dns resolver problem after OpenVPN connected
-
I connect via OpenVPN from several systems, but on my Ubuntu laptop started having this issue - after connecting to OpenVPN I see no names resolutions:
nslookup google.com ;; connection timed out; no servers could be reachedand here is before and after connecion:
resolvectl status wlp82s0 Link 3 (wlp82s0) Current Scopes: DNS DefaultRoute setting: yes LLMNR setting: yes MulticastDNS setting: no DNSOverTLS setting: no DNSSEC setting: no DNSSEC supported: no Current DNS Server: 2001:558:feed::1 DNS Servers: 2001:558:feed::1 2001:558:feed::2 DNS Domain: ~.resolvectl status wlp82s0 Link 3 (wlp82s0) Current Scopes: none DefaultRoute setting: no LLMNR setting: yes MulticastDNS setting: no DNSOverTLS setting: no DNSSEC setting: no DNSSEC supported: noI am missing something but not sure what.
TIA -
@chudak said in dns resolver problem after OpenVPN connected:
I connect via OpenVPN from several systems, but on my Ubuntu laptop started having this issue - after connecting to OpenVPN I see no names resolutions:
Do you use the NetworkManager OpenVPN plugin to connect?
By default NM routes the whole upstream traffic over the VPN.
If this is not desired and you push specific routes from the server, edit the connection settings, go to the IPvX tab > routes and check "use only for resources of this connection". -
@viragomann said in dns resolver problem after OpenVPN connected:
@chudak said in dns resolver problem after OpenVPN connected:
I connect via OpenVPN from several systems, but on my Ubuntu laptop started having this issue - after connecting to OpenVPN I see no names resolutions:
Do you use the NetworkManager OpenVPN plugin to connect?
By default NM routes the whole upstream traffic over the VPN.
If this is not desired and you push specific routes from the server, edit the connection settings, go to the IPvX tab > routes and check "use only for resources of this connection".Thx
If I set my OpenVPN connection as:
It helps partly. I can ping google.com, but my remote home network resources are not accessible still :(
Anything else I need to do?
I do use this in my OpenVPN server settings and it used to work fine (and still work for all other clients):
-
@chudak
Did you enter the remote networks in the server settings to push the routes to the client?
With recent NetworkManager this should work though.I had issues in the past with former versions, that the routes were not set, even the server pushed them. As a workaround I entered the remote networks in the client settings.
To do so, just click routes and add them manually. No need to specify a gateway, just network address + mask. -
@viragomann said in dns resolver problem after OpenVPN connected:
@chudak
Did you enter the remote networks in the server settings to push the routes to the client?
With recent NetworkManager this should work though.I had issues in the past with former versions, that the routes were not set, even the server pushed them. As a workaround I entered the remote networks in the client settings.
To do so, just click routes and add them manually. No need to specify a gateway, just network address + mask.Can you share an example of what you have done?
TIA -
@chudak
On the server did you enter your local networks here:
In my client settings (workaround if the above does not work), I removed the manual routes yet, since I don't need them anymore.
It's just on the IPv4 (or v6) there is a "Routes" button. Click it and you can add your remote networks. -
I had "Force all client-generated IPv4 traffic through the tunnel." checked
After unchecking I have now:
and it did help!!!
Thx a million :)
Why did it change behavior ?!
-
@chudak said in dns resolver problem after OpenVPN connected:
"Force all client-generated IPv4 traffic through the tunnel."
Using "Force all client-generated IPv4 traffic through the tunnel." did make my external IP set to my server's IP and now it's not.
How do we get it back with the routes specified?
-
@chudak
Yeah, the option does, what it's name is saying. It forces all upstream traffic over the VPN. Hence your outbound traffic gets the public IP from the server.
If this is what you want, you need to check the option.Then for DNS resolution you need to ensure that the used DNS server is accessible over the VPN.
Best to use a DNS server from the remote network.In the screenshot above you stated a DNS in the OpenVPN server settings. Is it reachable?
Is it used by the client?
Does the server respond? -
@viragomann said in dns resolver problem after OpenVPN connected:
@chudak
Yeah, the option does, what it's name is saying. It forces all upstream traffic over the VPN. Hence your outbound traffic gets the public IP from the server.
If this is what you want, you need to check the option.Then for DNS resolution you need to ensure that the used DNS server is accessible over the VPN.
Best to use a DNS server from the remote network.In the screenshot above you stated a DNS in the OpenVPN server settings. Is it reachable?
Is it used by the client?
Does the server respond?My old settings without routes specified works fine for all clients except one laptop.
When I unset “Force all client-generated IPv4 traffic through the tunnel."
all clients work but no server IP used (not sure if this is important, just wondering how to make it work)In both cases I have DNS forced thru my pfsense and it seems to be responding etc.
-
@chudak said in dns resolver problem after OpenVPN connected:
and it seems to be responding
Sure?
To investigate, with "redirect gateway" checked, run
dig google.comon the client and look, which server is responding.
-
@viragomann said in dns resolver problem after OpenVPN connected:
@chudak said in dns resolver problem after OpenVPN connected:
and it seems to be responding
Sure?
To investigate, with "redirect gateway" checked, run
dig google.comon the client and look, which server is responding.
with this option:
from my Mac (works fine in both cases):
dig google.com ; <<>> DiG 9.10.6 <<>> google.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14479 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;google.com. IN A ;; ANSWER SECTION: google.com. 55 IN A 172.217.12.110 ;; Query time: 28 msec ;; SERVER: 192.168.70.1#53(192.168.70.1) ;; WHEN: Tue Jan 02 13:55:57 PST 2024 ;; MSG SIZE rcvd: 55192.168.70.1 is my 2d LAN and also goes thru 192.168.90.1
From ubuntu laptop (the one we are fixing):
dig google.com ; <<>> DiG 9.16.1-Ubuntu <<>> google.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54110 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 65494 ;; QUESTION SECTION: ;google.com. IN A ;; ANSWER SECTION: google.com. 283 IN A 172.217.164.110 ;; Query time: 0 msec ;; SERVER: 127.0.0.53#53(127.0.0.53) ;; WHEN: Tue Jan 02 13:57:24 PST 2024 ;; MSG SIZE rcvd: 55Are you thinking I should try removing DNS Server 192.168.90.1 from OpebVPN server?
-
@chudak said in dns resolver problem after OpenVPN connected:
from my Mac (works fine in both cases):
dig google.com
;; SERVER: 192.168.70.1#53(192.168.70.1)
;; WHEN: Tue Jan 02 13:55:57 PST 2024From ubuntu laptop (the one we are fixing):
dig google.com
;; SERVER: 127.0.0.53#53(127.0.0.53)So non of these clients really use the DNS server you pushed from the server.
Pushed DNS might not be accepted on the MAC, at least I know such behavior of IOS.
On your Ubuntu, not clear, what the 127.0.0.53 is. It's a local address of the client device.
You can try to enter 192.168.90.1 in the client settings on the IPv4 tab and reconnect after.
-
Hell :(
I can't get both server IP and ubuntu box to operate at the same time.
I guess I will live like this for now.
Thx for your help!
