send DNS requests trough OpenVPN Tunnel

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
Goto page Previous  1, 2
Author Message
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Wed Jan 18, 2017 18:38    Post subject: Reply with quote
P.S. I think I know why this happens too.

When DNSMasq is restarted, that kicks off immediately as a background process and the script continues on. DNSMasq then reads the resolv.dnsmasq file, but sometimes that occurs before resolv.dnsmasq has been updated w/ the DNS servers of the VPN. And even though resolv.dnsmasq is eventually updated, the startup process of DNSMasq has not yet finished, so it misses the fact that resolv.dnsmasq just changed in that split second. What Kong should have done is updated resolv.dnsmasq first, then restarted DNSMasq. Or perhaps not restart DNSMasq at all. It's not obvious to me why he added it.
Sponsor
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4315
Location: Netherlands

PostPosted: Wed Jan 18, 2017 18:58    Post subject: Reply with quote
Great!
Of course my suggestion (putting in sleep) was nonsense, I knew that the minute after I uploaded my message, these files are of course not persistent Sad

Will you add this to the bugtracker (you have much more authority then me Smile )

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135#1183135
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Wed Jan 18, 2017 19:06    Post subject: Reply with quote
I'll report it. Kong can then get back to me if he has questions. I'll post the bug # back here for posterity sake.

Btw, I suspect we're the only ones who even know this problem exists. Pretty hard to detect unless you're actually looking for it. Insidious.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Thu Jan 19, 2017 16:46    Post subject: Reply with quote
FYI, bug reported.

http://svn.dd-wrt.com/ticket/5697
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4315
Location: Netherlands

PostPosted: Fri Jan 20, 2017 13:59    Post subject: Reply with quote
Good Job!

I cobbled a script together which can be saved as startup script from the Administration commands tab, which "touches" the file to give it a later timestamp so that DNSMasq rereads the file and uses the pushed DNS servers. I did not test extensively so check!
Code:

#!/bin/sh
file="/tmp/resolv.dnsmasq"
Number=0

logger "File attempting to touch: $file"
logger "Starting number $Number of 10 attempts"

if [ ! -f "$file" ]; then
  until [ ! -f "$file" ]; do
    sleep 2
    Number=$((Number+1))
    logger "Wating for $Number"
    if [ -f "$file" ]; then
       touch "$file"
       logger "$file has been touched"
       break     
    elif [ $Number -eq 10 ]; then
        logger "Can not execute touch, Beware of DNS Leak"
        break
    fi
  done
elif [ -f "$file" ]; then
   sleep 2
   touch "$file"
   logger "$file has been touched"
else
  logger "Can not execute touch, Beware of DNS Leak"
fi


Beware if you hit Apply Settings, you could have the problem again, so always reboot.

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135#1183135


Last edited by egc on Sat Jan 21, 2017 9:45; edited 1 time in total
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Fri Jan 20, 2017 20:23    Post subject: Reply with quote
I threw something together as well.

http://pastebin.com/P08XbCeJ

In my case, I look for the creation of the backup resolv file (resolv.dnsmasq_isp) to signal the change, wait a few seconds, then touch resolv.dnsmasq.

Note, there's not much point in using echo to send messages since there is no console. That's why I send all output to the syslog. Makes it easier to debug as well.

I also turned it into an infinite loop so in case the VPN was stopped (i.e., disabled) and started again (i.e., enabled), it would fix the DNS leak again. However, that part of it isn't working (at least on my build) since doing a disable/enable doesn't create the resolv.dnsmsq_isp file. Either the VPN is not shutting down properly, or is otherwise getting confused when started again. Whatever the reason, it *should* be working correctly, and not like this.

I have to say, it's stuff like this and the DNS leak that make me less than happy w/ the OpenVPN implementation in dd-wrt. We shouldn't have to reboot.

Anyway, I guess given how the restart process doesn't work, my script could be simplified even further. But I left the infinite loop in place just in case some other dd-wrt build restarts correctly.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4315
Location: Netherlands

PostPosted: Sat Jan 21, 2017 12:03    Post subject: Reply with quote
That's much more sophisticated Smile
_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135#1183135
ReaperX3
DD-WRT Novice


Joined: 11 Dec 2016
Posts: 5

PostPosted: Thu Mar 30, 2017 19:36    Post subject: Reply with quote
I seem to have a much more basic problem with getting my DNS queries routed through the VPN. Short story: the pushed PIA DNS servers don't seem to replace the static ones even though OpenVPN connects correctly and "Use DNSMasq for DNS" is checked.

Details:

I have PIA and set up my dd-wrt router (a Netgear WNDR3700 v4 with the DD-WRT v3.0-r31722 std (03/21/17) firmware) to route all traffic through the VPN.

