AR750 as OpenVPN client, no DNS for far network

Hi All

I do have AR750 configured as OpenVPN client, which I’m using when traveling. My home router act as OpenVPN server, where I have terminated other two stationary routers. So far so good, in server config I’m “pushing” my internal domain with internal DNS server IP. And it works for other two routers, or OpenVPN software. It doesn’t for AR750, when trying to resolve address which is in my home network, AR750 instead asking through tunnel, goes via internet (I do have split-dns). How I can fix this ?
BTW, where is OpenVPN log in this small, clever box ?

you can set up custom DNS in the router.

Seems open doesn’t keep full log. Some of the logs is in system log, which you can read via logread

this is openwrt/lede problem, now have “perfect work solution”, but “little stupid”.

  1. of course, you need the “*.ovpn” file.
  2. follow “https://gl-inet.com/docs/openwrt/openvpn/” upload your “*.ovpn” file
  3. you need use ssh connect your gl-inet router.
  4. cd /etc/openvpn
  5. ls -l, you will list the porcedure (2) uploaded ovpn file
  6. use vi to edit your ovpn file
  7. insert below (3) lines to your ovpn file
    7.1 *** WHY NOT MODIFY OVPN FILE BEFORE UPLOAD ? *** because the gl.inet web upload will clear below 3 line. so you need modify after upload.

–script-security 2
up /etc/openvpn/updns
down /etc/openvpn/downdns

  1. save & exit the vi
  2. use vi to create (2) scripts file (updns and downdns)

/etc/openvpn/updns: (file not include this line)

#!/bin/sh
mv /tmp/resolv.conf.auto /tmp/resolv.conf.auto.hold
echo $foreign_option_1 | sed -e ‘s/dhcp-option DOMAIN/domain/g’ -e ‘s/dhcp-option DNS/nameserver/g’ > /tmp/resolv.conf.auto
echo $foreign_option_2 | sed -e ‘s/dhcp-option DOMAIN/domain/g’ -e ‘s/dhcp-option DNS/nameserver/g’ >> /tmp/resolv.conf.auto
echo $foreign_option_3 | sed -e ‘s/dhcp-option DOMAIN/domain/g’ -e ‘s/dhcp-option DNS/nameserver/g’ >> /tmp/resolv.conf.auto

/etc/openvpn/downdns: (file not include this line)

#!/bin/sh
mv /tmp/resolv.conf.auto.hold /tmp/resolv.conf.auto

  1. chmod 755 updns
  2. chmod 755 downdns

*** FINISH! ENJOY YOUR VPN ***

reference

2 Likes

Hi, I’ve tried this a few days ago but got stuck after restarting the router. It always throws an error when trying to run the script from the vpn file and causes vpn to not start. I double and triple checked that i followed directions closely. I’ll try again tho just for giggles. Btw I’m using an ar750 running 2.27 with a few added packages and scripts. Added sftp server, wget, and adblock, as well as a vpn reconnect script and led profile script. But i don’t think any of those should interfer.

You pay post your error message or log.

FWIW, I have this on my AR750 and it works well- but caveat, cutting and pasting from this site introduces extraneous characters that will prevent the scripts from running. I’ll attempt to attach them here for downloading …

vpn-dns-fixes.zip (684 Bytes)

These are the files I use. I’ve also added a file with the lines that fix existing .ovpn config files.

Thu May 17 15:12:38 2018 daemon.err openvpn[1658]: WARNING: Failed running command (–up/–down): external program exited with error status: 1
Thu May 17 15:12:38 2018 daemon.notice openvpn[1658]: Exiting due to fatal error
Thu May 17 15:12:38 2018 daemon.notice netifd: Network device ‘tun0’ link is down

This is what I’m getting using my own files, I’ll try the ones posted and edit this with results in a bit.

