Android, OpenVPN, DNS Resolution
-
I have been having problems getting my Android device to resolve DNS names when connected to OpenVPN with "Always-on VPN" and "Block connections without VPN" enabled.
My pfSense box is correctly resolving DNS on my network with ExpressVPN. I can see the OpenVPN log entry where port 53 was successfully accessed.
OpenVPN Client ---- 10.5.44.69
LAN --------------- 10.44.34.54:53
I have firewall rules passing the OpenVPN network on both the LAN tab and the OpenVPN tab. I also have my DNS server set in the OpenVPN server config.
I also tried using a public DNS. I tried using the push command as well as manually setting it in the OpenVPN app on the phone.
I do redirect my LAN traffic using NAT port forwarding. It was successfully running earlier today: I was able to connect to the VPN, resolve addresses, and see that ExpressVPN was partially working. I have restarted my pfSense box as well as the device, just in case there were residual changes pending.
As of right now I cannot even get the phone to resolve any website or have any of the apps connect to the internet while "Block connections without VPN" is turned on. I can, however, access pfSense by its IP address, as well as my other servers by their IP addresses.
Thank you in advance.
-
It is working here.
Yesterday I had a problem where my phone wouldn't be shown as online in Android, so I had to policy-route my internet traffic out to another VPN server. I don't know if this was a VPN server problem or a Google problem...
-
Sorry, I realized I could post a client config.
#client config
persist-tun
persist-key
ncp-disable
cipher AES-256-CBC
auth SHA512
tls-client
client
remote blahblah.com 443 tcp4
verify-x509-name "blahblah.com" name
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
snip
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
snip
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
snip
</key>
<tls-auth>
snip
-----END OpenVPN Static key V1-----
</tls-auth>
#server config
dev ovpns3
dev-type tun
dev-node /dev/tun3
writepid /var/run/openvpn_server3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
learn-address "/usr/local/sbin/openvpn.learn-address.sh blahblah.com"
local 46.60.70.50
tls-server
server 10.10.15.60 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server3
username-as-common-name
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user tommy= false server3 443
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'server.blahblah.com' 1"
lport 443
management /var/etc/openvpn/server3.sock unix
max-clients 3
push "dhcp-option DOMAIN blahblah.com"
push "dhcp-option DNS 10.44.34.54"
push "dhcp-option NTP 10.44.34.54"
push "redirect-gateway def1"
client-to-client
ca /var/etc/openvpn/server3.ca
cert /var/etc/openvpn/server3.cert
##DNS Resolver##
Network Interfaces: ALL
Outgoing Network Interfaces: ExpressVPN
* Enable DNSSEC Support
* Register DHCP leases in the DNS Resolver
* Register DHCP static mappings in the DNS Resolver
* Register connected OpenVPN clients in the DNS Resolver
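Two checks worth running against a pasted client/server pair before digging into firewall rules, as an added example that is not code from the thread or from pfSense: whether the client's `remote` line and the server's `proto`/`lport` agree at all, and whether the pushed DNS server is reachable through the tunnel, which is the only path an Android phone has once "Block connections without VPN" is on (a resolver that is only reachable outside the tunnel gets its packets dropped). The `CLIENT` and `SERVER` strings are constructed stand-ins built from the lines posted above with certificates and keys replaced by `snip`; whether the posted server config is the one the phone actually connects to is not something the thread settles, so the check only speaks to the text as pasted.

```python
import ipaddress
import re
import shlex

# Constructed stand-ins for the configs posted in the thread (secrets snipped).
CLIENT = """
client
tls-client
cipher AES-256-CBC
auth SHA512
remote blahblah.com 443 tcp4
verify-x509-name "blahblah.com" name
<ca>
-----BEGIN CERTIFICATE-----
snip
-----END CERTIFICATE-----
</ca>
<tls-auth>
snip
</tls-auth>
"""

SERVER = """
proto udp4
tls-server
server 10.10.15.60 255.255.255.0
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'server.blahblah.com' 1"
lport 443
push "dhcp-option DNS 10.44.34.54"
push "redirect-gateway def1"
"""

def parse_ovpn(text):
    """Return (directives, inline): (name, [args]) pairs in file order, with
    <ca>/<tls-auth>/... bodies kept apart so PEM lines are never parsed."""
    directives, inline, current, buf = [], {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tag = re.fullmatch(r"<(/?)([\w-]+)>", line)
        if tag:
            if tag.group(1):                      # closing tag
                inline[tag.group(2)] = "\n".join(buf)
                current = None
            else:                                 # opening tag
                current, buf = tag.group(2), []
            continue
        if current is not None:
            buf.append(line)
            continue
        parts = shlex.split(line)                 # keeps quoted push arguments whole
        directives.append((parts[0], parts[1:]))
    return directives, inline

def first(directives, name, default=None):
    return next((args for n, args in directives if n == name), default)

def pushed(server, name):
    """Arguments of every push "<name> ..." line, e.g. push "dhcp-option DNS 10.44.34.54"."""
    out = []
    for args in (a for n, a in server if n == "push"):
        inner = shlex.split(args[0]) if args else []
        if inner and inner[0] == name:
            out.append(inner[1:])
    return out

def check_pair(client_text, server_text):
    """Return human-readable findings; an empty list means nothing obvious is wrong."""
    client, _ = parse_ovpn(client_text)
    server, _ = parse_ovpn(server_text)
    findings = []
    # 1. Transport must agree, otherwise the TLS handshake never even starts.
    sproto = first(server, "proto", ["udp"])[0].rstrip("46")
    sport = (first(server, "lport") or first(server, "port") or ["1194"])[0]
    for remote in (a for n, a in client if n == "remote"):
        host = remote[0]
        port = remote[1] if len(remote) > 1 else "1194"
        cproto = (remote[2] if len(remote) > 2 else first(client, "proto", ["udp"])[0]).rstrip("46")
        if cproto != sproto or port != sport:
            findings.append(f"transport mismatch: client {host} {port}/{cproto}, server {sport}/{sproto}")
    # 2. A blocked-without-VPN phone can only reach a resolver through the tunnel:
    #    the pushed DNS must sit in the tunnel subnet, in a pushed route, or behind redirect-gateway.
    srv = first(server, "server")
    net = ipaddress.ip_network(f"{srv[0]}/{srv[1]}", strict=False) if srv else None
    routes = [ipaddress.ip_network(f"{r[0]}/{r[1]}", strict=False)
              for r in pushed(server, "route") if len(r) >= 2]
    redirect = bool(pushed(server, "redirect-gateway"))
    dns = [ipaddress.ip_address(o[1]) for o in pushed(server, "dhcp-option")
           if len(o) >= 2 and o[0].upper() == "DNS"]
    if not dns:
        findings.append("no DNS pushed: a blocked-without-VPN phone has no resolver at all")
    for ip in dns:
        if not (redirect or (net and ip in net) or any(ip in r for r in routes)):
            findings.append(f"DNS {ip} is outside tunnel {net} and not routed or redirected through it")
    return findings

if __name__ == "__main__":
    print(*(check_pair(CLIENT, SERVER) or ["no findings"]), sep="\n")
```

On the pasted pair the second check passes (10.44.34.54 is outside 10.10.15.0/24, but `push "redirect-gateway def1"` sends everything through the tunnel), while the first one flags that the client says `443 tcp4` and the server says `proto udp4`; removing the redirect-gateway push reproduces the failure mode the question is about.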