Configuration issue

Posted: Wed May 04, 2011 7:34 am
by kiteplans
Hi,

I have spent endless hours on OpenVPN config.

I was running my server on a Virtualized OpenVZ server, and after many many hours got it working.

I have, however, now moved my server over to a non-virtualized server but can't seem to get it to work.

My Goal is to tunnel ALL traffic through the VPN - internet browsing and name resolution so that I will be able to browse all blocked sites.

server.conf

Code:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

Firewall rules:

Code:

$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 1194 -m limit --limit 1/s --limit-burst 10 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 1194 -j ACCEPT
$IPTABLES -A INPUT -i tun+ -j ACCEPT
$IPTABLES -A FORWARD -i tun+ -j ACCEPT
$IPTABLES -A OUTPUT -o tun+ -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Named Config:

Code:

options {
    directory "/var/named";
    pid-file "/var/run/named/named.pid";
    allow-recursion {
        localnets;
        127.0.0.1;
        10.8.0.0/24;
    };
    listen-on {
        10.8.0.1;
        127.0.0.1;
    };
};

zone "." {
    type hint;
    file "/etc/db.cache";
};

zone "**My Domain**" {
    type master;
    file "data/**My Domain**.hosts";
    allow-transfer {
        127.0.0.1;
        localnets;
        **MY-IP**;
    };
    also-notify {
        **MY-IP**;
    };
};

zone "6**MY-IP**.in-addr.arpa" {
    type master;
    file "data/**MY-IP**.rev";
};

What am I doing wrong?

I am able to connect and browse through the connection - my name resolution of sites is not done by my DNS however.

Thanks in advance
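As an added example (not code from the thread, OpenVPN or BIND): a cross-check of the three server-side pieces in this post, written in Python. It parses the VPN subnet and the pushed DNS address from server.conf, the MASQUERADE source from the NAT rule, and named's listen-on and allow-recursion blocks, and reports where they disagree; the inputs are constructed from the post's own values.

```python
import ipaddress
import re

# Constructed excerpts using the thread's own values (server.conf, the NAT rule
# and named.conf), trimmed to the directives that have to agree with each other.
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
"""
NAT_RULE = "$IPTABLES -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE"
NAMED_CONF = """\
allow-recursion { localnets; 127.0.0.1; 10.8.0.0/24; };
listen-on { 10.8.0.1; 127.0.0.1; };
"""

def block_entries(name, conf):
    """Entries of a 'name { a; b; };' named.conf block, or None if absent."""
    m = re.search(name + r"\s*\{([^}]*)\}", conf, re.S)
    return m and [e.strip() for e in m.group(1).split(";") if e.strip()]

def check_vpn_dns(server_conf, nat_rule, named_conf):
    """Cross-check the three pieces; returns a list of 'fail:'/'warn:' findings."""
    findings = []
    m = re.search(r"^server\s+(\S+)\s+(\S+)", server_conf, re.M)
    vpn_net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    pushed = [ipaddress.ip_address(a)
              for a in re.findall(r'dhcp-option DNS (\S+)"', server_conf)]
    for dns in pushed:
        # An off-tunnel resolver is reached via the VPN only if all traffic is redirected.
        if dns not in vpn_net and "redirect-gateway" not in server_conf:
            findings.append(f"fail: DNS {dns} is outside {vpn_net} without redirect-gateway")
    nat = re.search(r"-s (\S+)\s.*-j MASQUERADE", nat_rule)
    if nat is None or ipaddress.ip_network(nat.group(1)) != vpn_net:
        findings.append(f"fail: MASQUERADE source does not match {vpn_net}")
    listen = block_entries("listen-on", named_conf)
    local = [d for d in pushed if d in vpn_net]  # the VPN server is the resolver
    for dns in local:
        if listen is not None and str(dns) not in listen:
            findings.append(f"fail: named listen-on does not include {dns}")
        elif listen is not None:
            # Pinned to a tun address, named can bind it only once tun exists
            # (at start or at its next interface rescan); the thread hit this.
            findings.append(f"warn: named is pinned to {dns}, an address that exists only while tun is up")
    networks = [ipaddress.ip_network(e) for e in block_entries("allow-recursion", named_conf) or []
                if re.fullmatch(r"[\d.]+(/\d+)?", e)]
    if local and not any(vpn_net.subnet_of(n) for n in networks):
        findings.append(f"fail: allow-recursion does not cover {vpn_net}")
    return findings
```

Run as check_vpn_dns(SERVER_CONF, NAT_RULE, NAMED_CONF); the thread's own configuration yields only the listen-on warning, which is the directive the poster later removes.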

Re: Configuration issue

Posted: Wed May 04, 2011 7:57 am
by janjust
what is your client OS?
what happens if you type (on the client)

Code:

nslookup www.google.com 10.8.0.1
?
If your client OS is Windows, try adding

Code:

register-dns
to ensure that Windows picks up the new DNS server.

If your client OS is not Windows, ensure that your openvpn client picks up and processes the DNS setting (e.g. on Linux use update-resolv-conf)

Re: Configuration issue

Posted: Wed May 04, 2011 8:07 am
by kiteplans
nslookup www.google.com 10.8.0.1

Code:

C:\Documents and Settings\Administrator>nslookup www.google.com 10.8.0.1
*** Can't find server name for address 10.8.0.1: No response from server
Server:  UnKnown
Address:  10.8.0.1

*** UnKnown can't find www.google.com: No response from server
Add register-dns where?

Re: Configuration issue

Posted: Wed May 04, 2011 8:21 am
by janjust
"*** Can't find server name for address 10.8.0.1: No response from server"
this means your remote DNS server is not responding; rerun the command on the VPN server itself after the tunnel is up. Is named started and listening on port 53?
"Add register-dns where?"
this would be a client configuration file option, e.g. at the bottom of the .ovpn file; but first the 'nslookup' must work.

Re: Configuration issue

Posted: Wed May 04, 2011 8:32 am
by kiteplans
yes, Bind is on and listening on port 53.

From the VPN:

Code:

[root@**] nslookup www.google.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
www.google.com  canonical name = www.l.google.com.
Name:   www.l.google.com
Address: 74.125.224.48
Name:   www.l.google.com
Address: 74.125.224.49
Name:   www.l.google.com
Address: 74.125.224.50
Name:   www.l.google.com
Address: 74.125.224.51
Name:   www.l.google.com
Address: 74.125.224.52

Code:

[root@**] nslookup www.google.com 10.8.0.1
;; connection timed out; no servers could be reached

Re: Configuration issue

Posted: Wed May 04, 2011 8:37 am
by kiteplans
after removing

Code:

    listen-on {
        10.8.0.1;
        127.0.0.1;
    };
from bind config:

On VPN Server:

Code:

nslookup www.google.com 10.8.0.1
Server:         10.8.0.1
Address:        10.8.0.1#53

Non-authoritative answer:
www.google.com  canonical name = www.l.google.com.
Name:   www.l.google.com
Address: 74.125.224.49
Name:   www.l.google.com
Address: 74.125.224.50
Name:   www.l.google.com
Address: 74.125.224.51
Name:   www.l.google.com
Address: 74.125.224.52
Name:   www.l.google.com
Address: 74.125.224.48
On Client:

Code:

C:\Documents and Settings\Administrator>nslookup www.google.com 10.8.0.1
*** Can't find server name for address 10.8.0.1: Non-existent domain
Server:  UnKnown
Address:  10.8.0.1

Non-authoritative answer:
Name:    www.l.google.com
Addresses:  74.125.224.48, 74.125.224.49, 74.125.224.50, 74.125.224.51
          74.125.224.52
Aliases:  www.google.com


Re: Configuration issue

Posted: Wed May 04, 2011 8:40 am
by kiteplans
Could it be a bind folder permissions problem - I seem to remember having to change the permissions of the named folder on my old server but I am not sure

Re: Configuration issue

Posted: Wed May 04, 2011 8:45 am
by janjust
So with "after removing ..." it is now working; now try adding the 'register-dns' option on the client, reconnect the client and check whether your DNS queries are also routed via the VPN.

Re: Configuration issue

Posted: Wed May 04, 2011 8:58 am
by kiteplans
no - still same result - I can browse and everything through the VPN connection (Posting here now through it).

But as soon as I try to browse blocked sites it does not work. (Name resolution not working)

Re: Configuration issue

Posted: Wed May 04, 2011 8:59 am
by janjust
please post the (sanitized) output of

Code:

ipconfig /all
after connecting; the ipv6/teredo interfaces are not interesting.

Re: Configuration issue

Posted: Wed May 04, 2011 9:05 am
by kiteplans
Think this is all you need:

Code:

ipconfig /all

Ethernet adapter 无线网络连接 5:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : RT73 USB Wireless LAN Card #4
        Physical Address. . . . . . . . . : 00-25-86-AA-4F-24
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.103
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1


Ethernet adapter 本地连接 9:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : TAP-Win32 Adapter V9
        Physical Address. . . . . . . . . : 00-FF-5F-EB-BA-90
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.8.0.6
        Subnet Mask . . . . . . . . . . . : 255.255.255.252
        Default Gateway . . . . . . . . . : 10.8.0.5
        DHCP Server . . . . . . . . . . . : 10.8.0.5
        DNS Servers . . . . . . . . . . . : 10.8.0.1
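
As an added example, not from the thread: the ipconfig /all output above lists two resolvers, the LAN one (192.168.1.1) and the VPN-pushed one (10.8.0.1). The parser below reads output in that shape and reports every configured resolver outside the VPN subnet, which is what a client-side DNS leak looks like; the adapter names in the sample are constructed, the addresses are the post's.

```python
import ipaddress
import re

# Constructed sample in the shape of the thread's `ipconfig /all` output (adapter
# names made up, addresses from the thread): LAN adapter plus the TAP adapter.
IPCONFIG = """\
Ethernet adapter Wireless Network Connection 5:

        Description . . . . . . . . . . . : RT73 USB Wireless LAN Card #4
        IP Address. . . . . . . . . . . . : 192.168.1.103
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1

Ethernet adapter Local Area Connection 9:

        Description . . . . . . . . . . . : TAP-Win32 Adapter V9
        IP Address. . . . . . . . . . . . : 10.8.0.6
        Default Gateway . . . . . . . . . : 10.8.0.5
        DNS Servers . . . . . . . . . . . : 10.8.0.1
"""

def parse_ipconfig(text):
    """Map adapter name -> {field: [values]} from `ipconfig /all` output."""
    adapters, current, field = {}, None, None
    for line in text.splitlines():
        head = re.match(r"^\S.* adapter (.+):$", line)
        if head:
            current, field = adapters.setdefault(head.group(1), {}), None
            continue
        kv = re.match(r"^\s+([A-Za-z][^.:]*?)[ .]*: ?(.*)$", line)
        if kv and current is not None:
            field = kv.group(1).strip()
            current.setdefault(field, [])
            if kv.group(2).strip():
                current[field].append(kv.group(2).strip())
        elif line.strip() and field and current is not None:
            # Indented line without a key: extra value of the previous field
            # (this is how ipconfig lists a second DNS server).
            current[field].append(line.strip())
    return adapters

def dns_leak_report(adapters, vpn_net):
    """Resolvers configured outside the VPN subnet, per adapter: a resolver on
    the directly connected LAN stays reachable without the tunnel even with
    redirect-gateway pushed, so Windows can still send queries there."""
    vpn_net = ipaddress.ip_network(vpn_net)
    return [(name, dns) for name, fields in adapters.items()
            for dns in fields.get("DNS Servers", [])
            if ipaddress.ip_address(dns) not in vpn_net]
```

Calling dns_leak_report(parse_ipconfig(IPCONFIG), "10.8.0.0/24") flags the LAN adapter's 192.168.1.1, the resolver the later nslookup in this thread actually answers from.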
        

Re: Configuration issue

Posted: Wed May 04, 2011 9:41 am
by janjust
yep; it shows that the VPN-supplied DNS server is picked up by the client but for some reason it is not used as the default DNS server. what happens if you run

Code:

  net stop dnscache
  net start dnscache
and then run

Code:

nslookup www.google.com
?

Re: Configuration issue

Posted: Wed May 04, 2011 9:45 am
by kiteplans
After:

Code:

net stop dnscache
net start dnscache

Code:

C:\Documents and Settings\Administrator>nslookup www.google.com
Server:  bogon
Address:  192.168.1.1

Non-authoritative answer:
Name:    www-g-com-chn.l.google.com
Addresses:  74.125.71.104, 74.125.71.99
Aliases:  www.google.com

Re: Configuration issue

Posted: Wed May 04, 2011 10:17 am
by kiteplans
well - I am thinking it's a DNS issue.

I turned off everything and turned on the VPN client.

Then issued the Iptable rules.

I could then connect to the internet via the VPN - but still not blocked sites.

Then started up the DNS and tried again - still no luck

Really hope someone can help me - this is the second time I have spent days on getting OpenVPN to work!

Re: Configuration issue

Posted: Wed May 04, 2011 1:11 pm
by janjust
try doing

Code:

push "dhcp-option DNS 8.8.8.8"
instead and see if it picks up *that* DNS server (yes, 8.8.8.8 is a valid DNS server). if so, then you know it's your DNS server; if not, then it's something funny on your windows client.

Re: Configuration issue

Posted: Sat May 07, 2011 6:40 am
by kiteplans
I tried but it still does not work.

I am also sure that it is nothing with my windows client. I can use the exact same settings on a different server and it connects and works fine. Does nameserver resolution via the DNS on the server.

But this server just won't work