I generally followed the instructions at

https://www.privateinternetaccess.com/pages/client-support/dd-wrt-openvpn

Status/OpenVPN reports success (Client: CONNECTED SUCCESS). IP address checking sites show that I'm going through the VPN.

I'm seeing the VPN's DNS servers being pushed in the OpenVPN log:

PUSH_REPLY redirect-gateway def1 dhcp-option DNS 209.222.18.222 dhcp-option DNS 209.222.18.218 ping 10 comp-lzo no route 10.67.10.1 topology net30 ifconfig 10.67.10.6 10.67.10.5'

In the setup, "Use DNSMasq for DNS" is checked. I have three static DNS servers configured as suggested by PIA support.

When I telnet into my router and do cat /tmp/resolv.dnsmaq, all I get is the three static DNS servers:

Code:
nameserver 4.2.2.1
nameserver 4.2.2.2
nameserver 4.2.2.3


I even put eibgrad's script into my startup and rebooted, but I'm still seeing the same problem.

Any help would be appreciated!
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Thu Mar 30, 2017 20:37    Post subject: Reply with quote
@ReaperX3

Whether you're experiencing the same or different problem is hard to say. But let's put that aside for the moment.

IMO, I don't think it's important whether you use the VPN's DNS servers, as much as you DON'T use the ISP's DNS servers. Because it's the use of the ISP's DNS servers that defines a DNS leak. And I would go farther and not even allow the ISP to snoop on your DNS queries (or worse, manipulate them) by routing them over the VPN.

So w/ that in mind, why not just route those *non* ISP DNS servers over the VPN by adding them to the Additional Config field?

Code:
route 4.2.2.1
route 4.2.2.2
route 4.2.2.3


So now, whenever the VPN is down, those DNS servers are accessed over the WAN. But when the VPN comes up, they're routed over the VPN.

IOW, who cares about the VPN provider's DNS servers? The only reason I can imagine wanting to use them is under the assumption they might respond faster (which makes sense). But beyond that, they aren't really necessary since they don't provide any particular advantage. All we're really interested in is just making sure we get the ISP out of the loop wrt DNS.

Now one caution is in order here. If you use the policy based routing field of the GUI, this technique won't work. And that's because when you use that field, the router adds the route-noexec directive to the OpenVPN client config (that's what stops the gateway from being changed to the VPN). But a side effect of that directive is that now the OpenVPN client is responsible for handling any routes defined in Additional Config. But the router has a bug in this regard. It doesn't handle them. It ignores them! IOW, your routes won't get bound to the VPN whenever policy based routing is enabled in the GUI. So just keep that in mind.
ReaperX3
DD-WRT Novice


Joined: 11 Dec 2016
Posts: 5

PostPosted: Thu Mar 30, 2017 20:54    Post subject: Reply with quote
thanks for that quick and substantial response. Smile I was wondering about policy-based routing myself, thanks for anticipating that question and answering it as well.
makos
DD-WRT Novice


Joined: 04 May 2019
Posts: 2

PostPosted: Sat May 04, 2019 12:38    Post subject: Reply with quote
Hello,

Not sure if I sould start a new topic but this one looks like most relevant for me.

I have set up routed OpenVPN client (tun) on DD-WRT 3.0-r39715 to connect local LAN to remote LAN.

Everything is working fine with only exception that pushed remote DNS by OpenVPN server is not updating Dnsmasq resolv.

GUI settings

Setup->Basic [ Network Address Server Settings (DHCP) ]
Code:
Use DNSMasq for DNS - checked
DHCP-Authoritative - checked
Forced DNS Redirection - unchecked

Services->Services [ Dnsmasq ]
Code:
Dnsmasq - Enable
Cache DNSSEC data - Disable
Local DNS - Enable
No DNS Rebind - Enable
Query DNS in Strict Order - Enable
Add Requestor MAC to DNS Query - Disable
RFC4039 Rapid Commit support - Disable
Maximum Cached Entries - 1500
Additional Dnsmasq Options - blank


Generated dnsmasq.conf
Code:
less /tmp/dnsmasq.conf

interface=br0
resolv-file=/tmp/resolv.dnsmasq
strict-order
domain=local.net
dhcp-leasefile=/tmp/dnsmasq.leases
dhcp-lease-max=50
dhcp-option=br0,3,192.168.7.250 //LAN IP address of dd wrt router
dhcp-range=br0,192.168.7.129,192.168.7.178,255.255.255.128,1440m
bogus-priv
conf-file=/etc/rfc6761.conf
dhcp-option=252,"\n"
cache-size=1500

dd wrt OpenVPN client receives remote DNS address along with static routes:
Code:
May  4 12:27:58 gate daemon.notice openvpn[7589]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.3.201,route 10.0.0.0 255.255.0.0,route 192.168.3.0 255.255.255.0

However /tmp/resolv.dnsmasq remains unchanged - only my ISP's DNS adresses there:
Code:
less /tmp/resolv.dnsmasq

nameserver 195.122.12.242
nameserver 80.232.230.242


Kindly point me to the right direction.

