Dns not working

JustinHoMi

I've been using OpenVPN for remote clients for quite a while now… several windows and mac os x clients. However, DNS has never worked. Even though I set the DNS server option in the openvpn config, hosts cannot resolve any of the local domains from the DNS server. I've tried both the builtin DNS Forwarder as well as a separate DNS server. Any ideas what is going on, and how to debug this?

Justin

Cry Havok

What version of pfSense? What version of the OpenVPN server are you running and what are your OpenVPN server and client configurations?

It works fine for me, and many others, so there must be something odd going on with either your client or server configurations.

JustinHoMi

pfSense 1.2.3. I'm mostly using the windows 2.1.1 client, but also tunnelblick on mac os x, which also uses 2.1.1.

Attached is the config, with the keys omitted.

Also, in the client config, I have:

push "route 192.168.2.0 255.255.255.0"; push "route 192.168.3.0 255.255.255.0"

Below is a connection log from mac os x.

2010-06-11 17:40:59 *Tunnelblick: OS X 10.6.2; Tunnelblick 3.0b26 (build 1395); OpenVPN 2.1.1
2010-06-11 17:41:01 *Tunnelblick: Attempting connection with XXX.ovpn; Set nameserver = 1; monitoring connection
2010-06-11 17:41:01 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpnstart start XXX.ovpn 1338 1 0 0 0
2010-06-11 17:41:02 SUCCESS: pid=4160
2010-06-11 17:41:02 SUCCESS: real-time state notification set to ON
2010-06-11 17:41:02 SUCCESS: real-time log notification set to ON
2010-06-11 17:41:01 OpenVPN 2.1.1 i386-apple-darwin10.2.0 [SSL] [LZO2] [PKCS11] built on Feb  9 2010
2010-06-11 17:41:01 MANAGEMENT: TCP Socket listening on 127.0.0.1:1338
2010-06-11 17:41:01  waiting...
2010-06-11 17:41:02 MANAGEMENT: Client connected from 127.0.0.1:1338
2010-06-11 17:41:02 MANAGEMENT: CMD 'pid'
2010-06-11 17:41:02 MANAGEMENT: CMD 'state on'
2010-06-11 17:41:02 MANAGEMENT: CMD 'log on all'
2010-06-11 17:41:02 END
2010-06-11 17:41:02 MANAGEMENT: CMD 'hold release'
2010-06-11 17:41:02 SUCCESS: hold release succeeded
2010-06-11 17:41:02 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2010-06-11 17:41:02 WARNING: file 'XXX.key' is group or others accessible
2010-06-11 17:41:02 LZO compression initialized
2010-06-11 17:41:02 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
2010-06-11 17:41:02 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
2010-06-11 17:41:02 Local Options hash (VER=V4): '41690919'
2010-06-11 17:41:02 Expected Remote Options hash (VER=V4): '530fdded'
2010-06-11 17:41:02 Socket Buffers: R=[42080->65536] S=[9216->65536]
2010-06-11 17:41:02 UDPv4 link local: [undef]
2010-06-11 17:41:02 UDPv4 link remote: XXX:1194
2010-06-11 17:41:02 
2010-06-11 17:41:02 
2010-06-11 17:41:02  sid=2fcdf9ea ec4786dd
2010-06-11 17:41:03  /C=US/ST=NC/L=XXX/O=XXX/CN=vpn-CA/emailAddress=XXX
2010-06-11 17:41:03 VERIFY OK: nsCertType=SERVER
2010-06-11 17:41:03  /C=US/ST=NC/O=XXX/CN=server/emailAddress=XXX
2010-06-11 17:41:06 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2010-06-11 17:41:06 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2010-06-11 17:41:06 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
2010-06-11 17:41:06 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2010-06-11 17:41:06  1024 bit RSA
2010-06-11 17:41:06 [server] Peer Connection Initiated with XXX:1194
2010-06-11 17:41:07 
2010-06-11 17:41:08 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2010-06-11 17:41:08 ifconfig 192.168.4.9 192.168.4.10'
2010-06-11 17:41:08 OPTIONS IMPORT: timers and/or timeouts modified
2010-06-11 17:41:08 OPTIONS IMPORT: --ifconfig/up options modified
2010-06-11 17:41:08 OPTIONS IMPORT: route options modified
2010-06-11 17:41:08 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2010-06-11 17:41:08 ROUTE default_gateway=XXX
2010-06-11 17:41:08 TUN/TAP device /dev/tun0 opened
2010-06-11 17:41:08 
2010-06-11 17:41:08 /sbin/ifconfig tun0 delete
2010-06-11 17:41:08 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2010-06-11 17:41:08 /sbin/ifconfig tun0 192.168.4.9 192.168.4.10 mtu 1500 netmask 255.255.255.255 up
2010-06-11 17:41:08 /Applications/Tunnelblick.app/Contents/Resources/client.up.osx.sh tun0 1500 1542 192.168.4.9 192.168.4.10 init
2010-06-11 17:41:09 
2010-06-11 17:41:09 /sbin/route add -net 192.168.1.0 192.168.4.10 255.255.255.0
2010-06-11 17:41:09 /sbin/route add -net 192.168.4.1 192.168.4.10 255.255.255.255
2010-06-11 17:41:09 /sbin/route add -net 192.168.2.0 192.168.4.10 255.255.255.0
2010-06-11 17:41:09 /sbin/route add -net 192.168.3.0 192.168.4.10 255.255.255.0
2010-06-11 17:41:09 Initialization Sequence Completed
2010-06-11 17:41:09 XXX

