
I'm in a strange situation.

  • At work, I've set up OpenVPN + DNSMasq DNS server.
  • 10.0.0.100 is the internal IP of the VPN server.
  • 10.0.0.200 is the internal IP of the DNS server.

If I connect to the VPN server from an external network, it all works fine - I can ping and ssh into the local machines by their IP addresses.

However, for some reason, I cannot access the DNS service. I can ssh into 10.0.0.200. So I tried nslookup HOSTNAME 10.0.0.200, but I only get ;; connection timed out; no servers could be reached. This occurs for both internal and external domain names.

While OpenVPN is running, if I ssh into any of the machines in the local area network and run nslookup HOSTNAME 10.0.0.200, it works as intended. Moreover, I can even telnet to port 53 of the machine 10.0.0.200.

To debug the problem, I tried a few more things. I gave an external IP to the DNS server 10.0.0.200, say 1.2.3.4. From an external network, I can run nslookup HOSTNAME 1.2.3.4 and the command executes as expected - it resolves both internal and external domain names.

However, when I start the OpenVPN client on the client machine and run nslookup HOSTNAME 1.2.3.4, it fails with the same connection timed out; error message.

traceroute to 1.2.3.4 (1.2.3.4), 30 hops max, 60 byte packets
 1  5.5.0.1 (5.5.0.1)  25.705 ms  25.714 ms  25.790 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * as7065.xe-1-0-6.ar1.pao1.us.nlayer.net (69.22.130.86)  25.742 ms
12  tengig4-3.cr1.lsatca11.sonic.net (69.12.211.6)  25.658 ms  33.069 ms  33.067 ms
13  po2.cr1.colaca01.sonic.net (70.36.205.65)  33.075 ms  33.009 ms  37.902 ms
14  gig1-1-1.gw.snfcca01.sonic.net (70.36.228.102)  40.420 ms  40.332 ms  40.364 ms
15  * * *
16 ...(and go on)

5.5.0.1 is the gateway of the virtual interface created by OpenVPN.

At that point, I also noticed that Wed May 18 22:32:44 2011 /sbin/route add -net 1.2.3.4 netmask 255.255.255.255 gw 5.5.0.1 metric 101 was in the startup messages of the OpenVPN client.

So, I suspect that routing DNS query traffic over OpenVPN is somehow causing the problem. However, I do not know

This is a lot of fragmented information, with a lot more uncertainties. To summarize:

  • The problem: I cannot properly access the DNS server in the local network via VPN, even though everything else seems to work fine.
  • I suspect that routing DNS traffic via OpenVPN is a problem, but I am not sure, and I do not know the solution for it.
Jeeyoung Kim

3 Answers


I believe the problem you have is with the DNSMasq config since you keep getting the ;; connection timed out; no servers could be reached error message.

I encountered the same problem while configuring my DD-WRT with OpenVPN and fixed it by adding:

interface=tun0

to my dnsmasq.conf (Services | Additional DNSMasq Options from DD-WRT HTTP interface) [1]

You can then push the proper DNS server to clients by adding the following:

push "dhcp-option DNS 10.x.x.x"

to the OpenVPN config [2]; however, this only works 'out of the box' on Windows [3]. On Ubuntu clients I just manually set my internal DNS server instead of writing scripts to parse the foreign_option_n parameter.

  1. http://www.dd-wrt.com/phpBB2/viewtopic.php?p=680573
  2. OpenVPN and DNS. How to?
  3. http://openvpn.net/archive/openvpn-users/2006-06/msg00097.html
tam7t
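The Linux client side that the answer above leaves as a manual step, as an added example that is not part of the original answer: an OpenVPN --up/--down hook that turns the pushed dhcp-option DNS/DOMAIN values (OpenVPN hands them to the hook as the environment variables foreign_option_1, foreign_option_2, ... and sets script_type to "up" or "down") into /etc/resolv.conf, and puts the previous file back on disconnect. The hook path, the backup file name and the sample pushed values are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer: OpenVPN --up/--down hook for a
# Linux client. OpenVPN exports each pushed option as foreign_option_1,
# foreign_option_2, ... (e.g. "dhcp-option DNS 10.0.0.200") and sets
# script_type to "up" or "down" before running the hook.
#
# Assumed client config lines (the path is an assumption):
#   script-security 2
#   up   /etc/openvpn/update-resolv.sh
#   down /etc/openvpn/update-resolv.sh

RESOLV_CONF=${RESOLV_CONF:-/etc/resolv.conf}
BACKUP=${BACKUP:-$RESOLV_CONF.openvpn-saved}

# Emit every foreign_option_N value, one per line, stopping at the first gap.
foreign_options() {
    i=1
    while eval "opt=\${foreign_option_$i:-}"; [ -n "$opt" ]; do
        printf '%s\n' "$opt"
        i=$((i + 1))
    done
}

# Turn the pushed options into resolv.conf syntax on stdout.
#   dhcp-option DNS a.b.c.d  -> nameserver a.b.c.d   (only well-formed IPv4)
#   dhcp-option DOMAIN x.y   -> search x.y           (several are merged)
# Other options (WINS, NBT, ...) are ignored. The VPN server controls these
# values, so anything that is not a dotted quad is dropped rather than written.
build_resolv_conf() {
    foreign_options | awk '
        function is_ipv4(s,   p, i) {
            if (s !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return 0
            split(s, p, ".")
            for (i = 1; i <= 4; i++) if (p[i] + 0 > 255) return 0
            return 1
        }
        $1 == "dhcp-option" && $2 == "DNS" && is_ipv4($3) {
            ns = ns "nameserver " $3 "\n"
        }
        $1 == "dhcp-option" && $2 == "DOMAIN" && NF == 3 {
            search = search " " $3
        }
        END {
            printf "# generated by OpenVPN up script\n%s", ns
            if (search != "") printf "search%s\n", search
        }'
}

# up: keep a copy of the current resolver config, then install the pushed one.
resolv_up() {
    if [ -f "$RESOLV_CONF" ]; then cp -p "$RESOLV_CONF" "$BACKUP"; fi
    build_resolv_conf > "$RESOLV_CONF"
}

# down: put the saved config back.
resolv_down() {
    if [ -f "$BACKUP" ]; then mv "$BACKUP" "$RESOLV_CONF"; fi
}

case "${script_type:-}" in
    up)   resolv_up ;;
    down) resolv_down ;;
    *)    : ;;   # run by hand or sourced: only define the functions
esac
```

On a client where /etc/resolv.conf is managed by resolvconf or systemd-resolved, feed the generated lines to that tool instead of overwriting the file, otherwise the next DHCP lease renewal will undo the change. Whatever is pushed, the server is dictating the client's resolver, which is why the hook accepts only dotted-quad nameservers and ignores everything else.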

It's most helpful if you post your /etc/openvpn/server.conf config file. In particular, check that you are pushing routes and dns servers to the clients:

# give clients access to the whole work network, not just the server.
push "route 192.168.10.0 255.255.255.0"
# tell clients to use your internal dns server
push "dhcp-option DNS 10.8.15.1"
push "dhcp-option DOMAIN inside.example.com"

See my openvpn setup howto for more details. Also check that your dns server is configured to allow access from the remote clients, and that the firewall on the vpn server is allowing dns traffic to pass.

Phil Hollenback
  • I'm using OpenVPN AS right now, and I don't think I have the file /etc/openvpn/server.conf - is there easy way to see / generate server.conf in this case? – Jeeyoung Kim May 19 '11 at 07:58
  • I assume it's got the conf file in there somewhere. If you're on a RHEL type of system, run 'rpm -qa' to list installed packages, and 'rpm -ql xxx' on the OpenVPN AS package to get a list of installed files. If you poke around in there you should find the directory where the OpenVPN AS config file lives. – Phil Hollenback May 19 '11 at 08:09
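To check the server-side condition the answers above raise (is dnsmasq actually willing to answer queries that arrive on the tunnel interface?), an added example that is not from the thread: a small shell lint that reads a dnsmasq.conf and reports whether its interface restrictions admit tun0 and which bind mode is in effect. The two configurations it runs against are constructed to mirror a LAN-only default and the version with the tunnel interface added.

```shell
#!/bin/sh
# Added example, not from the thread: lint a dnsmasq.conf for the two settings
# that decide whether queries arriving over the OpenVPN tunnel are answered.
# The sample configs further down are constructed for this example.

# Print the active directives of a dnsmasq config: comments, surrounding
# whitespace and blank lines removed.
dnsmasq_directives() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# dnsmasq_serves_iface CONFIG IFACE -> prints yes/no, exit 0/1.
# Per dnsmasq(8): with no interface= or listen-address= lines dnsmasq serves
# every interface; once any are given it serves only the listed ones, and
# except-interface= always wins.
dnsmasq_serves_iface() {
    d=$(dnsmasq_directives "$1")
    if printf '%s\n' "$d" | grep -q "^except-interface=$2"'$'; then
        echo no; return 1
    fi
    if ! printf '%s\n' "$d" | grep -Eq '^(interface|listen-address)='; then
        echo yes; return 0
    fi
    if printf '%s\n' "$d" | grep -q "^interface=$2"'$'; then
        echo yes; return 0
    fi
    echo no; return 1
}

# dnsmasq_bind_mode CONFIG -> prints wildcard | bind-interfaces | bind-dynamic.
# tun0 is created when OpenVPN starts, usually after dnsmasq. bind-interfaces
# binds only the interfaces present at start-up, so dnsmasq would need a
# restart once tun0 exists; bind-dynamic follows interfaces as they appear.
dnsmasq_bind_mode() {
    d=$(dnsmasq_directives "$1")
    if printf '%s\n' "$d" | grep -q '^bind-dynamic$'; then
        echo bind-dynamic
    elif printf '%s\n' "$d" | grep -q '^bind-interfaces$'; then
        echo bind-interfaces
    else
        echo wildcard
    fi
}

# Constructed sample configs: a LAN-bridge-only setup and the corrected
# version that also serves the tunnel interface.
LAN_ONLY=$(mktemp); WITH_TUN=$(mktemp)
cat > "$LAN_ONLY" <<'EOF'
# constructed: LAN bridge only
interface=br0
bind-interfaces
domain-needed
EOF
cat > "$WITH_TUN" <<'EOF'
# constructed: LAN bridge plus OpenVPN tunnel
interface=br0
# answer VPN clients arriving on the tunnel
interface=tun0
# tun0 appears after dnsmasq starts, so do not pin the bind set at start-up
bind-dynamic
domain-needed
EOF

for f in "$LAN_ONLY" "$WITH_TUN"; do
    printf '%s: serves tun0=%s bind=%s\n' "$f" \
        "$(dnsmasq_serves_iface "$f" tun0)" "$(dnsmasq_bind_mode "$f")"
done
```

A "no" for tun0 matches the symptom in the question exactly: the host is reachable over the tunnel and port 53 is open from the LAN, yet queries arriving over the VPN are silently discarded, so the client sees only a timeout. The lint only reads the config; the host firewall on the VPN server, which Phil Hollenback's answer also asks about, still has to pass UDP and TCP 53 from the tunnel subnet.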

You need to configure your VPN client machine to use 10.0.0.200 as its resolver upon connecting to the VPN.

http://openvpn.net/index.php/open-source/documentation/howto.html#dhcp

You could try this manually by editing the /etc/resolv.conf (or your OS equivalent) and issuing DNS queries.

To further troubleshoot, please provide:

  • OS and DNS configuration for the VPN client
  • DNS configuration for your DNS server at 10.0.0.200 (recursive, authoritative, firewall, default route, etc)
dmourati