
I am attempting to have my D-Link DSR-250n router connect to my OpenVPN server. I have followed this guide in terms of getting the server up and running, and can successfully establish a client connection and resolve names using both the OpenVPN client for Windows, and the Android OpenVPN client. Here is my server.conf config:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 10.8.0.1"

I've added my certificates to the DSR-250n, ensured that the protocol (UDP), encryption and hash algorithms are correct, and pointed it at the VPN (there are no other config options); it connects with seemingly no problem and the router logs report no errors. Once the connection is established, I can both ping the VPN server IP from a computer connected to the DSR-250n router and also SSH to the VPN server without issue. What I can't seem to do once the router has connected is resolve names, either from the router using its built-in tools or from any router-connected computer. On all of the VPN server, router and local computers, I have hard-coded the Google DNS servers, 8.8.8.8, 8.8.8.4.

So I have connectivity to the server and a seemingly good VPN connection that allows me to SSH to the server itself - once there, I can traceroute names without an issue.

What I've tried:

The DSR-250n has a DNS proxy feature that will allow connected computers to use the router's IP as a DNS - I've turned this on and off with no change in functionality. I haven't really changed the above server config, as I wasn't sure where to start.

Any help appreciated!

EDIT1 - Updated information. When the VPN client connection from the router is active, I have the following connectivity:

From the Router:

  • I cannot ping any direct public IPs other than my local 192.168.1.x network, and the public IP of the VPN.
  • I cannot ping the private subnet of the VPN at 10.8.0.1.
  • I cannot resolve any internet names and traceroute fails completely.

From a computer connected to the router via DHCP:

  • I cannot ping any direct public IPs other than my local 192.168.x network, and the public IP of the VPN.
  • I cannot ping the private subnet of the VPN at 10.8.0.1.
  • I cannot resolve any internet names and traceroute fails completely.

Here is the IPv4 routing table from the router itself when I've got an active connection to the OpenVPN server with the router as a client:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.1        10.8.0.9        255.255.255.255 UGH   0      0        0 tun1
x.x.x.x (VPN server public IP)    99.231.136.1    255.255.255.255 UGH   0      0        0 eth1
10.8.0.9        0.0.0.0         255.255.255.255 UH    0      0        0 tun1
192.168.1.0    0.0.0.0         255.255.255.0   U     0      0        0 bdg1
99.231.136.0    0.0.0.0         255.255.254.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.8.0.9        128.0.0.0       UG    0      0        0 tun1
128.0.0.0       10.8.0.9        128.0.0.0       UG    0      0        0 tun1
0.0.0.0         99.231.136.1    0.0.0.0         UG    0      0        0 eth1
Unpossible
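The routing table posted above can be checked mechanically rather than by eye. The following is an added example, not code from the question or the router: it parses that table (with the documentation address 203.0.113.10 standing in for the redacted x.x.x.x VPN server IP), does a longest-prefix-match lookup for a few destinations, and verifies the shape that `push "redirect-gateway def1"` is expected to leave on a client: two /1 routes into the tunnel that override the old default without deleting it, plus a /32 host route to the VPN server via the original gateway so the tunnel's own packets do not loop back into the tunnel. Metric tie-breaking is ignored, which is fine for a table like this one where every prefix appears once.

```python
"""Longest-prefix-match lookup over a `route -n` style routing table."""
import ipaddress

# Constructed from the routing table in the question. 203.0.113.10 replaces the
# redacted x.x.x.x public address of the OpenVPN server (an assumption).
ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.1        10.8.0.9        255.255.255.255 UGH   0      0        0 tun1
203.0.113.10    99.231.136.1    255.255.255.255 UGH   0      0        0 eth1
10.8.0.9        0.0.0.0         255.255.255.255 UH    0      0        0 tun1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 bdg1
99.231.136.0    0.0.0.0         255.255.254.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.8.0.9        128.0.0.0       UG    0      0        0 tun1
128.0.0.0       10.8.0.9        128.0.0.0       UG    0      0        0 tun1
0.0.0.0         99.231.136.1    0.0.0.0         UG    0      0        0 eth1
"""


def parse_routes(text):
    """Turn `route -n` output into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue  # title line, blank lines
        dest, gateway, genmask, flags, iface = (
            fields[0], fields[1], fields[2], fields[3], fields[7])
        try:
            # ipaddress accepts a dotted netmask after the slash
            net = ipaddress.ip_network(f"{dest}/{genmask}", strict=False)
        except ValueError:
            continue  # the column header line
        routes.append({
            "net": net,
            # 0.0.0.0 in the Gateway column means "directly connected"
            "gateway": None if gateway == "0.0.0.0" else gateway,
            "flags": flags,
            "iface": iface,
        })
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r["net"] and (best is None or
                                 r["net"].prefixlen > best["net"].prefixlen):
            best = r
    return best


def next_hop(routes, dst):
    """Return (interface, gateway-or-None) for dst, or None if unroutable."""
    r = lookup(routes, dst)
    return (r["iface"], r["gateway"]) if r else None


def redirect_gateway_checks(routes, vpn_server_ip):
    """Sanity checks for the client side of `redirect-gateway def1`."""
    halves = [r for r in routes if r["net"].prefixlen == 1 and r["gateway"]]
    tunnel_ifaces = {r["iface"] for r in halves}
    server_route = lookup(routes, vpn_server_ip)
    return {
        # both 0.0.0.0/1 and 128.0.0.0/1 present and pointing at one tunnel
        "def1_halves_via_tunnel": len(halves) == 2 and len(tunnel_ifaces) == 1,
        # the VPN server itself is reached by a /32 that avoids the tunnel
        "server_bypasses_tunnel": (server_route is not None
                                   and server_route["net"].prefixlen == 32
                                   and server_route["iface"] not in tunnel_ifaces),
    }


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    for dst in ("8.8.8.8", "10.8.0.1", "203.0.113.10", "192.168.1.50"):
        print(dst, "->", next_hop(routes, dst))
    print(redirect_gateway_checks(routes, "203.0.113.10"))
```

On this table 8.8.8.8 and 10.8.0.1 both resolve to tun1 via 10.8.0.9 and the server's /32 stays on eth1, which is the normal def1 layout; the client-side routes therefore do not by themselves explain why neither destination answers.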

1 Answer


My impression is that you have not followed the dnsmasq part of the instructions you linked to the letter, and you could have a possible routing issue too.

What happens if you remove the google dns hardcoding from everywhere except in your ovpn server config? Here is some additional reasoning around dns as per your description and the link you gave:

I recall using resolv.conf with dnsmasq, as I was always on static public addresses with no dynamically assigned DNS servers. The instructions in the link seem however to be based on a workaround for picking up DHCP-assigned DNS addresses. As you are aligning towards the Google DNS addresses rather than dynamically assigned ones, I would pay particular attention to that part. Make double sure resolution through dnsmasq works before chaining clients through yet another backend DNS proxy. If you follow that guide, make sure you understand what each step does, as you may need to change the dnsmasq config procedure a little to get it simple and swinging.

Also, as the solution is explicitly designed around dnsmasq picking up all DNS queries and forwarding them, your hard-coding of the Google DNS addresses as primary and secondary resolvers with the dnsmasq address as tertiary resolver in the ovpn server config (I assume you are doing the same everywhere possible, as you write that you have hard-coded even at the clients) means a double DNS timeout could be expected before resolution is done through dnsmasq when you connect through the VPN.

This is of course not optimal, you should remove references to google dns except as specified for external resolver config in the dnsmasq guide for the ovpn server. When you have it working you could add the google dns addresses in your dns clients of your client machines again. They should then be temporarily replaced with the ones from openvpn as you connect.

Further, consider the possibility that the dlink router does not accept three dns server addresses in its dynamic dns client, consider as well the possibility of conflict between hard coding the addresses and having them dynamically assigned to the dlink at the same time. Perhaps it doesn't handle such a config well? I do not have access to your dlink model and don't really wish to read its documentation, but just indicate some possible error sources.

So I really get the impression you need to simplify the dns part:

  • Make sure the ovpn server dnsmasq resolves to google dns and google dns alone.
  • Remove references to google dns everywhere except in your dnsmasq server resolv.conf or in its interfaces file as indicated in the guide to which you refer.
  • Use your dnsmasq address as dns server address in your dlink dns client, first try hard coding it and if that works try pushing it dynamically from the ovpn server.
  • When the above works, at the client try using the dlink or the dnsmasq address depending on your dns proxy toggle in the dlink.

If you have additional networks at your ovpn server beside the path indicated by the default route, and which you depend upon to make the final leg to the internet, you need to push those routes to the dlink using the 'push "route x.x.x.0 255.255.255.0"' directive. Just to rule that out.

In order for clients on the vpn network to reach each other, use the 'client-to-client' directive in your ovpn server config.

Furthermore, your dlink router's routing table does look a bit odd to me. I could be wrong about this, as the dlink may present its routing table in a way that is unfamiliar to me. The way it looks, as I compare it to a working ovpn client which I have access to, is that you have placed both the internal network connecting the dlink AND the VPN tunnel network on subnet 10.8.0.0/24, whilst having configured a routed rather than a bridged VPN. That would make for trouble in the routing department.

As said, I'm not sure how the dlink presents itself routing table wise, so additional details about your network (in particular how the internal ip subnets are planned and the key server ip addresses such as the ovpn server address, dnsmasq address, internal vpn network space, internal client subnets as-is without vpn) would make it easier to help you with that part. Obfuscate as you feel necessary, but make it representative and consistent.

I hope this is of some help.

ErikE
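The "double DNS timeout" point in the answer can be made concrete. The following is an added example, not code from the answer or from OpenVPN: it pulls the `dhcp-option DNS` push lines out of the question's server.conf, then walks that nameserver list the way a glibc-style stub resolver with resolv.conf defaults does (options `timeout:5 attempts:2`: query each server in order, wait 5 seconds on silence, repeat the whole list once more before failing). The reachability map is constructed from the question: the Google addresses are assumed not to answer through the tunnel and only the dnsmasq address at 10.8.0.1 is assumed to answer. Whether the DSR-250n's own resolver uses the same timeout and attempt values is an assumption; the Windows resolver, for instance, behaves differently. `simplify_dns_push` applies the answer's recommendation of pushing the dnsmasq address alone.

```python
"""Stub-resolver walk over the nameserver order pushed by the OpenVPN server."""
import re

# Constructed input: the push lines from the question's server.conf.
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 10.8.0.1"
"""

PUSH_DNS = re.compile(r'^\s*push\s+"dhcp-option\s+DNS\s+(\S+)"')


def pushed_dns(conf_text):
    """Nameservers in the order OpenVPN will push them to clients."""
    order = []
    for line in conf_text.splitlines():
        m = PUSH_DNS.match(line)
        if m:
            order.append(m.group(1))
    return order


def simulate_lookup(nameservers, reachable, timeout=5, attempts=2):
    """Model of a glibc-style stub resolver (assumption: resolv.conf defaults
    timeout:5 attempts:2). `reachable` maps server IP -> True if it answers.
    Returns which server answered (None on failure) and the seconds spent
    waiting on silent servers before that answer."""
    waited = 0
    for _ in range(attempts):
        for ns in nameservers:
            if reachable.get(ns, False):
                return {"answered_by": ns, "waited": waited}
            waited += timeout  # silent server: burn one full timeout
    return {"answered_by": None, "waited": waited}


def simplify_dns_push(conf_text, dns_ip):
    """Drop every pushed DNS server and push only dns_ip (the dnsmasq address),
    which is what the answer recommends."""
    kept = [l for l in conf_text.splitlines() if not PUSH_DNS.match(l)]
    kept.append(f'push "dhcp-option DNS {dns_ip}"')
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Constructed reachability: only dnsmasq on the tunnel address answers.
    reach = {"10.8.0.1": True}
    original = pushed_dns(SERVER_CONF)
    print("original order", original, simulate_lookup(original, reach))
    simplified = pushed_dns(simplify_dns_push(SERVER_CONF, "10.8.0.1"))
    print("simplified order", simplified, simulate_lookup(simplified, reach))
    print("nothing reachable", simulate_lookup(original, {}))
```

With the original order the first answer arrives only after ten seconds of silence from 8.8.8.8 and 8.8.4.4, which many applications treat as a failed lookup; with the simplified order it arrives immediately. If 10.8.0.1 does not answer either, as the question's edit reports, the walk fails outright after thirty seconds, so fixing the order alone is not enough: dnsmasq has to be reachable and answering on the tunnel address first.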