![Screen shot 2010-06-11 at 5.42.20 PM.png](/public/imported_attachments/1/Screen shot 2010-06-11 at 5.42.20 PM.png)
![Screen shot 2010-06-11 at 5.42.20 PM.png_thumb](/public/imported_attachments/1/Screen shot 2010-06-11 at 5.42.20 PM.png_thumb)
![Screen shot 2010-06-11 at 5.42.29 PM.png](/public/imported_attachments/1/Screen shot 2010-06-11 at 5.42.29 PM.png)
![Screen shot 2010-06-11 at 5.42.29 PM.png_thumb](/public/imported_attachments/1/Screen shot 2010-06-11 at 5.42.29 PM.png_thumb)

Cry Havok

I don't see in the client log any sign that the DNS server has been pushed to it, which is probably part of your problem. You may want to follow that issue up with the TunnelBlick folks. Can you repeat that test with the Windows client and produce it's client log?

Also, if your clients use any of those 192.168.x.y networks you're using, they will have problems with the VPN. It would be far better if you were to move away from 192.168.0.x and 192.168.1.x - the most common home network IP ranges.

JustinHoMi

Yeah, I would have done a lot of things differently from the person who originally set this network up. FYI on my test network I use a different subnet (192.168.5.x).

Here's the log from a windows client:

Fri Jun 11 19:24:14 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Fri Jun 11 19:24:14 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Jun 11 19:24:15 2010 LZO compression initialized
Fri Jun 11 19:24:15 2010 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Jun 11 19:24:15 2010 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Jun 11 19:24:15 2010 Local Options hash (VER=V4): '41690919'
Fri Jun 11 19:24:15 2010 Expected Remote Options hash (VER=V4): '530fdded'
Fri Jun 11 19:24:15 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Jun 11 19:24:15 2010 UDPv4 link local: [undef]
Fri Jun 11 19:24:15 2010 UDPv4 link remote: XXX:1194
Fri Jun 11 19:24:16 2010 TLS: Initial packet from XXX:1194, sid=6958fec4 8f389965
Fri Jun 11 19:24:17 2010 VERIFY OK: depth=1, /C=US/ST=NC/L=XXX/O=XXX/CN=vpn-CA/emailAddress=XXX@XXX.com
Fri Jun 11 19:24:17 2010 VERIFY OK: nsCertType=SERVER
Fri Jun 11 19:24:17 2010 VERIFY OK: depth=0, /C=US/ST=NC/O=XXX/CN=server/emailAddress=cert@XXX.com
Fri Jun 11 19:24:22 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Jun 11 19:24:22 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jun 11 19:24:22 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Jun 11 19:24:22 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jun 11 19:24:22 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Jun 11 19:24:22 2010 [server] Peer Connection Initiated with XXX
Fri Jun 11 19:24:24 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Fri Jun 11 19:24:24 2010 PUSH: Received control message: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0,ifconfig 192.168.4.201 192.168.4.202'
Fri Jun 11 19:24:24 2010 OPTIONS IMPORT: --ifconfig/up options modified
Fri Jun 11 19:24:24 2010 OPTIONS IMPORT: route options modified
Fri Jun 11 19:24:24 2010 ROUTE default_gateway=10.0.2.2
Fri Jun 11 19:24:24 2010 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{73865E09-FBCC-4FB2-B1C7-489DFB77854F}.tap
Fri Jun 11 19:24:24 2010 TAP-Win32 Driver Version 9.6 
Fri Jun 11 19:24:24 2010 TAP-Win32 MTU=1500
Fri Jun 11 19:24:24 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.4.201/255.255.255.252 on interface {73865E09-FBCC-4FB2-B1C7-489DFB77854F} [DHCP-serv: 192.168.4.202, lease-time: 31536000]
Fri Jun 11 19:24:24 2010 NOTE: FlushIpNetTable failed on interface [3] {73865E09-FBCC-4FB2-B1C7-489DFB77854F} (status=6) : The handle is invalid.  
Fri Jun 11 19:24:30 2010 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Fri Jun 11 19:24:30 2010 C:\WINDOWS\system32\route.exe ADD 192.168.2.0 MASK 255.255.255.0 192.168.4.202
Fri Jun 11 19:24:30 2010 ROUTE: route addition failed using CreateIpForwardEntry: Network access is denied.   [status=65 if_index=3]
Fri Jun 11 19:24:30 2010 Route addition via IPAPI failed [adaptive]
Fri Jun 11 19:24:30 2010 Route addition fallback to route.exe
Fri Jun 11 19:24:30 2010 Initialization Sequence Completed

Here's the typical client config:

client
dev tun
proto udp
remote XXX 1194
ping 10
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert XXX.crt
key XXX.key
ns-cert-type server
comp-lzo
pull
verb 3

JustinHoMi

It's resolved. There were two different problems. One was with Tunnelblick. I switched to a different VPN client on the Mac (Viscosity) which worked right away. The problem with the Windows PC was that I was using a different VPN config, who's alias was mistakingly being blocked from DNS via a firewall rule.