DNS not changing after OpenVPN connection starts

You're right @Glitch, I threw in a misdirection there, sorry about that @ds-Iceland.

@Glitch,

The IP addresses shown in the openvpn config file were mine and in no way related to the image from @Blind Raven. From my perspective the image wasn't needed; @alzhao's comment to use custom DNS tells me the AR150 ignores the config entries.

Basically what needs to happen here is that the script option to open vpn needs to be utilized…

I made this in response to this post and also discovering the DNS leaking going on:

https://gist.github.com/xenithorb/4869dc2246d1a7e73d8766c20db41669

GLI is free to use it as they wish.

You will also want to set (in your ovpn / conf file):

up /path/to/script.sh
down /path/to/script.sh

There’s an ENV variable that allows it to know when it’s up/down so no arg necessary.

You will also probably want to set:

push "redirect-gateway def1 bypass-dhcp block-local" 
push "dhcp-option DNS 10.8.0.1"

Where 10.8.0.1 is the IP of the DNS you intend on using and where

block-local

is a good setting that prevents lan access, so even if the DNS doesn’t work, you won’t leak back to the LAN DNS.

@xenithorb, Thanks, I will have a try and feedback.

I see this issue when using expressvpn through the router. DNS stays with the ISP’s router. If I disconnect/reconnect a few times, I can usually get the VPN’s DNS.

I’m not savvy enough to try your fix so hopefully it will be in an update soon.

>>> DNS stays with the ISP’s router

That’s standard - need to go into ISP router and change from “automatic” (ie. ISP’s DNS) to whatever you want.

Hi All. I've found out the way to set the DNS which the openvpn server pushes. In the openvpn profile you need to add this:

script-security 2
up /usr/bin/dns_updown_script.sh
down /usr/bin/dns_updown_script.sh

Previously, check if this script exists in your firmware (tested on 6416 fw 2.255).
This script can also grab DNS from the openvpn profile if there is "dhcp-option DNS" and save the new DNS to /tmp/resolv.conf.auto for all WAN interfaces. DNS leak test passes. Hope this will help somebody.
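As an added example (not the gist linked earlier in the thread, and not the firmware's own /usr/bin/dns_updown_script.sh), this is the kind of up/down script that the two posts above describe. OpenVPN runs the same script for both phases with the environment variable script_type set to "up" or "down", and it exports every option the server pushed as foreign_option_1, foreign_option_2, and so on (the tunnel interface name arrives as dev). On "up" the script backs up the WAN resolver file and replaces it with the pushed "dhcp-option DNS" servers; on "down" it restores the backup. The resolver path /tmp/resolv.conf.auto is assumed from the thread; only dotted-quad IPv4 addresses are accepted, and the file is left untouched when nothing usable was pushed, so a missing or malformed push cannot leave the router with no resolver at all.

```shell
#!/bin/sh
# Hypothetical OpenVPN --up/--down script for an OpenWrt-style router.
# Added example for this thread; not the firmware's dns_updown_script.sh.
# Install with "script-security 2", "up /path/to/this.sh", "down /path/to/this.sh".

RESOLV_FILE="${RESOLV_FILE:-/tmp/resolv.conf.auto}"   # path assumed from the thread
BACKUP_FILE="${BACKUP_FILE:-${RESOLV_FILE}.pre-vpn}"

# Print one "nameserver X" line per pushed "dhcp-option DNS X".
# OpenVPN exports pushed options as foreign_option_1, foreign_option_2, ...
collect_pushed_dns() {
    i=1
    while true; do
        eval "opt=\${foreign_option_${i}:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)
                ns="${opt#dhcp-option DNS }"
                # accept dotted-quad IPv4 only; ignore anything odd that was pushed
                case "$ns" in
                    ""|*[!0-9.]*) ;;
                    *) echo "nameserver $ns" ;;
                esac
                ;;
        esac
        i=$((i + 1))
    done
}

# "up": keep a copy of the WAN resolver file, then point the router at the VPN DNS.
# If the server pushed no usable DNS, leave the file alone rather than emptying it.
vpn_up() {
    new="$(collect_pushed_dns)"
    if [ -z "$new" ]; then
        echo "no dhcp-option DNS pushed; leaving $RESOLV_FILE unchanged" >&2
        return 1
    fi
    [ -f "$BACKUP_FILE" ] || cp "$RESOLV_FILE" "$BACKUP_FILE" 2>/dev/null || true
    printf '# Interface %s (written by VPN up script from pushed options)\n%s\n' \
        "${dev:-vpn}" "$new" > "$RESOLV_FILE"
}

# "down": put the pre-VPN resolver file back once the tunnel is gone.
vpn_down() {
    if [ -f "$BACKUP_FILE" ]; then
        mv "$BACKUP_FILE" "$RESOLV_FILE"
    fi
}

# Dispatch only when OpenVPN invoked us; sourcing the file without script_type does nothing.
case "${script_type:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

After the tunnel is up, `cat /tmp/resolv.conf.auto` should list only the pushed servers, and a DNS leak test should no longer show the ISP resolver. The backup-and-restore pair is what makes the "down" line in the profile necessary: without it the VPN resolver, which is only reachable through the tunnel, would stay in place after disconnect and every lookup would fail.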

Yes, I put @xenithorb's script in firmware v2.255 but did not configure it. You need to do as @Darkstar suggested to make it work.

>>>You will also probably want to set:

>>>>push "redirect-gateway def1 bypass-dhcp block-local" 
>>>>push "dhcp-option DNS 10.8.0.1"

I don't think these work as they seem to be for the server config and not the client:

--push option

Push a config file option back to the client for remote execution. Note that option must be enclosed in double quotes (""). The client must specify --pull in its config file.

Also, regarding the script, presumably it needs “dhcp-option DNS” to be set to your preferred servers to work?
And why does it include a “down” section?

Finally, how does all this differ from the GLUI "custom DNS" settings?

Glitch

@xenithorb

I still see the router itself responding to DNS… when I ssh into the AR300M I see this:

root@T5000:~# cat /tmp/resolv.conf.auto
# Interface wwan
nameserver 192.168.39.9
nameserver 8.8.8.8
root@T5000:~# nslookup google.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost

Name:      google.com
Address 1: 2a00:1450:4009:800::200e lhr25s11-in-x0e.1e100.net
Address 2: 216.58.210.46 lhr25s11-in-f14.1e100.net
root@T5000:~#


@AxeBro, we put this task on the list and hope to have this in next release.

Hi Alzhao


Any update on the ability to accept the DNS server provided by the OpenVPN server?

At the moment, my situation is the following:

  • I need to use the DNS server located on the Openvpn server side, which has a private address 192.168.10.X

  • I can specify this DNS server (192.168.10.X) fine in the Custom DNS, and I can set up the tunnel fine as long as I specify the Openvpn server IP address by IP and not FQDN.

However, if I am not using the Openvpn tunnel, I cannot resolve anything as the 192.168.10.X address is only reachable via the Openvpn tunnel.

On Windows, the DNS are correctly injected through the tunnel (as it accepts the pushed DNS servers).

Thanks

K

@xiolo, this is exactly what i need also. +1

@alzhao

Yes. We will add this.

I checked and in most ovpn files provided by public vpn providers, there is no dns push. Any idea how to deal with such situation?

@alzhao

If none of those profiles push a DNS server, how about setting up a VPS on Digital Ocean and having it push a DNS server? Even if you set it to push a public DNS server, at least we can test to see if the push option was accepted.


That could be an option. But we will not build a DNS server. It is difficult to maintain.

I think maybe the best solution is to set up a DNS server only for vpn. When vpn starts, the server will be used.

Could use Google or OpenDNS.

I know a lot of users don't want to use Google or OpenDNS. But they provide a very stable service.

@alzhao


I think we just need to figure out how to get the openvpn client on this device to accept the pushed DNS server. It doesn’t matter whether that’s an internal (to the VPN) or even external, public DNS server. All we need is the client to accept and respect the pushed DNS option until the tunnel is dropped.

It seems to be how most of the OpenVPN clients work - on Windows, Android etc. the push options get applied. I have another OpenWRT router with OpenVPN installed; I'll check to see if it respects the pushed DNS settings and report back, so we can rule out whether it's an implementation issue here or some issue native to OpenWrt.

My reason for wanting to accept the pushed DNS is that I need hosts internal to the network translated. My use case here is connecting back to my office when I'm on the road, so I need to be able to access my internal network's devices without having to remember IP addresses.


I have openVPN server running on a Ubuntu 16.04 rig. I set it up according to this tutorial:

https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04

I am able to connect to it just fine with my AR300M-Lite however the DNS isn’t working. I made the following modifications to the server side per instructions above:

push "redirect-gateway def1 bypass-dhcp block-local" #added the Block-Local
push "dhcp-option DNS 10.8.0.1"

I made the following client side changes for my AR300M (commented out these lines):

;user nobody
;group nogroup

I un-commented these lines and I verified the “dns_updown_script.sh” is in my latest firmware on the AR300M (2.261).

script-security 2
up /usr/bin/dns_updown_script.sh
down /usr/bin/dns_updown_script.sh

However, when I do the following (cat /tmp/resolv.conf.auto):

# Interface wwan
nameserver 8.8.8.8
nameserver 8.8.4.4

nslookup google.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost

The server side log shows:

someuser/someIP:56785 SENT CONTROL [someuser]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp block-local,dhcp-option DNS 10.8.0.1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)

Any suggestions? What did I miss?

Hello,

any update on this topic?

The DNS update still does not work with firmware 2.27


try below procedure