DNS not working but connection is fine?(Windows 10)

[acadia1184]

My windows 10 machine is not able to resolve any dns? It's able to connect to the vpn, ping external ip addresses, receive discord messages, and access google.com by typing the ip of it manually but trying to ping google.com does not work. I'm assuming this is a dns problem because the internet does work(if you have the ip address of the site you want to use ). This vpn is also working fully with my edgerouter 4 as a client already. Can anyone offer advice?

Client config

Code: Select all

client
proto udp
remote 1xx.2xx.xx.xxx xxxxx
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_xxxxxxxxx name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns
verb 3

Server config

Code: Select all

port xxxxx
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key 0
crl-verify crl.pem
ca ca.crt
cert server_xxxxxxx.crt
key server_xxxxxxxx.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
status /var/log/openvpn/status.log
verb 3

Client log

Code: Select all

Tue Sep 17 17:02:37 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Tue Sep 17 17:02:37 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Sep 17 17:02:37 2019 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Enter Management Password:
Tue Sep 17 17:02:37 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Sep 17 17:02:37 2019 Need hold release from management interface, waiting...
Tue Sep 17 17:02:38 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Sep 17 17:02:38 2019 MANAGEMENT: CMD 'state on'
Tue Sep 17 17:02:38 2019 MANAGEMENT: CMD 'log all on'
Tue Sep 17 17:02:38 2019 MANAGEMENT: CMD 'echo all on'
Tue Sep 17 17:02:38 2019 MANAGEMENT: CMD 'bytecount 5'
Tue Sep 17 17:02:38 2019 MANAGEMENT: CMD 'hold off'
Tue Sep 17 17:02:38 2019 MANAGEMENT: CMD 'hold release'
Tue Sep 17 17:02:38 2019 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Sep 17 17:02:38 2019 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Sep 17 17:02:38 2019 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Sep 17 17:02:38 2019 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Sep 17 17:02:38 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]redactedIP
Tue Sep 17 17:02:38 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Sep 17 17:02:38 2019 UDP link local: (not bound)
Tue Sep 17 17:02:38 2019 UDP link remote: [AF_INET]redactedIP
Tue Sep 17 17:02:38 2019 MANAGEMENT: >STATE:1568754158,WAIT,,,,,,
Tue Sep 17 17:02:38 2019 MANAGEMENT: >STATE:1568754158,AUTH,,,,,,
Tue Sep 17 17:02:38 2019 TLS: Initial packet from [AF_INET]RedactedIp, sid=feb45b57 1f229ce5
Tue Sep 17 17:02:38 2019 VERIFY OK: depth=1, CN=cn_hm2Ph37iye3P5DNu
Tue Sep 17 17:02:38 2019 VERIFY KU OK
Tue Sep 17 17:02:38 2019 Validating certificate extended key usage
Tue Sep 17 17:02:38 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Sep 17 17:02:38 2019 VERIFY EKU OK
Tue Sep 17 17:02:38 2019 VERIFY X509NAME OK: CN=server_eHabSYnbcyZtj0IW
Tue Sep 17 17:02:38 2019 VERIFY OK: depth=0, CN=server_eHabSYnbcyZtj0IW
Tue Sep 17 17:02:41 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit EC, curve: prime256v1
Tue Sep 17 17:02:41 2019 [server_eHabSYnbcyZtj0IW] Peer Connection Initiated with [AF_INET]redactedIp
Tue Sep 17 17:02:43 2019 MANAGEMENT: >STATE:1568754163,GET_CONFIG,,,,,,
Tue Sep 17 17:02:43 2019 SENT CONTROL [server_eHabSYnbcyZtj0IW]: 'PUSH_REQUEST' (status=1)
Tue Sep 17 17:02:43 2019 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 1.0.0.1,dhcp-option DNS 1.1.1.1,redirect-gateway def1 bypass-dhcp,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.3 255.255.255.0,peer-id 1,cipher AES-128-GCM'
Tue Sep 17 17:02:43 2019 OPTIONS IMPORT: timers and/or timeouts modified
Tue Sep 17 17:02:43 2019 OPTIONS IMPORT: --ifconfig/up options modified
