Netgate Discussion Forum

    OpenVPN client specific override DNS is not applied

    OpenVPN
    3 Posts 1 Posters 221 Views
    lifeboy
    last edited by

      I have set a CSO for some clients to change the DNS server that gets pushed to them. In the OpenVPN log I can see that the conf gets read.

      Jul 9 11:02:25	openvpn	35966	MULTI: primary virtual IP for xoliswa/41.161.86.201:26125: 192.168.x.x
      Jul 9 11:02:25	openvpn	35966	MULTI: Learn: 192.168.x.x -> xoliswa/41.161.86.201:26125
      Jul 9 11:02:24	openvpn	77508	openvpn server 'ovpns2' user 'xoliswa' address '41.161.86.201:26125' - connected
      Jul 9 11:02:24	openvpn	35966	xoliswa/41.161.86.201:26125 PUSH: Received control message: 'PUSH_REQUEST'
      Jul 9 11:02:24	openvpn	72845	openvpn server 'ovpns2' user 'xoliswa' address '41.161.86.201:26125' - connecting
      Jul 9 11:02:24	openvpn	35966	xoliswa/41.161.86.201:26125 OPTIONS IMPORT: reading client specific options from: /var/etc/openvpn/server2/csc/xoliswa
      Jul 9 11:02:24	openvpn	35966	xoliswa/41.161.86.201:26125 MULTI_sva: pool returned IPv4=192.168.132.4, IPv6=(Not enabled)
      Jul 9 11:02:23	openvpn	35966	41.161.86.201:26125 [xoliswa] Peer Connection Initiated with [AF_INET]41.161.86.201:26125
      Jul 9 11:02:23	openvpn	33368	user 'xoliswa' authenticated
      

      The contents of xoliswa's config override file are:

      cat /var/etc/openvpn/server2/csc/xoliswa
      push "dhcp-option DNS 192.168.131.191"
      push "redirect-gateway def1"
      

      I have the machine's DNS manually set to 192.168.131.191. If I do a lookup without the VPN connected I get

      nslookup -type=srv _ldap._tcp.dc._msdcs.imbfs.local
      DNS request timed out.
          timeout was 2 seconds.
      Server:  UnKnown
      Address:  192.168.131.191
      
      DNS request timed out.
          timeout was 2 seconds.
      DNS request timed out.
          timeout was 2 seconds.
      *** Request to UnKnown timed-out
      

      That is because 192.168.131.191 is not reachable without the VPN being connected.

      Once I connect the VPN, I get this:

      nslookup -type=srv _ldap._tcp.dc._msdcs.imbfs.local
      Server:  fw.fast.za.net
      Address:  192.168.131.254
      
      *** fw.fast.za.net can't find _ldap._tcp.dc._msdcs.imbfs.local: Non-existent domain
      

      Now the first DNS server was pushed to the client as 192.168.131.254, which is the DNS for the server configuration of that VPN connection. That indicates that the CSO DNS is not successfully pushed to the client.

      I have not been able to figure out why. Who can help please?

      lifeboy @lifeboy
      last edited by lifeboy

        Just to add a few more details, here is the problematic connection.

        
           Connection-specific DNS Suffix  . : imb.co
           Description . . . . . . . . . . . : TAP-Windows Adapter V9
           Physical Address. . . . . . . . . : 00-FF-45-74-E2-DD
           DHCP Enabled. . . . . . . . . . . : Yes
           Autoconfiguration Enabled . . . . : Yes
           Link-local IPv6 Address . . . . . : fe80::d886:c8fe:6fae:15cd%8(Preferred)
           IPv4 Address. . . . . . . . . . . : 192.168.132.5(Preferred)
           Subnet Mask . . . . . . . . . . . : 255.255.255.0
           Lease Obtained. . . . . . . . . . : Tuesday, July 9, 2024 2:24:52 AM
           Lease Expires . . . . . . . . . . : Wednesday, July 9, 2025 2:24:52 AM
           Default Gateway . . . . . . . . . :
           DHCP Server . . . . . . . . . . . : 192.168.132.0
           DHCPv6 IAID . . . . . . . . . . . : 687931205
           DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2E-1D-B1-3A-28-F1-0E-28-F5-C8
           DNS Servers . . . . . . . . . . . : 192.168.131.254
                                               192.168.131.191
           NetBIOS over Tcpip. . . . . . . . : Enabled
        

        I need to get rid of the 192.168.131.254 DNS or at least have that as the secondary.

        lifeboy @lifeboy
        last edited by lifeboy

          I have found a workaround. In Windows PowerShell I can do this:

          netsh dnsclient delete dnsserver "OpenVPN TAP-Windows6" all
          netsh dnsclient add dnsserver "OpenVPN TAP-Windows6" 192.168.131.191
          

          This sets the correct DNS server so that I can join the AD domain, which is the goal I was trying to achieve.

          It seems that the CSO adds the DNS records to the existing ones, and doesn't replace them. Is that by design or can it be fixed/changed?

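The additive behaviour seen above is OpenVPN's default: options pushed from a client-config-dir (CSO) file are appended to the server's global push list unless the file says otherwise. The following is an added example of an override file for this thread's client, not the file from the post or anything generated by pfSense; it assumes OpenVPN 2.4 or newer (where `push-remove` was introduced) and that the server configuration itself pushes `dhcp-option DNS 192.168.131.254`.

```conf
# Added example, not the override file from the post: a client-specific
# override for client "xoliswa" that drops the server-level DNS push before
# adding its own, so the client ends up with only 192.168.131.191.
# Assumes OpenVPN 2.4+ and a server config containing
#   push "dhcp-option DNS 192.168.131.254"

# Remove every previously configured push whose option string begins with
# "dhcp-option DNS" (prefix match against the server's global push list).
# Other pushed options such as routes and the DOMAIN suffix are kept.
push-remove "dhcp-option DNS"

# Now push the client-specific resolver and the full-tunnel redirect.
push "dhcp-option DNS 192.168.131.191"
push "redirect-gateway def1"

# Coarser alternative: push-reset discards the entire global push list for
# this client, so everything it still needs (routes, DOMAIN, DNS,
# redirect-gateway) would then have to be re-pushed here explicitly.
# push-reset
```

After reconnecting, the server log should still show the `OPTIONS IMPORT: reading client specific options from: ...` line, and `ipconfig /all` on the TAP adapter should list a single DNS server. Assumed, since the thread does not say where the file comes from: on pfSense this file is regenerated from the override's GUI settings, so the `push-remove` line belongs in the override's custom options field rather than in a hand edit of `/var/etc/openvpn/server2/csc/xoliswa`, which would be overwritten.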
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.