Here's my OpenVPN server configuration:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh4096.pem
topology subnet
server 10.224.127.0 255.255.255.0 # AKA 10.224.127.0/24
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.0.0.0"
push "dhcp-option DNS 10.0.9.102"
push "dhcp-option DNS 10.0.8.186"
push "dhcp-option DOMAIN dc1.lam.myname.net aws.myname.net myname.local"
keepalive 10 120
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
cipher AES-256-CBC
auth SHA256
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA
client-cert-not-required
username-as-common-name
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
I basically want to do the following:
- Use our internal DNS servers for name resolution.
- Allocate client IP addresses within the 10.224.127.0/24 range.
- Only route traffic going to 10.0.0.0/8 over the VPN link.
- Use a few search domains for DNS lookups.
- Generic hardening and good crypto.
- Use PAM for logging in.
So it "basically" works, with a few caveats. DNS resolution only works for a few seconds after the VPN server comes online and then stops working. I can route TCP packets just fine regardless of whether DNS is working or not.
Why does DNS only work for the first few seconds of my connection? What am I doing wrong?
The clients I plan on using are Linux and OSX. How can I push DNS resolution down to them?
Because OpenVPN's DNS push option only works with Windows, I assume this is the OS your VPN clients run under.
It is likely that (as @HåkanLindqvist mentioned) some piece of software modifies your DNS settings. This is a common feature of security-related software (like antivirus), as a fake DNS server can be used for, e.g., phishing attacks. You will have to find that application yourself and, if possible, run a script from OpenVPN which will disable the DNS protection feature on connect.
Also, if you use PAM, you need to provide credentials from userspace, so OpenVPN cannot be run as a Windows service. Do you run the OpenVPN GUI or the command line only? Do you start it with elevated privileges?
If you want to use server-provided DNS addresses on a UNIX client, you need a script to be run by OpenVPN on connection up which reads the OpenVPN environment and puts the received values into /etc/resolv.conf. Check the manual for reference. The other option is to install dnsmasq locally on the client and provide --server /LOCAL_DOMAIN/LOCAL_DNS_IP options, which will provide name resolution over the VPN tunnel only for hosts in the chosen domain(s).
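An added example of the "up" script the answer refers to, for a Linux client; this is not code from the original answer or from the OpenVPN project. It relies on two things OpenVPN really does provide to hook scripts: each pushed `dhcp-option` arrives as an environment variable `foreign_option_N`, and `script_type` is set to `up` or `down`. The script path `/etc/openvpn/update-resolv.sh` and the `RESOLV_CONF` override used for testing are assumptions. Only dotted-quad IPv4 nameservers are accepted, so a malformed pushed value cannot end up in the resolver file, and the original file is backed up so the `down` hook can restore it.

```shell
#!/bin/sh
# Hypothetical OpenVPN client "up"/"down" script for Linux (added example, not
# from the original answer). OpenVPN exports every pushed "dhcp-option" as an
# environment variable foreign_option_N and sets script_type to "up" or "down".
# Client config lines that would invoke it (script-security 2 lets OpenVPN run
# external scripts; the script path is an assumption):
#   script-security 2
#   up   /etc/openvpn/update-resolv.sh
#   down /etc/openvpn/update-resolv.sh

RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"   # overridable for testing
BACKUP="${RESOLV_CONF}.openvpn-backup"

# Print resolv.conf lines built from foreign_option_* to stdout.
# Returns 1 if no usable DNS server was pushed, so the caller leaves the
# system resolver untouched instead of writing an empty file.
render_resolv_conf() {
    nameservers=""
    domains=""
    i=1
    while :; do
        eval "opt=\${foreign_option_${i}:-}"
        [ -n "$opt" ] || break
        i=$((i + 1))
        # split the option on whitespace (globbing off): dhcp-option <KEY> <values...>
        set -f
        set -- $opt
        set +f
        [ "${1:-}" = "dhcp-option" ] || continue
        case "${2:-}" in
            DNS)
                # accept only a dotted-quad IPv4 literal; anything else is dropped
                case "${3:-}" in
                    *[!0-9.]*|"") ;;
                    *) nameservers="$nameservers $3" ;;
                esac
                ;;
            DOMAIN)
                shift 2
                domains="$domains $*"
                ;;
        esac
    done
    [ -n "$nameservers" ] || return 1
    for ns in $nameservers; do
        printf 'nameserver %s\n' "$ns"
    done
    [ -z "$domains" ] || printf 'search%s\n' "$domains"
}

# Write the rendered file, keeping a backup for the down hook to restore.
apply_up() {
    conf=$(render_resolv_conf) || { echo "no DNS pushed, leaving $RESOLV_CONF alone" >&2; return 0; }
    [ -f "$BACKUP" ] || cp "$RESOLV_CONF" "$BACKUP"
    {
        echo "# written by the OpenVPN up script; original saved as $BACKUP"
        printf '%s\n' "$conf"
    } > "$RESOLV_CONF"
}

# Put the pre-VPN resolver configuration back.
apply_down() {
    if [ -f "$BACKUP" ]; then
        mv "$BACKUP" "$RESOLV_CONF"
    fi
}

# OpenVPN tells the script which hook is running via script_type.
case "${script_type:-}" in
    up)   apply_up ;;
    down) apply_down ;;
esac
```

Two caveats for the symptom in the question: on Linux systems where NetworkManager, resolvconf or systemd-resolved owns /etc/resolv.conf, the file will be rewritten shortly after the script runs, which looks exactly like "DNS works for a few seconds and then stops"; on those systems the pushed values have to be handed to that manager instead of written directly. On OS X the resolver does not read /etc/resolv.conf for lookups at all, so a script there must use scutil rather than this file.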