OpenVPN DNS solutions

[Deleted member 9563]

I just set up an OpenVPN server on a VPS and the only thing I can't get to work is DNS. I'll post my iptables script and server.conf in the hopes that someone can show me a solution. This is a single client setup and I'm not using TLS (so the update-resolv-conf script won't work). I am also using static IP everywhere so DHCP solutions are not immediately available.

It would seem that OpenVPN is intended for DHCP only, but I could be wrong. I'm hoping that I either got something wrong, or that there is a creative solution using iptables.

#server.conf
dev tun
proto tcp-server
secret static.key
port 443
comp-lzo
ifconfig 10.x.x.1  10.x.x.2
#neither of below works:
#push "redirect-gateway def1"
#push "redirect-gateway local def1"

This script runs at boot time:

#!/bin/sh
iptables -A INPUT -i venet0 -m state --state NEW -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o venet0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i venet0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.x.x/255.255.255.0 -j SNAT
iptables -A OUTPUT -o tun+ -j ACCEPT

Edit: perhaps I should add that I'm running Debian 7 32bit on the server and FreeBSD 10.1-RELEASE on the client.

 

[kpa]

How are you setting /etc/resolv.conf on the client?

 

[Deleted member 9563]

How are you setting /etc/resolv.conf on the client?

By editing the file directly. That's been working for a very long time. It works because I put this in /etc/resolvconf.conf:

resolv_conf="/dev/null" # prevent updating /etc/resolv.conf

 

[Deleted member 9563]

I should probably post my client.conf as well:

dev tun
proto tcp-client
secret static.key
comp-lzo
verb 6
ifconfig 10.x.x.2 10.x.x.1
redirect-gateway def1
remote xxx.xxx.xxx.xxx 443

 

[Deleted member 9563]

I may have been too hasty with the title. I was making an incorrect assumption and I'm in deeper trouble than I though. What I'm seeing is that I can ping the server with the tunnel address, and from the server I can ping everything. Checking ifconfig on both machines, the tunnel is definitely set up.

I have since checked and double checked my configuration against the OpenVPN instructions and man page. IP port forwarding is set up on the server and it has the exact iptables rules which are what are recommended in several places. The end result is that traffic is not going through the tunnel.

A key observation is that there is no traffic (other than ping to the server tunnel address) going anywhere when I have this in the client config:

redirect-gateway def1

When I remove that, traffic moves as usual, but not through the tunnel.

I am going through a router, but I doubt that matters. I am able to use OpenVPN with a commercial VPN provider, but I have no idea what they're doing on the server side. The setup for that is minimal on the client side and looks about like what I've done for this setup.

Since I posted the above config I have tried more combinations of common options than I can remember, but to no avail. I have also changed to UDP port 1194 just to check. Anyway, after spending two days on this I am not about to give up though. Any suggestions for what I can check or try would be gratefully accepted.

 

[Oko]

OJ I have two OpenVPN servers in production running on OpenBSD with zero downtime between 6 months updates. I am too tired after the work to go carefully through your posts. I can tell you just by skimming over your posts that most of your injuries are self inflicted. OpenVPN actually has a very good and extensive documentation. I recall it took me almost a week to read through it first time I got my feet wet.

 

[junovitch@]

I should probably post my client.conf as well:

...
ifconfig 10.x.x.2 10.x.x.1
redirect-gateway def1
...

I would have to check the OpenVPN documentation on this but I believe pushing routes as the configuration shows won't work when you do a static point to point configuration like this. If you want the client to accept routes you would need to use the client key word in your configuration. If you want to use a point to point tunnel you need to define a route as show at the bottom of https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html.

 

[Deleted member 9563]

Thanks @junovitch. Yes, the

redirect-gateway def1

directive is the part that doesn't work. I don't think it is needed or right, but try it anyway because of the large number of forums and web sites that quote that as a solution to IP not being redirected at the server.

The tunnel works just fine without that. I'm pretty sure I have the correct setup since it follows the documentation example. Also, on the client side OpenVPN works with a commercial server that I often use. I probably shouldn't have to push any routes or do anything on the client side and I'm just trying things in order to either get something that works or learn something. (hopefully both) BTW, the client directive gives this:

/etc/openvpn SCO#  openvpn --config /etc/openvpn/client.conf
Options error: specify only one of --tls-server, --tls-client, or --secret

I'm using the

proto tcp-client

directive though.

Thanks for the link by the way. It's a confirmation, but I've followed it to a "T". It's what I keep going back to after I've changed something. Like I said, the tunnel works just fine. The problem is that web traffic is not going over it. My static home IP is still showing.

The only thing I can think of is natting with iptables on the server. I've fooled with that quite a bit, but most examples in various how-to's are what I have already. I've followed this, and this.

I'm thinking that the static setup is simply not designed for redirection. The official documentation is heavily weighted toward office use and doesn't talk much about privacy. Perhaps I should change to TLS even though it's not quite right for this application. After several days of doing nothing but reading about this and trying various things, I'm about ready to accept that this is beyond me.

PS: I'm using OpenVZ based VPS from RamNode and I have TUN/TAP and PPP turned on.

 

[Oko]

I'm thinking that the static setup is simply not designed for redirection. The official documentation is heavily weighted toward office use and doesn't talk much about privacy.

I am not sure what you are after but OpenVPN biggest selling point IMHO is asymmetric approach. For example I have an external site which is firewalled and I want 24/7 the access to one of the machines. My solution is to use OpenVPN from that machine back to my main site. In some sense L2PT/IPsec works somewhat similarly. For site-to-site VPN IPSec is no brainier. Unfortunately FreeBSD doesn't come with IPSec so that is why I use OpenIKED/OpenBSD.

As a side note you really lost me with IPTables. The first thing I do on any Linux machine is turn off firewalled, IP tables, SELinux and all that stuff and put OpenBSD firewall in front of it

 

[Deleted member 9563]

I am not sure what you are after

I'm looking to use another IP and location. I buy services from a commercial vendor who provides that and gives me the advantage of choosing from a large number of servers around the world. However, I mostly just need something different from what I have and US based, so thought setting up my own (and faster) server would work, especially since strong security is not very important to me on a day to day basis.

As a side note you really lost me with IPTables. The first thing I do on any Linux machine is turn off firewalled, IP tables, SELinux and all that stuff and put OpenBSD firewall in front of it

Well that's what people are saying is a solution to the redirect problem. I'm not the only one who's encountered that, in fact it appears to be common. However, the solution that works seems to be either the redirect-gateway def1 directive, or iptables natting on the server, or both. Just as a check, I'll clear the iptables entries on the server and see what happens.

 

[Deleted member 9563]

The first thing I do on any Linux machine is turn off . . . IP tables . . .

Yes!!! Thanks man.

I made a script to clear the iptables so I could experiment. I didn't realize that the other stuff there was interacting negatively. Everything I put in was copied verbatim from several identical sets of instructions for OpenVpn that I found on the net. After clearing, I put one thing back (new tunnel address):

iptables -t nat -A POSTROUTING -s 192.x.x.0/24 -o venet0 -j MASQUERADE

and then added redirect-gateway def1 to client.conf.

And it's working!

I'm not sure where I'm at firewall wise now, but I'll look at that next. Also, I need to fix the DNS leak, but that's not crucial for this usage . . . and perhaps MASQUERADE should be SNAT instead, we'll see. Anyway, I'm on my way now!

Thanks too junovitch@ for looking at this.