Posted: Fri May 10, 2013 15:35 Post subject: [SOLVED] Forwarding DNS queries through OpenVPN
I have a WRT400N with the following build: DD-WRT v24-sp2 (03/25/13) std - build 21061
I have it set up as a routed OpenVPN server where all traffic is tunneled through the server (redirect-gateway). This was configured via the GUI. Here is the relevant topology:
I also would like to forward all DNS queries through the VPN tunnel. As such, I've added this under "Additional Configuration":
Code:
push "dhcp-option DNS 10.42.0.1"
Clients are able to connect fine and access machines by IP. The DNS and gateways are being properly pushed to the client. However, 10.42.0.1 does not appear to be accepting DNS requests. I tried changing the DNS push to "10.0.0.1" (since my LAN sends DNS requests locally to 10.0.0.1) but with no luck.
Does anyone have any suggestions for how to troubleshoot this or why this is happening? I suspect it has something to do with the firewall or DNSMasq, but as far as I can tell, I've tried every combination of configuration options with no luck. Firewall logs show no rejected/dropped packets. I've tried DNSMasq options (Enabling Local DNS and disabling No DNS Rebind) as well.
Any advice/insight would be greatly appreciated!
Last edited by alyptic on Fri May 10, 2013 16:58; edited 1 time in total
I don't think I explained this quite clearly enough -- dnsmasq is running on the same router that OpenVPN is running on. As far as I understand, dnsmasq should forward DNS requests to the DNS server assigned by my ISP. This is the case when connected to the LAN. However, when connected to the VPN, although I can ping 10.0.0.1 (the local subnet assigned router IP), it does not appear to be accepting/forwarding DNS requests from IPs in the 10.42.0.0/24 subnet. I can't tell if this is a dnsmasq configuration error or not.
That being said, I did try your suggestions on the Primary DNS server (in this case, my router). Unfortunately, rebind-domain-ok isn't supported on my installed build of dd-wrt. On top of that, it shouldn't have any effect since I already have "No DNS Rebind" disabled (if I'm reading the dnsmasq man pages correctly).
I looked further into dnsmasq options -- I was able to have dnsmasq listen on the same interface as the server's VPN interface (in my case, tun2). In order to do this, I added the following to Services->Services->DNSMasq->Additional DNSMasq Options:
Code:
interface=tun2
no-dhcp-interface=tun2
These lines tell dnsmasq to listen on the tun2 interface (in addition to whatever default interfaces specified) but to not act as DHCP server on this interface (just forward DNS requests). This solved my problem -- all DNS requests are now forwarded correctly and I am able to access local domains via VPN!
Joined: 14 Jan 2010 Posts: 73 Location: Flint, Michigan
Posted: Mon Aug 19, 2013 19:59 Post subject:
UPDATED BELOW
Quote:
alyptic wrote:
Solved!
I looked further into dnsmasq options -- I was able to have dnsmasq listen on the same interface as the server's VPN interface (in my case, tun2). In order to do this, I added the following to Services->Services->DNSMasq->Additional DNSMasq Options:
Code:
interface=tun2
no-dhcp-interface=tun2
These lines tell dnsmasq to listen on the tun2 interface (in addition to whatever default interfaces specified) but to not act as DHCP server on this interface (just forward DNS requests). This solved my problem -- all DNS requests are now forwarded correctly and I am able to access local domains via VPN!
Original Post
I just ran into this problem after upgrading my build. How do you know what tun interface openvpn is running on? With a previous build I was apparently using tun0 and everything worked great if I just included the following in the dnsmasq options. Now I'm back to situation where clients can't result DNS queries when connecting to VPN.
Code:
interface=tun0
I seem to have found success by adding the following rule to iptables with the address changed to match my vpn subnet settings
Code:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
Sorry for jumping the gun on a forum post w/o first exhausting options. This command was not necessary with my previous EKO build (17084) and I'm not savy enough to see what may have changed in how dd-wrt handles firewall commands. _________________ Netgear R7800
DD-WRT v3.0-r54545 std
Release: 12/18/2023 (SVN revision: 54545)
I looked further into dnsmasq options -- I was able to have dnsmasq listen on the same interface as the server's VPN interface (in my case, tun2). In order to do this, I added the following to Services->Services->DNSMasq->Additional DNSMasq Options:
Code:
interface=tun2
no-dhcp-interface=tun2
These lines tell dnsmasq to listen on the tun2 interface (in addition to whatever default interfaces specified) but to not act as DHCP server on this interface (just forward DNS requests). This solved my problem -- all DNS requests are now forwarded correctly and I am able to access local domains via VPN!
Can't you give some clue as to why the tun interface is tun2 in your case. I assumed it would just be the same tun interface specified in the OpenVPN configuration. But that doesn't work for me.
Joined: 14 Jan 2010 Posts: 73 Location: Flint, Michigan
Posted: Thu Mar 06, 2014 4:12 Post subject:
Quote:
Can't you give some clue as to why the tun interface is tun2 in your case. I assumed it would just be the same tun interface specified in the OpenVPN configuration. But that doesn't work for me.
Provided you can verify that your OpenVPN server is up and running (ie assuming the problem isn't elsewhere), check your router log for OpenVPN-related activity during server start-up. If you comb through the output, you should see it list what TUN interface it is set to. I don't have access to my logs at the moment so I can't be more specific in terms of where to search. Reboot your router, find your log file and grep for OpenVPN.
