OpenVPN Support Forum

Folks,

This is my first run at opnevpn. I read up, studied, consulted no less than three how to's and all went smooth. The client connected fine, and I could ping around the network.

Then, came the names. I realized that when connected, I could not resolve hostnames from either the target network, or my local one. If I order the tap adapter first, nslookup queries the dns server on that network, and then I get a dns timeout from the server 2008 Domain Controller, i.e.:

C:\Users\>nslookup media1 192.168.1.7
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.1.7

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out

If I order the wireless connection first, then I get no reply from the local dns server (server 2003 virtual machine).

The near side --------------
C:\Users\>nslookup http://www.google.com
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.2.250

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out

But If I run tracroutes, then the names get resolved.

...over a maximum of 30 hops:
...
3 19 ms 16 ms 18 ms MEDIA1 [192.168.10.5]

I can ssh, and ping via IP, but any name resolution crashes hard. I have poured over forums for six hours, but nothing that's worked for others has helped and I can't make sense of no getting a response from the local dns server when openvpn is connected.

As soon as I disconnect, I get webpages again.

C:\Users\>nslookup www.facebook.com
Server: mits-dc1.nogroup.net
Address: 192.168.2.250

Non-authoritative answer:
Name: www.facebook.com
Address: 69.171.224.12

route print shows all the packets going where they are supposed to. A little help here?

Many Thanks,

MORE STUFF:
Server = centos 5.5
Client = Windows 7
Far side dns server Windows 2008 R2.

server config file:

proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.10.0 255.255.255.0"
push "route 192.168.20.0 255.255.255.0"
push "route 192.168.30.0 255.255.255.0"
push "route 192.168.40.0 255.255.255.0"
push "route 192.168.50.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.7"
push "dhcp-option DNS 192.168.1.17"
push "dhcp-option WINS 192.168.1.7"
push "dhcp-option DOMAIN ipdomain.org"
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 6
mute 20

Client Config File:

client
dev tun
proto udp
remote 70.0.0.6 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
mute 20

hi there,


can you ping your dns server from your openvpn client?

if yes

did you allowed access to your dns so it can accept queries from other subnets?

Michael.

Sure, I can ping anything on the server side, to include other routed subnets. I did notice that one of the subnets (192.168.2.0) was the same as my local LAN, so I took out the push statement on the server and restarted the client, and the open vpn service on the server, and now multihomed dns works as far as I can surf the internet from the client on the local LAN.

I can ping both DNS servers.
Reply from 192.168.1.17: bytes=32 time=19ms TTL=126
Reply from 192.168.1.7: bytes=32 time=17ms TTL=126

But on any nslookups, I still get:
DNS request timed out.
timeout was 2 seconds.

I haven't seen anything in the server's config that restricts it to certain subnets. My understanding of Windows DNS, is that any client, from any routed subnet can query it, and it will answer.

I have thought about making the centos server a caching resolver, but I don't know if that will work, and I didn't want to add another DNS source to this network that has two already. If that's a valid solution though, I may try it.

So, a little more info now, but it's still not making sense to me.

Traceroute from the Windows DNS server to the client's vpn address:

C:\Documents and Settings\>tracert 10.8.0.6

Tracing route to 10.8.0.6 over a maximum of 30 hops

1 1 ms 1 ms 1 ms 192.168.1.1
2 <1 ms <1 ms <1 ms linuxserver.org [192.168.1.2
35]
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.

No route from the VPN server's eth0 to tun 0?
So I put one in:
route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.1

Still no dice.

[root@LinuxServer ~]# traceroute 10.8.0.6
traceroute to 10.8.0.6 (10.8.0.6), 30 hops max, 40 byte packets
1 * * *
2 * * *
3 * * *

Ip forwarding is enabled, so anybody got any ideas? And how are pings getting back with no route?

Just noticed I now have a dup route. The one I put in, was already present.
[root@LinuxServer ~]# netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.8.0.2 * 255.255.255.255 UH 0 0 0 tun0
10.8.0.0 10.8.0.1 255.255.255.0 UG 0 0 0 tun0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
192.168.122.0 * 255.255.255.0 U 0 0 0 virbr0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0

Thanks again for any help. This one just keeps getting stranger.

hi there,

>route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.1

you dont need to add that to your openvpn server

also

does 10.8.0.6 has firewall enabled on it?
if yes that probably blocks traffic from vpn to your client.

to your issue (dns)

i am not 2008 guru,but i know that they have a firewall
maybe its blocking something
also i know that ms dns servers block zone transfers by default (this is not your case though).

i dont know if you can find out from dns logs if the client does contacts you or not...

Michael.

I didn't think about the client firewall so I tried shutting it off. Still no luck, but it was good to eliminate it as the culprit. It also reminded me to check the opnevpn server's ip tables.

The Windows server does block dns zone transfers, but not dns queries. It will accept zone transfers via tcp only from servers on it's name servers tab, so in that way, it's a lot like bind. But it will accept and respond to queries from any source via udp.

I think today I'm going to install wireshark on the server and see if that tells me what's happening. I'll post the results if I can't work it out on my own, and the solution if I can.

Thanks for the suggestions.

Well, things seem to be working now. I had to make some weird changes on the windows client.

The wireshark and tcpdumps were showing me a double appended dns name. For example, client.dnssuffix.vpn.dnssuffix.local-lan, instead of just client.dnssuffix.vpn

The only way I could wipe out the dns settings of the local lan, was to go to the advanced connection porperties of the interface and on the DNS tab at the bottom type in the vpn's proper dns suffix in "DNS suffix for this connection"

I tried to put this info on the tap tunnel adapter, but it doesn't work there, I still get the double suffix.

The workaround suit my purposes. But this will present a problem it seems to me when a host from one Active Directory domain has to VPN into another AD domain, such as a vendor to a client site.

If someone knows of a solution that's more transparent to the user, I'm all ears.