split tunneling and --allow-pull-fqdn

Post by pandrian » Mon Jan 13, 2020 3:31 pm

Hi there, I am trying to set up pulling an FQDN route with split tunneling enabled, but I'm unsure how to progress with this.
My understanding is that this needs to be set up on the client side?
And how would that affect the existing split tunneling? Do I need to disable split tunneling in order to achieve pulling an FQDN address?
Is it possible to push the FQDN address from the server configuration?

Thank you in advance!

Currently my client template is the following:

client
proto udp
remote <url>
port 1194
dev tun
nobind
persist-key
persist-tun
resolv-retry infinite
remote-cert-tls server
cipher AES-256-CBC
route-metric 1
auth-user-pass
verb 3

And my server conf is the following:

auth-user-pass-verify /etc/openvpn/checkpsw.sh via-file
script-security 2
username-as-common-name
local <%= @internal_ip %>
port 1194
proto udp
dev tun
ca /usr/share/easy-rsa/3/pki/ca.crt
cert /usr/share/easy-rsa/3/pki/issued/server.crt
key /usr/share/easy-rsa/3/pki/private/server.key  # This file should be kept secret
dh /usr/share/easy-rsa/3/pki/dh.pem
topology subnet
server 10.254.254.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route <ip address> 255.255.255.255 vpn_gateway"
push "route <ip address> 255.255.255.255 vpn_gateway"
push "route <ip address> 255.255.255.255 vpn_gateway"
push "route <ip address> 255.255.255.255 vpn_gateway"
push "route <ip address> 255.255.255.255 vpn_gateway"
;push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DOMAIN <internal domain>"
push "dhcp-option DOMAIN <internal domain>"
push "dhcp-option DOMAIN <internal domain>"
push "dhcp-option DNS <ip address>"
push "dhcp-option DNS <ip address>"

keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
log-append  /var/log/openvpn.log
verb 3
explicit-exit-notify 1

OpenVPN version:

OpenVPN 2.4.7 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019

Post by 300000 » Mon Jan 13, 2020 5:11 pm

Yes, you can do it from the server. Let's try this one to see if it works as you like; just add some lines into your server config:

push "route 0.0.0.0 192.0.0.0 net_gateway"
push "route 64.0.0.0 192.0.0.0 net_gateway"
push "route 128.0.0.0 192.0.0.0 net_gateway"
push "route 192.0.0.0 192.0.0.0 net_gateway"

push "dhcp-option DNS 192.168.1.10"
push "dhcp-option DOMAIN your domain.com"

Adding this to the server will push only DNS and domain to your client. The rest will use the client gateway, so it will use split VPN as you like.

If you want to use your domain you must have a DNS server, and you need to push that address to the client.
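As an added example (not code from this thread or from OpenVPN itself): a small Python checker that parses the pushed routes and dhcp-options of a server config in the style above and answers the two questions the thread circles around: which gateway a given destination ends up on (longest prefix wins, so /32 host routes with vpn_gateway still cross the tunnel while the four /2 net_gateway routes send everything else out the local gateway), and which pushed route targets are DNS names, which an OpenVPN client only accepts when it runs with --allow-pull-fqdn. The config text, addresses and host names are constructed placeholders.

```python
import ipaddress
import re

# Constructed server config modelled on the thread (placeholder addresses and names).
SERVER_CONF = """
push "route 10.0.10.2 255.255.255.255 vpn_gateway"
push "route 192.168.1.10 255.255.255.255 vpn_gateway"
push "route 0.0.0.0 192.0.0.0 net_gateway"
push "route 64.0.0.0 192.0.0.0 net_gateway"
push "route 128.0.0.0 192.0.0.0 net_gateway"
push "route 192.0.0.0 192.0.0.0 net_gateway"
push "route files.corp.example 255.255.255.255 vpn_gateway"
;push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.1.10"
push "dhcp-option DOMAIN corp.example"
push "dhcp-option DOMAIN lab.corp.example"
"""

# Anchored at line start so lines commented out with ';' or '#' are ignored, as OpenVPN does.
ROUTE_RE = re.compile(r'^\s*push\s*"route\s+([^\s"]+)\s+([^\s"]+)(?:\s+([^\s"]+))?\s*"', re.M)
DHCP_RE = re.compile(r'^\s*push\s*"dhcp-option\s+([^\s"]+)\s+([^"]+?)\s*"', re.M)

def pushed_routes(conf):
    """Pushed routes as (network, gateway) pairs; DNS-name targets are listed separately."""
    ip_routes, fqdn_routes = [], []
    for dest, mask, gw in ROUTE_RE.findall(conf):
        gw = gw or "vpn_gateway"  # OpenVPN's default when no gateway keyword is given
        try:
            ip_routes.append((ipaddress.ip_network(f"{dest}/{mask}", strict=False), gw))
        except ValueError:  # not an IP: the client needs --allow-pull-fqdn to accept it
            fqdn_routes.append((dest, gw))
    return ip_routes, fqdn_routes

def gateway_for(addr, ip_routes):
    """Longest-prefix match: the /32 host routes beat the /2 net_gateway routes."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in ip_routes if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else "no_pushed_route"

def net_gateway_covers_all(ip_routes):
    """True when the net_gateway routes merge to 0.0.0.0/0, i.e. the split-tunnel trick is complete."""
    nets = [n for n, gw in ip_routes if gw == "net_gateway"]
    return list(ipaddress.collapse_addresses(nets)) == [ipaddress.ip_network("0.0.0.0/0")]

def dhcp_options(conf):
    """Pushed dhcp-option values grouped by type (e.g. how many DOMAIN entries are pushed)."""
    opts = {}
    for kind, value in DHCP_RE.findall(conf):
        opts.setdefault(kind, []).append(value)
    return opts
```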

Post by pandrian » Tue Jan 14, 2020 10:26 am

Hey @300000, thanks for the reply,

I am not sure if that's gonna work; maybe it's an OpenVPN issue. But if you see, I try to push 3 dhcp-option DOMAINs,
but only one of them gets registered on a Mac in Search Domains, while both DNS IP addresses get registered on the Mac.
Please note I am using the Tunnelblick client.

With the OpenVPN Connect client I don't get any DNS servers or DHCP options registered in the network preferences of the Mac.

I am not sure why this happens exactly. Do you have any ideas? Has it occurred to you?

Post by 300000 » Tue Jan 14, 2020 10:39 am

pandrian wrote: Tue Jan 14, 2020 10:26 am
> Hey @300000, thanks for the reply,
>
> You see, I try to push 3 dhcp-option DOMAINs,
> but only one of them gets registered on a Mac in Search Domains, while both DNS IP addresses get registered on the Mac.
> Please note I am using the Tunnelblick client.

What do you mean when you say 3 option domains? If you want to use multiple domains you need to do it on the DNS server, so when the client requests it will be answered from the DNS server.

What you asked for is to use split tunnel, not domain, anyway.

You can't do

push dhcp-option DOMAINS
push dhcp-option DOMAINS
push dhcp-option DOMAINS

This is not going to work for you; you need to create a record on the DNS server like this: some.on.co 19.168.1.2, help.noe.co 10.0.10.2

Post by pandrian » Tue Jan 14, 2020 10:54 am

Morning @300000,

I already have split tunneling working, that's OK. The problem is here:
pushing an FQDN hostname instead of an IP address to a client.

push "dhcp-option DOMAIN <internal domain>"
push "dhcp-option DOMAIN <internal domain>"
push "dhcp-option DOMAIN <internal domain>"
push "dhcp-option DNS <ip address>"
push "dhcp-option DNS <ip address>"

When you told me to add the extra domain here, as I already do, and based on this issue,
https://github.com/Tunnelblick/Tunnelbl ... -220358808

it seems that OS X takes only the first resolver until it's not resolving anymore, then goes to the next one.
So in that sense adding my additional domain would not work; it is a static website in an S3 bucket, so it would always need to be a hostname. This is not an internal hostname, but I do whitelist the VPN server's external IP address on the S3 bucket.

The reason I asked if it would affect split tunneling is because of the --allow-pull-fqdn option, which as I understood would break split tunneling because everything would need to pass through the VPN?

So I would need to do this resolution on the DNS servers? I am a bit confused here :lol:

Thanks!

Post by pandrian » Tue Jan 14, 2020 12:09 pm

With the OpenVPN Connect client I get this from its logs:

bash-3.2# tail -f openvpn_com_p8476.log
10.8.7.208
10.132.0.18
Search Domains:
c.core-1356.internal
c.skim-dp.internal
c.skim-infra.internal

Tue Jan 14 11:57:01 2020 Connected via utun1

But in the Mac's network preferences I only see my public external IP address, nothing else.
Would you happen to know why this is occurring?

Post by 300000 » Tue Jan 14, 2020 1:23 pm

I said to you it is not going to work for you. You can't push 3 domains as in your config; you need to do it through a DNS server, that is the way the internet works. There are millions of domains out there; if everybody thought the same as you and tried to push all of them, can you think it is going to work? That's why you need to understand how DNS works, and if you want 3 domains you need to do it on your DNS server.