Netgate Discussion Forum

    dns resolver problem after OpenVPN connected

    OpenVPN
    14 Posts 2 Posters 2.4k Views
    • chudak

      I connect via OpenVPN from several systems, but on my Ubuntu laptop I started having this issue: after connecting to OpenVPN I see no name resolution:

      nslookup google.com
      ;; connection timed out; no servers could be reached
      

      and here is before and after connection:

      resolvectl status wlp82s0
      Link 3 (wlp82s0)
            Current Scopes: DNS             
      DefaultRoute setting: yes             
             LLMNR setting: yes             
      MulticastDNS setting: no              
        DNSOverTLS setting: no              
            DNSSEC setting: no              
          DNSSEC supported: no              
        Current DNS Server: 2001:558:feed::1
               DNS Servers: 2001:558:feed::1
                            2001:558:feed::2
                DNS Domain: ~.
      
      resolvectl status wlp82s0
      Link 3 (wlp82s0)
            Current Scopes: none
      DefaultRoute setting: no  
             LLMNR setting: yes 
      MulticastDNS setting: no  
        DNSOverTLS setting: no  
            DNSSEC setting: no  
          DNSSEC supported: no
      

      I am missing something but not sure what.
      TIA

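An added example, not from the thread or from Netgate: a small Python parser for the resolvectl status output shown above that states, from the per-link fields alone, why lookups time out (no link left with a DNS scope) or where they will go. The tun0 sample, and its use of 192.168.90.1 as the resolver pushed by the server, are constructed for illustration.

```python
import re

# Constructed samples cut down from the resolvectl output in the first post:
# the Wi-Fi link before the VPN came up, the same link after it lost its DNS
# scope, and a hypothetical tun0 holding the pushed resolver without DefaultRoute.
WIFI_BEFORE = """Link 3 (wlp82s0)
      Current Scopes: DNS
DefaultRoute setting: yes
         DNS Servers: 2001:558:feed::1
                      2001:558:feed::2
          DNS Domain: ~.
"""
WIFI_AFTER = """Link 3 (wlp82s0)
      Current Scopes: none
DefaultRoute setting: no
"""
TUN_NO_DEFAULT = WIFI_AFTER + """Link 5 (tun0)
      Current Scopes: DNS
DefaultRoute setting: no
         DNS Servers: 192.168.90.1
"""

def parse_links(text):
    """Parse 'resolvectl status' into {link: {field: value}}; 'DNS Servers' is a list."""
    links, cur, field = {}, None, None
    for line in text.splitlines():
        m = re.match(r"Link \d+ \((\S+)\)", line)
        if m:  # start of a per-link section (a leading Global section is skipped)
            cur, field = links.setdefault(m.group(1), {"DNS Servers": []}), None
            continue
        m = re.match(r"\s*([A-Za-z ]+?):\s*(.*)$", line) if cur else None
        if m:
            field, value = m.group(1), m.group(2).strip()
            cur[field] = ([value] if value else []) if field == "DNS Servers" else value
        elif cur and field == "DNS Servers" and line.strip():
            cur[field].append(line.strip())  # continuation line of the server list
    return links

def diagnose(text):
    """Explain from per-link state alone where lookups go, or why they time out."""
    links = parse_links(text)
    usable = sorted(n for n, l in links.items()
                    if l.get("Current Scopes", "none") != "none" and l["DNS Servers"])
    if not usable:
        return "no link has a DNS scope: resolved has nobody to ask, queries time out"
    default = [n for n in usable if links[n].get("DefaultRoute setting") == "yes"]
    if not default:
        return "DNS only on %s, no default-route link: names outside its domains fail" % ", ".join(usable)
    return "ok: default lookups go to %s via %s" % (", ".join(links[default[0]]["DNS Servers"]), default[0])
```

Feed it the full output of `resolvectl status` on the client after the VPN is up; a link with a DNS scope but `DefaultRoute setting: no` only answers for its own search domains, which is the third sample's case.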
      • viragomann @chudak

        @chudak said in dns resolver problem after OpenVPN connected:

        I connect via OpenVPN from several systems, but on my Ubuntu laptop I started having this issue: after connecting to OpenVPN I see no name resolution:

        Do you use the NetworkManager OpenVPN plugin to connect?

        By default NM routes the whole upstream traffic over the VPN.
        If this is not desired and you push specific routes from the server, edit the connection settings, go to the IPvX tab > routes and check "use only for resources of this connection".

        • chudak @viragomann

          @viragomann said in dns resolver problem after OpenVPN connected:

          @chudak said in dns resolver problem after OpenVPN connected:

          I connect via OpenVPN from several systems, but on my Ubuntu laptop I started having this issue: after connecting to OpenVPN I see no name resolution:

          Do you use the NetworkManager OpenVPN plugin to connect?

          By default NM routes the whole upstream traffic over the VPN.
          If this is not desired and you push specific routes from the server, edit the connection settings, go to the IPvX tab > routes and check "use only for resources of this connection".

          Thx
          If I set my OpenVPN connection as:

          f870a6ba-8779-44a7-a835-bb184a7f7766-image.png

          It helps partly. I can ping google.com, but my remote home network resources are not accessible still :(

          Anything else I need to do?

          I do use this in my OpenVPN server settings and it used to work fine (and still work for all other clients):

          57912ca1-06ce-442c-873e-c5491b14caa2-image.png

          • viragomann @chudak

            @chudak
            Did you enter the remote networks in the server settings to push the routes to the client?
            With recent NetworkManager this should work though.

            I had issues in the past with former versions, where the routes were not set even though the server pushed them. As a workaround I entered the remote networks in the client settings.
            To do so, just click routes and add them manually. No need to specify a gateway, just network address + mask.

            • chudak @viragomann

              @viragomann said in dns resolver problem after OpenVPN connected:

              @chudak
              Did you enter the remote networks in the server settings to push the routes to the client?
              With recent NetworkManager this should work though.

              I had issues in the past with former versions, where the routes were not set even though the server pushed them. As a workaround I entered the remote networks in the client settings.
              To do so, just click routes and add them manually. No need to specify a gateway, just network address + mask.

              Can you share an example of what you have done?
              TIA

              • viragomann @chudak

                @chudak
                On the server did you enter your local networks here:
                dc65ed21-9139-4f3c-8c05-11b1c7d5d936-image.png

                In my client settings (workaround if the above does not work), I have since removed the manual routes, as I don't need them anymore.
                It's just on the IPv4 (or v6) there is a "Routes" button. Click it and you can add your remote networks.

                • chudak @viragomann

                  @viragomann

                  I had "Force all client-generated IPv4 traffic through the tunnel." checked

                  After unchecking I have now:

                  81e6cc14-7ef2-4940-bd78-ce5a6c6839e9-image.png

                  and it did help!!!

                  Thx a million :)

                  Why did it change behavior ?!

                  • chudak @chudak

                    @chudak said in dns resolver problem after OpenVPN connected:

                    "Force all client-generated IPv4 traffic through the tunnel."

                    Using "Force all client-generated IPv4 traffic through the tunnel." did make my external IP set to my server's IP and now it's not.

                    How do we get it back with the routes specified?

                    • viragomann @chudak

                      @chudak
                      Yeah, the option does what its name says. It forces all upstream traffic over the VPN. Hence your outbound traffic gets the public IP from the server.
                      If this is what you want, you need to check the option.

                      Then for DNS resolution you need to ensure that the used DNS server is accessible over the VPN.
                      Best to use a DNS server from the remote network.

                      In the screenshot above you stated a DNS in the OpenVPN server settings. Is it reachable?
                      Is it used by the client?
                      Does the server respond?

                      • chudak @viragomann

                        @viragomann said in dns resolver problem after OpenVPN connected:

                        @chudak
                        Yeah, the option does what its name says. It forces all upstream traffic over the VPN. Hence your outbound traffic gets the public IP from the server.
                        If this is what you want, you need to check the option.

                        Then for DNS resolution you need to ensure that the used DNS server is accessible over the VPN.
                        Best to use a DNS server from the remote network.

                        In the screenshot above you stated a DNS in the OpenVPN server settings. Is it reachable?
                        Is it used by the client?
                        Does the server respond?

                        My old settings without routes specified work fine for all clients except one laptop.

                        When I unset “Force all client-generated IPv4 traffic through the tunnel."
                        all clients work but no server IP used (not sure if this is important, just wondering how to make it work)

                        In both cases I have DNS forced thru my pfsense and it seems to be responding etc.

                        • viragomann @chudak

                          @chudak said in dns resolver problem after OpenVPN connected:

                          and it seems to be responding

                          Sure?

                          To investigate, with "redirect gateway" checked, run

                          dig google.com
                          

                          on the client and look which server is responding.

                          • chudak @viragomann

                            @viragomann said in dns resolver problem after OpenVPN connected:

                            @chudak said in dns resolver problem after OpenVPN connected:

                            and it seems to be responding

                            Sure?

                            To investigate, with "redirect gateway" checked, run

                            dig google.com
                            

                            on the client and look which server is responding.

                            with this option:

                            50aa6d06-fca7-4a39-9351-c1fd00f7b405-image.png

                            from my Mac (works fine in both cases):

                            dig google.com
                            
                            ; <<>> DiG 9.10.6 <<>> google.com
                            ;; global options: +cmd
                            ;; Got answer:
                            ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14479
                            ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                            
                            ;; OPT PSEUDOSECTION:
                            ; EDNS: version: 0, flags:; udp: 4096
                            ;; QUESTION SECTION:
                            ;google.com.			IN	A
                            
                            ;; ANSWER SECTION:
                            google.com.		55	IN	A	172.217.12.110
                            
                            ;; Query time: 28 msec
                            ;; SERVER: 192.168.70.1#53(192.168.70.1)
                            ;; WHEN: Tue Jan 02 13:55:57 PST 2024
                            ;; MSG SIZE  rcvd: 55
                            

                            192.168.70.1 is my 2nd LAN and also goes thru 192.168.90.1

                            From ubuntu laptop (the one we are fixing):

                            dig google.com
                            
                            ; <<>> DiG 9.16.1-Ubuntu <<>> google.com
                            ;; global options: +cmd
                            ;; Got answer:
                            ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54110
                            ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                            
                            ;; OPT PSEUDOSECTION:
                            ; EDNS: version: 0, flags:; udp: 65494
                            ;; QUESTION SECTION:
                            ;google.com.			IN	A
                            
                            ;; ANSWER SECTION:
                            google.com.		283	IN	A	172.217.164.110
                            
                            ;; Query time: 0 msec
                            ;; SERVER: 127.0.0.53#53(127.0.0.53)
                            ;; WHEN: Tue Jan 02 13:57:24 PST 2024
                            ;; MSG SIZE  rcvd: 55
                            

                            Are you thinking I should try removing DNS Server 192.168.90.1 from the OpenVPN server?

                            • viragomann @chudak

                              @chudak said in dns resolver problem after OpenVPN connected:

                              from my Mac (works fine in both cases):
                              dig google.com
                              ;; SERVER: 192.168.70.1#53(192.168.70.1)
                              ;; WHEN: Tue Jan 02 13:55:57 PST 2024

                              From ubuntu laptop (the one we are fixing):
                              dig google.com
                              ;; SERVER: 127.0.0.53#53(127.0.0.53)

                              So none of these clients really use the DNS server you pushed from the server.

                              Pushed DNS might not be accepted on the Mac, at least I know such behavior of iOS.

                              On your Ubuntu it's not clear what the 127.0.0.53 is. It's a local address of the client device.

                              You can try to enter 192.168.90.1 in the client settings on the IPv4 tab and reconnect after.

                              • chudak @viragomann

                                @viragomann

                                Hell :(

                                I can't get both server IP and ubuntu box to operate at the same time.

                                I guess I will live like this for now.

                                Thx for your help!

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.