Netgate Discussion Forum

dns resolver problem after OpenVPN connected

OpenVPN
14 Posts 2 Posters 2.4k Views
  • C
    chudak
    last edited by Jan 2, 2024, 4:28 PM

    I connect via OpenVPN from several systems, but on my Ubuntu laptop I started having this issue - after connecting to OpenVPN I see no name resolution:

    nslookup google.com
    ;; connection timed out; no servers could be reached
    

    and here is before and after connection:

    resolvectl status wlp82s0
    Link 3 (wlp82s0)
          Current Scopes: DNS             
    DefaultRoute setting: yes             
           LLMNR setting: yes             
    MulticastDNS setting: no              
      DNSOverTLS setting: no              
          DNSSEC setting: no              
        DNSSEC supported: no              
      Current DNS Server: 2001:558:feed::1
             DNS Servers: 2001:558:feed::1
                          2001:558:feed::2
              DNS Domain: ~.
    
    resolvectl status wlp82s0
    Link 3 (wlp82s0)
          Current Scopes: none
    DefaultRoute setting: no  
           LLMNR setting: yes 
    MulticastDNS setting: no  
      DNSOverTLS setting: no  
          DNSSEC setting: no  
        DNSSEC supported: no
    

    I am missing something but not sure what.
    TIA

    • V
      viragomann @chudak
      last edited by Jan 2, 2024, 5:59 PM

      @chudak said in dns resolver problem after OpenVPN connected:

      I connect via OpenVPN from several systems, but on my Ubuntu laptop I started having this issue - after connecting to OpenVPN I see no name resolution:

      Do you use the NetworkManager OpenVPN plugin to connect?

      By default NM routes the whole upstream traffic over the VPN.
      If this is not desired and you push specific routes from the server, edit the connection settings, go to the IPvX tab > routes and check "use only for resources of this connection".

      • C
        chudak @viragomann
        posted Jan 2, 2024, 7:27 PM, last edited by chudak Jan 2, 2024, 7:43 PM

        @viragomann said in dns resolver problem after OpenVPN connected:

        @chudak said in dns resolver problem after OpenVPN connected:

        I connect via OpenVPN from several systems, but on my Ubuntu laptop I started having this issue - after connecting to OpenVPN I see no name resolution:

        Do you use the NetworkManager OpenVPN plugin to connect?

        By default NM routes the whole upstream traffic over the VPN.
        If this is not desired and you push specific routes from the server, edit the connection settings, go to the IPvX tab > routes and check "use only for resources of this connection".

        Thx
        If I set my OpenVPN connection as:

        f870a6ba-8779-44a7-a835-bb184a7f7766-image.png

        It helps partly. I can ping google.com, but my remote home network resources are not accessible still :(

        Anything else I need to do?

        I do use this in my OpenVPN server settings and it used to work fine (and still works for all other clients):

        57912ca1-06ce-442c-873e-c5491b14caa2-image.png

        • V
          viragomann @chudak
          last edited by Jan 2, 2024, 7:57 PM

          @chudak
          Did you enter the remote networks in the server settings to push the routes to the client?
          With recent NetworkManager this should work though.

          I had issues in the past with former versions, where the routes were not set even though the server pushed them. As a workaround I entered the remote networks in the client settings.
          To do so, just click routes and add them manually. No need to specify a gateway, just network address + mask.

          • C
            chudak @viragomann
            last edited by Jan 2, 2024, 7:59 PM

            @viragomann said in dns resolver problem after OpenVPN connected:

            @chudak
            Did you enter the remote networks in the server settings to push the routes to the client?
            With recent NetworkManager this should work though.

            I had issues in the past with former versions, where the routes were not set even though the server pushed them. As a workaround I entered the remote networks in the client settings.
            To do so, just click routes and add them manually. No need to specify a gateway, just network address + mask.

            Can you share an example of what you have done?
            TIA

            • V
              viragomann @chudak
              last edited by Jan 2, 2024, 8:07 PM

              @chudak
              On the server did you enter your local networks here:
              dc65ed21-9139-4f3c-8c05-11b1c7d5d936-image.png

              In my client settings (workaround if the above does not work), I removed the manual routes yet, since I don't need them anymore.
              It's just on the IPv4 (or v6) there is a "Routes" button. Click it and you can add your remote networks.

              • C
                chudak @viragomann
                last edited by Jan 2, 2024, 8:27 PM

                @viragomann

                I had "Force all client-generated IPv4 traffic through the tunnel." checked

                After unchecking I have now:

                81e6cc14-7ef2-4940-bd78-ce5a6c6839e9-image.png

                and it did help!!!

                Thx a million :)

                Why did it change behavior ?!

                • C
                  chudak @chudak
                  last edited by Jan 2, 2024, 8:51 PM

                  @chudak said in dns resolver problem after OpenVPN connected:

                  "Force all client-generated IPv4 traffic through the tunnel."

                  Using "Force all client-generated IPv4 traffic through the tunnel." did make my external IP set to my server's IP and now it's not.

                  How do we get it back with the routes specified?

                  • V
                    viragomann @chudak
                    last edited by Jan 2, 2024, 9:17 PM

                    @chudak
                    Yeah, the option does what its name is saying. It forces all upstream traffic over the VPN. Hence your outbound traffic gets the public IP from the server.
                    If this is what you want, you need to check the option.

                    Then for DNS resolution you need to ensure that the used DNS server is accessible over the VPN.
                    Best to use a DNS server from the remote network.

                    In the screenshot above you stated a DNS in the OpenVPN server settings. Is it reachable?
                    Is it used by the client?
                    Does the server respond?

                    • C
                      chudak @viragomann
                      last edited by Jan 2, 2024, 9:38 PM

                      @viragomann said in dns resolver problem after OpenVPN connected:

                      @chudak
                      Yeah, the option does what its name is saying. It forces all upstream traffic over the VPN. Hence your outbound traffic gets the public IP from the server.
                      If this is what you want, you need to check the option.

                      Then for DNS resolution you need to ensure that the used DNS server is accessible over the VPN.
                      Best to use a DNS server from the remote network.

                      In the screenshot above you stated a DNS in the OpenVPN server settings. Is it reachable?
                      Is it used by the client?
                      Does the server respond?

                      My old settings without routes specified work fine for all clients except one laptop.

                      When I unset "Force all client-generated IPv4 traffic through the tunnel."
                      all clients work but no server IP is used (not sure if this is important, just wondering how to make it work)

                      In both cases I have DNS forced thru my pfsense and it seems to be responding etc.

                      • V
                        viragomann @chudak
                        last edited by Jan 2, 2024, 9:43 PM

                        @chudak said in dns resolver problem after OpenVPN connected:

                        and it seems to be responding

                        Sure?

                        To investigate, with "redirect gateway" checked, run

                        dig google.com
                        

                        on the client and look, which server is responding.

                        • C
                          chudak @viragomann
                          posted Jan 2, 2024, 10:01 PM, last edited by chudak Jan 2, 2024, 10:02 PM

                          @viragomann said in dns resolver problem after OpenVPN connected:

                          @chudak said in dns resolver problem after OpenVPN connected:

                          and it seems to be responding

                          Sure?

                          To investigate, with "redirect gateway" checked, run

                          dig google.com
                          

                          on the client and look, which server is responding.

                          with this option:

                          50aa6d06-fca7-4a39-9351-c1fd00f7b405-image.png

                          from my Mac (works fine in both cases):

                          dig google.com
                          
                          ; <<>> DiG 9.10.6 <<>> google.com
                          ;; global options: +cmd
                          ;; Got answer:
                          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14479
                          ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                          
                          ;; OPT PSEUDOSECTION:
                          ; EDNS: version: 0, flags:; udp: 4096
                          ;; QUESTION SECTION:
                          ;google.com.			IN	A
                          
                          ;; ANSWER SECTION:
                          google.com.		55	IN	A	172.217.12.110
                          
                          ;; Query time: 28 msec
                          ;; SERVER: 192.168.70.1#53(192.168.70.1)
                          ;; WHEN: Tue Jan 02 13:55:57 PST 2024
                          ;; MSG SIZE  rcvd: 55
                          

                          192.168.70.1 is my 2nd LAN and also goes thru 192.168.90.1

                          From ubuntu laptop (the one we are fixing):

                          dig google.com
                          
                          ; <<>> DiG 9.16.1-Ubuntu <<>> google.com
                          ;; global options: +cmd
                          ;; Got answer:
                          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54110
                          ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                          
                          ;; OPT PSEUDOSECTION:
                          ; EDNS: version: 0, flags:; udp: 65494
                          ;; QUESTION SECTION:
                          ;google.com.			IN	A
                          
                          ;; ANSWER SECTION:
                          google.com.		283	IN	A	172.217.164.110
                          
                          ;; Query time: 0 msec
                          ;; SERVER: 127.0.0.53#53(127.0.0.53)
                          ;; WHEN: Tue Jan 02 13:57:24 PST 2024
                          ;; MSG SIZE  rcvd: 55
                          

                          Are you thinking I should try removing DNS Server 192.168.90.1 from OpenVPN server?

                          • V
                            viragomann @chudak
                            last edited by Jan 2, 2024, 10:13 PM

                            @chudak said in dns resolver problem after OpenVPN connected:

                            from my Mac (works fine in both cases):
                            dig google.com
                            ;; SERVER: 192.168.70.1#53(192.168.70.1)
                            ;; WHEN: Tue Jan 02 13:55:57 PST 2024

                            From ubuntu laptop (the one we are fixing):
                            dig google.com
                            ;; SERVER: 127.0.0.53#53(127.0.0.53)

                            So none of these clients really use the DNS server you pushed from the server.

                            Pushed DNS might not be accepted on the Mac, at least I know such behavior of iOS.

                            On your Ubuntu, not clear, what the 127.0.0.53 is. It's a local address of the client device.

                            You can try to enter 192.168.90.1 in the client settings on the IPv4 tab and reconnect after.

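Added example, not part of any post in this thread: on Ubuntu, 127.0.0.53 is the systemd-resolved stub listener, so the dig SERVER line alone does not show which upstream answered. The script parses dig output and `resolvectl status` output in the layout quoted earlier in the thread and reports the links that actually hold a DNS scope; the sample text is constructed, and the tun0 link with 192.168.90.1 assigned to it is an assumption.

```shell
#!/bin/sh
# Added example. Sample text is constructed from output quoted in this thread;
# the tun0 link and its DNS server assignment are hypothetical.

# Resolver address from the ";; SERVER:" line of dig output (stdin).
dig_server() {
    sed -n 's/^ *;; SERVER: \([^#]*\)#.*/\1/p'
}

# One line per link from `resolvectl status` text (stdin), in the layout shown
# in the thread: <ifname> scopes=<list> default_route=<yes|no> dns=<list>
link_dns() {
    awk '
    function emit() { if (ifn != "") print ifn, "scopes=" sc, "default_route=" dr, "dns=" dns }
    /^[ \t]*Link [0-9]+ \(/ { emit(); ifn = $3; gsub(/[()]/, "", ifn)
                              sc = "none"; dr = "no"; dns = ""; more = 0; next }
    /Current Scopes:/       { sub(/.*Scopes:[ \t]*/, ""); sub(/[ \t]+$/, "")
                              gsub(/[ \t]+/, ","); sc = $0; more = 0; next }
    /DefaultRoute setting:/ { dr = $NF; more = 0; next }
    /DNS Servers:/          { dns = $NF; more = 1; next }
    more && NF == 1         { dns = dns "," $1; next }  # extra server on its own line
                            { more = 0 }
    END { emit() }'
}

# 127.0.0.53 is the systemd-resolved stub listener, so that SERVER value hides
# the upstream; list the links holding a DNS scope instead.
# $1 = dig SERVER value, stdin = resolvectl status text.
effective_resolvers() {
    if [ "$1" != "127.0.0.53" ]; then echo "direct $1"; return 0; fi
    link_dns | awk '$2 ~ /(=|,)DNS(,|$)/ { sub(/^dns=/, "", $4); print "stub", $1, $4 }'
}

sample_dig() { cat <<'EOF'
;; SERVER: 127.0.0.53#53(127.0.0.53)
EOF
}
sample_status() { cat <<'EOF'
Link 3 (wlp82s0)
      Current Scopes: none
DefaultRoute setting: no
Link 7 (tun0)
      Current Scopes: DNS
DefaultRoute setting: yes
         DNS Servers: 192.168.90.1
EOF
}

sample_status | effective_resolvers "$(sample_dig | dig_server)"
```

On a live client, feed it `dig google.com` and `resolvectl status` instead of the samples; an empty result with the tunnel up means no link holds a DNS scope, which matches the "no servers could be reached" symptom in the first post.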
                            • C
                              chudak @viragomann
                              last edited by Jan 2, 2024, 11:49 PM

                              @viragomann

                              Hell :(

                              I can't get both server IP and ubuntu box to operate at the same time.

                              I guess I will live like this for now.

                              Thx for your help!
