OpenVPN Client DNS Issues at Home, Fine at Other Locations

DD-WRT Forum Index -> Advanced Networking
mache
DD-WRT User


Joined: 11 Apr 2010
Posts: 311
Location: San Francisco Bay Area

PostPosted: Fri May 31, 2019 18:40    Post subject: OpenVPN Client DNS Issues at Home, Fine at Other Locations
I am currently having trouble using an OpenVPN config on Tunnelblick 3.8.0beta01 (build 5330) on my MacBook Pro using Mojave 10.14.5 to VPN into work from home with my home Netgear 7000 router running DD-WRT v3.0-r38159 std (01/02/19). I have no issues VPNing to work from Starbucks or any location outside of my home. It seems that when I am home and trying to connect to work, I end up with my home router being the DNS (192.168.x.1) and not the work DNS. Obviously this causes problems.

However, when I VPN from home to other VPN servers, the remote DNS is used and everything works fine.

What am I doing wrong?

Here is an example where I query the DNS when I am VPN'ed into the work DNS. My home router/DNS is 192.168.x.1, and that DNS is being wrongly used instead of the work DNS.

$ nslookup google.com
Server: 192.168.xx.1
Address: 192.168.xx.1#53

Non-authoritative answer:
Name: google.com
Address: 172.217.6.46

===============

Work Tunnelblick config:

auth-nocache
tun-mtu 1500
resolv-retry infinite
setenv FORWARD_COMPATIBLE 1
client
server-poll-timeout 4
nobind
remote xx.yy.zz 1194 udp
remote xx.yy.zz 443 tcp
dev tun
dev-type tun
ns-cert-type server
# remote-cert-tls server
setenv opt tls-version-min 1.0 or-highest
reneg-sec 604800
sndbuf 0
rcvbuf 0
# comp-lzo no
compress lzo
# verb 3
setenv PUSH_PEER_INFO

persist-key
persist-tun
float

<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>

===================================

Here is my firewall on my home router.

# OUTPUT rules match the outgoing interface with -o (iptables rejects -i on the OUTPUT
# chain), and --dport is only valid together with a protocol (-p udp / -p tcp).
iptables -I OUTPUT -o `get_wanface` -p udp --dport 1194 -j ACCEPT
iptables -I OUTPUT -o `get_wanface` -p tcp --dport 443 -j ACCEPT

iptables -t nat -A POSTROUTING -o `get_wanface` -j MASQUERADE


==================

Log file trying to VPN to work from home.

2019-05-31 08:46:26.923764 *Tunnelblick: macOS 10.14.5; Tunnelblick 3.8.0beta01 (build 5330); prior version 3.7.9beta11 (build 5310)
2019-05-31 08:46:27.391335 *Tunnelblick: Attempting connection with AAAA using shadow copy; Set nameserver = 769; monitoring connection
2019-05-31 08:46:27.391965 *Tunnelblick: openvpnstart start AAAA.tblk 64600 769 0 1 0 1098545 -ptADGNWradsgnw 2.4.7-openssl-1.0.2r
2019-05-31 08:46:28.615502 OpenVPN 2.4.7 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on May 22 2019
2019-05-31 08:46:28.615678 library versions: OpenSSL 1.0.2r 26 Feb 2019, LZO 2.10
2019-05-31 08:46:28.617380 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:64600
2019-05-31 08:46:28.617425 Need hold release from management interface, waiting...
2019-05-31 08:46:29.940055 *Tunnelblick: openvpnstart log:
Loading tun-notarized.kext
OpenVPN started successfully.
Command used to start OpenVPN (one argument per displayed line):
/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.7-openssl-1.0.2r/openvpn
--daemon
--log /Library/Application Support/Tunnelblick/Logs/-SUsers-SBBBB-SLibrary-SApplication Support-STunnelblick-SConfigurations-SAAAA.tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_1098545.64600.openvpn.log
--cd /Library/Application Support/Tunnelblick/Users/BBBB/AAAA.tblk/Contents/Resources
--machine-readable-output
--setenv IV_GUI_VER "net.tunnelblick.tunnelblick 5330 3.8.0beta01 (build 5330)"
--verb 3
--config /Library/Application Support/Tunnelblick/Users/BBBB/AAAA.tblk/Contents/Resources/config.ovpn
--setenv TUNNELBLICK_CONFIG_FOLDER /Library/Application Support/Tunnelblick/Users/BBBB/AAAA.tblk/Contents/Resources
--verb 3
--cd /Library/Application Support/Tunnelblick/Users/BBBB/AAAA.tblk/Contents/Resources
--management 127.0.0.1 64600 /Library/Application Support/Tunnelblick/fappejolpgdhnojhdblhfggbkjfjedkjlcphkfkb.mip
--management-query-passwords
--management-hold
--redirect-gateway def1
--script-security 2
--route-up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
--down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
2019-05-31 08:46:29.954396 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:64600
2019-05-31 08:46:29.983175 MANAGEMENT: CMD 'pid'
2019-05-31 08:46:29.983233 MANAGEMENT: CMD 'auth-retry interact'
2019-05-31 08:46:29.983363 MANAGEMENT: CMD 'state on'
2019-05-31 08:46:29.983416 MANAGEMENT: CMD 'state'
2019-05-31 08:46:29.983474 MANAGEMENT: CMD 'bytecount 1'
2019-05-31 08:46:29.987943 *Tunnelblick: Established communication with OpenVPN
2019-05-31 08:46:29.990312 *Tunnelblick: >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
2019-05-31 08:46:29.994804 MANAGEMENT: CMD 'hold release'
2019-05-31 08:46:29.995861 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
2019-05-31 08:46:29.995891 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2019-05-31 08:46:30.004079 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2019-05-31 08:46:30.004111 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2019-05-31 08:46:30.004303 MANAGEMENT: >STATE:1559317590,RESOLVE,,,,,,
2019-05-31 08:46:30.121272 TCP/UDP: Preserving recently used remote address: [AF_INET]gg.hh.ii.jj:1194
2019-05-31 08:46:30.121358 Socket Buffers: R=[786896->786896] S=[9216->9216]
2019-05-31 08:46:30.121375 UDP link local: (not bound)
2019-05-31 08:46:30.121390 UDP link remote: [AF_INET]gg.hh.ii.jj:1194
2019-05-31 08:46:30.121512 MANAGEMENT: >STATE:1559317590,WAIT,,,,,,
2019-05-31 08:46:30.139410 MANAGEMENT: >STATE:1559317590,AUTH,,,,,,
2019-05-31 08:46:30.139467 TLS: Initial packet from [AF_INET]gg.hh.ii.jj:1194, sid=f0ddc816 e55d8fb7
2019-05-31 08:46:30.169026 VERIFY OK: depth=1, CN=OpenVPN CA
2019-05-31 08:46:30.171123 VERIFY OK: nsCertType=SERVER
2019-05-31 08:46:30.171170 VERIFY OK: depth=0, CN=OpenVPN Server
2019-05-31 08:46:30.226097 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2019-05-31 08:46:30.226417 [OpenVPN Server] Peer Connection Initiated with [AF_INET]gg.hh.ii.jj:1194
2019-05-31 08:46:31.541213 MANAGEMENT: >STATE:1559317591,GET_CONFIG,,,,,,
2019-05-31 08:46:31.541856 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
2019-05-31 08:46:37.193250 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
2019-05-31 08:46:37.219417 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,compress stub-v2,redirect-private def1,redirect-private bypass-dhcp,redirect-private autolocal,redirect-private bypass-dns,route-gateway mm.nn.oo.1,route 10.100.1.0 255.255.255.0,route 10.100.2.0 255.255.255.0,route 10.100.4.0 255.255.255.0,route 10.100.10.0 255.255.255.0,route 10.100.200.0 255.255.255.0,route mm.ss.1.0 255.255.255.0,route mm.ss.2.0 255.255.255.0,route mm.ss.3.0 255.255.255.0,route mm.ss.10.0 255.255.255.0,route mm.nn.oo.0 255.255.252.0,route mm.nn.ww.0 255.255.240.0,block-ipv6,ifconfig mm.nn.oo.xx 255.255.252.0,peer-id 2,cipher AES-256-GCM'
2019-05-31 08:46:37.219544 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.4.7)
2019-05-31 08:46:37.219586 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.4.7)
2019-05-31 08:46:37.219612 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.4.7)
2019-05-31 08:46:37.219688 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:27: block-ipv6 (2.4.7)
2019-05-31 08:46:37.219791 OPTIONS IMPORT: timers and/or timeouts modified
2019-05-31 08:46:37.219851 OPTIONS IMPORT: explicit notify parm(s) modified
2019-05-31 08:46:37.219886 OPTIONS IMPORT: compression parms modified
2019-05-31 08:46:37.219923 OPTIONS IMPORT: --ifconfig/up options modified
2019-05-31 08:46:37.219957 OPTIONS IMPORT: route options modified
2019-05-31 08:46:37.220821 OPTIONS IMPORT: route-related options modified
2019-05-31 08:46:37.220858 OPTIONS IMPORT: peer-id set
2019-05-31 08:46:37.220879 OPTIONS IMPORT: adjusting link_mtu to 1625
2019-05-31 08:46:37.220898 OPTIONS IMPORT: data channel crypto options modified
2019-05-31 08:46:37.220918 Data Channel: using negotiated cipher 'AES-256-GCM'
2019-05-31 08:46:37.221137 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2019-05-31 08:46:37.221162 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2019-05-31 08:46:37.221533 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2019-05-31 08:46:37.221673 Opened utun device utun1
2019-05-31 08:46:37.221707 MANAGEMENT: >STATE:1559317597,ASSIGN_IP,,mm.nn.oo.xx,,,,
2019-05-31 08:46:37.222086 /sbin/ifconfig utun1 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2019-05-31 08:46:37.253925 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2019-05-31 08:46:37.254466 /sbin/ifconfig utun1 mm.nn.oo.xx mm.nn.oo.xx netmask 255.255.252.0 mtu 1500 up
2019-05-31 08:46:37.257790 /sbin/route add -net mm.nn.oo.0 mm.nn.oo.xx 255.255.252.0
add net mm.nn.oo.0: gateway mm.nn.oo.xx
2019-05-31 08:46:42.857868 /sbin/route add -net gg.hh.ii.jj 192.168.x.1 255.255.255.255
add net gg.hh.ii.jj: gateway 192.168.x.1
2019-05-31 08:46:42.865552 /sbin/route add -net 0.0.0.0 mm.nn.oo.1 128.0.0.0
add net 0.0.0.0: gateway mm.nn.oo.1
2019-05-31 08:46:42.868526 /sbin/route add -net 128.0.0.0 mm.nn.oo.1 128.0.0.0
add net 128.0.0.0: gateway mm.nn.oo.1
2019-05-31 08:46:42.871541 MANAGEMENT: >STATE:1559317602,ADD_ROUTES,,,,,,
2019-05-31 08:46:42.871586 /sbin/route add -net 10.100.1.0 mm.nn.oo.1 255.255.255.0
add net 10.100.1.0: gateway mm.nn.oo.1
2019-05-31 08:46:42.874487 /sbin/route add -net 10.100.2.0 mm.nn.oo.1 255.255.255.0
add net 10.100.2.0: gateway mm.nn.oo.1
2019-05-31 08:46:42.877944 /sbin/route add -net 10.100.4.0 mm.nn.oo.1 255.255.255.0
add net 10.100.4.0: gateway mm.nn.oo.1
2019-05-31 08:46:42.881463 /sbin/route add -net 10.100.10.0 mm.nn.oo.1 255.255.255.0
add net 10.100.10.0: gateway mm.nn.oo.1
2019-05-31 08:46:42.886599 /sbin/route add -net 10.100.200.0 mm.nn.oo.1 255.255.255.0
add net 10.100.200.0: gateway mm.nn.oo.1
2019-05-31 08:46:42.892094 /sbin/route add -net mm.ss.1.0 mm.nn.oo.1 255.255.255.0
add net mm.ss.1.0: gateway mm.nn.oo.1
2019-05-31 08:46:42.895338 /sbin/route add -net mm.ss.2.0 mm.nn.oo.1 255.255.255.0
add net mm.ss.2.0: gateway mm.nn.oo.1
2019-05-31 08:46:42.898075 /sbin/route add -net mm.ss.3.0 mm.nn.oo.1 255.255.255.0
add net mm.ss.3.0: gateway mm.nn.oo.1
2019-05-31 08:46:42.901154 /sbin/route add -net mm.ss.10.0 mm.nn.oo.1 255.255.255.0
add net mm.ss.10.0: gateway mm.nn.oo.1
2019-05-31 08:46:42.904565 /sbin/route add -net mm.nn.oo.0 mm.nn.oo.1 255.255.252.0
add net mm.nn.oo.0: gateway mm.nn.oo.1
2019-05-31 08:46:42.907492 /sbin/route add -net mm.nn.ww.0 mm.nn.oo.1 255.255.240.0
add net mm.nn.www.0: gateway mm.nn.oo.1
*Tunnelblick: **********************************************
*Tunnelblick: Start of output from client.up.tunnelblick.sh
*Tunnelblick: NOTE: No network configuration changes need to be made.
*Tunnelblick: WARNING: Will NOT monitor for other network configuration changes.
*Tunnelblick: WARNING: Will NOT disable IPv6 settings.
*Tunnelblick: DNS servers '192.168.x.1' will be used for DNS queries when the VPN is active
*Tunnelblick: NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
*Tunnelblick: WARNING: Unable to flush the DNS cache via dscacheutil
*Tunnelblick: /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
*Tunnelblick: Not notifying mDNSResponder that the DNS cache was flushed because it is not running
*Tunnelblick: Not notifying mDNSResponderHelper that the DNS cache was flushed because it is not running
*Tunnelblick: End of output from client.up.tunnelblick.sh
*Tunnelblick: **********************************************
2019-05-31 08:46:45.139594 Initialization Sequence Completed
2019-05-31 08:46:45.139664 MANAGEMENT: >STATE:1559317605,CONNECTED,SUCCESS,mm.nn.oo.xx,gg.hh.ii.jj,1194,,
2019-05-31 08:46:45.289286 *Tunnelblick: No 'connected.sh' script to execute
2019-05-31 08:46:45.366642 *Tunnelblick: Warning: DNS server address 192.168.x.1 is a private address but is not being routed through the VPN.

============================

Non-work Tunnelblick VPN config that works great.

client
auth RSA-SHA256
cipher AES-256-CBC
auth-nocache
dev tun2
tun-mtu 1500
remote aa.bb.cc 80
resolv-retry infinite
nobind
persist-key
persist-tun
ca AA1-ca.crt
cert MM1.crt
key MM1.key
tls-auth AA1.key 1
remote-cert-tls server
compress lzo
float

======================================================

Here is the config for OpenVPN Server on my home router running DD-WRT

On the Services, VPN area of the router's DD-WRT web configuration page:

OpenVPN Server/Daemon
OpenVPN: Enable
Start Type: System
Config as: Server
Server mode: Router (TUN)
Network: (local private network that is different from your primary LAN - My primary LAN is 192.168.x.0 and I put in 10.x.y.0)
Netmask: 255.255.255.0
Port: 80
Tunnel Protocol: UDP
Encryption Cipher: AES-256 CBC
Hash Algorithm: SHA256
Advanced Options: Enable
TLS Cipher: None
LZO Compression: Yes
Redirect default Gateway: Enable
Allow Client to Client: Enable
Allow duplicate cn: Disable
Tunnel MTU setting: 1500
Tunnel UDP Fragment: Leave blank
Tunnel UDP MSS-Fix: Disable
CCD-Dir DEFAULT file: Leave empty
Client connect script: Leave empty
Static Key: Leave empty
PKCS12 Key: Leave empty
Public Server Cert: Paste the contents of the server.crt file.

CA cert: Paste the contents of ca.crt file.
Private Server Key: Paste the contents of the server.key file.
DH PEM: Paste the contents of the dh.pem file.

Additional Config:

push "route 192.168.x.0 255.255.255.0"
push "dhcp-option DNS 192.168.x.1"

TLS Auth Key: Paste the contents of the ta.key file

Additional DNSMasq Options: interface=tun2
mache
PostPosted: Fri May 31, 2019 20:34
Having trouble using my Mac laptop running Tunnelblick to login into a work OpenVPN server from my home LAN running a DD-WRT router and have no trouble logging into that same work OpenVPN server using the same laptop with the same Tunnelblick config from anywhere else. What is different about my home DD-WRT LAN environment that forces it to use the home DNS rather than the work DNS? Tunnelblick work config, home DD-WRT firewall, Tunnelblick logs, home DD-WRT OpenVPN server configs, are all included.
mache
PostPosted: Fri May 31, 2019 20:46
I agree that the home OpenVPN server is not relevant but threw it in on the off chance it had some effect.

-- Mache
mache
PostPosted: Sat Jun 01, 2019 0:03
So why does this work at Starbucks and any other WiFi location outside my workplace but NOT at my home??
mache
PostPosted: Sat Jun 01, 2019 3:42
You were right, that worked. Thank you.

I added

dhcp-option DNS 8.8.8.8

to the client Tunnelblick config.
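As an added diagnostic (not code from this thread, from Tunnelblick or from DD-WRT), the Python below works out from a server's PUSH_REPLY and the client config which DNS server the client will end up with and whether that server is reached through the tunnel: it reproduces the situation in the log of the first post (no `dhcp-option DNS` pushed, `redirect-private bypass-dns` pushed, LAN resolver 192.168.x.1 kept) and the effect of the `dhcp-option DNS 8.8.8.8` line added in the last post. The PUSH_REPLY string and all addresses are constructed placeholders, and `redirect_gateway=True` assumes Tunnelblick's `--redirect-gateway def1` from the log.

```python
import ipaddress

# Constructed sample modelled on the PUSH_REPLY in the log: no dhcp-option DNS is
# pushed, redirect-private bypass-dns is, and the addresses are placeholders.
PUSH_REPLY = ("PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,"
              "redirect-private def1,redirect-private bypass-dns,"
              "route-gateway 10.200.0.1,route 10.100.1.0 255.255.255.0,"
              "route 10.100.2.0 255.255.255.0,ifconfig 10.200.0.5 255.255.252.0,"
              "peer-id 2,cipher AES-256-GCM")

def parse_push(reply):
    """Split a PUSH_REPLY control message into (option, [args]) pairs."""
    opts = []
    for item in reply.split(",")[1:]:   # drop the leading 'PUSH_REPLY' token
        parts = item.split()
        if parts:
            opts.append((parts[0], parts[1:]))
    return opts

def dns_from_options(opts):
    """DNS servers named by 'dhcp-option DNS <addr>' entries."""
    return [a[1] for n, a in opts
            if n == "dhcp-option" and len(a) == 2 and a[0].upper() == "DNS"]

def effective_dns(push_opts, client_lines, local_dns):
    """Servers the client ends up using: pushed ones plus any in the client
    config (what the last post adds); with neither, the LAN resolver stays."""
    client_opts = [(l.split()[0], l.split()[1:]) for l in client_lines if l.split()]
    servers = dns_from_options(push_opts) + dns_from_options(client_opts)
    return servers or [local_dns]

def dns_via_tunnel(server, push_opts, redirect_gateway=True):
    """True when the server sits inside a pushed route, or is a public address
    and the default gateway is redirected (Tunnelblick's --redirect-gateway def1).
    A private LAN address outside the pushed routes, such as 192.168.x.1 kept by
    'redirect-private bypass-dns', is answered locally, not through the VPN."""
    addr = ipaddress.ip_address(server)
    for n, a in push_opts:
        if n == "route" and len(a) >= 2:
            if addr in ipaddress.ip_network(f"{a[0]}/{a[1]}", strict=False):
                return True
    return redirect_gateway and not addr.is_private

def findings(push_opts, client_lines, local_dns):
    """(server, reached-through-tunnel) for every effective DNS server."""
    return [(s, dns_via_tunnel(s, push_opts))
            for s in effective_dns(push_opts, client_lines, local_dns)]
```

With no `dhcp-option DNS` anywhere, `findings()` reports the LAN resolver as not tunnelled, which is the Tunnelblick warning at the end of the log; a public server from the client config, or a server inside a pushed work subnet, is reported as tunnelled.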