Edit:
After using the provided zip the scripts do now run, but something is happening to block it taking effect. I’m going to try and add my log file
log.zip (8.8 KB)

I think your problems lie outside of DNS, though; I’m past my direct experience here and the GLi team (or someone more-familiar with OpenVPN config) will have to step in here, but to me, it looks like the “updns” command is working OK:

openvpn[2911]: /etc/openvpn/updns tun1 1500 1585 10.8.8.26 255.255.255.0 init

… but the problem appears to be when OpenVPN tries to set up your routing:

openvpn[2911]: /sbin/ip route add 170.178.173.157/32 via 10.0.0.1
openvpn[2911]: ERROR: Linux route add command failed: external program exited with error status: 2

openvpn[2911]: /sbin/ip route add 0.0.0.0/1 via 10.8.8.1
openvpn[2911]: ERROR: Linux route add command failed: external program exited with error status: 2

openvpn[2911]: /sbin/ip route add 128.0.0.0/1 via 10.8.8.1
openvpn[2911]: ERROR: Linux route add command failed: external program exited with error status: 2

Can you remove the “up” and “down” lines from the .ovpn and make sure that works?

Also, before you pull the “up/down” lines, try it again and take a look at /tmp/resolv.conf.auto and verify that your VPN provider’s DNS is in there (and that you have a /tmp/resolv.conf.auto.hold file, too).

Thanks so much for this, you guys rock :smiley:

I was having issues with the DNS also, and this worked perfectly :slight_smile:

I’m using a Mifi btw :stuck_out_tongue:

1 Like

The strange thing is that both files contain the dns i want to use. I do notice however that it only shows numbers, and no text before it. I think normally it says nameserver before the dns.
Maybe it’s something to do with my firewall, or the missing nameserver text, idk. I’ll try to play around some more and see what i can find out.

Edit: can anyone using this script confirm if both files are the same for them? And if the entries contain any text before them? Is there a way to modify the script so the it out puts nameserver before the actual dns? Thanks to everyone for all of the help!!

Edit 2:
It seems the the initswitch is causing the vpn to get started too early. I see it start when initswitch finishes. And then start again with a different pid. Right after the first pid finishes getting in, the second one makes it restart. Here’s the pertinent part of the log:

Sat May 19 00:03:34 2018 daemon.notice openvpn[2957]: UDP link remote: [AF_INET]170.178.173.157:1194
Sat May 19 00:03:34 2018 daemon.notice openvpn[2957]: TLS: Initial packet from [AF_INET]170.178.173.157:1194, sid=7b0b39e0 0b5ad0d5
Sat May 19 00:03:34 2018 daemon.notice openvpn[2957]: VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
Sat May 19 00:03:35 2018 daemon.notice openvpn[2957]: VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Sat May 19 00:03:35 2018 daemon.notice openvpn[2957]: VERIFY KU OK
Sat May 19 00:03:35 2018 daemon.notice openvpn[2957]: Validating certificate extended key usage
Sat May 19 00:03:35 2018 daemon.notice openvpn[2957]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat May 19 00:03:35 2018 daemon.notice openvpn[2957]: VERIFY EKU OK
Sat May 19 00:03:35 2018 daemon.notice openvpn[2957]: VERIFY OK: depth=0, CN=us-ca-07.protonvpn.com
Sat May 19 00:03:35 2018 daemon.err openvpn[2957]: event_wait : Interrupted system call (code=4)
Sat May 19 00:03:35 2018 daemon.notice openvpn[2957]: TCP/UDP: Closing socket
Sat May 19 00:03:35 2018 daemon.notice openvpn[2957]: SIGHUP[hard,] received, process restarting
Sat May 19 00:03:35 2018 daemon.notice openvpn[2957]: OpenVPN 2.4.3 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat May 19 00:03:35 2018 daemon.notice openvpn[2957]: library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
Sat May 19 00:03:35 2018 daemon.notice openvpn[2957]: Restart pause, 5 second(s)
Sat May 19 00:03:35 2018 user.notice firewall: Reloading firewall due to ifup of wwan (wlan-sta)
Sat May 19 00:03:38 2018 daemon.warn openvpn[1669]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sat May 19 00:03:38 2018 daemon.notice openvpn[1669]: Re-using SSL/TLS context
Sat May 19 00:03:38 2018 daemon.notice openvpn[1669]: LZO compression initializing
Sat May 19 00:03:38 2018 daemon.notice openvpn[1669]: Control Channel MTU parms [ L:1654 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Sat May 19 00:03:38 2018 daemon.notice openvpn[1669]: Data Channel MTU parms [ L:1654 D:1450 EF:122 EB:411 ET:32 EL:3 ]
Sat May 19 00:03:38 2018 daemon.notice openvpn[1669]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1634,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client’
Sat May 19 00:03:38 2018 daemon.notice openvpn[1669]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1634,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server’
Sat May 19 00:03:38 2018 daemon.notice openvpn[1669]: TCP/UDP: Preserving recently used remote address: [AF_INET]170.178.173.157:1194

