[MT1300] - Openvpn and DNS

Hi,

Just got my new Beryl MT1300 and have been having fun playing around with it. However, I am having some difficulty getting it to play nice with DNS. I run a pfSense firewall that hosts my OpenVPN server, and while I am able to connect and get traffic to pass, I am unable to get any internal DNS resolution on the clients that are connected to the router. The router itself appears to be able to resolve the correct addresses with a traceroute or a ping, but as soon as I try to do the same thing on any of my Windows or Android clients, I cannot resolve the names. I have read a number of topics on DNS forwarding, but many of them appear to be a bit older, and most seem to talk about calling a DNS script on tunnel establishment. I verified that my configs do seem to include this external script callout, but I continue to be unable to resolve DNS names for devices on the other side of the tunnel. I will include my scripts and logs below; any help would be appreciated!

OpenVPN Server: pfSense 2.4.5
OpenVPN Client: GL-iNet Beryl MT1300 3.200
Connected to Beryl Router: Windows 10 Pro (x3), Android 10 (x3)
Server Config:

dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 72.195.xxx.xxx
tls-server
server 192.168.101.0 255.255.255.192
client-config-dir /var/etc/openvpn-csc/server1
username-as-common-name
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so 
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpncert' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 5
push "dhcp-option DOMAIN xxx**ck .net"
push "dhcp-option DNS 192.168.100.5"
push "dhcp-option DNS 192.168.100.250"
push "block-outside-dns"
push "register-dns"
push "dhcp-option WINS 192.168.100.250"
push "redirect-gateway def1"
client-to-client
duplicate-cn
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1.tls-auth 0
ncp-ciphers AES-256-GCM:AES-128-GCM
persist-remote-ip
float
topology subnet

Client Config

dev tun
persist-tun
persist-key
cipher AES-256-CBC
ncp-ciphers AES-256-GCM
auth SHA256
tls-client
client
resolv-retry infinite
remote 72.195.xxx.xxx 1194 udp
verify-x509-name "vpncert" name
auth-user-pass /etc/openvpn/ovpn0/auth/usrpwd.txt
remote-cert-tls server
keepalive 10 120
pull-filter ignore "register-dns"
status /var/log/openvpn-status 20
log /var/log/openvpn
<ca>
-----BEGIN CERTIFICATE-----
xxx*
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
xxx*
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
xxx*
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
xxx*
</tls-auth>
daemon
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

update-resolv-conf

#!/bin/sh
# OpenVPN --up/--down hook for OpenWrt/GL.iNet: turn the pushed dhcp-option
# values into a resolv.conf that dnsmasq reads, so LAN clients behind the
# router resolve through the VPN's DNS servers. OpenVPN sets $script_type and
# exports each pushed dhcp-option as foreign_option_1, foreign_option_2, ...

VPN_RESOLV=/tmp/resolv.conf.vpn
DEFAULT_RESOLV=/tmp/resolv.conf.auto

# Point dnsmasq at the given resolvfile and restart it. Checks first that a
# dnsmasq section exists in /etc/config/dhcp: "uci: Entry not found", as seen
# in the log above, is what uci prints when the section it is asked to set
# does not exist, and the original script carried on silently after it.
set_resolvfile() {
        if ! uci -q get dhcp.@dnsmasq[0] >/dev/null; then
                logger -t openvpn "no dnsmasq section in /etc/config/dhcp, DNS not updated"
                return 1
        fi
        uci set dhcp.@dnsmasq[0].resolvfile="$1"
        uci commit dhcp
        # Restart in the background so route setup (and mwan3) is not delayed.
        /etc/init.d/dnsmasq restart &
}

case "$script_type" in
up)
        i=1
        ns=""
        while true; do
                # Non-Windows clients only receive pushed DHCP options through
                # the foreign_option_N variables; translate DNS and DOMAIN and
                # drop WINS or anything else resolv.conf has no syntax for.
                eval "opt=\${foreign_option_${i}:-}"
                [ -n "$opt" ] || break
                i=$((i + 1))
                set -- $opt
                [ "$1" = "dhcp-option" ] && [ -n "$3" ] || continue
                case "$2" in
                        DNS)    ns="${ns}nameserver $3
" ;;
                        DOMAIN) ns="${ns}search $3
" ;;
                esac
        done

