OVPN name resolution -edited 09/26/2022 as SOLVED

[jankom]

I had a working system at home in the US with wpa_supplicant WiFi and a virtual ovpn server. Now I'm traveling in Europe and first the WiFi access did not work after wpa_supplican was updated to 2.10. Finally it is solved using "iwd" instead, and with help from this Forum - see my SOLVED post there. However OVPN access is only partially working: No name resolution. There is Internet access, I can ping a public IP, but not by name. I tried not only my previously working server and client configurations, but also configurations according to Gentoo-Wiki. I looked at a similar post on this forum from 2016, but due to my limited experience and knowledge of networking I ask for help.
The important thing is that everything worked in the US. After connecting to VPN server my public IP became the server's IP, Internet access was OK. I did not change iptables settings or configurations on the OVPN server and client, yet name resolution fails if VPN started. The OVPN "server" is a virtual machine in the US, the "client" is a Fitlet2 machine traveling with me. Both the server and the client have Gentoo installed.

EDIT 09/08/2022 - additional info:
(1) before VPN connection:

[bbgermany]

Hi,

do you run a dns server on your OpenVPN Server in the US? If yes, which DNS Server and did you allow access via vpn to the dns server? Please post the resolv.conf before and after connecting to the OpenVPN Server.

Please check the IP address, you get in the public wireless. Maybe its in the same range as your vpn connection. A traceroute to maybe 8.8.8.8 would be interesting as well. This should show, whether you are going through the tunnel or not to access this host.

Greetings Stefan
_________________
Desktop: Ryzen 5 5600G, 32GB, 2TB, RX7600
Notebook: Dell XPS 13 9370, 16GB, 1TB
Server #1: Ryzen 5 Pro 4650G, 64GB, 16.5TB
Server #2: Ryzen 4800H, 32GB, 22TB

[jankom]

Thx Stefan,
No, I do not run a DNS server. The virtual machine in the US has its own public IP.
(a) on Fitle2 machine in Hungary (OVPN client)

[bbgermany]

Hmm, i tried to use the dns servers of your resolv.conf to run nslookup. it seems these are no dns servers, thats why no resolution works. I always get a dns timeout. maybe you should change them to something that should definitly work (maybe 1.1.1.1 hosted by cloudflare or 8.8.8.8 hosted by google).

[madmin]

Hi there,

Q1: I'm not to understand what's the problem... when you wrote "no dns resolving", did you try to change the DNS servers on your OpenVPN client to use some DNS server which is known to work (as 8.8.8.8, 1.1.1.1)?

If the point is to get DNS resolution in general (meaning not using one specific [bunch of] DNS server[s] to get access to specific DNS zone[s], I would use a standard DNS server (one from your ISP or one open like the two mentioned previously).

I'm in France with no specific account or anything related to opendns.com. When using "nmap" to check the status of TCP/53 and UDP/53 on the 5 DNS servers used in your resolv.conf as nameserver, everything is filtered (meaning that some kind of firewall is blocking the access to these ports on these IPs).

UDP check:

[jankom]

Thanks for the nmap trick and for yur interest in this problem.
Q3 - the problem is that if connected with iwd WiFi in Hungary and VPN tunneled into the Atlanta virtual machine there is no name resolution. Disconnecting VPN Internet works fine.
Q2 - without VPN everything is fine. I edited /etc/resolv.conf file to change nameserver from the Hungarian ISP dhcp assigned nameservers to 1.1.1.1 or other nameservers and they all work, but as soon as VPN connection is established there is no name resolution.
Q1

[bbgermany]

Please show the output of "ip r" with and without the vpn connection. It looks like, you cant reach anything since the routing is messed up after you start your vpn. Also, does the VPN in US masq connections through it? I think you set up a private network address range for your openvpn.

Greetings Stefan

edit: "ip a" would be interesting as well in this case (you can x-out the public ip address of your wireless device).
_________________
Desktop: Ryzen 5 5600G, 32GB, 2TB, RX7600
Notebook: Dell XPS 13 9370, 16GB, 1TB
Server #1: Ryzen 5 Pro 4650G, 64GB, 16.5TB
Server #2: Ryzen 4800H, 32GB, 22TB

[madmin]

You're welcome ; )

Stephan is right, output of "ip a" and "ip r" given twice (connected and not connected) shall help.

Doing a ping test (on an IP anywhere on internet, outside your private networks) once connected too...

But it seems that your issue in only on DNS resolution when connected to the VPN, meaning that when you are connected to the VPN, you can reach internet using IPs (as per (4) in your first post).

If you can ping outside or use outside DNS server (as in (4)) when connected to your VPN, I'd bet on an issue on DNS configuration on your OpenVPN client (Fitle2 I believe).
If I'm right you can manually manage your DNS server (through /etc/resolv.conf) AND tell your DHCP clients (plural because it shall be run twice, for your main/real interface and for your VPN interface) to stop managing DNS servers.

