OpenVPN Connect + Local DNS lookups not working

Official client software for OpenVPN Access Server and OpenVPN Cloud.
vpnreguser
OpenVpn Newbie
Posts: 4
Joined: Thu Aug 20, 2020 10:22 pm

OpenVPN Connect + Local DNS lookups not working

Post by vpnreguser » Thu Aug 20, 2020 10:38 pm

Recently, my server that ran openvpn crashed and I had to build a new server with a newer version of openvpn. Initially, the challenge was with creating higher security certificates, etc. and making sure client/server options matched. I created a basic template for the client ovpn. With a slight modification, it works fine on an Ubuntu 18.04 system. When I deploy the same configuration to android everything seems to work except for dns. There is a local dns server. The logs show the request, but it never makes it back to the android device.

The server is running openvpn 2.4.7.

Here is server configuration file:

Server Config

local <openvpn-local-ip>
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/<openvpn-hostname>.crt
key /etc/openvpn/easy-rsa/pki/private/<openvpn-hostname>.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
tls-server
client-config-dir /etc/openvpn/clients
push "redirect-gateway def1"
push "dhcp-option DNS <local-dns-ip-addr>"
push "dhcp-option DOMAIN <local-domain-name>"
client-to-client
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-256-CBC
auth SHA256
compress lz4
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log


In the /etc/openvpn/clients there is a client configuration with the following line based on the hostname of the client:

Server Config Client Specific

ifconfig-push 10.8.0.<x> 255.255.255.0


For the client ovpn template:

Client OVPN

client
dev tun
proto udp
remote <remote-host> <port>
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
remote-cert-tls server
tls-client
key-direction 1
cipher AES-256-CBC
auth SHA256
auth-nocache
compress lz4
verb 4
mute 20
<for ubuntu, there are up/down resolvconf options set here that are not present when importing on android>
<ca>
--STRIPPED INLINE CA CERT--
</ca>
<cert>
--STRIPPED INLINE CERT--
</cert>
<key>
--STRIPPED INLINE KEY--
</key>
<tls-auth>
--STRIPPED INLINE TLS-AUTH KEY--
</tls-auth>



The android client is running openvpn connect version 3.2.2 (5027).

Here is a snippet from the logs when connecting:

openvpn log

Thu Aug 20 17:56:56 2020 us=908327 MULTI: multi_create_instance called
Thu Aug 20 17:56:56 2020 us=909047 <cell-phone-carrier-assigned-ip-address>:56929 Re-using SSL/TLS context
Thu Aug 20 17:56:56 2020 us=909427 <cell-phone-carrier-assigned-ip-address>:56929 LZ4 compression initializing
Thu Aug 20 17:56:56 2020 us=910793 <cell-phone-carrier-assigned-ip-address>:56929 Control Channel MTU parms [ L:1622 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Thu Aug 20 17:56:56 2020 us=911147 <cell-phone-carrier-assigned-ip-address>:56929 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Thu Aug 20 17:56:56 2020 us=911923 <cell-phone-carrier-assigned-ip-address>:56929 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Thu Aug 20 17:56:56 2020 us=912200 <cell-phone-carrier-assigned-ip-address>:56929 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Thu Aug 20 17:56:56 2020 us=912667 <cell-phone-carrier-assigned-ip-address>:56929 TLS: Initial packet from [AF_INET]<cell-phone-carrier-assigned-ip-address>:56929, sid=5f913f34 58d658b9
Thu Aug 20 17:56:57 2020 us=236223 <cell-phone-carrier-assigned-ip-address>:56929 VERIFY OK: depth=1, CN=<openvpn-server>
Thu Aug 20 17:56:57 2020 us=241949 <cell-phone-carrier-assigned-ip-address>:56929 VERIFY OK: depth=0, CN=<openvpn-client>
Thu Aug 20 17:56:57 2020 us=251104 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_VER=3.git:released:3e56f9a6:Release
Thu Aug 20 17:56:57 2020 us=252961 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_PLAT=android
Thu Aug 20 17:56:57 2020 us=254998 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_NCP=2
Thu Aug 20 17:56:57 2020 us=256808 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_TCPNL=1
Thu Aug 20 17:56:57 2020 us=258596 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_PROTO=2
Thu Aug 20 17:56:57 2020 us=260402 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_LZO_STUB=1
Thu Aug 20 17:56:57 2020 us=262239 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_COMP_STUB=1
Thu Aug 20 17:56:57 2020 us=264009 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_COMP_STUBv2=1
Thu Aug 20 17:56:57 2020 us=265865 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_IPv6=0
Thu Aug 20 17:56:57 2020 us=267669 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_AUTO_SESS=1
Thu Aug 20 17:56:57 2020 us=269468 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_GUI_VER=net.openvpn.connect.android_3.2.2-5027
Thu Aug 20 17:56:57 2020 us=271363 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_SSO=openurl
Thu Aug 20 17:56:57 2020 us=342827 <cell-phone-carrier-assigned-ip-address>:56929 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Thu Aug 20 17:56:57 2020 us=344907 <cell-phone-carrier-assigned-ip-address>:56929 [<openvpn-client>] Peer Connection Initiated with [AF_INET]<cell-phone-carrier-assigned-ip-address>:56929
Thu Aug 20 17:56:57 2020 us=347134 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/clients/<openvpn-client>
Thu Aug 20 17:56:57 2020 us=350182 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 MULTI: Learn: 10.8.0.4 -> <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929
Thu Aug 20 17:56:57 2020 us=352057 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 MULTI: primary virtual IP for <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929: 10.8.0.4
Thu Aug 20 17:56:57 2020 us=354645 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 PUSH: Received control message: 'PUSH_REQUEST'
Thu Aug 20 17:56:57 2020 us=356956 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 SENT CONTROL [<openvpn-client>]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS <local-dns-server>,dhcp-option,dhcp-option DOMAIN <local-domain>,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.4 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Thu Aug 20 17:56:57 2020 us=358938 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Aug 20 17:56:57 2020 us=360882 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 Data Channel MTU parms [ L:1550 D:1450 EF:50 EB:406 ET:0 EL:3 ]
Thu Aug 20 17:56:57 2020 us=364098 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Aug 20 17:56:57 2020 us=366213 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key


When attempting a dns query from android, I see the following in the query log:

Local DNS Query Log

20-Aug-2020 18:03:02.549 client <openvpn-server-ip-address>


If I run tcpdump on the tun interface, the output shows:

tcpdump output

18:04:56.872248 IP <openvpn-tun-ip-address>.10921 > <local-dns-fqdn>.domain: 31155+ A? <hostname-query-fqdn>. (43)
18:04:56.875049 IP <local-dns-fqdn>.domain > <openvpn-tun-ip-address>.10921: 31155* 1/1/1 A <found-ip-address-query> (102)


I have tried different iptables commands such as:

Attempt #1

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source <openvpn-server-ip-address>

Attempt #2

iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source <openvpn-server-ip-address>

Attempt #3

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Attempt #4

iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT

iptables -A INPUT -i tun+ -j ACCEPT

iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT

None of which worked.

Let me know if you need more information. Thanks.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Connect + Local DNS lookups not working

Post by TinCanTech » Thu Aug 20, 2020 10:43 pm

vpnreguser wrote:
Thu Aug 20, 2020 10:38 pm
When I deploy the same configuration to android everything seems to work except for dns
And no android logs provided whatsoever ..

vpnreguser
OpenVpn Newbie
Posts: 4
Joined: Thu Aug 20, 2020 10:22 pm

Re: OpenVPN Connect + Local DNS lookups not working

Post by vpnreguser » Fri Aug 21, 2020 4:33 pm

Android OpenVPN Connect Log

12:11:44.351 -- ----- OpenVPN Start -----
12:11:44.352 -- EVENT: CORE_THREAD_ACTIVE
12:11:44.359 -- OpenVPN core 3.git:released:3e56f9a6:Release android armv7a thumb2 32-bit PT_PROXY
12:11:44.360 -- Frame=512/2048/512 mssfix-ctrl=1250
12:11:44.368 -- UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [nobind]
6 [persist-key]
7 [persist-tun]
8 [mute-replay-warnings]
10 [tls-client]
14 [auth-nocache]
16 [verb] [4]
17 [mute] [20]
12:11:44.371 -- EVENT: RESOLVE
12:11:44.568 -- Contacting [2607:7700:0:7::4748:2349]:<port> via UDP
12:11:44.569 -- EVENT: WAIT
12:11:44.596 -- Connecting to [<external-ip-address>]:<port> (2607:7700:0:7::4748:2349) via UDPv6
12:11:44.668 -- EVENT: CONNECTING
12:11:44.678 -- Tunnel Options:V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client
12:11:44.679 -- Creds: UsernameEmpty/PasswordEmpty
12:11:44.680 -- Peer Info:
IV_VER=3.git:released:3e56f9a6:Release
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_IPv6=0
IV_AUTO_SESS=1
IV_GUI_VER=net.openvpn.connect.android_3.2.2-5027
IV_SSO=openurl
12:11:44.848 -- VERIFY OK: depth=1, /CN=<openvpn-hostname>
12:11:44.850 -- VERIFY OK: depth=0, /CN=<openvpn-hostname>
12:11:44.974 -- SSL Handshake: CN=<openvpn-hostname>, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
12:11:44.976 -- Session is ACTIVE
12:11:44.978 -- EVENT: GET_CONFIG
12:11:45.004 -- Sending PUSH_REQUEST to server...
12:11:45.055 -- OPTIONS:
0 [redirect-gateway] [def1]
1 [dhcp-option] [DNS] [<local-dns-ip-addr>]
2 [dhcp-option] [DOMAIN] [<local-domain-name>]
3 [route-gateway] [10.8.0.1]
4 [topology] [subnet]
5 [ping] [10]
6 [ping-restart] [120]
7 [ifconfig] [10.8.0.4] [255.255.255.0]
8 [peer-id] [0]
9 [cipher] [AES-256-GCM]
10 [block-ipv6]
12:11:45.056 -- PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: NONE
compress: COMP_STUB
peer ID: 0
12:11:45.059 -- EVENT: ASSIGN_IP
12:11:45.168 -- Connected via tun
12:11:45.174 -- LZO-ASYM init swap=0 asym=1
12:11:45.177 -- Comp-stub init swap=1
12:11:45.179 -- EVENT: CONNECTED info='<external-ip-address>:<port> (2607:7700:0:7::4748:2349) via /UDPv6 on tun/10.8.0.4/ gw=[10.8.0.1/]'

Thanks.

vpnreguser
OpenVpn Newbie
Posts: 4
Joined: Thu Aug 20, 2020 10:22 pm

Re: OpenVPN Connect + Local DNS lookups not working

Post by vpnreguser » Tue Sep 15, 2020 2:23 am

Any additional information needed? Thanks.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Connect + Local DNS lookups not working

Post by TinCanTech » Tue Sep 15, 2020 2:39 am

vpnreguser wrote:
Fri Aug 21, 2020 4:33 pm

[dhcp-option] [DNS] [<local-dns-ip-addr>]
[dhcp-option] [DOMAIN] [<local-domain-name>]
No errors detected .. could be your DNS server?

vpnreguser
OpenVpn Newbie
Posts: 4
Joined: Thu Aug 20, 2020 10:22 pm

Re: OpenVPN Connect + Local DNS lookups not working

Post by vpnreguser » Thu Dec 03, 2020 3:55 am

The local DNS server is working. From the system running openvpn server, I can ping local hosts either with the short hostname or FQDN. From the tcpdump output listed above, dns requests from the android device are hitting the DNS server but the response doesn't seem to be making it back to the android device, even though the iptables commands look correct and tcpdump is showing an attempt to send the data back to the device. Thanks.
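The thread narrows the fault to the return path: the resolver's query log shows the server's own address as the client (so the query was source-NATed on the way out), while tcpdump on the tun interface shows a reply addressed to the tunnel IP. When debugging this kind of "request arrives, reply vanishes" problem, it helps to correlate queries and replies on the tun side mechanically rather than by eye, keyed on the DNS transaction id and the client's ephemeral port, and to flag any reply whose destination differs from the address that asked (which is what a NAT rule applied to the wrong path looks like on the wire). The script below is an added example written for this thread, not code from the original posts or from the OpenVPN project; it parses tcpdump's default DNS-over-UDP line format as seen in the first post, and the capture it runs on is constructed with placeholder names and addresses (10.8.0.4, 10.8.0.1, ns.example.internal) rather than values from the thread. To use it on a real capture, feed it the output of tcpdump on the tun interface.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample capture in the layout tcpdump prints for DNS over UDP on a
# tun interface. Addresses and names are placeholders, not values from the thread:
#   txid 31155: answered normally
#   txid 31156: reply sent to 10.8.0.1 instead of the 10.8.0.4 that asked
#   txid 31157: no reply at all in the capture window
SAMPLE_CAPTURE = """\
18:04:56.872248 IP 10.8.0.4.10921 > ns.example.internal.domain: 31155+ A? host.example.internal. (43)
18:04:56.875049 IP ns.example.internal.domain > 10.8.0.4.10921: 31155* 1/1/1 A 192.0.2.10 (102)
18:05:01.100000 IP 10.8.0.4.10922 > ns.example.internal.domain: 31156+ A? other.example.internal. (44)
18:05:01.103000 IP ns.example.internal.domain > 10.8.0.1.10922: 31156* 1/1/1 A 192.0.2.11 (103)
18:05:05.200000 IP 10.8.0.4.10923 > ns.example.internal.domain: 31157+ A? gone.example.internal. (45)
"""

# "<ts> IP <src>.<sport> > <dst>.<dport>: <txid><flags> <rest>"; tcpdump prints the
# transaction id followed by flag characters such as + (RD) or * (AA).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"(?P<txid>\d+)(?P<flags>[-+*$|]*) (?P<rest>.*)$"
)
DNS_PORTS = {"domain", "53"}  # tcpdump shows the service name unless -n is given


@dataclass
class Query:
    ts: str
    client: str                     # address that asked; the reply must come back here
    port: str                       # client's ephemeral source port
    txid: str                       # DNS transaction id
    name: str                       # queried name
    reply_to: Optional[str] = None  # destination seen on the matching reply, if any


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one tcpdump DNS line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    if d["dport"] in DNS_PORTS:
        d["kind"] = "query"
        parts = d["rest"].split()     # e.g. "A? host.example.internal. (43)"
        d["name"] = parts[1] if len(parts) > 1 else ""
    elif d["sport"] in DNS_PORTS:
        d["kind"] = "reply"
    else:
        return None
    return d


def correlate(capture: str) -> Tuple[List[Query], List[Query], List[Query]]:
    """Pair queries with replies by (txid, client port).

    Returns (answered, unanswered, misdirected). A query is misdirected when a reply
    carrying its txid and port was seen but addressed to a different IP than the one
    that sent the query.
    """
    pending: Dict[Tuple[str, str], Query] = {}
    answered: List[Query] = []
    misdirected: List[Query] = []
    for line in capture.splitlines():
        d = parse_line(line)
        if d is None:
            continue
        if d["kind"] == "query":
            q = Query(d["ts"], d["src"], d["sport"], d["txid"], d["name"])
            pending[(q.txid, q.port)] = q
        else:
            q = pending.pop((d["txid"], d["dport"]), None)
            if q is None:
                continue  # reply whose query fell outside the capture window
            q.reply_to = d["dst"]
            (answered if d["dst"] == q.client else misdirected).append(q)
    return answered, list(pending.values()), misdirected


def report(capture: str) -> List[str]:
    """Human-readable summary: one header line, then one line per problem query."""
    answered, unanswered, misdirected = correlate(capture)
    lines = [f"answered: {len(answered)}  unanswered: {len(unanswered)}  misdirected: {len(misdirected)}"]
    for q in unanswered:
        lines.append(f"no reply for txid {q.txid} ({q.name}) from {q.client}:{q.port}")
    for q in misdirected:
        lines.append(f"reply for txid {q.txid} ({q.name}) went to {q.reply_to}, but query came from {q.client}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CAPTURE)))
```

Run the same script against captures taken on the tun interface and on the LAN-facing interface: a query that is answered on the LAN side but unanswered or misdirected on the tun side points at the NAT or forwarding rules on the server, whereas a query that is answered on the tun side yet still fails on the handset points at the client.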
