DNS resolution through VPN isn't working



  • Hi there,
    I know it must be the millionth time this has been asked, but in my defense I have to tell you I've been trying to solve this problem since 2011 (!) on many different VPN configs and I couldn't get it to work, not a single time. No matter how much effort I put into reading, learning, watching tutorials over and over again, just to throw everything away after two weeks of trying. So here it goes, I really hope you can help me out.
    My setup:
    Network (A): 192.168.44.0/24, local domain: domain1.lan
    Network (B): 192.168.5.0/24, local domain: domain2.lan
    VPN Network: 192.168.70.0/24
    Network (A) has an OpenWRT router (A) that works as DHCP, DNS, Internet access, etc. server for network (A) and has the IP address 192.168.44.1.
    My pfSense is serving as an OpenVPN server with the address 192.168.44.2. I completely disabled the internal firewall in pfSense since I don't need it (I just wanted a fancy web interface for the OpenVPN server with a client export function); no DNS or DHCP server has been set up on it.

    Network (B) has an OpenWRT router (B) as well with the same function as the router from network (A) (DHCP, DNS, Internet, etc) with IP address 192.168.5.1.
    I want the router (B) on Network (B) to act as the OpenVPN Client.
    Up to that point my VPN is working great: I can connect router (B) to my VPN server in network (A), I can access shares etc.; that's working fine.
    The only thing that's still missing is DNS resolution on a client that is in network (B), e.g. when I'm working on 192.168.5.120 I can connect to 192.168.44.100, but only via IP address, not via hostname (and that sh*t is freaking me out). Ping says "unknown host", and nslookup wrongly asks 192.168.5.1, not 192.168.44.1 like I want it to.
    The thing is: when I'm connecting a client directly to the VPN (e.g. from 192.168.5.120 via client software such as Tunnelblick, Viscosity, OpenVPN GUI etc.) the DNS resolution works flawlessly. I can resolve hostnames of both network (A) AND network (B).
    So I'm coming to the conclusion that my server and client configs are actually working.

    My goal is to have a 24/7 VPN connection from network (B) to network (A) and every client on network (B) shall be able to access machines in 192.168.44.0 - but "native" without the use of any client application. I have about 120+ clients on network (B) and I don't want to configure 120 VPN clients.
    I read a lot about DNS forwarding, DNS resolvers etc but I have absolutely no clue where I should start (besides trial and error).

    One thing is really important: While connected to the VPN it must be ensured that clients from network (B) can resolve hostnames on both networks.
    Some years ago I already had something like a "half solution" with a working DNS resolution, but only for resolving hostnames on network (A). When connected to the VPN, machines on network (B) couldn't resolve hostnames on network (B) any more.
    Viscosity has a quite nice feature called "Split DNS" that uses 192.168.44.1 only for hostnames located on network (A) and 192.168.5.1 for everything else. I don't know if it's possible to do it like that on a router, as in my scenario.

    Sorry for this long text but I hope my problem is comprehensible now.
    Any help is really appreciated.

    client.ovpn

    dev tun
    persist-tun
    persist-key
    pull
    cipher AES-256-CBC
    ncp-ciphers AES-256-GCM:AES-128-GCM
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote dyndns.networka.com 6655 udp
    auth-user-pass
    remote-cert-tls server

    <ca>
    -----BEGIN CERTIFICATE-----
    xxxxxxx
    -----END CERTIFICATE-----
    </ca>
    setenv CLIENT_CERT 0
    key-direction 1
    <tls-auth>
    #
    # 2048 bit OpenVPN static key
    #
    -----BEGIN OpenVPN Static key V1-----
    xxxxxxxx
    -----END OpenVPN Static key V1-----
    </tls-auth>

    server.ovpn
    verb 1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-256-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local 192.168.44.2
    tls-server
    server 192.168.70.0 255.255.255.0
    client-config-dir /var/etc/openvpn/server1/csc
    verify-client-cert none
    username-as-common-name
    plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user xxxxxxxxxxx= false server1 6655
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'OpenVPN+Server' 1"
    lport 6655
    management /var/etc/openvpn/server1/sock unix
    max-clients 40
    push "route 192.168.44.0 255.255.255.0"
    push "dhcp-option DOMAIN domain1.lan"
    push "dhcp-option DNS 192.168.44.1"
    push "register-dns"
    client-to-client
    duplicate-cn
    capath /var/etc/openvpn/server1/ca
    cert /var/etc/openvpn/server1/cert
    key /var/etc/openvpn/server1/key
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server1/tls-auth 0
    ncp-ciphers AES-256-GCM:AES-128-GCM
    persist-remote-ip
    float
    topology subnet
    fast-io



  • Add a domain override for network A to your DNS server in network B, so that DNS requests for hosts within that domain are forwarded to the DNS server in A. Allow DNS access from site B.
    Then you should be able to resolve the hosts in A by <host-name.domain>.
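One concrete form of that domain override on OpenWRT router (B), added here as an example and not something posted in the thread: it forwards domain1.lan and the matching reverse zone to 192.168.44.1 over the tunnel, and adds the dnsmasq rebind exception that OpenWRT's default DNS-rebind protection otherwise needs before it will accept 192.168.44.x answers from router (A). It assumes the "allow DNS access from site B" part is in place on the other side, i.e. router (A) has a route back to 192.168.70.0/24 via 192.168.44.2 and permits port 53 from it; the upstream_for helper is only a local sanity check of the resolver choice, not something dnsmasq uses.

```shell
#!/bin/sh
# Added example for router B (OpenWRT), not from the thread: dnsmasq domain override for network A.
# Values taken from the thread: local domain of A is domain1.lan, its DNS server is 192.168.44.1,
# and A's subnet 192.168.44.0/24 gives the reverse zone 44.168.192.in-addr.arpa.
DOMAIN_A="domain1.lan"
DNS_A="192.168.44.1"
REV_A="44.168.192.in-addr.arpa"

# UCI changes for /etc/config/dhcp, emitted as text so they can be reviewed before being run.
#  - 'server' forwards only this domain (and its reverse zone) to router A; every other name is
#    still answered by router B itself or its normal upstream resolvers, i.e. split DNS.
#  - 'rebind_domain' keeps OpenWRT's default DNS rebind protection (stop-dns-rebind) enabled but
#    exempts domain1.lan; without it dnsmasq silently discards the 192.168.44.x answers from A.
uci_overrides() {
    cat <<EOF
uci add_list dhcp.@dnsmasq[0].server='/$DOMAIN_A/$DNS_A'
uci add_list dhcp.@dnsmasq[0].server='/$REV_A/$DNS_A'
uci add_list dhcp.@dnsmasq[0].rebind_domain='$DOMAIN_A'
uci commit dhcp
/etc/init.d/dnsmasq restart
EOF
}

# Local sanity check of the resulting policy: which resolver a query name ends up at, following
# dnsmasq's rule that the most specific matching 'server=/domain/' entry wins.
upstream_for() {
    case "$1" in
        "$DOMAIN_A"|*."$DOMAIN_A"|*."$REV_A") echo "$DNS_A" ;;   # hosts in network A
        *) echo "local" ;;   # domain2.lan names and the Internet: handled by router B as before
    esac
}

# On the router itself apply the changes (run once; add_list appends on every run);
# anywhere else only print the plan.
if command -v uci >/dev/null 2>&1; then
    uci_overrides | sh
else
    uci_overrides
fi
```

Clients on network (B) keep 192.168.5.1 as their only DNS server, so nothing changes on the 120+ machines; only router (B)'s dnsmasq decides per query whether to answer locally or ask router (A).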

