DNS problem. Many hours wasted, need help.

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Post by Bebop » Sun Dec 19, 2010 12:56 am

Problem: I can browse the internet through the VPN if I use IP numbers; however, I cannot browse the internet if I use domain names. E.g. if I type "66.249.68.89" into my browser address bar, then I can see Google. If I type "www.google.com", then I can only see "Looking up hostname google.com -- host not found".

Why has this not been a simple fix for me? Some background info: I have recently rented 2 VPS servers from 2 separate companies. I have set up OpenVPN on both servers. Each has the same OS (Debian) and the same DNS (bind9). The dilemma is that on Server[A] everything is working fine, including DNS. On Server (the subject of this thread), DNS through the VPN is not working.

I am already aware of solutions such as using Google DNS or OpenDNS as an alternative, but am not entirely interested in that for the time being.

Server[A] has eth0 as its network interface; Server (problem server) has venet0.

For both servers all the server and client configs are identical. The only difference in the config of each server is in iptables.

Server[A] ifconfig:

[screenshot of the Server[A] ifconfig output; image not reproduced in this copy]

Server (problem server) ifconfig:

[screenshot of the problem server's ifconfig output; image not reproduced in this copy]

Server[A] Server.conf

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

Server Server.conf

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
verb 6

Server[A] iptables

#!/bin/sh
iptables -F
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 10000 -j ACCEPT
iptables -A INPUT -p tcp --dport 20000 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j ACCEPT

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -L -v

Server iptables

#!/bin/sh
iptables -F
iptables -t nat -F
iptables -t mangle -F
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 10000 -j ACCEPT
iptables -A INPUT -p tcp --dport 20000 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j ACCEPT

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
#iptables -A FORWARD -j REJECT
#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
# xx.xx.xx.xx = public-facing IP address of my server
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source xx.xx.xx.xx
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -L -v

A fresh set of eyes and any help provided will be REALLY appreciated.
Regards,
Bebop
The cure for boredom is curiosity


Re: DNS problem. Many hours wasted, need help.

Post by Bebop » Sun Dec 19, 2010 4:24 am

**Solved** thanks to pyther on IRC

In Server[A], which was set up first, I *did* set up an ACL for bind9. On the problem server I *did not* set up the ACL, and THAT was the cause of the problem.

I've got a sample of the file here for anyone who has a similar problem in the future.

/etc/bind/named.conf.options

acl "trusted" {
  127.0.0.1;
  localhost;
};

acl "vpnclients" {
  10.8.0.0/16;
};

options {
  directory "/var/cache/bind";

  auth-nxdomain no;    # conform to RFC1035
  listen-on-v6 { any; };

  allow-query {
    trusted;
    vpnclients;
  };
  allow-recursion {
    trusted;
    vpnclients;
  };
};

The cure for boredom is curiosity
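Added example, not part of Bebop's posts and not a BIND or OpenVPN tool: a small Python model of how BIND 9 evaluates the allow-query and allow-recursion lists, run against a trimmed copy of the ACL config above and against the same options block with no ACL at all. It ties the two posts together: the server config pushes "dhcp-option DNS 10.8.0.1", so every name lookup from a VPN client is a recursive query to bind9 on the tunnel address, and without an ACL BIND falls back to its built-in default of allow-recursion { localnets; localhost; }. The interface list is an assumption: the OpenVPN tun0 is modelled as a point-to-point /32 (the default net30 topology for "dev tun"), so 10.8.0.0/24 clients are not in any local net and recursion is refused, which is exactly "host not found" for www.google.com while a raw IP still works. 203.0.113.10 and 198.51.100.7 are TEST-NET addresses standing in for the server's public IP and for an arbitrary Internet client; the parser is a simplified one for this option syntax, not the full named.conf grammar; all function names are this example's own.

```python
"""Evaluate BIND 9 address-match lists from named.conf.options.

Added example, not from the thread: parse acl / allow-query / allow-recursion
lists and report whether a client would be allowed to query and to recurse.
When an option is absent the BIND 9 defaults apply (allow-query: any;
allow-recursion: localnets, localhost), which is the state of the problem
server before the ACL was added.
"""
import ipaddress
import re

# Constructed sample: the thread's working config, trimmed to the relevant parts.
CONF_WITH_ACL = """
acl "trusted" { 127.0.0.1; localhost; };
acl "vpnclients" { 10.8.0.0/16; };
options {
    directory "/var/cache/bind";
    auth-nxdomain no;    # conform to RFC1035
    allow-query { trusted; vpnclients; };
    allow-recursion { trusted; vpnclients; };
};
"""

# Constructed sample: the problem server before the ACL existed (defaults apply).
CONF_WITHOUT_ACL = """
options {
    directory "/var/cache/bind";
    auth-nxdomain no;
};
"""

# Constructed sample: an open recursive resolver, the setting to avoid.
CONF_OPEN = """
options {
    allow-recursion { any; };
};
"""

# Assumed server interfaces: loopback, OpenVPN tun0 as a point-to-point /32
# (default net30 topology for "dev tun"), and a TEST-NET-3 address standing in
# for the public IP. Note that 10.8.0.0/24 clients are NOT in "localnets".
SERVER_IFACES = ["127.0.0.1/8", "10.8.0.1/32", "203.0.113.10/24"]

# BIND 9 defaults used when the option is not configured.
DEFAULTS = {"allow-query": ["any"], "allow-recursion": ["localnets", "localhost"]}


def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # /* ... */ comments
    return re.sub(r"(//|#).*", "", text)                # // and # to end of line


def _elements(body):
    return [e.strip() for e in body.split(";") if e.strip()]


def parse(text):
    """Return ({acl name: elements}, {option: elements}) with defaults filled in."""
    text = _strip_comments(text)
    acls = {m.group(1): _elements(m.group(2))
            for m in re.finditer(r'acl\s+"?([\w-]+)"?\s*\{([^}]*)\}', text)}
    options = dict(DEFAULTS)
    block = re.search(r"options\s*\{(.*)\}\s*;", text, flags=re.S)
    if block:
        for m in re.finditer(r"(allow-query|allow-recursion)\s*\{([^}]*)\}", block.group(1)):
            options[m.group(1)] = _elements(m.group(2))
    return acls, options


def evaluate(elements, client, acls, ifaces):
    """First-match evaluation of an address-match list.

    Returns True (matched, allowed), False (matched a negated element, denied)
    or None (nothing matched, which BIND also treats as denied).
    """
    for el in elements:
        negate = el.startswith("!")
        name = el.lstrip("!").strip()
        if name in acls:                        # nested named ACL
            res = evaluate(acls[name], client, acls, ifaces)
            if res is None:
                continue
            return res != negate
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name == "localhost":               # any address the server itself has
            hit = client in {i.ip for i in ifaces}
        elif name == "localnets":               # any network the server has an address on
            hit = any(client in i.network for i in ifaces)
        else:                                   # literal address or prefix
            hit = client in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negate
    return None


def check_client(conf_text, client_ip, ifaces=SERVER_IFACES):
    """Map each option to whether client_ip is permitted by it."""
    acls, options = parse(conf_text)
    client = ipaddress.ip_address(client_ip)
    ifs = [ipaddress.ip_interface(i) for i in ifaces]
    return {opt: evaluate(elems, client, acls, ifs) is True
            for opt, elems in options.items()}


def is_open_resolver(conf_text, ifaces=SERVER_IFACES):
    """True if an arbitrary Internet address (TEST-NET-2 here) may recurse."""
    return check_client(conf_text, "198.51.100.7", ifaces)["allow-recursion"]


if __name__ == "__main__":
    for label, conf in [("with ACL", CONF_WITH_ACL), ("without ACL", CONF_WITHOUT_ACL),
                        ("open", CONF_OPEN)]:
        print(label, "| VPN client 10.8.0.6:", check_client(conf, "10.8.0.6"),
              "| open resolver:", is_open_resolver(conf))
```

The point the model makes visible: with no ACL, the VPN client 10.8.0.6 is allowed to query (default any) but not to recurse, so the server will not resolve names it is not authoritative for; the "vpnclients" ACL fixes that without turning the box into an open resolver, which is what allow-recursion { any; } would do. Running the script prints the per-option result for all three constructed configs. On the real server the same question is answered by rndc and the query log, and the DNS rule in the iptables script (udp/53 ACCEPT on INPUT) still lets the query reach bind9; it is bind9's own list that refuses recursion.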
