DNS Issues

Official client software for OpenVPN Access Server and OpenVPN Cloud.
MadDawg
OpenVpn Newbie
Posts: 3
Joined: Sun Jun 07, 2015 9:08 am

DNS Issues

Post by MadDawg » Sun Jun 07, 2015 10:12 am

Hello,

When I connect my phone to my VPN with my LAN's DNS server pushed, I am unable to resolve anything on the Internet, but I can resolve everything in my LAN. When I push Google's servers, I am able to browse the Internet, but I naturally cannot resolve anything on the LAN. Pushing both servers results in consistent Internet access, but flaky LAN access. Everything is accessible via IP address no matter which servers I push. I am certain that the LAN's DNS server is working due to the fact that every device on the LAN that uses it can connect to everything with no issues. However, in case I am missing something, I'll post the nslookup output along with the configs:

Windows:

>nslookup google.com 8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    google.com
Addresses:  2607:f8b0:4000:80b::200e
	  216.58.218.206

>nslookup google.com 208.67.222.222
Server:  resolver1.opendns.com
Address:  208.67.222.222

Non-authoritative answer:
Name:    google.com
Addresses:  2607:f8b0:4000:805::100e
	  74.125.227.195
	  74.125.227.197
	  74.125.227.201
	  74.125.227.200
	  74.125.227.194
	  74.125.227.196
	  74.125.227.206
	  74.125.227.199
	  74.125.227.192
	  74.125.227.193
	  74.125.227.198

>nslookup google.com 192.168.1.7
Server:  ns.maddawg.lan
Address:  192.168.1.7

Non-authoritative answer:
Name:    google.com
Addresses:  2607:f8b0:4000:80b::200e
	  216.58.218.206

Linux:

$nslookup google.com 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   google.com
Address: 173.194.115.67
Name:   google.com
Address: 173.194.115.71
Name:   google.com
Address: 173.194.115.64
Name:   google.com
Address: 173.194.115.73
Name:   google.com
Address: 173.194.115.72
Name:   google.com
Address: 173.194.115.66
Name:   google.com
Address: 173.194.115.69
Name:   google.com
Address: 173.194.115.78
Name:   google.com
Address: 173.194.115.70

$nslookup google.com 208.67.222.222
Server:         208.67.222.222
Address:        208.67.222.222#53

Non-authoritative answer:
Name:   google.com
Address: 74.125.227.200
Name:   google.com
Address: 74.125.227.199
Name:   google.com
Address: 74.125.227.198
Name:   google.com
Address: 74.125.227.193
Name:   google.com
Address: 74.125.227.196
Name:   google.com
Address: 74.125.227.201
Name:   google.com
Address: 74.125.227.194
Name:   google.com
Address: 74.125.227.206
Name:   google.com
Address: 74.125.227.197

$nslookup google.com 192.168.1.7
Server:         192.168.1.7
Address:        192.168.1.7#53

Non-authoritative answer:
Name:   google.com
Address: 216.58.218.206

Server config:

port 1194
proto tcp
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DOMAIN maddawg.lan"
push "dhcp-option DNS 192.168.1.7"
user nobody
group nogroup
dev tun

ca              /etc/openvpn/easy-rsa/keys/ca.crt
cert    /etc/openvpn/easy-rsa/keys/server.crt
key             /etc/openvpn/easy-rsa/keys/server.key
dh              /etc/openvpn/easy-rsa/keys/dh1024.pem

server 172.29.3.0 255.255.255.0

ifconfig-pool-persist ipp.txt

keepalive 10 120

comp-lzo
persist-key
persist-tun

status log/openvpn-status.log
log-append /var/log/openvpn.log

verb 4

Client config:

client
dev tun
proto tcp
remote *snip* 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
comp-lzo
verb 4
set CLIENT_CERT 0
<ca>
*snip*
</ca>
<cert>
*snip*
</cert>
<key>
*snip*
</key>

I suppose I should mention that the DNS server and the OpenVPN server are running on the same physical machine (no VMs or anything fancy like that). Also, this issue appeared only recently; I did not have any issues with this setup before, nor did I make any changes to the setup.
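A small helper, added here and not part of the thread, for doing the comparison above systematically rather than by eye: it parses both nslookup output styles shown in the post (the Windows "Addresses:" form with indented continuation lines and the Linux "Name:/Address:" pairs), also recognises the error lines nslookup prints when a resolver refuses or times out, and then groups results per resolver so it is obvious which pushed server answers LAN names, which answers Internet names, and with what error it fails. The two successful samples are copied from the post; the REFUSED and authoritative-LAN samples, the `maddawg.lan` domain argument and the hint wording are constructed for the example and are not a diagnosis of this thread. To be meaningful the nslookup runs have to be captured on the VPN client while the tunnel is up, so the queries reach the resolver with a tunnel source address.

```python
import re
from dataclasses import dataclass, field

# Sample outputs. The first two are the Windows and Linux runs from the post above;
# the last two are constructed to show an authoritative-only answer and a refusal.
WIN_GOOGLE_8888 = """>nslookup google.com 8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    google.com
Addresses:  2607:f8b0:4000:80b::200e
\t  216.58.218.206
"""
LINUX_GOOGLE_LAN = """$nslookup google.com 192.168.1.7
Server:         192.168.1.7
Address:        192.168.1.7#53

Non-authoritative answer:
Name:   google.com
Address: 216.58.218.206
"""
LINUX_LANNAME_OK = """Server:         192.168.1.7
Address:        192.168.1.7#53

Name:   ns.maddawg.lan
Address: 192.168.1.7
"""
LINUX_GOOGLE_REFUSED = """Server:         192.168.1.7
Address:        192.168.1.7#53

** server can't find google.com: REFUSED
"""


@dataclass
class LookupResult:
    server: str                       # resolver that was asked
    name: str                         # name that was queried
    addresses: list = field(default_factory=list)
    error: str = ""                   # e.g. "REFUSED", "NXDOMAIN", "timed out"

    @property
    def ok(self) -> bool:
        return bool(self.addresses) and not self.error


_ADDR_LINE = re.compile(r"^(?:Address(?:es)?:)?\s*([0-9a-fA-F:.]+)$")
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_nslookup(text: str, name: str) -> LookupResult:
    """Parse one nslookup run (Windows or Linux format) into a LookupResult.

    The first 'Server:'/'Address:' pair names the resolver; everything after the
    first blank line that follows it is the answer section (or an error line)."""
    res = LookupResult(server="", name=name)
    in_answer = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_answer = bool(res.server)      # header is over once we know the resolver
            continue
        if line.startswith("Server:"):
            res.server = line.split(":", 1)[1].strip()
            continue
        if "can't find" in line:             # both formats end the line with the reason
            res.error = line.rsplit(":", 1)[1].strip()
            continue
        if "timed out" in line or "timed-out" in line:
            res.error = "timed out"
            continue
        if not in_answer or line.startswith("Non-authoritative answer:"):
            continue
        m = _ADDR_LINE.match(line)
        if m and (":" in m.group(1) or _IPV4.match(m.group(1))):
            res.addresses.append(m.group(1))
    return res


def classify(results):
    """Group results per resolver: names it answered, names it failed and why."""
    report = {}
    for r in results:
        entry = report.setdefault(r.server, {"ok": [], "failed": {}})
        if r.ok:
            entry["ok"].append(r.name)
        else:
            entry["failed"][r.name] = r.error or "no answer"
    return report


def diagnose(report, lan_domain="maddawg.lan"):
    """Turn the grouped report into hints. The hint texts are generic checks, not
    a verdict on any particular setup."""
    hints = []
    for server, entry in report.items():
        lan_ok = [n for n in entry["ok"] if n.endswith(lan_domain)]
        inet_failed = {n: e for n, e in entry["failed"].items() if not n.endswith(lan_domain)}
        if lan_ok and inet_failed:
            why = ", ".join(f"{n} -> {e}" for n, e in inet_failed.items())
            hints.append(f"{server}: answers {lan_domain} but not Internet names ({why}); "
                         "check that it allows recursive queries from the VPN client subnet")
        elif not entry["ok"]:
            hints.append(f"{server}: no answers at all; check reachability through the tunnel")
    return hints


if __name__ == "__main__":
    runs = [parse_nslookup(WIN_GOOGLE_8888, "google.com"),
            parse_nslookup(LINUX_GOOGLE_LAN, "google.com"),
            parse_nslookup(LINUX_LANNAME_OK, "ns.maddawg.lan"),
            parse_nslookup(LINUX_GOOGLE_REFUSED, "google.com")]
    for hint in diagnose(classify(runs)):
        print(hint)
```

Feeding it the four samples reports nothing for 8.8.8.8 and, because the constructed REFUSED run and the authoritative-only run both came from 192.168.1.7, one hint for that resolver pointing at its recursion policy for the tunnel subnet. A resolver that is authoritative for the LAN zone will happily answer those names even while refusing recursion, which is exactly the "LAN works, Internet doesn't" pattern that is easy to misread as a routing problem.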

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: DNS Issues

Post by Traffic » Fri Jun 12, 2015 10:59 am

Something you need to check:
  • NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.

MadDawg
OpenVpn Newbie
Posts: 3
Joined: Sun Jun 07, 2015 9:08 am

Re: DNS Issues

Post by MadDawg » Fri Jun 12, 2015 1:56 pm

I'm running my tests from the phone's data connection, which gives an IP address in the 10.0.0.0/8 block.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: DNS Issues

Post by Traffic » Thu Jun 18, 2015 4:15 pm

Something you can try:

Server config:

push "dhcp-option DOMAIN maddawg.lan" ## Remove this for testing
push "dhcp-option DNS 192.168.1.7"    ## I presume this is your server LAN DNS server ?
user nobody                           ## Remove this for testing
group nogroup                         ## Remove this for testing
log-append /var/log/openvpn.log       ## change this to: log /var/log/openvpn.log

MadDawg
OpenVpn Newbie
Posts: 3
Joined: Sun Jun 07, 2015 9:08 am

Re: DNS Issues

Post by MadDawg » Thu Jul 02, 2015 11:20 am

Sorry for the terribly late reply. I've edited the config file with the changes you've suggested, but I still get the same results. Here's the log: http://pastebin.com/qpYXanYc

I did follow some ancient instructions (https://www.void.gr/kargig/blog/2008/05 ... -solution/) to get rid of this:

MULTI: bad source address from client [10.x.x.x], packet dropped

However, I got the same results as before, so I removed it.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: DNS Issues

Post by Traffic » Sat Aug 22, 2015 12:42 pm

You must implement this:
HOWTO: Expanding the scope of the VPN to include additional machines

Setting up the server this way will enable your client to reach 192.168.1.7
This will also resolve this:
MadDawg wrote:
    MULTI: bad source address from client [10.x.x.x], packet dropped
