VPN connection successful--DNS not working
-
- OpenVPN Power User
- Posts: 50
- Joined: Sat Jan 24, 2015 3:26 am
VPN connection successful--DNS not working
Although I have had issues with connections not happening (log showing TLS errors), this morning I had the Tab4 tablet out at a place with wifi, and the OpenVPN Connect seemed at first to work perfectly--quick connection after putting in the password.
This is connecting to an OpenVPN server running in an ASUS RT-AC66R using ASUS-wrt-MERLIN firmware 376-49_5.
However, when I tried opening some web pages, none would populate..."unavailable." When I tried with a different browser (Chrome or Opera Mini, don't recall which), the page that displayed stated clearly that DNS did not resolve.
So the question is, what do I need to do to get DNS to work through the tunnel (send DNS requests to the server and out to nameserver from there, not resolved out the net the tablet is currently connected to locally)?
- Traffic
- OpenVPN Protagonist
- Posts: 4066
- Joined: Sat Aug 09, 2014 11:24 am
Re: VPN connection successful--DNS not working
Does DNS normally work ?
-
- OpenVPN Power User
- Posts: 50
- Joined: Sat Jan 24, 2015 3:26 am
Re: VPN connection successful--DNS not working
Traffic wrote: Does DNS normally work ?
Not sure what you mean. This is initial beginning with the VPN so I have no history of DNS working through the VPN in the past.
If you mean 'without the VPN being 'on,' then yes, it works fine connected to the "coffee house" public wifi (or anybody else's), and connected to home wifi.
-
- OpenVPN Power User
- Posts: 50
- Joined: Sat Jan 24, 2015 3:26 am
Re: VPN connection successful--DNS not working
Traffic wrote: Does DNS normally work ?
(I thought I posted an answer, but do not see it. ????)
This will be shorter than the other one I typed
Not sure what you mean.
No history of it working with VPN 'on' as this was first time.
But if you mean--with VPN 'off'--DNS (access to web pages) works fine on public wifi's and at home. So DNS normally DOES work.
- Traffic
- OpenVPN Protagonist
- Posts: 4066
- Joined: Sat Aug 09, 2014 11:24 am
Re: VPN connection successful--DNS not working
jcarerra wrote: (I thought I posted an answer, but do not see it. ????)
Posts by new users, such as yourself, have to wait to be moderated .. thanks to the spam-monkeys.
jcarerra wrote: I have no history of DNS working through the VPN in the past
OK. So this is your first time setting up OpenVPN ?
Some common errors for DNS resolution by new users would be:
- Pushing DNS server IPs to the client which are not actually DNS servers
- Not enabling NAT on the server
- Incorrectly configured firewall on the server
- Many other possibilities ..
-
- OpenVPN Power User
- Posts: 50
- Joined: Sat Jan 24, 2015 3:26 am
Re: VPN connection successful--DNS not working
Traffic wrote:
OK. So this is your first time setting up OpenVPN ?
Some common errors for DNS resolution by new users would be:
- Pushing DNS server IPs to the client which are not actually DNS servers
- Not enabling NAT on the server
- Incorrectly configured firewall on the server
- Many other possibilities ..
Other than that we have no information on your setup .. so please post your server and client config

Yes, first time with VPN.
The OpenVPN server is in my ASUS RT-AC66R router that is flashed with ASUS-wrt MERLIN firmware. The client config is created by selecting options in the "OpenVPN Servers" tab of the interface, exported from there, and then moved into the client devices.
(I have an image of the selections screen, but don't see a control to put it here)
I have not detected any way to edit the server config file.
Here is the ovpn client file.
Code:
client
dev tun
proto udp
remote (address and porthere)
float
comp-lzo adaptive
keepalive 15 60
auth-user-pass
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
//snipped//
-----END CERTIFICATE-----
</ca>
resolv-retry infinite
nobind
- Traffic
- OpenVPN Protagonist
- Posts: 4066
- Joined: Sat Aug 09, 2014 11:24 am
Re: VPN connection successful--DNS not working
jcarerra wrote: I have not detected any way to edit the server config file.
Perhaps you can telnet/ssh into the router for a console and search for some server config.
As this is your first time using OpenVPN, I strongly advise you take a little time to browse the HOWTO:
HOWTO: For OpenVPN Community Edition
It may not provide you with immediate solutions but it will help you get your head around some of the options
and how to use them.
If you suspect DNS issues try pushing google DNS servers: 8.8.8.8 + 8.8.4.4
-
- OpenVPN Power User
- Posts: 50
- Joined: Sat Jan 24, 2015 3:26 am
Re: VPN connection successful--DNS not working
The router has an info statement on the page where the settings are made, quoted below. It gives me a new perspective...I was thinking that the settings page was making CLIENT settings. This statement gives a different perspective--that these settings are SERVER settings--so it would appear then that it is simply exporting a client ovpn that is consistent with the settings made on that config page.
"RT-AC66R will automatically generate a .ovpn file with the Certification Authority key. You can provide the .ovpn file with a username and password [italics mine] to all users connecting to the OpenVPN server. You can change the default settings of the OpenVPN server to provide a custom OPVN file for a specific connection type. To change OpenVPN server settings, go to Advanced Settings." << (Advanced settings is the config page I was referring to above)
I do not understand the italics. There is a place in the interface to create users and passwords, but they do not show up in the client ovpn file. Maybe it means they are being put into the SERVER ovpn file, which we cannot see directly.
(I have to be out for an hour or so; will check back on return)
-
- OpenVpn Newbie
- Posts: 5
- Joined: Mon Feb 23, 2015 5:53 pm
Re: VPN connection successful--DNS not working
I think I'm having this same issue. DNS worked great on my Android phone with a running OpenVPN session until I just upgraded to Lollipop. Now, without a running OpenVPN session, DNS works great, but as soon as I connect, DNS no longer works. Disconnect OpenVPN, and DNS works again.
Running over Verizon's network; haven't tried this yet over someone's WiFi.
Yes, I can ping any IP address, including 8.8.8.8. But "google.com" fails to resolve, unknown host.
It doesn't matter which OpenVPN client I run.
On my server, I am NOT using push "redirect-gateway def1 bypass-dhcp". Using push "dhcp-option DNS 8.8.8.8" and push "dhcp-option DNS 8.8.4.4" doesn't help, probably because I'm connecting over Verizon's network. I am not running a DNS server on my VPN server.
-
- OpenVpn Newbie
- Posts: 5
- Joined: Mon Feb 23, 2015 5:53 pm
Re: VPN connection successful--DNS not working
Confirmed, DNS fails when connected to someone else's WiFi, when connected using OpenVPN.
-
- OpenVpn Newbie
- Posts: 1
- Joined: Wed Mar 16, 2016 1:30 pm
Re: VPN connection successful--DNS not working
For those having hard fixing dns error, fix dns probe error.
-
- OpenVpn Newbie
- Posts: 5
- Joined: Mon Feb 23, 2015 5:53 pm
Re: VPN connection successful--DNS not working
Really, you thought this was due to firewall or anti-virus settings on our Android phones?
- Traffic
- OpenVPN Protagonist
- Posts: 4066
- Joined: Sat Aug 09, 2014 11:24 am
Re: VPN connection successful--DNS not working
Quip11 wrote: Really, you thought this was due to firewall or anti-virus settings on our Android phones?
who is this question directed at ?
-
- OpenVpn Newbie
- Posts: 5
- Joined: Mon Feb 23, 2015 5:53 pm
Re: VPN connection successful--DNS not working
@kidingwithlaura. This was an Android client issue, not Windows.
In an Android forum (https://code.google.com/p/android/issue ... l?id=64819), I also asked this question and found much greater feedback, determining its cause as an Android bug: if you are running a VPN client, any DNS query you send will have your address on your VPN network as its return address, even if the query isn't sent on your VPN network. So the DNS server gets your request, but can't route the reply back to you.
My workaround has been to run a DNS server on my own VPN server.
This is not an OpenVPN issue. OpenVPN works great.
-Q
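An added example, not part of any poster's message and not OpenVPN's own code: a small Python check that reads server-side directives of the kind quoted in this thread and reports, for each pushed DNS server, whether a client would route its queries through the tunnel or outside it. The function name, the result labels and the 10.8.0.0/24 tunnel subnet are assumptions made for the example; it only looks at what the server pushes, not at client-side overrides.

```python
import ipaddress
import re

# Constructed sample: the push settings described in the thread (DNS pushed,
# no redirect-gateway); the 10.8.0.0/24 tunnel subnet is an assumption.
SPLIT_TUNNEL = '''
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
'''

def _net(addr, mask):
    # OpenVPN writes networks as "address netmask"
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit_pushed_dns(config_text):
    """Return {dns_ip: 'tunnel' | 'outside'} for every pushed DNS server."""
    tunnel_nets, dns_servers, redirect = [], [], False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        pushed = re.match(r'push\s+"(.*)"$', line)
        words = (pushed.group(1) if pushed else line).split()
        if not words:
            continue
        if pushed and words[:2] == ["dhcp-option", "DNS"] and len(words) == 3:
            dns_servers.append(ipaddress.ip_address(words[2]))
        elif pushed and words[0] == "redirect-gateway":
            redirect = True  # client sends all traffic, DNS included, via the VPN
        elif pushed and words[0] == "route" and len(words) >= 2:
            # a pushed route without a netmask is a host route
            mask = words[2] if len(words) > 2 else "255.255.255.255"
            tunnel_nets.append(_net(words[1], mask))
        elif not pushed and words[0] == "server" and len(words) >= 3:
            tunnel_nets.append(_net(words[1], words[2]))  # the tunnel subnet itself
    return {
        str(ip): "tunnel" if redirect or any(ip in n for n in tunnel_nets) else "outside"
        for ip in dns_servers
    }

if __name__ == "__main__":
    for server, path in audit_pushed_dns(SPLIT_TUNNEL).items():
        print(f"{server}: queries leave via {path}")
```

A result of "outside" means the resolver is pushed to the client but no pushed route covers it, which is the configuration in which the failure reported above appeared; a resolver inside the tunnel subnet, as in the workaround, comes back as "tunnel".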
- Traffic
- OpenVPN Protagonist
- Posts: 4066
- Joined: Sat Aug 09, 2014 11:24 am
Re: VPN connection successful--DNS not working
Quip11 wrote: if you are running a VPN client, any DNS query you send will have your address on your VPN network as its return address
Only if you use a DNS server which is routed over the VPN, typically by using --redirect-gateway
Quip11 wrote: even if the query isn't sent on your VPN network
If the DNS query is not sent over the VPN then the address will be the publicly identifiable IP address of your client.
Quip11 wrote: So the DNS server gets your request, but can't route the reply back to you
If the DNS request is sent with your RFC1918 VPN IP as source IP to the internet then it will not even get to the DNS server as it will be dropped by your ISP.
Quip11 wrote: My workaround has been to run a DNS server on my own VPN server
That is one approach but a bit over the top for most users.
Quip11 wrote: This is not an OpenVPN issue. OpenVPN works great
Good stuff

-
- OpenVpn Newbie
- Posts: 5
- Joined: Mon Feb 23, 2015 5:53 pm
Re: VPN connection successful--DNS not working
Quip11 wrote: if you are running a VPN client, any DNS query you send will have your address on your VPN network as its return address, even if the query isn't sent on your VPN network
Traffic wrote: Only if you use a DNS server which is routed over the VPN, typically by using --redirect-gateway. If the DNS query is not sent over the VPN then the address will be the publicly identifiable IP address of your client.
I wish that were the case, and we wouldn't be having this conversation. People ran their OpenVPN clients with the usual dedicated netmasks (not default-routing all traffic) and analyzed the packets sent to public DNS servers like 8.8.8.8, outside the VPN. This is an Android bug.
Quip11 wrote: So the DNS server gets your request, but can't route the reply back to you
Traffic wrote: If the DNS request is sent with your RFC1918 VPN IP as source IP to the internet then it will not even get to the DNS server as it will be dropped by your ISP.
That's entirely possible too, that the packets never reached the public DNS server.
Quip11 wrote: My workaround has been to run a DNS server on my own VPN server
Traffic wrote: That is one approach but a bit over the top for most users.
Waiting for a Google update is another option. Now that they fixed their stagefright library.