Posted: Sun Jan 15, 2017 15:43 Post subject: send DNS requests through OpenVPN Tunnel
Hello everybody!
I am probably asking a very simple question to many, but after long searching the forums still can't find the answer.
I have proudly been running DD-WRT v3.0-r30910M kongac (12/02/16) on my Netgear R7000 for about a week, as a first-time user with no networking background.
So far everything runs smoothly out of the box, I haven't done any extra configuration.
So here is the problem: when running the OpenVPN client, the DNS requests get handled by whatever server I have put in the 'basic setup > network setup' page of the GUI. If I type zeroes in, the requests go to my ISP's DNS. So I guess this all goes outside the VPN tunnel. When I use the VPN provider's Windows client it works similarly, and when I set some extra options for preventing DNS leaks, it starts sending requests to OpenDNS servers set by the provider (which I cannot choose), ignoring my system settings in Windows and in the router. So the question is: how do I configure it so that all traffic, including DNS requests, goes through the VPN tunnel? The second question: how do I see where it goes?
Thanks to all the people keeping this project what it is!
Joined: 18 Mar 2014 Posts: 12889 Location: Netherlands
Posted: Mon Jan 16, 2017 13:22 Post subject:
That is a great explanation, very instructive, thank you!
I have set up my OpenVPN client on PIA, which works well.
I can see that it is pushing DNS servers:
20170116 13:31:50 SENT CONTROL [06425c9dfd4606f82b5adc8217d63008]: 'PUSH_REQUEST' (status=1)
20170116 13:31:50 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 dhcp-option DNS 209.222.18.222 dhcp-option DNS 209.222.18.218 ping 10 comp-lzo no route 10.53.10.1 topology net30 ifconfig 10.53.10.6 10.53.10.5'
So that seems OK, BUT if I use ipleak.net, I can see that I am on my VPN, but my DNS server is listed as Google, so apparently the two pushed DNS servers, which are at the top of my resolv.dnsmasq, are not used. The last three entries of my resolv.dnsmasq are my entries under DHCP server.
Settings
Use DNSMasq for DHCP : Check
Use DNSMasq for DNS : Check
DHCP-Authoritative : Check
Forced DNS Redirection: Not
DNSMasq : Enable
Encrypt DNS : Disable
Local DNS : Enable
No DNS Rebind : Enable
Query DNS in Strict Order : Enable
Add Requestor MAC to DNS Query : Disable
I am on the latest Kong build 31135 (with OpenVPN 2.4) on a Netgear R6400.
root@R6400:~# traceroute -n 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 byte packets
1 10.26.10.1 47.973 ms 47.501 ms 47.940 ms
2 93.114.43.193 531.769 ms 239.497 ms 99.327 ms
3 109.163.235.153 55.308 ms 48.973 ms 56.528 ms
4 109.163.235.130 119.707 ms 87.292 ms 77.351 ms
5 * * 5.254.68.146 209.919 ms
6 80.81.193.108 81.499 ms 81.661 ms 81.967 ms
7 216.239.49.128 76.174 ms 216.239.56.26 81.603 ms 216.239.56.110 76.301 ms
8 216.239.57.147 78.385 ms 216.239.57.145 75.850 ms 216.239.57.127 76.001 ms
9 66.249.95.226 94.057 ms 93.998 ms 64.233.174.143 90.991 ms
10 209.85.246.119 91.367 ms 88.641 ms 209.85.249.12 92.064 ms
11 * * *
12 * 8.8.8.8 92.487 ms 90.478 ms
My take (for what it's worth) is that the resolv.dnsmasq.conf is not used.
So I tried to stop and start DNSMasq; what that did was alter the resolv.dnsmasq.conf file in such a way that the entries from the OpenVPN were gone, not surprisingly. After stopping and starting the OpenVPN the entries were back, but still no go.
Then I decided to open and save but not alter the resolv.dnsmasq.conf and BINGO now with dnsleaktest and ipleak.net my vpn IP address is listed as my DNS server.
root@R6400:~# traceroute -n 209.222.18.222
traceroute to 209.222.18.222 (209.222.18.222), 30 hops max, 38 byte packets
1 10.26.10.1 47.277 ms 49.820 ms 55.928 ms
2 * * *
3 109.163.235.61 47.949 ms 50.662 ms 48.774 ms
4 62.115.147.6 48.105 ms 46.910 ms 47.835 ms
5 62.115.119.118 70.494 ms 80.91.248.15 73.086 ms 62.115.143.170 69.943 ms
6 62.115.136.62 82.192 ms 213.155.133.56 77.521 ms 62.115.134.216 85.494 ms
7 213.155.135.63 169.163 ms 62.115.116.160 84.581 ms 80.91.250.203 168.142 ms
8 62.115.134.108 168.400 ms 213.155.130.28 164.305 ms 62.115.141.238 170.200 ms
9 62.115.123.77 88.615 ms 62.115.123.85 86.542 ms 62.115.149.39 167.472 ms
10 66.55.144.146 168.482 ms 66.55.144.149 169.875 ms 66.55.144.146 161.635 ms
11 108.61.248.78 165.518 ms 80.91.247.121 177.393 ms 62.115.118.192 170.098 ms
12 62.115.112.107 166.877 ms 213.155.130.30 173.375 ms 209.222.18.222 164.657 ms
Posted: Tue Jan 17, 2017 18:38 Post subject:
Thank you very much for your elaborate answer. Not only is your knowledge amazing but your explanation concise and to the point.
The way you described it is the same as for my setup.
After the OpenVPN is active, the dnsmasq.conf points to the resolv.dnsmasq, which starts with the 2 entries from the VPN and then 3 entries from the DHCP fields.
I do not have anything in my Additional DNSMasq Options and I have: Query DNS in Strict Order, Local DNS and No DNS Rebind all enabled.
So my setup not working could indeed be a timing problem which is solved by opening and saving the resolv.dnsmasq file.
Posted: Wed Jan 18, 2017 12:45 Post subject:
I did some further investigating and rebooted multiple times; sometimes DNS used the pushed VPN DNS servers, sometimes it didn't.
I include a file with the timestamps of the /tmp directory. When it was not working, the timestamps of dnsmasq.conf and resolv.dnsmasq were the same; when it worked as it should, resolv.dnsmasq had a timestamp 1 second later.
Posted: Wed Jan 18, 2017 16:17 Post subject:
I totally agree, it could point to a nasty bug.
My setup is really standard, Netgear R6400 with the latest Kong build 31135, which has the new 2.4 OpenVPN.
No additional DNSMasq options only 1 static lease, no scripts or rules.
I will make a script to touch the resolv.dnsmasq. A nice exercise; I have programming and Windows scripting skills but not Linux.
As I said, my Linux knowledge is below average, so I cannot comment on it. Perhaps I should add: Sleep 5 after startservice dnsmasq -f ? (don't know what the -f option means)
Posted: Wed Jan 18, 2017 18:58 Post subject:
Great!
Of course my suggestion (putting in a sleep) was nonsense; I knew that the minute after I uploaded my message. These files are of course not persistent.
Posted: Fri Jan 20, 2017 13:59 Post subject:
Good Job!
I cobbled a script together which can be saved as startup script from the Administration commands tab, which "touches" the file to give it a later timestamp so that DNSMasq rereads the file and uses the pushed DNS servers. I did not test extensively so check!
Code:
#!/bin/sh
# Startup script: wait (up to 10 x 2 s) for OpenVPN to write /tmp/resolv.dnsmasq,
# then touch it so its timestamp is newer than dnsmasq.conf and dnsmasq rereads it.
file="/tmp/resolv.dnsmasq"
Number=0
logger "File attempting to touch: $file"
# Keep waiting while the file is still missing and attempts remain
while [ ! -f "$file" ] && [ "$Number" -lt 10 ]; do
    sleep 2
    Number=$((Number+1))
    logger "Waiting for $file, attempt $Number of 10"
done
if [ -f "$file" ]; then
    sleep 2
    touch "$file"
    logger "$file has been touched"
else
    logger "Can not execute touch, Beware of DNS Leak"
fi
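Touching the file only helps if dnsmasq then really queries the pushed servers first. The following check is an added example written for this thread, not code from any poster or from DD-WRT: it pulls the `dhcp-option DNS` servers out of an OpenVPN PUSH_REPLY line and confirms they are the leading nameserver entries in the resolv-file dnsmasq reads. It assumes the DD-WRT paths named above (/tmp/resolv.dnsmasq) and that the PUSH_REPLY line can be grepped from the syslog (/var/log/messages is an assumption); the sample PUSH_REPLY and resolv files are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the DNS servers OpenVPN
# pushed in its PUSH_REPLY are the first "nameserver" entries in the file
# dnsmasq reads (resolv-file=/tmp/resolv.dnsmasq). With "Query DNS in Strict
# Order" dnsmasq asks servers in file order, so anything listed ahead of the
# pushed servers means queries can bypass the tunnel.

# Constructed sample, modelled on the PUSH_REPLY line shown in the thread.
SAMPLE_PUSH="PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,route 10.53.10.1'"

# Print every IP that follows "dhcp-option DNS", one per line. Commas are
# turned into spaces so both comma- and space-separated forms work.
pushed_dns() {
    printf '%s\n' "$1" | tr ',' ' ' | awk '{
        for (i = 2; i < NF; i++)
            if ($(i-1) == "dhcp-option" && $i == "DNS") print $(i+1)
    }'
}

# Print the nameserver entries of a resolv file in file order.
resolv_servers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Return 0 if the resolv file starts with exactly the pushed servers, in order.
check_dns_order() {
    want=$(pushed_dns "$1")
    if [ -z "$want" ]; then
        echo "no dhcp-option DNS found in PUSH_REPLY"
        return 1
    fi
    n=$(printf '%s\n' "$want" | wc -l | tr -d ' ')
    have=$(resolv_servers "$2" | head -n "$n")
    if [ "$want" = "$have" ]; then
        echo "OK: $2 leads with pushed servers: $(echo $want)"
        return 0
    fi
    echo "LEAK RISK: pushed [$(echo $want)] but $2 starts with [$(echo $have)]"
    return 1
}

# Demo on constructed resolv files: the healthy order, then the stale order
# the thread describes when dnsmasq has not re-read the file.
demo() {
    tmp=$(mktemp)
    printf 'nameserver 209.222.18.222\nnameserver 209.222.18.218\nnameserver 192.168.1.1\n' > "$tmp"
    check_dns_order "$SAMPLE_PUSH" "$tmp"
    printf 'nameserver 192.168.1.1\nnameserver 8.8.8.8\n' > "$tmp"
    check_dns_order "$SAMPLE_PUSH" "$tmp"
    rm -f "$tmp"
}

# On the router (log path is an assumption):
#   sh dnscheck.sh "$(grep PUSH_REPLY /var/log/messages | tail -n 1)" /tmp/resolv.dnsmasq
if [ $# -eq 2 ]; then check_dns_order "$1" "$2"; else demo; fi
```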
I seem to have a much more basic problem with getting my DNS queries routed through the VPN. Short story: the pushed PIA DNS servers don't seem to replace the static ones even though OpenVPN connects correctly and "Use DNSMasq for DNS" is checked.
Details:
I have PIA and set up my dd-wrt router (a Netgear WNDR3700 v4 with the DD-WRT v3.0-r31722 std (03/21/17) firmware) to route all traffic through the VPN.
thanks for that quick and substantial response. I was wondering about policy-based routing myself, thanks for anticipating that question and answering it as well.
Not sure if I should start a new topic, but this one looks the most relevant for me.
I have set up a routed OpenVPN client (tun) on DD-WRT 3.0-r39715 to connect a local LAN to a remote LAN.
Everything is working fine, with the only exception that the remote DNS pushed by the OpenVPN server is not updating the dnsmasq resolv file.
GUI settings
Setup->Basic [ Network Address Server Settings (DHCP) ]
Code:
Use DNSMasq for DNS - checked
DHCP-Authoritative - checked
Forced DNS Redirection - unchecked
Services->Services [ Dnsmasq ]
Code:
Dnsmasq - Enable
Cache DNSSEC data - Disable
Local DNS - Enable
No DNS Rebind - Enable
Query DNS in Strict Order - Enable
Add Requestor MAC to DNS Query - Disable
RFC4039 Rapid Commit support - Disable
Maximum Cached Entries - 1500
Additional Dnsmasq Options - blank
Generated dnsmasq.conf
Code:
less /tmp/dnsmasq.conf
interface=br0
resolv-file=/tmp/resolv.dnsmasq
strict-order
domain=local.net
dhcp-leasefile=/tmp/dnsmasq.leases
dhcp-lease-max=50
dhcp-option=br0,3,192.168.7.250 //LAN IP address of dd wrt router
dhcp-range=br0,192.168.7.129,192.168.7.178,255.255.255.128,1440m
bogus-priv
conf-file=/etc/rfc6761.conf
dhcp-option=252,"\n"
cache-size=1500
The DD-WRT OpenVPN client receives the remote DNS address along with static routes:
Code:
May 4 12:27:58 gate daemon.notice openvpn[7589]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.3.201,route 10.0.0.0 255.255.0.0,route 192.168.3.0 255.255.255.0
However, /tmp/resolv.dnsmasq remains unchanged; only my ISP's DNS addresses are there:
In the future, please, *always* start a new thread.
OK. Noted.
eibgrad wrote:
You could even combine the two so that you never had DNS leaks for public IPs *and* be able to use the remote DNS server when necessary.
I think I will switch this one to Kong's build as this solution is not elegant enough. Having a bunch of remote domains and keeping them "hardcoded" in additional options is a bit inconvenient and hard to administer.