Hopefully @alzhao will have some insight.

Figured it out. I hadnt removed the dns servers in the wan section. It is a little misleading to have the dns leak warning if you dont have it filled in when you try to start the vpn. But removed them, restarted the router, and now all is (mostly) working great. And i Do have to set the switch to none or both the auto, and auto.hold files end up with the vpn server dns which results in no internet on disconnect from the vpn. Maybe a tiuch command at the start to tell if its the first run? Ineed help with doing it tho.

Here is a copy and paste solution, just change the name of your client config file, paste into the ssh connection and it will do the rest:

cat<<'EOF' >> /etc/openvpn/<YOUR_CLIENT_FILE_NAME>.ovpn
script-security 2
up /etc/openvpn/updns
down /etc/openvpn/downdns
EOF

cat<<'EOF' > /etc/openvpn/updns
#!/bin/sh
mv /tmp/resolv.conf.auto /tmp/resolv.conf.auto.hold
echo $foreign_option_1 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' > /tmp/resolv.conf.auto
echo $foreign_option_2 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto
echo $foreign_option_3 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto
EOF

cat<<'EOF' > /etc/openvpn/downdns
#!/bin/sh
mv /tmp/resolv.conf.auto.hold /tmp/resolv.conf.auto
EOF

chmod 755 updns
chmod 755 downdns

Change the WAN DNS to default (ie blank fields) if you set a DNS manually and don’t mind the warning about DNS leaks. Easy :smiley:

1 Like

Thanks, i got this part working. My only problem now is with the switch causing openvpn to start twice with two different pid’s. For now I’ve disabled the switch, working on a fix for the switchinit script now.

@Exile1975 I don’t have a switch on my Mifi so that is an issue with only some devices i guess? :smiley:

I just cleaned it up for any newcomers to the thread, they won’t have to transfer any files.

@alzhao i hope you add this into firmware v3 brother :smiley:

Yes, you guys rock! This for sure will be in next firmware release.

This doesn’t work for me. I am trying to connect to my own openvpn server running within my home and also use the pushed dns setting from my openvpn server. I can successfully connect, using the very same certificates, but from Windows 7, Windows 10 and also iOS devices and when connected receive the pushed dns server from within my home. However, using the GL-AR300M-Ext although I can always connect I connect without connection to pushed DNS server. I’ve tried using the above “copy and paste solution” provided by Johnex but this makes no difference. I am able to connect to my VPN but not my specified DNS server.

Is this the client bug found in my openvpn log file that we are trying to work around: “Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:3: register-dns (2.4.3)”

Just remove this line from the ovpn “register-dns” and try again.

I simply cannot get this device to use my pushed dns. Would you know where I should create an addition hosts file on the busy box? e.g. Additional Hosts files /etc/hosts. Old school solutions seems to be required here.