Tue Sep 17 17:02:43 2019 OPTIONS IMPORT: route options modified
Tue Sep 17 17:02:43 2019 OPTIONS IMPORT: route-related options modified
Tue Sep 17 17:02:43 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Sep 17 17:02:43 2019 OPTIONS IMPORT: peer-id set
Tue Sep 17 17:02:43 2019 OPTIONS IMPORT: adjusting link_mtu to 1624
Tue Sep 17 17:02:43 2019 OPTIONS IMPORT: data channel crypto options modified
Tue Sep 17 17:02:43 2019 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Tue Sep 17 17:02:43 2019 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Tue Sep 17 17:02:43 2019 interactive service msg_channel=592
Tue Sep 17 17:02:43 2019 ROUTE_GATEWAY 192.168.0.1/255.255.252.0 I=6 HWADDR=00:28:f8:21:5f:a2
Tue Sep 17 17:02:43 2019 open_tun
Tue Sep 17 17:02:43 2019 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{E2354CBE-F4FE-4A34-B22B-CD596E42E246}.tap
Tue Sep 17 17:02:43 2019 TAP-Windows Driver Version 9.21 
Tue Sep 17 17:02:43 2019 Set TAP-Windows TUN subnet mode network/local/netmask = 10.8.0.0/10.8.0.3/255.255.255.0 [SUCCEEDED]
Tue Sep 17 17:02:43 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.3/255.255.255.0 on interface {E2354CBE-F4FE-4A34-B22B-CD596E42E246} [DHCP-serv: 10.8.0.254, lease-time: 31536000]
Tue Sep 17 17:02:43 2019 Successful ARP Flush on interface [23] {E2354CBE-F4FE-4A34-B22B-CD596E42E246}
Tue Sep 17 17:02:43 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Sep 17 17:02:43 2019 MANAGEMENT: >STATE:1568754163,ASSIGN_IP,,10.8.0.3,,,,
Tue Sep 17 17:02:43 2019 Blocking outside dns using service succeeded.
Tue Sep 17 17:02:48 2019 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
Tue Sep 17 17:02:48 2019 C:\WINDOWS\system32\route.exe ADD redactedIp MASK 255.255.255.255 192.168.0.1
Tue Sep 17 17:02:48 2019 Route addition via service succeeded
Tue Sep 17 17:02:48 2019 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.1
Tue Sep 17 17:02:48 2019 Route addition via service succeeded
Tue Sep 17 17:02:48 2019 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.1
Tue Sep 17 17:02:48 2019 Route addition via service succeeded
Tue Sep 17 17:02:48 2019 Initialization Sequence Completed
Tue Sep 17 17:02:48 2019 MANAGEMENT: >STATE:1568754168,CONNECTED,SUCCESS,10.8.0.3,RedactedIP,

Thanks.

[TinCanTech]

Maybe your router filters DNS ..

[300000]

register-dns
pull


you can try to add this one to your openvpn client so windows renew ip and dns to see. if still not working let comment this line setenv opt block-outside-dns so client will use local dns to seen it work or not
block-outside-dns to use server dns to prevent dnsleak , but sometime windows not working correct to apply filter on dns on system .

[TinCanTech]

but sometime windows not working correct to apply filter on dns on system

Do you have an example ?

If windows does not apply the WFP filters correctly then the OpenVPN developers need to know this.

[acadia1184]

register-dns
pull


you can try to add this one to your openvpn client so windows renew ip and dns to see. if still not working let comment this line setenv opt block-outside-dns so client will use local dns to seen it work or not
block-outside-dns to use server dns to prevent dnsleak , but sometime windows not working correct to apply filter on dns on system .

Adding those config options did not work but removing setenv opt block-outside-dns from my client config does get things working.

[TinCanTech]

removing setenv opt block-outside-dns from my client config does get things working

Which means you are not using your pushed DNS servers but you are still using your original client DNS. This probably not what you intended.

Please try with the correct command: block-outside-dns (without setenv opt) added to your client config file.