, 74.125.224.51
          74.125.224.52
Aliases:  www.google.com


Post by kiteplans » Wed May 04, 2011 8:40 am

Could it be a bind folder permissions problem - I seem to remember having to change the permissions of the named folder on my old server but I am not sure

Post by janjust » Wed May 04, 2011 8:45 am

So with "after removing ..." it is now working; now try adding the 'register-dns' option on the client, reconnect the client and check whether your DNS queries are also routed via the VPN.

Post by kiteplans » Wed May 04, 2011 8:58 am

no - still same result - I can browse and everything through the VPN connection (Posting here now through it).

But as soon as I try to browse blocked sites it does not work. (Name resolution not working)

Post by janjust » Wed May 04, 2011 8:59 am

please post the (sanitized) output of

Code: Select all

ipconfig /all

after connecting; the ipv6/teredo interfaces are not interesting.

Post by kiteplans » Wed May 04, 2011 9:05 am

Think this is all you need:

Code: Select all

ipconfig /all

Ethernet adapter 无线网络连接 5:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : RT73 USB Wireless LAN Card #4
        Physical Address. . . . . . . . . : 00-25-86-AA-4F-24
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.103
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1


Ethernet adapter 本地连接 9:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : TAP-Win32 Adapter V9
        Physical Address. . . . . . . . . : 00-FF-5F-EB-BA-90
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.8.0.6
        Subnet Mask . . . . . . . . . . . : 255.255.255.252
        Default Gateway . . . . . . . . . : 10.8.0.5
        DHCP Server . . . . . . . . . . . : 10.8.0.5
        DNS Servers . . . . . . . . . . . : 10.8.0.1
        

Post by janjust » Wed May 04, 2011 9:41 am

yep; it shows that the VPN-supplied DNS server is picked up by the client but for some reason it is not used as the default DNS server. What happens if you run

Code: Select all

  net stop dnscache
  net start dnscache

and then run

Code: Select all

nslookup www.google.com

?

Post by kiteplans » Wed May 04, 2011 9:45 am

After:

Code: Select all

net stop dnscache
net start dnscache

Code: Select all

C:\Documents and Settings\Administrator>nslookup www.google.com
Server:  bogon
Address:  192.168.1.1

Non-authoritative answer:
Name:    www-g-com-chn.l.google.com
Addresses:  74.125.71.104, 74.125.71.99
Aliases:  www.google.com
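
The comparison made in the posts above (DNS server assigned to the TAP adapter versus the resolver `nslookup` actually queried), as an added example that is not part of the original thread. The adapter names and sample text are constructed from the posted output, and the check assumes the VPN DNS server lies inside the tunnel subnet 10.8.0.0/24.

```python
import ipaddress
import re
# Tunnel subnet from the posted server.conf; assumes the pushed DNS lies inside it.
VPN_NET = ipaddress.ip_network("10.8.0.0/24")
# Constructed samples, trimmed from the outputs posted in this thread.
IPCONFIG = """\
Ethernet adapter Wireless 5:
        DNS Servers . . . . . . . . . . . : 192.168.1.1

Ethernet adapter Local 9:
        DNS Servers . . . . . . . . . . . : 10.8.0.1
"""
NSLOOKUP = "Server:  bogon\nAddress:  192.168.1.1\n\nNon-authoritative answer:\n"
def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def adapter_dns(text):
    """Map each adapter in `ipconfig /all` output to its DNS server list."""
    adapters, name, in_dns = {}, None, False
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            name = line.rstrip()[:-1]
            adapters[name], in_dns = [], False
        elif name is not None:
            if "DNS Servers" in line:
                value, in_dns = line.split(":", 1)[1].strip(), True
            else:
                value = line.strip()  # extra servers continue on bare lines
            in_dns = in_dns and _is_ip(value)
            if in_dns:
                adapters[name].append(value)
    return adapters

def answering_server(text):
    """Resolver nslookup actually queried: the first 'Address:' line."""
    m = re.search(r"^Address:\s*([0-9A-Fa-f:.]+?)(?:#\d+)?\s*$", text, re.M)
    return m.group(1) if m else None

def dns_leak(ipconfig_text, nslookup_text, vpn_net=VPN_NET):
    inside = lambda addr: ipaddress.ip_address(addr) in vpn_net
    pushed = [d for dns in adapter_dns(ipconfig_text).values() for d in dns if inside(d)]
    used = answering_server(nslookup_text)
    return {"pushed_vpn_dns": pushed, "resolver_used": used,
            "leak": used is not None and not inside(used)}

print(dns_leak(IPCONFIG, NSLOOKUP))
```

A result with `leak` set to true while `pushed_vpn_dns` is non-empty matches the state shown in this thread: the client received the VPN DNS server but still resolves through the LAN resolver.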

Post by kiteplans » Wed May 04, 2011 10:17 am

well - I am thinking it's a DNS issue.

I turned off everything and turned on the VPN client.

Then issued the Iptable rules.

I could then connect to the internet via the VPN - but still not blocked sites.

Then started up the DNS and tried again - still no luck

Really hope someone can help me - this is the second time I have spent days on getting OpenVPN to work!

Post by janjust » Wed May 04, 2011 1:11 pm

try doing

Code: Select all

push "dhcp-option DNS 8.8.8.8"

instead and see if it picks up *that* DNS server (yes 8.8.8.8 is a valid DNS server). If so, then you know it's your DNS server; if not, then it's something funny on your Windows client.

Post by kiteplans » Sat May 07, 2011 6:40 am

I tried but it still does not work.

I am also sure that it is nothing with my windows client. I can use the exact same settings on a different server and it connects and works fine. Does nameserver resolution via the DNS on the server.

But this server just won't work.
