OpenVPN server: everything OK except name resolution

DD-WRT Forum -> Advanced Networking
FTP
DD-WRT User


Joined: 01 Jul 2012
Posts: 67

Posted: Tue Feb 18, 2020 16:55    Post subject: OpenVPN server: everything OK except name resolution
Hi,

I've setup the DD-WRT OpenVPN server on my Asus RT-AC66U router.

But when I try to connect to the router from an OpenVPN client on my laptop (under Windows 10), it works: the client connects to the server, I have access to the Internet through OpenVPN, I have access to my LAN, I can among others access my Synology NAS via its IP address, BUT... I can't access any shared folder mapped under Windows Explorer via the Synology NAS name. The name resolution is not working.

In fact, it used to work but it's not working any more and I can't find why it's not working any more.
I've read a lot of topics on the forums, but so far I can't find the solution.

Here are my settings on DD-WRT...

Server side
OpenVPN server of DD-WRT build 36995.

Config... (screenshot not included)

DNSMasq (screenshot not included)

Firewall...
Code:
iptables -t nat -A POSTROUTING -o $(nvram get wan_iface) -j MASQUERADE



Client
OpenVPN 2.4.6-I602 on Windows 10.

Config...
Code:
client
dev tun
proto tcp
remote 82.0.0.0 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
verb 4
float
tun-mtu 1500
auth-nocache

<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----
</key>


Any idea?
Thanks for your help!


Last edited by FTP on Sun Mar 08, 2020 15:00; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6406
Location: Netherlands

Posted: Tue Feb 18, 2020 17:14
First of all, you are using a rather old build (but that probably has no relation to your problem).

In my signature is the OpenVPN server setup guide, which should provide all the answers.

Of course there is no network discovery but local DNS should be possible.

First check if local DNS is working from your LAN.

Second push your router as DNS server

Third listen on the VPN interface (you did)

Fourth block outside DNS for windows 10


Everything is detailed in the guide.

_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
OpenVPN Policy Based Routing: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Server setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Wireguard Client setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624
Wireguard Advanced setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
FTP
DD-WRT User


Joined: 01 Jul 2012
Posts: 67

Posted: Tue Feb 18, 2020 20:25
Hi egc,

Thanks for your answer!

But to be honest, I'm not sure I properly understand your advice, your 4 steps.

egc wrote:
In my signature is the OpenVPN server setup guide, which should provide all the answers.

I have your guide. I tried to find a solution in it even before posting my question here, but I had a hard time finding it.

I guess, you are referring to the page 17 as it's the only page where we can find the word "resolve", but there's no functional description in the introduction to confirm what this section is about, what it can fix or enable.

Quote:
Redirect-gateway def1 (which is enabled by enabling "Redirect default Gateway" in settings) pushes a default route to the client, if done manually you could add the following commands in the Additional Config of the OpenVPN server settings:
push "route 0.0.0.0 128.0.0.0 vpn_gateway"
push "route 128.0.0.0 128.0.0.0 vpn_gateway"
or
push "redirect-gateway def1" (def 1 preserves the old default gateway and is recommended)

I guess this section is an explanation regarding the theory of pushing routes.
We can either...
- enable the "Redirect default Gateway" setting
- or set commands more manually, thanks to the "push" command and either the parameters "route 0.0.0.0 0.0.0.0 vpn_gateway" or "redirect-gateway def1"

But I have "Redirect default Gateway" enabled, so if I have to push anything, I should not be concerned by the manual way to set it.

Quote:
If you want to connect to the local subnet where OpenVPN server resides (which is often done) and you do not have "Redirect Default Gateway" enabled then you have to push that local route to your client e.g.:
push "route 192.168.1.0 255.255.255.0 vpn_gateway"
To push a route to the client not going through the VPN:
push "route 8.8.8.8 255.255.255.255 net_gateway"
By default a route is added to the clients routing table establishing a route to the openVPN server e.g. to 10.8.0.0. So it is not necessary to push this route.

This looks more like a more detailed example of the first explanation above.
So I should still not be concerned as once again "Redirect Default Gateway" is enabled; even though I still don't really understand what the purpose of pushing those routes is, so what we can functionally do or solve by pushing those routes.

Quote:
If you want to resolve DNS names over the VPN you will need to add the below lines to "Additional Config."
If you want to use a public DNS server (e.g. Google's ):
push "dhcp-option DNS 8.8.8.8"
If you want to use your own router/OpenVPN server (my lan Domain is named "home"):
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DOMAIN HOME"

Ok, resolving names. That's what I need to do!

But... "8.8.8.8", Google's DNS, doesn't look like what I need. I can access the Internet, so somewhere a DNS is already doing the job.

"push "dhcp-option DNS 192.168.0.1"" looks maybe more appropriate as I need to resolve local names.
But I tried it (my router is on the 192.168.0.1 IP address) and it didn't fix the issue.

And regarding the "DOMAIN" setting, I don't exactly know what it's referring to.
Is it the optional DD-WRT setting "Domain Name" in Setup > Basic Setup?
In this case, so far it's blank for me.

Quote:
Here’s a breakdown of what’s going on:
The local DNS server at 192.168.1.1 is pushed to clients so they can make queries on the server’s network.
The domain is specified so hostnames will resolve without specification.

So does it mean it's mandatory to set a Domain name?
Ok, why not but it worked before without.

Quote:
If you are using DD-WRT as a DNS server you’ll need to tell DNSMasq to listen for requests on the interface your VPN clients will query on. To do this you’ll need to figure out what interface that is.
To see the interface your VPN clients will query on, you can find this in the GUI by clicking "Setup" > "Advanced Routing" > "Routing Table." In there you’ll see a route that specifies the tun adapter you are using and the IP net see below. For me it is tun2.

Take that piece of information and navigate to "Services" > "Services." Scroll down to "Additional DNSMasq Options" and enter
interface=tun#
where # is the number you pulled from routing table, in this case tun2.

I guess I've already done it.

And that's it.
But it's still not working for me.
Unless, of course, I did not properly understand your advice.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6406
Location: Netherlands

Posted: Wed Feb 19, 2020 7:29
You have done point 2 and 3

The DOMAIN is "needed" so that you do not have to use the suffix of your domain.

my domain is "home"

When I want to reach my NAS (which is called qnap453) I enter in my explorer: \\qnap453 without the pushed domain I should enter: \\qnap453.home

You should make certain that you can reach your NAS from the local LAN as a test that local DNS is set up correctly (point 1).

You should also execute point 4 detailed on page 21.

You can check from your windows PC when connected via VPN with nslookup (via cmd), open a cmd window and do nslookup [nas name]

If you are using a recent ddwrt version do not forget to disable the CVE 14899 patch or take other appropriate measures.

Your NAS will have a firewall which should block queries from other subnets like the VPN, so tweak the firewall of your NAS (or other clients) to allow the VPN's subnet, or NAT the VPN out via br0 (detailed in the guide under CVE 14899 problems on page 6/7).

FTP
DD-WRT User


Joined: 01 Jul 2012
Posts: 67

Posted: Wed Feb 19, 2020 9:39
Ok, so if I start from your 4 points:

egc wrote:
First check if local DNS is working from your LAN.
(...)
You should make certain that you can can reach your NAS from the local lan as a test that local DNS is setup correctly (point 1)

So far I've still not setup any domain name.

But if I connect my laptop directly on the LAN (no VPN), open Windows Explorer and type "\\storage_master" (my NAS name), it already works fine. Windows Explorer immediately displays all the shared folders.

And like I say in my 1st post, I already have several shared folders mapped using names, so I guess name resolution on the LAN works fine.

egc wrote:
Second push your router as DNS server
(...)
You have done point 2 and 3
(...)
The DOMAIN is "needed" so that you do not have to use the suffix of your domain.

my domain is "home"...

I'm not sure I properly understand when you say "The DOMAIN is "needed" so that...".
Like I said, I've not set any domain and my local DNS is working fine without it and without the need to type a suffix.

So does "The DOMAIN is "needed" so that..." mean:
- IF you set a domain, then a push using "DOMAIN" is needed
- or in any case you need to set a domain + a push using "DOMAIN" if you don't have it yet?

egc wrote:
Third listen on the VPN interface (you did )
(...)
You have done point 2 and 3

I guess it refers to the "Additional DNSMasq Options > interface=tun2" already set, but I'm not 100% sure.

egc wrote:
Fourth block outside DNS for windows 10
(...)
You should also execute point 4 detailed on page 21.

You can check from your windows PC when connected via VPN with nslookup (via cmd), open a cmd window and do nslookup [nas name]

Here is the nslookup...
Quote:
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 172.20.10.1

*** UnKnown can't find storage_master: Non-existent domain

Then I've added "push "block-outside-dns"" in the Additional Config of the OpenVPN server.
It didn't change anything.

After I've also added "block-outside-dns" in the .ovpn file used by the windows client and it still did not fix the issue.

Quote:
If you are using a recent ddwrt version do not forget to disable the CVE 14899 patch or take other appropriate measures.

Well, I don't know which patch you're referring to, I can search but I guess I'm not concerned (so far) as like you mentioned my DD-WRT version is from 09/2018, so a bit old.
However if you have a link, I'm interested to have a look as I may sooner or later update my DD-WRT firmware.

Quote:
You NAS will have a firewall which should block queries from other subnets like the VPN so tweak the firewall of your NAS (or other clients) to allow the VPN's subnet, or NAT the VPN out via br0 (detailed in the guide under CVE 14899 problems on page 6/7)

I don't think it's the issue:
1/ Everything works fine if I use IP addresses. I can access my NAS through the VPN using IP addresses, so the firewall is allowing it.
2/ I've tried to disable the NAS Firewall and it changes nothing
3/ Here are the NAS firewall rules... (screenshot not included)

Thanks for your efforts!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6406
Location: Netherlands

Posted: Wed Feb 19, 2020 10:02
Windows explorer uses WSD and not DNS

The NSlookup gives it away:
*** UnKnown can't find storage_master: Non-existent domain

https://www.howtogeek.com/69696/how-to-access-your-machines-using-dns-names-with-dd-wrt/

Of course you have to set a static lease for the NAS so that its name is known to DNSMasq.

FTP
DD-WRT User


Joined: 01 Jul 2012
Posts: 67

Posted: Wed Feb 19, 2020 11:57
Ok, done it works.
Thanks!

egc wrote:
https://www.howtogeek.com/69696/how-to-access-your-machines-using-dns-names-with-dd-wrt/

Thanks for the link. It indeed answers my question.

So I've set:
- Used Domain: LAN & WLAN
- Domain name: home
- Static Leases: I've added a line for the NAS, even though the NAS is on a fixed IP address, not a DHCP static lease, but at least "so that its name is known to DNSMasq" like you said
- VPN Additional Config: I've added "push "dhcp-option DOMAIN home""

And that's it. It suddenly started to work.


Then I ran a few tests to check if everything was really mandatory, and it looks like yes, nearly.

Remove just 1 of those settings and it will not work any more:
- DHCP Server > Used Domain: LAN & WLAN
- DHCP Server > Domain name: xxxx
- DHCP Server > Static Leases: add one entry per name we want to be recognized

- DNSMasq > Additional DNSMasq Options: add the following line...
interface=tun2 (where tun2 is the interface name used by the VPN; cf. Setup > Advanced Routing > Show Routing Table)

- OpenVPN Server > Additional Config: add the following lines...
push "dhcp-option DNS 192.168.0.1" (where 192.168.0.1 is the router's IP)
push "dhcp-option DOMAIN xxxx" (where xxxx is the Domain name)


On the other hand, it does work even if we don't add "push "block-outside-dns"" or "block-outside-dns".
BUT... the nslookup fails.
Then I don't really know if it's important or not to add this parameter, but I've decided to add "block-outside-dns" on the Windows client side to avoid imposing "push "block-outside-dns"" on clients other than Windows, like iOS or others.

At last, on my first screen shots above I had "DNSMasq > Local DNS: Enable" but before I started working on the issue yesterday it was set to "Disable". Probably disabled by default. I enabled it only to test, because of this post...
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=994731#994731

So I tried to disable it to go back to the default setting and everything is still working fine.
I don't know if there's any interest in enabling this setting or not?

Voilà!

At last one question: it looks like we have to add in the DHCP section one entry per name we want to be recognized. It's not super convenient. Is there any setting that allows us to avoid having to declare every name before being able to address it? Something that can search by itself if such a name is on the network?

Thanks again for your help egc
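The settings listed in the post above, written out as the dnsmasq and OpenVPN directives they correspond to. This is an added example for the reader, not configuration taken from the thread or from DD-WRT's generated files. The router address 192.168.0.1, the tun2 interface, the domain "home" and the NAS name storage_master are from the thread; the NAS MAC address and its 192.168.0.10 address are assumed placeholders, and the mapping of the GUI's "Used Domain" and "Domain name" fields onto domain=, expand-hosts and local= is an assumption about what DD-WRT generates, not something the thread states.

```conf
# Added example (not from the thread or from DD-WRT): server-side pieces that
# let OpenVPN clients resolve LAN hostnames through the router's dnsmasq.
# Assumed placeholders: the NAS MAC 00:11:22:33:44:55 and its IP 192.168.0.10.

# ---- Services > Services > Additional DNSMasq Options ----
# Answer DNS queries that arrive on the VPN tunnel interface, not only on br0.
# dnsmasq replies only on interfaces named by interface= lines, so this list
# should never contain the WAN interface.
interface=tun2
# Local domain and suffix handling. These three lines are what the GUI's
# "Used Domain: LAN & WLAN" + "Domain name: home" are assumed to generate.
domain=home
expand-hosts
# Never forward *.home lookups upstream: without this a miss for
# storage_master.home would be sent to the WAN resolver.
local=/home/
# Static lease: the hostname is what makes dnsmasq know the NAS by name.
dhcp-host=00:11:22:33:44:55,storage_master,192.168.0.10,infinite
# Alternative for a host that never requests a DHCP lease (fixed IP):
# a plain DNS record, no DHCP involved. Use one or the other, not both.
# host-record=storage_master,storage_master.home,192.168.0.10

# ---- Services > VPN > OpenVPN Server > Additional Config ----
# Hand clients the router as resolver and "home" as DNS suffix, so that
# \\storage_master is looked up as storage_master.home.
push "dhcp-option DNS 192.168.0.1"
push "dhcp-option DOMAIN home"
# Windows only: stop the client from also sending queries to the DNS server
# of whatever network it sits on; other platforms are expected to ignore it
# with a warning. The poster above chose to put block-outside-dns in the
# Windows .ovpn file instead of pushing it to every client.
push "block-outside-dns"
```

To check the server side without the Windows resolver in the loop, query the router by address: `nslookup storage_master.home 192.168.0.1` from a connected VPN client, or `nslookup storage_master.home 127.0.0.1` on the router itself. Windows nslookup asks the first DNS server in the adapter order rather than the one pushed over the tunnel (the 172.20.10.1 in the earlier output), which is why it can fail while the mapped drive works. After the change, also confirm that the generated /tmp/dnsmasq.conf on the router lists br0 and tun2 but not the WAN interface, so that adding the tunnel did not turn the router into an open resolver.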
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6406
Location: Netherlands

Posted: Wed Feb 19, 2020 13:13
There is no advertising between subnets (it can be made with Avahi or mDNS) so you have to make the names known to DNSMasq with a static lease (actually you do not need to specify an IP address just the MAC and name)

When testing, beware of the DNS cache: your Windows client caches DNS and your browser also.

When testing I use a web browser which deletes everything on shut down and I do ipconfig /flushdns from command line to clear the cache.

Otherwise it seems to work without anything because the DNS is cached

Glad you could get it working

FTP
DD-WRT User


Joined: 01 Jul 2012
Posts: 67

Posted: Wed Feb 19, 2020 13:45
And "DNSMasq > Local DNS"?
Useful or not?
What is it for?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6406
Location: Netherlands

Posted: Wed Feb 19, 2020 14:15
Yes, that is what you are doing, local DNS, so it will not work if not enabled.
FTP
DD-WRT User


Joined: 01 Jul 2012
Posts: 67

Posted: Wed Feb 19, 2020 17:58
egc wrote:
Yes that is what you are doing, local DNS, so it will not work if not enabled

Well, I'm not so sure.

1/ Apart from the name resolution issue to access the shared folders mapped with names, all the rest has always worked fine with this setting "Disable"
2/ And now I've run a new test with the setting "Disable" and after flushing the cache (ipconfig /flushdns) and it still works fine.

So far I can't find any case where something is not working despite Local DNS is disabled.

What is this setting supposed to do anyway?