DNS Servers on OpenVPN Connection Not Working (GL-MT1300 Beryl)

Hello,

I have the issue reported here:

Custom DNS not working over OpenVPN (2.27, AR300M) - Technical Support - GL.iNet (gl-inet.com)

However, in my case, the correct DNS Servers are being written to “/tmp/resolv.conf.vpn” by the “update-resolv-conf” script.

When I connect to the VPN, I can ssh in and the “resolv.conf.vpn” file has my internal DNS servers:

nameserver X.X.X.X
nameserver X.X.X.X

However, the GL-MT1300 doesn’t seem to care/understand that, and it still uses other DNS servers. It works ok for internet traffic, but I can’t resolve any hostname on the remote VPN network.

Thoughts?

Do you mean local dns, e.g. myserver.lan etc?

You need to disable dns rebind protection in admin panel → more settings → custom dns server

DNS Rebind Protection is disabled and I still can’t find the problem. Other ideas?

What is the router model and firmware version?

Can you give logs?

This is the Beryl GL-MT1300 router.
Firmware: v3.215

Where do I collect the logs? (I checked the System Logs in LuCI, but there’s nothing there about DNS assignment after a VPN connection is established, other than the VPN Server setting the DNS Remote DNS Servers.)

If I examine /tmp/resolv.conf.vpn, the file gets set properly:

nameserver 10.0.0.3
nameserver 10.0.0.1

Are there any other logs I can check?

Thu Oct 27 09:17:52 2022 user.info : 1247: gl-vpn-client>> Start, vpnpath=/etc/openvpn/ovpn10, serverfile=__ssl_vpn_config.ovpn
Thu Oct 27 09:17:52 2022 user.debug : ------ss-redir is not running!------
Thu Oct 27 09:17:52 2022 user.info : 1324: gl-vpn-client>> glconfig.openvpn.ovpn=/etc/openvpn/ovpn10/__ssl_vpn_config.ovpn, glconfig.openvpn.clientid=ovpn10
Thu Oct 27 09:17:55 2022 kern.info kernel: [ 784.735248] mtk_soc_eth 1e100000.ethernet: 0x100 = 0x6060000c, 0x10c = 0x80818
Thu Oct 27 09:17:55 2022 kern.info kernel: [ 784.752083] mtk_soc_eth 1e100000.ethernet: PPE started
Thu Oct 27 09:17:56 2022 daemon.warn openvpn[5287]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Thu Oct 27 09:17:56 2022 daemon.notice openvpn[5287]: OpenVPN 2.5.2 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Oct 27 09:17:56 2022 daemon.notice openvpn[5287]: library versions: OpenSSL 1.1.1n 15 Mar 2022
Thu Oct 27 09:17:56 2022 daemon.warn openvpn[5299]: WARNING: No server certificate verification method has been enabled. See How To Guide: Set Up & Configure OpenVPN Client/server VPN | OpenVPN for more info.
Thu Oct 27 09:17:56 2022 daemon.warn openvpn[5299]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Oct 27 09:17:56 2022 daemon.notice openvpn[5299]: TCP/UDP: Preserving recently used remote address: [AF_INET][RemoteVPNServer]:443
Thu Oct 27 09:17:56 2022 daemon.notice openvpn[5299]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Thu Oct 27 09:17:56 2022 daemon.notice openvpn[5299]: UDP link local: (not bound)
Thu Oct 27 09:17:56 2022 daemon.notice openvpn[5299]: UDP link remote: [AF_INET][RemoteVPNServer]:443
Thu Oct 27 09:17:56 2022 daemon.notice openvpn[5299]: TLS: Initial packet from [AF_INET][RemoteVPNServer]:443, sid=824edb63 27e72a17
Thu Oct 27 09:17:56 2022 daemon.notice openvpn[5299]: VERIFY OK: depth=1, C=US, ST=NA, L=NA, O=DOMAIN, OU=OU, CN=CERT
Thu Oct 27 09:17:56 2022 daemon.notice openvpn[5299]: VERIFY OK: depth=0, C=US, ST=NA, L=NA, O=DOMAIN, OU=OU, CN=CERT
Thu Oct 27 09:17:57 2022 daemon.notice openvpn[5299]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Thu Oct 27 09:17:57 2022 daemon.notice openvpn[5299]: [CERT] Peer Connection Initiated with [AF_INET][RemoteVPNServer]:443
Thu Oct 27 09:17:58 2022 daemon.notice openvpn[5299]: SENT CONTROL [CERT]: 'PUSH_REQUEST' (status=1)
Thu Oct 27 09:18:03 2022 daemon.notice openvpn[5299]: SENT CONTROL [CERT]: 'PUSH_REQUEST' (status=1)
Thu Oct 27 09:18:03 2022 daemon.notice openvpn[5299]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 172.16.0.129,sndbuf 0,rcvbuf 0,ping 45,ping-restart 180,redirect-gateway def1,topology subnet,route remote_host 255.255.255.255 net_gateway,inactive 900 7680,dhcp-option DNS 10.0.0.3,dhcp-option DNS 10.0.0.1,dhcp-option DOMAIN DOMAIN.local,ifconfig 172.16.0.130 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Thu Oct 27 09:18:03 2022 daemon.notice openvpn[5299]: OPTIONS IMPORT: timers and/or timeouts modified
Thu Oct 27 09:18:03 2022 daemon.notice openvpn[5299]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Thu Oct 27 09:18:03 2022 daemon.notice openvpn[5299]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Thu Oct 27 09:18:03 2022 daemon.notice openvpn[5299]: OPTIONS IMPORT: --ifconfig/up options modified
Thu Oct 27 09:18:03 2022 daemon.notice openvpn[5299]: OPTIONS IMPORT: route options modified
Thu Oct 27 09:18:03 2022 daemon.notice openvpn[5299]: OPTIONS IMPORT: route-related options modified
Thu Oct 27 09:18:03 2022 daemon.notice openvpn[5299]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Oct 27 09:18:03 2022 daemon.notice openvpn[5299]: OPTIONS IMPORT: peer-id set
Thu Oct 27 09:18:03 2022 daemon.notice openvpn[5299]: OPTIONS IMPORT: adjusting link_mtu to 1625
Thu Oct 27 09:18:03 2022 daemon.notice openvpn[5299]: OPTIONS IMPORT: data channel crypto options modified
Thu Oct 27 09:18:03 2022 daemon.notice openvpn[5299]: Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Oct 27 09:18:03 2022 daemon.notice openvpn[5299]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Oct 27 09:18:03 2022 daemon.notice openvpn[5299]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Oct 27 09:18:03 2022 daemon.notice openvpn[5299]: net_route_v4_best_gw query: dst 0.0.0.0
Thu Oct 27 09:18:03 2022 daemon.notice openvpn[5299]: net_route_v4_best_gw result: via 10.0.1.253 dev apclix0
Thu Oct 27 09:18:03 2022 daemon.notice openvpn[5299]: TUN/TAP device tun0 opened
Thu Oct 27 09:18:03 2022 daemon.notice openvpn[5299]: net_iface_mtu_set: mtu 1500 for tun0
Thu Oct 27 09:18:03 2022 daemon.notice openvpn[5299]: net_iface_up: set tun0 up
Thu Oct 27 09:18:03 2022 daemon.notice openvpn[5299]: net_addr_v4_add: 172.16.0.130/24 dev tun0
Thu Oct 27 09:18:03 2022 daemon.notice openvpn[5299]: /etc/openvpn/update-resolv-conf tun0 1500 1553 172.16.0.130 255.255.255.0 init
Thu Oct 27 09:18:05 2022 daemon.notice openvpn[5299]: net_route_v4_add: [RemoteVPNServer]/32 via 10.0.1.253 dev [NULL] table 0 metric -1
Thu Oct 27 09:18:05 2022 daemon.notice openvpn[5299]: net_route_v4_add: 0.0.0.0/1 via 172.16.0.129 dev [NULL] table 0 metric -1
Thu Oct 27 09:18:05 2022 daemon.notice openvpn[5299]: net_route_v4_add: 128.0.0.0/1 via 172.16.0.129 dev [NULL] table 0 metric -1
Thu Oct 27 09:18:05 2022 daemon.notice openvpn[5299]: net_route_v4_add: [RemoteVPNServer]/32 via 10.0.1.253 dev [NULL] table 0 metric -1
Thu Oct 27 09:18:06 2022 user.info mwan3rtmon[2672]: Detect rtchange event.
Thu Oct 27 09:18:06 2022 user.notice firewall: Reloading firewall due to ifup of ovpn (tun0)
Thu Oct 27 09:18:08 2022 user.notice root: check route success
Thu Oct 27 09:18:08 2022 daemon.warn openvpn[5299]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Oct 27 09:18:08 2022 daemon.notice openvpn[5299]: Initialization Sequence Completed

Can you send me privately a working ovpn to check?
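
Added example, not part of any post in this thread and not GL.iNet code: a shell check that follows the pushed DNS servers from the OpenVPN log, through the file the up script writes, to the resolv files dnsmasq is configured to read. The function names, the sample files and the dnsmasq configuration path are assumptions (on OpenWrt-based firmware the generated dnsmasq config is typically under /var/etc/); the sample data is constructed from the values quoted above.

```shell
#!/bin/sh
# Added diagnostic example: every path is an argument; sample data is constructed.

# DNS servers from the last PUSH_REPLY in an OpenVPN log, one per line.
pushed_dns() {
    grep 'PUSH_REPLY' "$1" | tail -n 1 | tr ',' '\n' |
        sed -n 's/^dhcp-option DNS \([0-9.]*\).*/\1/p'
}

# Addresses on the nameserver lines of a resolv.conf-style file.
resolv_dns() {
    sed -n 's/^nameserver[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1"
}

# Every resolv-file named in a dnsmasq configuration file, one per line.
dnsmasq_resolv_files() {
    sed -n 's/^resolv-file=//p' "$1"
}

# check_dns_chain LOG VPN_RESOLV DNSMASQ_CONF
# 0 = consistent, 1 = a pushed server was not written, 2 = dnsmasq does not read the file.
check_dns_chain() {
    log=$1; vpn_resolv=$2; conf=$3
    for ip in $(pushed_dns "$log"); do
        resolv_dns "$vpn_resolv" | grep -qxF "$ip" ||
            { echo "pushed DNS $ip is missing from $vpn_resolv"; return 1; }
    done
    dnsmasq_resolv_files "$conf" | grep -qxF "$vpn_resolv" ||
        { echo "dnsmasq is not configured to read $vpn_resolv"; return 2; }
    echo "pushed DNS servers are written and read by dnsmasq"
}

# Constructed sample files modelled on the values shown in the thread.
make_sample() {
    cat > "$1/openvpn.log" <<'EOF'
openvpn[5299]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 172.16.0.129,dhcp-option DNS 10.0.0.3,dhcp-option DNS 10.0.0.1,dhcp-option DOMAIN DOMAIN.local,ifconfig 172.16.0.130 255.255.255.0'
EOF
    printf 'nameserver 10.0.0.3\nnameserver 10.0.0.1\n' > "$1/resolv.conf.vpn"
    # Assumed dnsmasq config in which the resolver still reads another file.
    printf 'resolv-file=/tmp/resolv.conf.auto\n' > "$1/dnsmasq.conf"
}

d=$(mktemp -d) && make_sample "$d"
check_dns_chain "$d/openvpn.log" "$d/resolv.conf.vpn" "$d/dnsmasq.conf" || true
rm -rf "$d"
```

A return value of 2 is a lead rather than proof: dnsmasq can also be given upstream servers through `server=` entries, so check those before concluding the VPN servers are unused.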