Posted: Tue Feb 18, 2020 16:55 Post subject: OpenVPN server: everything OK except name resolution
I've setup the DD-WRT OpenVPN server on my Asus RT-AC66U router.
But when I try to connect to the router from an OpenVPN client on my laptop (under Windows 10), it works: the client connects to the server, I have access to the Internet through OpenVPN, I have access to my LAN, I can, among other things, access my Synology NAS via its IP address, BUT... I can't access any shared folder mapped under Windows Explorer via the Synology NAS name. The name resolution is not working.
In fact, it used to work but it's not working any more and I can't find why it's not working any more.
I've read a lot of topics on the forums, but so far I can't find the solution.
Here are my settings on DD-WRT...
OpenVPN server of DD-WRT build 36995.
iptables -t nat -A POSTROUTING -o $(nvram get wan_iface) -j MASQUERADE
OpenVPN 2.4.6-I602 on Windows 10.
remote 184.108.40.206 1194
But to be honest, I'm not sure I properly understand your advice, your 4 steps.
In my signature is the OpenVPN server setup guide, which should provide all the answers.
I have your guide. I tried to find a solution in it even before posting my question here, but I had a hard time finding it.
I guess you are referring to page 17, as it's the only page where we can find the word "resolve", but there's no functional description in the introduction to confirm what this section is about, what it can fix or enable.
Redirect-gateway def1 (which is enabled by enabling "Redirect default Gateway" in settings) pushes a default route to the client; if done manually you could add the following commands in the Additional Config of the OpenVPN server settings:
push "route 0.0.0.0 128.0.0.0 vpn_gateway"
push "route 128.0.0.0 128.0.0.0 vpn_gateway"
push "redirect-gateway def1" (def1 preserves the old default gateway and is recommended)
I guess this section is an explanation regarding the theory of pushing routes.
We can either...
- enable the "Redirect default Gateway" setting
- or set commands more manually, thanks to the "push" command and either the parameters "route 0.0.0.0 0.0.0.0 vpn_gateway" or "redirect-gateway def1"
But I have "Redirect default Gateway" enabled, so if I have to push anything, I should not be concerned by the manual way to set it.
If you want to connect to the local subnet where the OpenVPN server resides (which is often done) and you do not have "Redirect Default Gateway" enabled, then you have to push that local route to your client, e.g.:
push "route 192.168.1.0 255.255.255.0 vpn_gateway"
To push a route to the client not going through the VPN:
push "route 126.96.36.199 255.255.255.255 net_gateway"
By default a route is added to the client's routing table establishing a route to the OpenVPN server, e.g. to 10.8.0.0. So it is not necessary to push this route.
This looks more like a more detailed example of the first explanation above.
So I should still not be concerned as, once again, "Redirect Default Gateway" is enabled; even though I still don't really understand what the purpose of pushing those routes is, i.e. what we can functionally do or solve by pushing those routes.
If you want to resolve DNS names over the VPN you will need to add the below lines to "Additional Config."
If you want to use a public DNS server (e.g. Google's ):
push "dhcp-option DNS 8.8.8.8"
If you want to use your own router/OpenVPN server (my LAN domain is named "home"):
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DOMAIN HOME"
Ok, resolving names. That's what I need to do!
But... "8.8.8.8", Google's DNS, doesn't look like what I need. I can access the Internet, so somewhere a DNS is already doing the job.
"push "dhcp-option DNS 192.168.0.1"" looks maybe more appropriate as I need to resolve local names.
But I tried (my router is at 192.168.0.1) and it didn't fix the issue.
And regarding the "DOMAIN" setting, I don't exactly know what it's referring to.
Is it the optional DD-WRT setting "Domain Name" in Setup > Basic Setup?
In this case, so far it's blank for me.
Here’s a breakdown of what’s going on:
The local DNS server at 192.168.1.1 is pushed to clients so they can make queries on the server’s network.
The domain is specified so hostnames will resolve without specification.
So does it mean it's mandatory to set a domain name?
Ok, why not but it worked before without.
If you are using DD-WRT as a DNS server you’ll need to tell DNSMasq to listen for requests on the interface your VPN clients will query on. To do this you’ll need to figure out what interface that is.
To see the interface your VPN clients will query on, you can find this in the GUI by clicking "Setup" > "Advanced Routing" > "Routing Table." In there you'll see a route that specifies the tun adapter you are using and the IP net, see below. For me it is tun2.
Take that piece of information and navigate to "Services" > "Services." Scroll down to "Additional DNSMasq Options" and enter
interface=tun#, where # is the number you pulled from the routing table, in this case tun2.
I guess I've already done it.
And that's it.
But it's still not working for me.
Unless, of course, I did not properly understand your advice.
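The route-pushing theory quoted from the guide above (the def1 pair, the pushed LAN route and the net_gateway exception) can be made concrete by simulating the client's routing table and doing a longest-prefix lookup, which is how Windows (and any other OS) picks the next hop. This is an added example, not code from the guide or from DD-WRT; the addresses for the VPN server, the client's LAN gateway, the VPN gateway and the bypassed host are assumed.

```python
import ipaddress

# Assumed addresses for the simulation (not from the original thread):
NET_GATEWAY = "192.168.178.1"   # the client's original LAN default gateway (net_gateway)
VPN_GATEWAY = "10.8.0.1"        # the OpenVPN server's tunnel address (vpn_gateway)
VPN_SERVER = "203.0.113.10"     # public IP of the OpenVPN server ("remote ... 1194")
BYPASS_HOST = "198.51.100.7"    # a host pushed with net_gateway so it does NOT use the VPN
LAN_SUBNET = "192.168.1.0/24"   # the LAN behind the OpenVPN server


def client_routes(redirect_def1=True, push_lan=True):
    """Constructed client routing table after connecting, as (network, next hop) pairs."""
    routes = [
        ("0.0.0.0/0", NET_GATEWAY),          # original default route; def1 leaves it in place
        (f"{VPN_SERVER}/32", NET_GATEWAY),   # added by OpenVPN so the tunnel's own packets are not tunnelled
        ("10.8.0.0/24", VPN_GATEWAY),        # route to the VPN subnet, added automatically (no push needed)
        (f"{BYPASS_HOST}/32", NET_GATEWAY),  # push "route <host> 255.255.255.255 net_gateway"
    ]
    if push_lan:
        routes.append((LAN_SUBNET, VPN_GATEWAY))      # push "route 192.168.1.0 255.255.255.0 vpn_gateway"
    if redirect_def1:
        # "redirect-gateway def1": two /1 routes that are more specific than 0.0.0.0/0,
        # so they win the lookup without deleting the old default gateway.
        routes += [("0.0.0.0/1", VPN_GATEWAY), ("128.0.0.0/1", VPN_GATEWAY)]
    return [(ipaddress.ip_network(net), hop) for net, hop in routes]


def next_hop(destination, routes):
    """Longest-prefix match: the most specific matching network decides the next hop."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r[0]]
    best = max(matches, key=lambda r: r[0].prefixlen)
    return best[1]


def route_report(routes, destinations):
    """Map each destination to 'vpn' or 'lan' so the effect of a push set is visible at a glance."""
    return {d: ("vpn" if next_hop(d, routes) == VPN_GATEWAY else "lan") for d in destinations}


if __name__ == "__main__":
    probes = ["8.8.8.8", VPN_SERVER, BYPASS_HOST, "192.168.1.20", "10.8.0.5"]
    print("Redirect default gateway ON :", route_report(client_routes(), probes))
    print("Redirect OFF, LAN route pushed:", route_report(client_routes(redirect_def1=False), probes))
    print("Redirect OFF, nothing pushed :", route_report(client_routes(False, False), probes))
```

With redirect on, everything except the VPN server itself and the explicitly bypassed host goes through the tunnel; with redirect off, the LAN behind the server is reachable only because of the pushed 192.168.1.0/24 route, which is exactly the case the guide describes.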
First check if local DNS is working from your LAN.
You should make certain that you can reach your NAS from the local LAN as a test that local DNS is set up correctly (point 1).
So far I've still not setup any domain name.
But if I connect my laptop directly on the LAN (no VPN), open Windows Explorer and type "\\storage_master" (my NAS name), it already works fine. Windows Explorer immediately displays all the shared folders.
And like I say in my 1st post, I already have several shared folders mapped using names, so I guess name resolution on the LAN works fine.
Second push your router as DNS server
You have done point 2 and 3
The DOMAIN is "needed" so that you do not have to use the suffix of your domain.
my domain is "home"...
I'm not sure to properly understand when you say the "The DOMAIN is "needed" so that...".
Like I said, I've not set any domain and my local DNS is working fine without it and without the need to type a suffix.
So does "The DOMAIN is "needed" so that..." mean:
- IF you set a domain, then a push using "DOMAIN" is needed
- or in any case you need to set a domain + a push using "DOMAIN" if you don't have it yet?
Third, listen on the VPN interface (you did).
You have done point 2 and 3
I guess it refers to the "Additional DNSMasq Options > interface=tun2" already set, but I'm not 100% sure.
Fourth block outside DNS for windows 10
You should also execute point 4 detailed on page 21.
You can check from your windows PC when connected via VPN with nslookup (via cmd), open a cmd window and do nslookup [nas name]
Here is the nslookup...
DNS request timed out.
timeout was 2 seconds.
Then I've added "push "block-outside-dns"" in the Additional Config of the OpenVPN server.
It didn't change anything.
Afterwards I also added "block-outside-dns" in the .ovpn file used by the Windows client, and it still did not fix the issue.
If you are using a recent ddwrt version do not forget to disable the CVE 14899 patch or take other appropriate measures.
Well, I don't know which patch you're referring to. I can search, but I guess I'm not concerned (so far) as, like you mentioned, my DD-WRT version is from 09/2018, so a bit old.
However if you have a link, I'm interested to have a look as I may sooner or later update my DD-WRT firmware.
Your NAS will have a firewall which should block queries from other subnets like the VPN, so tweak the firewall of your NAS (or other clients) to allow the VPN's subnet, or NAT the VPN out via br0 (detailed in the guide under CVE 14899 problems on page 6/7).
I don't think it's the issue:
1/ Everything works fine if I use IP addresses. I can access my NAS through the VPN using IP addresses, so the firewall is allowing it.
2/ I've tried to disable the NAS Firewall and it changes nothing
3/ Here are the NAS firewall rules...
Thanks for the link. It indeed answers my question.
So I've set:
- Used Domain: LAN & WLAN
- Domain name: home
- Static Leases: I've added a line for the NAS, even though the NAS is on a fixed IP address, not a DHCP static lease, but at least "so that its name is known to DNSMasq" like you said
- VPN Additional Config: I've added "push "dhcp-option DOMAIN home""
And that's it. It suddenly started to work
Then I ran a few tests to check if everything was really mandatory, and it looks like yes, nearly.
Remove just 1 of those settings and it will not work any more:
- DHCP Server > Used Domain: LAN & WLAN
- DHCP Server > Domain name: xxxx
- DHCP Server > Static Leases: add 1 entry by name we want to be recognized
- DNSMasq > Additional DNSMasq Options: add the following line...
interface=tun2 (where tun2 is the interface name used by the VPN; cf. Setup > Advanced Routing > Show Routing Table)
- OpenVPN Server > Additional Config: add the following lines...
push "dhcp-option DNS 192.168.0.1" (where 192.168.0.1 is the router's IP)
push "dhcp-option DOMAIN xxxx" (where xxxx is the Domain name)
On the other hand, it does work even if we don't add "push "block-outside-dns"" or "block-outside-dns".
BUT... the nslookup fails.
Then I don't really know if it's important or not to add this parameter, but I've decided to add "block-outside-dns" on the Windows client side to avoid imposing "push "block-outside-dns"" on other clients than Windows, like iOS or others.
So I tried to disable it to go back to the default setting and everything is still working fine.
I don't know if there's any interest in enabling this setting or not?
One last question: it looks like we have to add in the DHCP section 1 entry per name we want to be recognized. It's not super convenient. Is there any setting that allows us to avoid having to declare every name prior to being able to address it? Something that can search by itself if such a name is on the network?
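The checklist that ended up working (DNS and DOMAIN pushed from the OpenVPN server, DNSMasq listening on the tun interface, block-outside-dns optional but needed for nslookup on Windows) is easy to get subtly wrong when pasting into two different GUI boxes. Below is an added example, not part of the thread or of DD-WRT, that lints the two text fields against that checklist; the sample "Additional Config" and "Additional DNSMasq Options" contents are constructed, and the router address 192.168.0.1, interface tun2 and domain "home" are taken from the settings the poster reported.

```python
import re

# Constructed sample inputs (not copied from the original post): what the user
# would paste into "OpenVPN Server > Additional Config" and
# "Services > Additional DNSMasq Options".
OPENVPN_CFG_OK = '''
push "route 192.168.0.0 255.255.255.0 vpn_gateway"
push "dhcp-option DNS 192.168.0.1"
push "dhcp-option DOMAIN home"
'''
DNSMASQ_OPTS_OK = "interface=tun2\n"

OPENVPN_CFG_BROKEN = '''
push "dhcp-option DNS 8.8.8.8"
push "block-outside-dns"
'''
DNSMASQ_OPTS_BROKEN = "#interface=tun2\n"   # commented out, so DNSMasq ignores the VPN interface


def parse_push_options(text):
    """Return the pushed option strings, e.g. 'dhcp-option DNS 192.168.0.1', from push "..." lines."""
    return [m.group(1).strip() for m in re.finditer(r'^\s*push\s+"([^"]*)"', text, re.M)]


def dnsmasq_interfaces(text):
    """Interfaces DNSMasq is told to listen on via interface=... lines (comments skipped)."""
    listening = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        if line.startswith("interface="):
            listening.add(line.split("=", 1)[1].strip())
    return listening


def check_vpn_dns(openvpn_cfg, dnsmasq_opts, router_ip, vpn_iface, lan_domain):
    """Return {'errors': [...], 'warnings': [...]}; no errors means the checklist is satisfied."""
    errors, warnings = [], []
    pushed = parse_push_options(openvpn_cfg)

    dns_servers, domains = [], []
    for opt in pushed:
        parts = opt.split()
        if len(parts) == 3 and parts[0] == "dhcp-option":
            if parts[1] == "DNS":
                dns_servers.append(parts[2])
            elif parts[1] == "DOMAIN":
                domains.append(parts[2].lower())   # DOMAIN HOME and DOMAIN home are the same suffix

    if router_ip not in dns_servers:
        errors.append(f'missing push "dhcp-option DNS {router_ip}" (clients must query the router)')
    if lan_domain.lower() not in domains:
        errors.append(f'missing push "dhcp-option DOMAIN {lan_domain}" (short names will not get the suffix)')
    if vpn_iface not in dnsmasq_interfaces(dnsmasq_opts):
        errors.append(f"DNSMasq is not listening on {vpn_iface} (add interface={vpn_iface})")
    if "block-outside-dns" not in pushed:
        warnings.append("block-outside-dns not pushed: Windows may still send queries to its local DNS "
                        "(mapped drives may work, nslookup may time out)")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for label, cfg, opts in (("ok", OPENVPN_CFG_OK, DNSMASQ_OPTS_OK),
                             ("broken", OPENVPN_CFG_BROKEN, DNSMASQ_OPTS_BROKEN)):
        print(label, check_vpn_dns(cfg, opts, "192.168.0.1", "tun2", "home"))
```

Run it against the text of both GUI fields before reconnecting the client; combined with ipconfig /flushdns on the Windows side, it removes the two easiest ways to fool yourself (a stale cache and a commented-out interface line).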
Posted: Wed Feb 19, 2020 13:13 Post subject:
There is no advertising between subnets (it can be made with Avahi or mDNS) so you have to make the names known to DNSMasq with a static lease (actually you do not need to specify an IP address just the MAC and name)
When testing, beware of the DNS cache: your Windows client caches DNS and your browser does also.
When testing I use a web browser which deletes everything on shut down and I do ipconfig /flushdns from command line to clear the cache.
Otherwise it seems to work without anything because the DNS is cached
Yes that is what you are doing, local DNS, so it will not work if not enabled
Well, I'm not so sure.
1/ Apart from the name resolution issue to access the shared folders mapped with names, all the rest has always worked fine with this setting "Disable".
2/ And now I've run a new test with the setting "Disable" and after flushing the cache (ipconfig /flushdns), and it still works fine.
So far I can't find any case where something is not working despite Local DNS is disabled.