OpenVPN Connect + Local DNS lookups not working

vpnreguser
OpenVpn Newbie
Posts: 3
Joined: Thu Aug 20, 2020 10:22 pm

OpenVPN Connect + Local DNS lookups not working

Post by vpnreguser » Thu Aug 20, 2020 10:38 pm

Recently, my server that ran OpenVPN crashed and I had to build a new server with a newer version of OpenVPN. Initially, the challenge was with creating higher security certificates, etc. and making sure client/server options matched. I created a basic template for the client ovpn. With a slight modification, it works fine on an Ubuntu 18.04 system. When I deploy the same configuration to Android everything seems to work except for DNS. There is a local DNS server. The logs show the request, but it never makes it back to the Android device.

The server is running OpenVPN 2.4.7.

Here is the server configuration file:

Server Config
local <openvpn-local-ip>
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/<openvpn-hostname>.crt
key /etc/openvpn/easy-rsa/pki/private/<openvpn-hostname>.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
tls-server
client-config-dir /etc/openvpn/clients
push "redirect-gateway def1"
push "dhcp-option DNS <local-dns-ip-addr>"
push "dhcp-option DOMAIN <local-domain-name>"
client-to-client
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-256-CBC
auth SHA256
compress lz4
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 6



In the /etc/openvpn/clients there is a client configuration with the following line based on the hostname of the client:

Server Config Client Specific
ifconfig-push 10.8.0.<x> 255.255.255.0



For the client ovpn template:

Client OVPN
client
dev tun
proto udp
remote <remote-host> <port>
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings

remote-cert-tls server
tls-client
key-direction 1
cipher AES-256-CBC
auth SHA256
auth-nocache
compress lz4
verb 4
mute 20

<for ubuntu, there are up/down resolvconf options set here that are not present when importing on android>


<ca>
<CERT>
</ca>
<cert>
<CERT>
</cert>
<key>
<KEY>
</key>
<tls-auth>
<KEY>
</tls-auth>




The Android client is running OpenVPN Connect version 3.2.2 (5027).



Here is a snippet from the logs when connecting:

openvpn log

Thu Aug 20 17:56:56 2020 us=908327 MULTI: multi_create_instance called
Thu Aug 20 17:56:56 2020 us=909047 <cell-phone-carrier-assigned-ip-address>:56929 Re-using SSL/TLS context
Thu Aug 20 17:56:56 2020 us=909427 <cell-phone-carrier-assigned-ip-address>:56929 LZ4 compression initializing
Thu Aug 20 17:56:56 2020 us=910793 <cell-phone-carrier-assigned-ip-address>:56929 Control Channel MTU parms [ L:1622 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Thu Aug 20 17:56:56 2020 us=911147 <cell-phone-carrier-assigned-ip-address>:56929 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Thu Aug 20 17:56:56 2020 us=911923 <cell-phone-carrier-assigned-ip-address>:56929 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Thu Aug 20 17:56:56 2020 us=912200 <cell-phone-carrier-assigned-ip-address>:56929 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Thu Aug 20 17:56:56 2020 us=912667 <cell-phone-carrier-assigned-ip-address>:56929 TLS: Initial packet from [AF_INET]<cell-phone-carrier-assigned-ip-address>:56929, sid=5f913f34 58d658b9
Thu Aug 20 17:56:57 2020 us=236223 <cell-phone-carrier-assigned-ip-address>:56929 VERIFY OK: depth=1, CN=<openvpn-server>
Thu Aug 20 17:56:57 2020 us=241949 <cell-phone-carrier-assigned-ip-address>:56929 VERIFY OK: depth=0, CN=<openvpn-client>
Thu Aug 20 17:56:57 2020 us=251104 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_VER=3.git:released:3e56f9a6:Release
Thu Aug 20 17:56:57 2020 us=252961 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_PLAT=android
Thu Aug 20 17:56:57 2020 us=254998 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_NCP=2
Thu Aug 20 17:56:57 2020 us=256808 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_TCPNL=1
Thu Aug 20 17:56:57 2020 us=258596 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_PROTO=2
Thu Aug 20 17:56:57 2020 us=260402 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_LZO_STUB=1
Thu Aug 20 17:56:57 2020 us=262239 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_COMP_STUB=1
Thu Aug 20 17:56:57 2020 us=264009 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_COMP_STUBv2=1
Thu Aug 20 17:56:57 2020 us=265865 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_IPv6=0
Thu Aug 20 17:56:57 2020 us=267669 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_AUTO_SESS=1
Thu Aug 20 17:56:57 2020 us=269468 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_GUI_VER=net.openvpn.connect.android_3.2.2-5027
Thu Aug 20 17:56:57 2020 us=271363 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_SSO=openurl
Thu Aug 20 17:56:57 2020 us=342827 <cell-phone-carrier-assigned-ip-address>:56929 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Thu Aug 20 17:56:57 2020 us=344907 <cell-phone-carrier-assigned-ip-address>:56929 [<openvpn-client>] Peer Connection Initiated with [AF_INET]<cell-phone-carrier-assigned-ip-address>:56929
Thu Aug 20 17:56:57 2020 us=347134 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/clients/<openvpn-client>
Thu Aug 20 17:56:57 2020 us=350182 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 MULTI: Learn: 10.8.0.4 -> <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929
Thu Aug 20 17:56:57 2020 us=352057 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 MULTI: primary virtual IP for <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929: 10.8.0.4
Thu Aug 20 17:56:57 2020 us=354645 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 PUSH: Received control message: 'PUSH_REQUEST'
Thu Aug 20 17:56:57 2020 us=356956 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 SENT CONTROL [<openvpn-client>]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS <local-dns-server>,dhcp-option,dhcp-option DOMAIN <local-domain>,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.4 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Thu Aug 20 17:56:57 2020 us=358938 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Aug 20 17:56:57 2020 us=360882 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 Data Channel MTU parms [ L:1550 D:1450 EF:50 EB:406 ET:0 EL:3 ]
Thu Aug 20 17:56:57 2020 us=364098 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Aug 20 17:56:57 2020 us=366213 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key



When attempting a DNS query from Android, I see the following in the query log:

Local DNS Query Log

20-Aug-2020 18:03:02.549 client <openvpn-server-ip-address>#32434: query: <hostname-query-fqdn> IN A + (<dns-ip-address>)


If I run tcpdump on the tun interface, the output shows:

tcpdump output

18:04:56.872248 IP <openvpn-tun-ip-address>.10921 > <local-dns-fqdn>.domain: 31155+ A? <hostname-query-fqdn>. (43)
18:04:56.875049 IP <local-dns-fqdn>.domain > <openvpn-tun-ip-address>.10921: 31155* 1/1/1 A <found-ip-address-query> (102)



I have tried different iptables commands such as:

Attempt #1

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source <openvpn-server-ip-address>

Attempt #2

iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source <openvpn-server-ip-address>

Attempt #3

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Attempt #4

iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT

iptables -A INPUT -i tun+ -j ACCEPT

iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT

None of which worked.

Let me know if you need more information. Thanks.

TinCanTech
OpenVPN Protagonist
Posts: 7790
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Connect + Local DNS lookups not working

Post by TinCanTech » Thu Aug 20, 2020 10:43 pm

vpnreguser wrote:
Thu Aug 20, 2020 10:38 pm
When I deploy the same configuration to android everything seems to work except for dns
And no Android logs provided whatsoever ..

vpnreguser
OpenVpn Newbie
Posts: 3
Joined: Thu Aug 20, 2020 10:22 pm

Re: OpenVPN Connect + Local DNS lookups not working

Post by vpnreguser » Fri Aug 21, 2020 4:33 pm

Android OpenVPN Connect Log
12:11:44.351 -- ----- OpenVPN Start -----

12:11:44.352 -- EVENT: CORE_THREAD_ACTIVE

12:11:44.359 -- OpenVPN core 3.git:released:3e56f9a6:Release android armv7a thumb2 32-bit PT_PROXY

12:11:44.360 -- Frame=512/2048/512 mssfix-ctrl=1250

12:11:44.368 -- UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [nobind]
6 [persist-key]
7 [persist-tun]
8 [mute-replay-warnings]
10 [tls-client]
14 [auth-nocache]
16 [verb] [4]
17 [mute] [20]

12:11:44.371 -- EVENT: RESOLVE

12:11:44.568 -- Contacting [2607:7700:0:7::4748:2349]:<port> via UDP

12:11:44.569 -- EVENT: WAIT

12:11:44.596 -- Connecting to [<external-ip-address>]:<port> (2607:7700:0:7::4748:2349) via UDPv6

12:11:44.668 -- EVENT: CONNECTING

12:11:44.678 -- Tunnel Options:V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client

12:11:44.679 -- Creds: UsernameEmpty/PasswordEmpty

12:11:44.680 -- Peer Info:
IV_VER=3.git:released:3e56f9a6:Release
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_IPv6=0
IV_AUTO_SESS=1
IV_GUI_VER=net.openvpn.connect.android_3.2.2-5027
IV_SSO=openurl


12:11:44.848 -- VERIFY OK: depth=1, /CN=<openvpn-hostname>

12:11:44.850 -- VERIFY OK: depth=0, /CN=<openvpn-hostname>

12:11:44.974 -- SSL Handshake: CN=<openvpn-hostname>, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA

12:11:44.976 -- Session is ACTIVE

12:11:44.978 -- EVENT: GET_CONFIG

12:11:45.004 -- Sending PUSH_REQUEST to server...

12:11:45.055 -- OPTIONS:
0 [redirect-gateway] [def1]
1 [dhcp-option] [DNS] [<local-dns-ip-addr>]
2 [dhcp-option] [DOMAIN] [<local-domain-name>]
3 [route-gateway] [10.8.0.1]
4 [topology] [subnet]
5 [ping] [10]
6 [ping-restart] [120]
7 [ifconfig] [10.8.0.4] [255.255.255.0]
8 [peer-id] [0]
9 [cipher] [AES-256-GCM]
10 [block-ipv6]


12:11:45.056 -- PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: NONE
compress: COMP_STUB
peer ID: 0

12:11:45.059 -- EVENT: ASSIGN_IP

12:11:45.168 -- Connected via tun

12:11:45.174 -- LZO-ASYM init swap=0 asym=1

12:11:45.177 -- Comp-stub init swap=1

12:11:45.179 -- EVENT: CONNECTED info='<external-ip-address>:<port> (2607:7700:0:7::4748:2349) via /UDPv6 on tun/10.8.0.4/ gw=[10.8.0.1/]'


Thanks.
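The server-side PUSH_REPLY and tcpdump lines in the first post, and the OPTIONS and UNUSED OPTIONS blocks in the Android log above, can be cross-checked mechanically rather than by eye. The script below is an added example, not code from this thread or from the OpenVPN project. Every log line in it is constructed to mirror the thread's redacted output (including the bare `dhcp-option` token visible in the server's PUSH_REPLY), using documentation-range addresses and example hostnames. It reports which dhcp-option values were pushed and accepted, which pushed options the client did not list, which client-side directives OpenVPN Connect ignored, and whether each DNS transaction ID seen on the tun interface received a reply.

```python
"""Added example (not from the thread): correlate the server's PUSH_REPLY with
the option blocks of an OpenVPN Connect (v3) Android log, and pair DNS queries
with their replies in tcpdump output captured on the tun interface.

All log lines are constructed to mirror the thread's redacted logs; the
hostnames and 192.0.2.x / 198.51.100.x addresses are documentation ranges."""
import re
from collections import OrderedDict

# Constructed sample: server-side PUSH_REPLY, same shape as the thread's line,
# including the bare 'dhcp-option' token that line contains.
SERVER_PUSH_LINE = (
    "Thu Aug 20 17:56:57 2020 us=356956 client1/198.51.100.7:56929 SENT CONTROL "
    "[client1]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 192.0.2.53,"
    "dhcp-option,dhcp-option DOMAIN lan.example,route-gateway 10.8.0.1,"
    "topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.4 255.255.255.0,"
    "peer-id 0,cipher AES-256-GCM' (status=1)"
)

# Constructed sample: the relevant blocks of an OpenVPN Connect log.
CLIENT_LOG = """\
12:11:44.368 -- UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [nobind]
16 [verb] [4]

12:11:45.055 -- OPTIONS:
0 [redirect-gateway] [def1]
1 [dhcp-option] [DNS] [192.0.2.53]
2 [dhcp-option] [DOMAIN] [lan.example]
3 [route-gateway] [10.8.0.1]
4 [topology] [subnet]
5 [ping] [10]
6 [ping-restart] [120]
7 [ifconfig] [10.8.0.4] [255.255.255.0]
8 [peer-id] [0]
9 [cipher] [AES-256-GCM]
10 [block-ipv6]

12:11:45.056 -- PROTOCOL OPTIONS:
cipher: AES-256-GCM
"""

# Constructed sample: tcpdump on the tun interface, one query and its answer.
TCPDUMP_LINES = [
    "18:04:56.872248 IP 10.8.0.4.10921 > ns1.lan.example.domain: 31155+ A? host.lan.example. (43)",
    "18:04:56.875049 IP ns1.lan.example.domain > 10.8.0.4.10921: 31155* 1/1/1 A 192.0.2.20 (102)",
]

PUSH_REPLY_RE = re.compile(r"'PUSH_REPLY,(?P<opts>[^']*)'")
BRACKET_RE = re.compile(r"\[([^\]]*)\]")
TCPDUMP_RE = re.compile(
    r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): (?P<id>\d+)[+*%$|-]*\s+(?P<rest>.*)$"
)


def parse_push_reply(line):
    """Options the server pushed, in order. Empty or bare tokens are kept so
    the caller can flag them instead of silently dropping them."""
    m = PUSH_REPLY_RE.search(line)
    return [tok.strip() for tok in m.group("opts").split(",")] if m else []


def parse_option_block(log_text, header):
    """Read a numbered option block ('OPTIONS:' or 'UNUSED OPTIONS') from an
    OpenVPN Connect log into strings such as 'dhcp-option DNS 192.0.2.53'."""
    opts, in_block = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.endswith("-- " + header):
            in_block = True
            continue
        if in_block:
            if not line:  # the block ends at the first blank line
                break
            m = re.match(r"^\d+\s+(.*)$", line)
            if m:
                opts.append(" ".join(BRACKET_RE.findall(m.group(1))))
    return opts


def dhcp_options(opts):
    """Group dhcp-option values by type (DNS, DOMAIN, ...); a dhcp-option with
    fewer than two arguments is reported as malformed."""
    by_type, malformed = {}, []
    for o in opts:
        parts = o.split()
        if not parts or parts[0] != "dhcp-option":
            continue
        if len(parts) < 3:
            malformed.append(o)
        else:
            by_type.setdefault(parts[1], []).append(" ".join(parts[2:]))
    return by_type, malformed


def pair_dns_exchanges(lines):
    """Group tcpdump DNS lines by transaction ID: a line whose first payload
    token ends in '?' is the query, any other line with the same ID is the answer."""
    exchanges = OrderedDict()
    for line in lines:
        m = TCPDUMP_RE.match(line.strip())
        if not m:
            continue
        fields = m.group("rest").split()
        entry = exchanges.setdefault(int(m.group("id")), {"query": None, "answered": False})
        if fields and fields[0].endswith("?"):
            entry["query"] = fields[1].rstrip(".")
        else:
            entry["answered"] = True
    return exchanges


def diagnose(server_line, client_log, tcpdump_lines):
    """Summarise what was pushed, what the client accepted or ignored, and
    whether each DNS query seen on tun was answered."""
    pushed = parse_push_reply(server_line)
    accepted = parse_option_block(client_log, "OPTIONS:")
    pushed_dns, malformed = dhcp_options(pushed)
    accepted_dns, _ = dhcp_options(accepted)
    return {
        "pushed_dns": pushed_dns,
        "accepted_dns": accepted_dns,
        "dns_matches": pushed_dns == accepted_dns,
        "malformed": malformed,
        "not_accepted": [p for p in pushed if p not in set(accepted) and p not in malformed],
        "unused_client_directives": parse_option_block(client_log, "UNUSED OPTIONS"),
        "dns_exchanges": pair_dns_exchanges(tcpdump_lines),
    }


if __name__ == "__main__":
    for key, value in diagnose(SERVER_PUSH_LINE, CLIENT_LOG, TCPDUMP_LINES).items():
        print(f"{key}: {value}")
```

Run it directly to print the summary. With the sample data the DNS and DOMAIN pushes match on both sides, the only pushed option the client did not list is the bare `dhcp-option` token, the Android client reports `resolv-retry`, `nobind` and `verb` as unused, and query 31155 is answered on tun. That is the same picture the thread's logs give, so the script's value is in confirming that the push and the reply path on the server are not where the lookup is lost, leaving the resolver and the Android side to examine.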

vpnreguser
OpenVpn Newbie
Posts: 3
Joined: Thu Aug 20, 2020 10:22 pm

Re: OpenVPN Connect + Local DNS lookups not working

Post by vpnreguser » Tue Sep 15, 2020 2:23 am

Any additional information needed? Thanks.

TinCanTech
OpenVPN Protagonist
Posts: 7790
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Connect + Local DNS lookups not working

Post by TinCanTech » Tue Sep 15, 2020 2:39 am

vpnreguser wrote:
Fri Aug 21, 2020 4:33 pm

[dhcp-option] [DNS] [<local-dns-ip-addr>]
[dhcp-option] [DOMAIN] [<local-domain-name>]
No errors detected .. could be your DNS server ?
