Push DNS not working with OpenVPN Connect Client 3.4.x

AdminHarald
OpenVpn Newbie
Posts: 2
Joined: Fri Feb 02, 2024 1:47 pm

Push DNS not working with OpenVPN Connect Client 3.4.x

Post by AdminHarald » Fri Feb 02, 2024 2:48 pm

Hi everybody,
I am running an OpenVPN server on Ubuntu. Since using OpenVPN Connect Client 3.4.x, the push DNS directive does not work. With Connect Client 3.3.x I can see my domain DNS servers configured on the TAP-NT adapter when the connection is established. When using V. 3.4.x, the DNS servers are not set and therefore address resolution to domain sources is not possible.

This user seems to have a similar problem: viewtopic.php?t=36869
But in my case I am using internal DNS servers and I am also pushing the route to those servers' subnet.

This is my server config:

port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.26.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 10.20.30.11"
push "dhcp-option DNS 10.20.30.12"
dhcp-option DOMAIN my.domain.com
dhcp-option ADAPTER_DOMAIN_SUFFIX my.domain.com
push "route 10.20.30.0 255.255.255.0"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_xxxxxxxxxxxxxxx.crt
key server_xxxxxxxxxxxxxxxxx.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf
script-security 2
log-append /var/log/openvpn/openvpn.log
username-as-common-name
reneg-sec 43400

And this is the V. 3.4.3 client log:

[Feb 1, 2024, 15:35:53] OpenVPN core 3.8.2connect3 win x86_64 64-bit OVPN-DCO built on Dec  1 2023 16:39:43
[Feb 1, 2024, 15:35:53] Frame=512/2112/512 mssfix-ctrl=1250
[Feb 1, 2024, 15:35:53] EVENT: RESOLVE
[Feb 1, 2024, 15:35:53] Contacting xxx.xxx.xx.xx:1194 via UDP
[Feb 1, 2024, 15:35:53] EVENT: WAIT
[Feb 1, 2024, 15:35:53] WinCommandAgent: transmitting bypass route to xxx.xxx.xx.xx
{
	"host" : "xxx.xxx.xx.xx",
	"ipv6" : false
}

[Feb 1, 2024, 15:35:53] Connecting to [vpn.my.domain.com]:1194 (xxx.xxx.xx.xx) via UDP
[Feb 1, 2024, 15:35:53] EVENT: CONNECTING
[Feb 1, 2024, 15:35:53] Tunnel Options:V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth [null-digest],keysize 128,key-method 2,tls-client
[Feb 1, 2024, 15:35:53] Creds: Username/Password
[Feb 1, 2024, 15:35:53] Sending Peer Info:
IV_VER=3.8.2connect3
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=990
IV_MTU=1600
IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_GUI_VER=OCWindows_3.4.3-3337
IV_SSO=webauth,crtext

[Feb 1, 2024, 15:35:53] SSL Handshake: peer certificate: CN=server_xxxxxxxxxxxxxxx, 256 bit EC, group:prime256v1, cipher: TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD

[Feb 1, 2024, 15:35:53] Session is ACTIVE
[Feb 1, 2024, 15:35:53] EVENT: GET_CONFIG
[Feb 1, 2024, 15:35:53] Sending PUSH_REQUEST to server...
[Feb 1, 2024, 15:35:54] Options continuation...
[Feb 1, 2024, 15:35:54] OPTIONS:
0 [dhcp-option] [DOMAIN-SEARCH] [my.domain.com]
1 [route] [10.20.30.0] [255.255.255.0]
2 [route] x
3 [route] x
4 [route] x
5 [route] x
6 [route] x
7 [route] x
8 [route] x
9 [route] x
10 [route] x
11 [route] x
12 [route] x
13 [route] x
14 [route] x
15 [route] x
16 [route] x
17 [route] x
18 [route] x
19 [route] x
20 [route] x
21 [route] x
22 [route] x
23 [route] x
24 [route] x
25 [route] x
26 [route] x
27 [dhcp-option] [DNS] [10.20.30.11]
28 [push-continuation] [2]
29 [dhcp-option] [DNS] [10.20.30.12]
30 [route-gateway] [10.26.10.1]
31 [topology] [subnet]
32 [ping] [10]
33 [ping-restart] [120]
34 [route] x
35 [ifconfig] [10.26.10.5] [255.255.255.0]
36 [peer-id] [1]
37 [cipher] [AES-128-GCM]
38 [push-continuation] [1]

[Feb 1, 2024, 15:35:54] PROTOCOL OPTIONS:
  cipher: AES-128-GCM
  digest: NONE
  key-derivation: OpenVPN PRF
  compress: NONE
  peer ID: 1
  control channel: tls-crypt enabled
[Feb 1, 2024, 15:35:54] EVENT: ASSIGN_IP
[Feb 1, 2024, 15:35:54] CAPTURED OPTIONS:
Session Name: vpn.my.domain.com
Layer: OSI_LAYER_3
Remote Address: xxx.xxx.xx.xx
Tunnel Addresses:
  10.26.10.5/24 -> 10.26.10.1
Reroute Gateway: IPv4=0 IPv6=0 flags=[ IPv4 ]
Block IPv4: no
Block IPv6: no
Add Routes:
  10.20.30.0/24
  x
  x
  x
Exclude Routes:
DNS Servers:
  10.20.30.11
  10.20.30.12
Search Domains:
  my.domain.com

[Feb 1, 2024, 15:35:54] SetupClient: transmitting tun setup list to \\.\pipe\agent_ovpnconnect
{
	"allow_local_dns_resolvers" : false,
	"confirm_event" : "1c0e000000000000",
	"destroy_event" : "3c0e000000000000",
	"tun" : 
	{
		"adapter_domain_suffix" : "",
		"add_routes" : 
		[
			{
				"address" : "10.20.30.0",
				"gateway" : "",
				"ipv6" : false,
				"metric" : -1,
				"net30" : false,
				"prefix_length" : 24
			},
	x
	x
	x
		],
		"block_ipv6" : false,
		"dns_servers" : 
		[
			{
				"address" : "10.20.30.11",
				"ipv6" : false
			},
			{
				"address" : "10.20.30.12",
				"ipv6" : false
			}
		],
		"layer" : 3,
		"mtu" : 0,
		"remote_address" : 
		{
			"address" : "xxx.xxx.xx.xx",
			"ipv6" : false
		},
		"reroute_gw" : 
		{
			"flags" : 256,
			"ipv4" : false,
			"ipv6" : false
		},
		"route_metric_default" : -1,
		"search_domains" : 
		[
			{
				"domain" : "my.domain.com"
			}
		],
		"session_name" : "vpn.my.domain.com",
		"tunnel_address_index_ipv4" : 0,
		"tunnel_address_index_ipv6" : -1,
		"tunnel_addresses" : 
		[
			{
				"address" : "10.26.10.5",
				"gateway" : "10.26.10.1",
				"ipv6" : false,
				"metric" : -1,
				"net30" : false,
				"prefix_length" : 24
			}
		]
	},
	"tun_type" : 0
}
POST np://[\\.\pipe\agent_ovpnconnect]/tun-setup : 200 OK
TAP ADAPTERS:
guid='{xxxx}' index=36 name='LAN-Verbindung 2'
Open TAP device "LAN-Verbindung 2" PATH="\\.\Global\{xxxx}.tap" SUCCEEDED
TAP-Windows Driver Version 9.26
ActionDeleteAllRoutesOnInterface iface_index=36
netsh interface ip set interface 36 metric=9000
OK.
netsh interface ip set address 36 static 10.26.10.5 255.255.255.0 gateway=10.26.10.1 store=active
IPHelper: add route 10.20.30.0/24 36 10.26.10.1 metric=-1
x
x
x
NRPT::ActionCreate names=[.my.domain.com] dns_servers=[10.20.30.11,10.20.30.12]
ipconfig /flushdns
Windows-IP-Konfiguration
Der DNS-Auflösungscache wurde geleert.
TAP: ARP flush succeeded
TAP handle: 600d000000000000
[Feb 1, 2024, 15:35:54] Connected via TUN_WIN
[Feb 1, 2024, 15:35:54] EVENT: CONNECTED user1@vpn.my.domain.com:1194 (xxx.xxx.xx.xx) via /UDP on TUN_WIN/10.26.10.5/ gw=[10.26.10.1/] mtu=(default)

I would be grateful for any help.
Regards, Harald

fernando.sanz@sanzconsultoria.com.br
OpenVpn Newbie
Posts: 2
Joined: Wed Feb 07, 2024 7:05 pm

Re: Push DNS not working with OpenVPN Connect Client 3.4.x

Post by fernando.sanz@sanzconsultoria.com.br » Wed Feb 07, 2024 7:17 pm

We had similar problems when we updated the client to version 3.4.x; even version 3.3.7 worked without problems. We used SoftEther VPN 4.42 Build 9798 RTM as a server, and we identified that the client only resolved names from the domain that was registered in the SecureNAT DHCP settings through the internal DNS. We resolved the problem by leaving the domain name field blank in the SecureNAT DHCP settings on the server. After that, the client returned to resolving all domains using the internal DNS.

Best Regards,

Fernando Sanz

arest
OpenVpn Newbie
Posts: 1
Joined: Tue Feb 13, 2024 8:50 am

Re: Push DNS not working with OpenVPN Connect Client 3.4.x

Post by arest » Tue Feb 20, 2024 7:55 am

We had similar problems when using client version 3.4.x;
it can't resolve DNS.

ozy
OpenVpn Newbie
Posts: 1
Joined: Fri Apr 05, 2024 12:26 pm

Re: Push DNS not working with OpenVPN Connect Client 3.4.x

Post by ozy » Fri Apr 05, 2024 12:27 pm

To whom it might concern.
Got exactly the same problem with OpenVPN 3.4.2 win client and Opensense 24.1.

Once I removed the default domain, dns servers were pushed correctly (verified via ipconfig /all).

AdminHarald
OpenVpn Newbie
Posts: 2
Joined: Fri Feb 02, 2024 1:47 pm

Re: Push DNS not working with OpenVPN Connect Client 3.4.x

Post by AdminHarald » Thu Apr 18, 2024 9:44 am

Thanks for your help!
I can confirm: After removing the following "DOMAIN" entries in server.conf all works as expected with the new client versions:

dhcp-option DOMAIN my.domain.com
dhcp-option ADAPTER_DOMAIN_SUFFIX my.domain.com
push "dhcp-option DOMAIN-SEARCH my.domain.com"


Best Regards,
Harald
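
The log pattern behind this fix, as an added example that is not part of any post in this thread: the script reads a Connect client log, collects the pushed `dhcp-option` entries and the `NRPT::ActionCreate` line, and reports whether the pushed DNS servers ended up bound to a domain suffix only. The sample log is constructed from the lines quoted above; `analyze`, `covered` and the verdict labels are hypothetical names, and the suffix matching in `covered` is an assumption about how the rule is applied.

```python
import re

# Constructed sample in the shape of the 3.4.3 client log quoted in this thread.
SAMPLE_LOG = """\
\u23ce[Feb 1, 2024, 15:35:54] OPTIONS:
0 [dhcp-option] [DOMAIN-SEARCH] [my.domain.com]
1 [route] [10.20.30.0] [255.255.255.0]
27 [dhcp-option] [DNS] [10.20.30.11]
28 [push-continuation] [2]
29 [dhcp-option] [DNS] [10.20.30.12]
NRPT::ActionCreate names=[.my.domain.com] dns_servers=[10.20.30.11,10.20.30.12]
"""

OPTION_RE = re.compile(r"^\d+ \[dhcp-option\] \[([A-Z_-]+)\] \[([^\]]+)\]")
NRPT_RE = re.compile(r"NRPT::ActionCreate names=\[([^\]]*)\]")
DOMAIN_KEYS = {"DOMAIN", "DOMAIN-SEARCH", "ADAPTER_DOMAIN_SUFFIX"}

def analyze(log_text):
    """Collect pushed DNS options and the NRPT rule the client reports creating."""
    dns, domains, nrpt_names = [], [], []
    for raw in log_text.splitlines():
        line = raw.lstrip("\u23ce ").rstrip()  # tolerate the return-symbol copy artefact
        opt = OPTION_RE.match(line)
        if opt and opt.group(1) == "DNS":
            dns.append(opt.group(2))
        elif opt and opt.group(1) in DOMAIN_KEYS:
            domains.append(opt.group(2))
        nrpt = NRPT_RE.search(line)
        if nrpt:
            nrpt_names = [n for n in nrpt.group(1).split(",") if n]
    if not dns:
        verdict = "no-dns-pushed"
    elif nrpt_names:
        verdict = "split-dns"       # pushed servers bound to the listed suffixes only
    elif domains:
        verdict = "domain-pushed"   # the combination this thread reports as failing
    else:
        verdict = "dns-only"
    return {"pushed_dns": dns, "pushed_domains": domains,
            "nrpt_names": nrpt_names, "verdict": verdict}

def covered(hostname, nrpt_names):
    """Assumption: a rule name such as '.my.domain.com' is a plain suffix match."""
    host = "." + hostname.lower().rstrip(".")
    return any(host.endswith(name.lower()) for name in nrpt_names)

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A `split-dns` verdict means a name outside the listed suffix is not sent to the pushed servers by that rule, which matches the behaviour reported above once a domain is pushed alongside the DNS servers.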

trixter
OpenVpn Newbie
Posts: 5
Joined: Thu Aug 29, 2024 9:51 am

Re: Push DNS not working with OpenVPN Connect Client 3.4.x

Post by trixter » Thu Aug 29, 2024 10:05 am

Same issue here:

DNS was sent to client, but client did not modify windows-dns entry:

client-Log:
[Aug 28, 2024, 14:22:25] Session is ACTIVE
[Aug 28, 2024, 14:22:25] EVENT: GET_CONFIG
[Aug 28, 2024, 14:22:25] Sending PUSH_REQUEST to server...
[Aug 28, 2024, 14:22:26] Sending PUSH_REQUEST to server...
[Aug 28, 2024, 14:22:26] OPTIONS:
0 [register-dns]
1 [dhcp-option] [DOMAIN] [vpn.xxx.de]
2 [dhcp-option] [DNS] [10.100.100.220]
3 [dhcp-option] [NTP] [10.100.100.224]
4 [register-dns]
5 [route] [10.0.0.0] [255.0.0.0]
6 [route] [19x.x.x.x [255.255.255.255]
7 [route-gateway] [192.168.200.1]
8 [topology] [subnet]
9 [ping] [60]
10 [ping-restart] [300]
11 [ifconfig] [192.168.200.2] [255.255.255.0]
12 [peer-id] [1]
13 [auth-token] ...
14 [cipher] [AES-256-GCM]
15 [protocol-flags] [cc-exit] [tls-ekm] [dyn-tls-crypt]
16 [tun-mtu] [1500]

Windows-entry :

Unbekannter Adapter LAN-Verbindung:

Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : TAP-Windows Adapter V9 for OpenVPN Connect
Physische Adresse . . . . . . . . : xxxxxxxxxxxxx
DHCP aktiviert. . . . . . . . . . : Nein
Autokonfiguration aktiviert . . . : Ja
IPv4-Adresse . . . . . . . . . . : 192.168.200.2(Bevorzugt)
Subnetzmaske . . . . . . . . . . : 255.255.255.0
Standardgateway . . . . . . . . . :
NetBIOS über TCP/IP . . . . . . . : Aktiviert

No DNS-Server entry to be found


Sorry, but I'm not a native English speaker ;)

trixter
OpenVpn Newbie
Posts: 5
Joined: Thu Aug 29, 2024 9:51 am

Re: Push DNS not working with OpenVPN Connect Client 3.4.x

Post by trixter » Thu Aug 29, 2024 10:12 am

ozy wrote:
Fri Apr 05, 2024 12:27 pm
To whom it might concern.
Got exactly the same problem with OpenVPN 3.4.2 win client and Opensense 24.1.

Once I removed the default domain, dns servers were pushed correctly (verified via ipconfig /all).

I'm using OpnSense 24.7.2 with Client 3.4.4 (last version today)

If you leave "DNS Default Domain" blank, DNS gets modified correctly !!

trixter
OpenVpn Newbie
Posts: 5
Joined: Thu Aug 29, 2024 9:51 am

Re: Push DNS not working with OpenVPN Connect Client 3.4.x

Post by trixter » Sat Oct 12, 2024 11:06 am

Looks like the Problem is back.

Updated OpnSense to 24.7.6 and client to OpenVPN Connect 3.5.0 (3818) on Win 11.

nslookup resolves properly with the pushed server in the OpenVPN, but ping is not able to resolve dns-names ..
I'm totally confused how this could happen.

trixter
OpenVpn Newbie
Posts: 5
Joined: Thu Aug 29, 2024 9:51 am

Re: Push DNS not working with OpenVPN Connect Client 3.4.x

Post by trixter » Mon Oct 14, 2024 7:35 am

Got back to the Lab and confirmed OpenVPN Connect Client 3.5.0 is a mess !!!

Client 3.5.0 does not insert DNS from OpenVPN-Server properly !!
Symptoms are like I mentioned before : nslookup works fine, other services like ping or browser are not able to resolve DNS-Names to IPs.

Solution:
Downgraded to 3.4.4 (3412) and it works like intended.

Sorry to say that the new one is buggy, but it looks better with the former one.

trixter
OpenVpn Newbie
Posts: 5
Joined: Thu Aug 29, 2024 9:51 am

Push DNS not working with OpenVPN Connect Client 3.5.0

Post by trixter » Mon Oct 14, 2024 7:38 am

Got back to the Lab and confirmed OpenVPN Connect Client 3.5.0 is a mess !!!

Client 3.5.0 does not insert DNS from OpenVPN-Server properly !!
Symptoms are like I mentioned before : nslookup works fine, other services like ping or browser are not able to resolve DNS-Names to IPs.

Solution:
Downgraded to 3.4.4 (3412) and it works like intended.

Sorry to say that the new one is buggy, but it looks better with the former one.