How to disable DNS management through DHCP will depend on how the cards are configured:
- with systemd-networkd:

[jankom]

We're almost there. I do have name resolution while connected to VPN.
First of all, a correction, my mistake: during debugging this situation I messed up the OVPN server conf. Restoring to original (US) version and editing resolv.conf on the server to use 1.1.1.1 name resolution does work with VPN.
It also works if I use the "filtered" name server of my OVPN server machine in Atlanta, GA.
My Gentoo system uses openRC.
Also, I think part of the problem is that iwd has its own dhcp service. Therefore right now the only solution that works for me is to manually edit resolv.conf file on Fitlet2, the VPN client. Will see what happens when I get back to the US and my ISP will assign a "filtered" name server.
For the record here is my ip a and ip r without VPN:

[jankom]

I could mark this thread as SOLVED but my solution is just a brute force method and it is not stable.
I created a script that I can invoke from menu after VPN is activated..It overwrites "etc/resolv/conf" file with resolv.conf.vpn file. This way I can access some of the US based banking and other web sites which otherwise would not let me do much because of a foreign IP address.
Using VPN and the"filtered" name servers things do work though intermittently. Occasionally /etc/resolv.conf is regenerated by the Hungarian ISP, so I have to rerun the copy script.

Btw, I tried the gentoo specific /etc/conf.d/net "nodns" method. Nevertheless the resolv.conf file is regenerated with Hungarian ISP nemaservers. So the only solution now is the brute force.

Thanks anyway for the help and direction I received on this forum - ankom (janos)

[bbgermany]

It looks like you are trying to redirect your default gateway:

[jankom]

Thx Stefan. I was away for a few days.

Yes, initially, before I turned to this forum, I tried to modify the OVPN client configuration (the one on the Fitlet2 machine in Hungary) without success. There is a lot more to learn for me.

My "brute force method" works now: after connecting to WiFi with iwd and starting the OVPN process I overwrite the resolv.conf file with the nameservers my VPN server uses in Atlanta, GA. I is working now without a glitch.

But yes, I would like to do it the correct way, to redirect all network traffic via tun0. What is the correct setting in the vpn client configuration?

Cheers, Janos (jankom

[bbgermany]

Hi,

afair its done in the server config and the client config. Please have a look here:

https://openvpn.net/community-resources/how-to/#routing-all-client-traffic-including-web-traffic-through-the-vpn

greeting Stefan
_________________
Desktop: Ryzen 5 5600G, 32GB, 2TB, RX7600
Notebook: Dell XPS 13 9370, 16GB, 1TB
Server #1: Ryzen 5 Pro 4650G, 64GB, 16.5TB
Server #2: Ryzen 4800H, 32GB, 22TB

[jankom]

Hi, sorry for the delay in my response to your post. I'm back in the States and catching up with stuff. My OVPN setup with iwd WiFi access works well with my US Internet provider, and did not even have to overwrite the resolv.conf file. This means that the nameserver IP provided my US Internet connector finds servers on the Internet by their name. In Hungary I could only connect to another machine with public IP using their IP, that is there was no name service. I had to rewrite the resolv.conf file on my vpn client (the Fitlet2 machine in Hungary) in order to fully function as a vpn connected machine.

Based on the link in your post I changed the OVPN server configuration by replacing push "redirect-gateway def1 bypass-dhcp" with

[jankom]

It looks like the "dhcp-option DNS 10.8.0.1" does nmt change the exposed public IP, therefore it is not a hidden tunnel, so I went back to the original

[bbgermany]

Hi,

i think you did not understand the config at its specials:

1. "push dhcp-option DNS" should point to you local dns server running in your vpn network (maybe on the same host as the openvpn server). So please think about, whether you network vpn or the network behind your openvpn server equals to 10.8.0.x
2. "push redirect-gateway def1" is still needed, since this will redirect ALL traffic through your vpn, since it reconfigure your default gateway settings

Only if you are running both options successfull, all your traffic (including DNS resolving) will go through your openvpn tunnel. But to be honest, I had a f***ing lot issues get this running as well and switched to wireguard instead. And this was way easier to get this special setup running

Greetings Stefan
_________________
Desktop: Ryzen 5 5600G, 32GB, 2TB, RX7600
Notebook: Dell XPS 13 9370, 16GB, 1TB
Server #1: Ryzen 5 Pro 4650G, 64GB, 16.5TB
Server #2: Ryzen 4800H, 32GB, 22TB

[jankom]

Thank you, it works now with both push directives.
Yes, I did not quite understand that I can have multiple push directives in ovpn server configuration.
And yes, 10.8.0.1 is the server IP of the internal vpn network.
Now I have the correct public IP of the client, and I think it willl work even if outside the US.

Thank you for your patience and expert advice help. I'll mark ths thread finally as SOLVED.

P.S. I looked at wireguard, and plan to replace OVPN with it, especially since its developer is a Gentoo guy.

Peace and happyness!

Janos (jankom)

[bbgermany]

Hi,

good to see it working now. If you have any questions regarding wireguard config, just let me know

Greeting Stefan
_________________
Desktop: Ryzen 5 5600G, 32GB, 2TB, RX7600
Notebook: Dell XPS 13 9370, 16GB, 1TB
Server #1: Ryzen 5 Pro 4650G, 64GB, 16.5TB
Server #2: Ryzen 4800H, 32GB, 22TB

[jankom]

Thanks Stefan - I do need some help with wireguard, but will start a new thread for the sake of clarity and simplicity - Janos