        if [ -n "$ns" ]; then
                printf '%s' "$ns" > "$VPN_RESOLV"
        else
                # Nothing usable was pushed: fall back to public resolvers rather
                # than leaving dnsmasq without an upstream.
                printf 'nameserver 1.1.1.1\nnameserver 8.8.8.8\n' > "$VPN_RESOLV"
        fi
        set_resolvfile "$VPN_RESOLV"
        ;;
down)
        # Restore the resolvers learned on the WAN side.
        [ -f "$VPN_RESOLV" ] || exit 0
        rm -f "$VPN_RESOLV"
        set_resolvfile "$DEFAULT_RESOLV"
        ;;
esac

exit 0

Log

2021-01-23 14:40:24 OpenVPN 2.5_git mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2021-01-23 14:40:24 library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
2021-01-23 14:40:24 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-01-23 14:40:24 TCP/UDP: Preserving recently used remote address: [AF_INET]72.195.xxx.xxx:1194
2021-01-23 14:40:24 UDP link local (bound): [AF_INET][undef]:1194
2021-01-23 14:40:24 UDP link remote: [AF_INET]72.195.xxx.xxx:1194
2021-01-23 14:40:25 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-01-23 14:40:25 [vpncert] Peer Connection Initiated with [AF_INET]72.195.xxx.xxx:1194
2021-01-23 14:40:31 write UDP: Network unreachable (code=128)
2021-01-23 14:40:33 write UDP: Network unreachable (code=128)
2021-01-23 14:40:36 write UDP: Network unreachable (code=128)
2021-01-23 14:40:37 write UDP: Network unreachable (code=128)
2021-01-23 14:40:38 write UDP: Network unreachable (code=128)
2021-01-23 14:40:41 write UDP: Network unreachable (code=128)
2021-01-23 14:40:42 write UDP: Network unreachable (code=128)
2021-01-23 14:40:43 write UDP: Network unreachable (code=128)
2021-01-23 14:40:45 write UDP: Network unreachable (code=128)
2021-01-23 14:40:46 write UDP: Network unreachable (code=128)
2021-01-23 14:40:48 write UDP: Network unreachable (code=128)
2021-01-23 14:40:48 write UDP: Network unreachable (code=128)
2021-01-23 14:41:01 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: block-outside-dns (2.5_git)
2021-01-23 14:41:01 TUN/TAP device tun0 opened
2021-01-23 14:41:01 /sbin/ip link set dev tun0 up mtu 1500
2021-01-23 14:41:01 /sbin/ip link set dev tun0 up
2021-01-23 14:41:01 /sbin/ip addr add dev tun0 192.168.101.2/26
2021-01-23 14:41:01 /etc/openvpn/update-resolv-conf tun0 1500 1624 192.168.101.2 255.255.255.192 init
RTNETLINK answers: File exists
2021-01-23 14:41:04 ERROR: Linux route add command failed: external program exited with error status: 2
RTNETLINK answers: File exists
2021-01-23 14:41:04 ERROR: Linux route add command failed: external program exited with error status: 2
RTNETLINK answers: File exists
2021-01-23 14:41:04 ERROR: Linux route add command failed: external program exited with error status: 2
uci: Entry not found
2021-01-23 14:41:07 Initialization Sequence Completed

From router:

root@GL-MT1300:/tmp/log# traceroute xpy.xxx*ck .net
traceroute to xpy.xxx*ck .net (192.168.100.152), 30 hops max, 38 byte packets
 1  192.168.101.1 (192.168.101.1)  11.824 ms  11.276 ms  11.657 ms
 2  192.168.100.152 (192.168.100.152)  11.775 ms  12.341 ms  10.592 ms
----
traceroute to nas.xxx*ck .net (192.168.100.160), 30 hops max, 38 byte packets
 1  192.168.101.1 (192.168.101.1)  10.076 ms  10.273 ms  11.115 ms
 2  nas.xxx*ck .net (192.168.100.160)  11.888 ms  13.603 ms  12.913 ms

From Windows Client

C:\Users\user1>tracert nas.xxx*ck .net
Unable to resolve target system name nas.xxx*ck .net.

C:\Users\user1>tracert xpy.xxx*ck .net
Unable to resolve target system name xpy.xxx*ck .net.

Clients rely on firewalls to retrieve data using DNS encryption, and if you use PFSense, you may need to reconfigure firewall rules.

Thanks for the reply. I'm pretty sure it's not a firewall rule, as if I change the DNS manually on my clients, I am able to successfully query the DNS server. For some reason it just seems like the MT1300 is not respecting the pushed DNS server list when connecting to the VPN endpoint. For the time being, I just change my DNS server on the clients to the remote DNS server after connecting to the 1300. It would be great if I could find a solution, but this is what I am doing for now.