Hi,
Just got my new Beryl MT1300 and have been having fun playing around with it. However, I am having some difficulty getting it to play nice with DNS. I run a pfSense firewall that hosts my OpenVPN server, and while I am able to connect and get traffic to pass, I am unable to get any internal DNS resolution on the clients that are connected to the router. The router itself appears to be able to resolve the correct addresses with a traceroute or a ping, but as soon as I try to do the same thing on any of my Windows or Android clients, I cannot resolve the names. I have read a number of topics on DNS forwarding, but many of them appear to be a bit older, and most seem to talk about calling a DNS script on tunnel establishment. I verified that my configs do seem to include this external script callout, but I continue to be unable to resolve DNS names for devices on the other side of the tunnel. I will include my scripts and logs below; any help would be appreciated!
OpenVPN Server: pfSense 2.4.5
OpenVPN Client: GL-iNet Beryl MT1300 3.200
Connected to Beryl Router - Windows 10 pro (x3), Android 10 (x3)
Server Config:
dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 72.195.xxx.xxx
tls-server
server 192.168.101.0 255.255.255.192
client-config-dir /var/etc/openvpn-csc/server1
username-as-common-name
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpncert' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 5
push "dhcp-option DOMAIN xxx**ck .net"
push "dhcp-option DNS 192.168.100.5"
push "dhcp-option DNS 192.168.100.250"
push "block-outside-dns"
push "register-dns"
push "dhcp-option WINS 192.168.100.250"
push "redirect-gateway def1"
client-to-client
duplicate-cn
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1.tls-auth 0
ncp-ciphers AES-256-GCM:AES-128-GCM
persist-remote-ip
float
topology subnet
Client Config:
dev tun
persist-tun
persist-key
cipher AES-256-CBC
ncp-ciphers AES-256-GCM
auth SHA256
tls-client
client
resolv-retry infinite
remote 72.195.xxx.xxx 1194 udp
verify-x509-name "vpncert" name
auth-user-pass /etc/openvpn/ovpn0/auth/usrpwd.txt
remote-cert-tls server
keepalive 10 120
pull-filter ignore "register-dns"
status /var/log/openvpn-status 20
log /var/log/openvpn
<ca>
-----BEGIN CERTIFICATE-----
xxx*
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
xxx*
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
xxx*
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
xxx*
</tls-auth>
daemon
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
update-resolv-conf:
#!/bin/sh
case $script_type in
up)
    i=1
    ns=""
    while true; do
        # Non-Windows OpenVPN clients can accept pushed DHCP options by using a
        # client-side up script that parses the foreign_option_n environment
        # variable list
        eval opt=\$foreign_option_${i}
        [ -z "${opt}" ] && break
        ns="$ns\n$(echo ${opt} | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g')"
        i=$((i + 1))
    done
    if [ -n "$ns" ]; then
        echo -e "$ns" > /tmp/resolv.conf.vpn
    else
        echo -e "nameserver 1.1.1.1\nnameserver 8.8.8.8" > /tmp/resolv.conf.vpn
    fi
    uci set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.vpn'
    uci commit dhcp
    # Restart in the background so that adding the route table is not delayed,
    # which would affect mwan3
    /etc/init.d/dnsmasq restart &
    ;;
down)
    # Restore DNS; nothing to do if the VPN resolv file was never written
    # (exit rather than return: this is a top-level script, not a function)
    [ -f "/tmp/resolv.conf.vpn" ] || exit 0
    rm -fr "/tmp/resolv.conf.vpn"
    uci set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
    uci commit dhcp
    /etc/init.d/dnsmasq restart &
    ;;
esac
exit 0
Log:
2021-01-23 14:40:24 OpenVPN 2.5_git mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2021-01-23 14:40:24 library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
2021-01-23 14:40:24 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-01-23 14:40:24 TCP/UDP: Preserving recently used remote address: [AF_INET]72.195.xxx.xxx:1194
2021-01-23 14:40:24 UDP link local (bound): [AF_INET][undef]:1194
2021-01-23 14:40:24 UDP link remote: [AF_INET]72.195.xxx.xxx:1194
2021-01-23 14:40:25 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-01-23 14:40:25 [vpncert] Peer Connection Initiated with [AF_INET]72.195.xxx.xxx:1194
2021-01-23 14:40:31 write UDP: Network unreachable (code=128)
2021-01-23 14:40:33 write UDP: Network unreachable (code=128)
2021-01-23 14:40:36 write UDP: Network unreachable (code=128)
2021-01-23 14:40:37 write UDP: Network unreachable (code=128)
2021-01-23 14:40:38 write UDP: Network unreachable (code=128)
2021-01-23 14:40:41 write UDP: Network unreachable (code=128)
2021-01-23 14:40:42 write UDP: Network unreachable (code=128)
2021-01-23 14:40:43 write UDP: Network unreachable (code=128)
2021-01-23 14:40:45 write UDP: Network unreachable (code=128)
2021-01-23 14:40:46 write UDP: Network unreachable (code=128)
2021-01-23 14:40:48 write UDP: Network unreachable (code=128)
2021-01-23 14:40:48 write UDP: Network unreachable (code=128)
2021-01-23 14:41:01 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: block-outside-dns (2.5_git)
2021-01-23 14:41:01 TUN/TAP device tun0 opened
2021-01-23 14:41:01 /sbin/ip link set dev tun0 up mtu 1500
2021-01-23 14:41:01 /sbin/ip link set dev tun0 up
2021-01-23 14:41:01 /sbin/ip addr add dev tun0 192.168.101.2/26
2021-01-23 14:41:01 /etc/openvpn/update-resolv-conf tun0 1500 1624 192.168.101.2 255.255.255.192 init
RTNETLINK answers: File exists
2021-01-23 14:41:04 ERROR: Linux route add command failed: external program exited with error status: 2
RTNETLINK answers: File exists
2021-01-23 14:41:04 ERROR: Linux route add command failed: external program exited with error status: 2
RTNETLINK answers: File exists
2021-01-23 14:41:04 ERROR: Linux route add command failed: external program exited with error status: 2
uci: Entry not found
2021-01-23 14:41:07 Initialization Sequence Completed
From router:
root@GL-MT1300:/tmp/log# traceroute xpy.xxx*ck .net
traceroute to xpy.xxx*ck .net (192.168.100.152), 30 hops max, 38 byte packets
1 192.168.101.1 (192.168.101.1) 11.824 ms 11.276 ms 11.657 ms
2 192.168.100.152 (192.168.100.152) 11.775 ms 12.341 ms 10.592 ms
----
traceroute to nas.xxx*ck .net (192.168.100.160), 30 hops max, 38 byte packets
1 192.168.101.1 (192.168.101.1) 10.076 ms 10.273 ms 11.115 ms
2 nas.xxx*ck .net (192.168.100.160) 11.888 ms 13.603 ms 12.913 ms
From Windows Client:
C:\Users\user1>tracert nas.xxx*ck .net
Unable to resolve target system name nas.xxx*ck .net.
C:\Users\user1>tracert xpy.xxx*ck .net
Unable to resolve target system name xpy.xxx*ck .net.
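A dry run of what the update-resolv-conf up script above would hand to dnsmasq, as an added example that is not from the post or the GL-iNet firmware: render_resolv applies the script's foreign_option_N mapping in pure shell (and drops options with no resolv.conf form, such as WINS, instead of copying them through), and pull_filters_for_windows_only lists the pull-filter lines for the two Windows-only pushes in the server config, one of which (block-outside-dns) the client log rejects as an unrecognized option while the other (register-dns) is already filtered in the client config. Function names and the sample values are constructed; the domain is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post or GL-iNet firmware. It touches
# neither uci nor dnsmasq, so it can be run on any host (or on the Beryl).
nl='
'
# Same mapping as update-resolv-conf: foreign_option_N -> resolv.conf lines,
# but options without a resolv.conf form (e.g. WINS) are dropped rather than
# copied through verbatim.
render_resolv() {
    i=1
    out=""
    while true; do
        eval opt=\$foreign_option_${i}
        [ -z "${opt}" ] && break
        case "$opt" in
            "dhcp-option DNS "*)    out="${out}nameserver ${opt#dhcp-option DNS }${nl}" ;;
            "dhcp-option DOMAIN "*) out="${out}domain ${opt#dhcp-option DOMAIN }${nl}" ;;
        esac
        i=$((i + 1))
    done
    printf '%s' "$out"
}
# Reads an OpenVPN server config on stdin and prints the pull-filter lines a
# Linux client needs for pushes only the Windows client implements (the log in
# the post shows block-outside-dns rejected as an unrecognized option; the
# client config already filters register-dns the same way).
pull_filters_for_windows_only() {
    while IFS= read -r line; do
        case "$line" in
            'push "block-outside-dns"') echo 'pull-filter ignore "block-outside-dns"' ;;
            'push "register-dns"')      echo 'pull-filter ignore "register-dns"' ;;
        esac
    done
}
demo() {
    # Constructed to mirror the server's push lines; the domain is a placeholder.
    foreign_option_1="dhcp-option DOMAIN example.internal"
    foreign_option_2="dhcp-option DNS 192.168.100.5"
    foreign_option_3="dhcp-option DNS 192.168.100.250"
    foreign_option_4="dhcp-option WINS 192.168.100.250"
    echo "# resolv.conf the up script would hand to dnsmasq:"
    render_resolv
    echo "# pull-filter lines to add to the client config:"
    printf 'push "block-outside-dns"\npush "register-dns"\npush "redirect-gateway def1"\n' \
        | pull_filters_for_windows_only
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Saved under any file name and run with the argument `demo`, it prints both results; sourcing it and setting your own foreign_option_N values shows exactly what the real up script would write for a given push set.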