Thanks.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Sat May 04, 2019 18:35    Post subject: Reply with quote
makos wrote:
Hello,

Not sure if I sould start a new topic but this one looks like most relevant for me.

I have set up routed OpenVPN client (tun) on DD-WRT 3.0-r39715 to connect local LAN to remote LAN.

Everything is working fine with only exception that pushed remote DNS by OpenVPN server is not updating Dnsmasq resolv.

GUI settings

Setup->Basic [ Network Address Server Settings (DHCP) ]
Code:
Use DNSMasq for DNS - checked
DHCP-Authoritative - checked
Forced DNS Redirection - unchecked

Services->Services [ Dnsmasq ]
Code:
Dnsmasq - Enable
Cache DNSSEC data - Disable
Local DNS - Enable
No DNS Rebind - Enable
Query DNS in Strict Order - Enable
Add Requestor MAC to DNS Query - Disable
RFC4039 Rapid Commit support - Disable
Maximum Cached Entries - 1500
Additional Dnsmasq Options - blank


Generated dnsmasq.conf
Code:
less /tmp/dnsmasq.conf

interface=br0
resolv-file=/tmp/resolv.dnsmasq
strict-order
domain=local.net
dhcp-leasefile=/tmp/dnsmasq.leases
dhcp-lease-max=50
dhcp-option=br0,3,192.168.7.250 //LAN IP address of dd wrt router
dhcp-range=br0,192.168.7.129,192.168.7.178,255.255.255.128,1440m
bogus-priv
conf-file=/etc/rfc6761.conf
dhcp-option=252,"\n"
cache-size=1500

dd wrt OpenVPN client receives remote DNS address along with static routes:
Code:
May  4 12:27:58 gate daemon.notice openvpn[7589]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.3.201,route 10.0.0.0 255.255.0.0,route 192.168.3.0 255.255.255.0

However /tmp/resolv.dnsmasq remains unchanged - only my ISP's DNS adresses there:
Code:
less /tmp/resolv.dnsmasq

nameserver 195.122.12.242
nameserver 80.232.230.242


Kindly point me to the right direction.

Thanks.


In the future, please, *always* start a new thread. Posting to someone else's thread often causes confusion. In our haste to support users on many other threads (and even other forums), we often assume it's the OP and miss the fact it's someone else posting w/ their own problems. Pretty soon things get confusing, esp. if others follow suit, or the OP chimes back in. If you find one or more existing threads that seem relevant to your problem, just provides links in your new thread.

As far as your stated problem, be aware that only Kong builds update DNSMasq w/ the pushed DNS servers. If using BS (Brainslayer) builds, he completely ignores them!

Yeah, I know, not very consistent. And not obvious unless you happen to examine the underlying route-up scripts used by each developer. They differ in this one particular area. Don't ask me why. I have no clue.

If using a BS build, I recommend adding the following to the Additional DNSMasq Options field on the Services page.

Code:
no-resolv
server=8.8.8.8
server=8.8.4.4


What this does is tell DNSMasq to ignore all other public DNS servers and just use the ones named herein w/ the server directive(s). This prevents DNS leaks!

Of course, that's not going to help in the case of a *private* DNS server pushed from your own OpenVPN server. In that case, I would instead include the private IP of your remote DNS server for that remote domain. IOW, if the domain across the tunnel is xyz.local, then the DNSMasq configuration of the OpenVPN client would look like the following.

Code:
server=/xyz.local/192.168.3.201


You could even combine the two so that you never had DNS leaks for public IPs *and* be able to use the remote DNS server when necessary.

Code:
no-resolv
server=/xyz.local/192.168.3.201
server=8.8.8.8
server=8.8.4.4
makos
DD-WRT Novice


Joined: 04 May 2019
Posts: 2

PostPosted: Sun May 05, 2019 17:44    Post subject: Reply with quote
Thanks for sorting this out.

eibgrad wrote:

In the future, please, *always* start a new thread.

OK. Noted.

eibgrad wrote:
You could even combine the two so that you never had DNS leaks for public IPs *and* be able to use the remote DNS server when necessary.

I think I will switch this one to Kong's build as this solution is not elegant enough. Having a bunch of remote domains and keeping them "hardcoded" in additional options is a bit inconvenient and hard to administer.

Thank you.
Goto page Previous  1, 2 Display posts from previous:    Page 2 of 2
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum