OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: tl5k5 on March 13, 2019, 10:12:00 pm

Title: OpenVPN DNS what am I doing wrong?
Post by: tl5k5 on March 13, 2019, 10:12:00 pm
Hey all,
I've configured an instance of OPNsense with an OpenVPN server instance in a lab.
I have the DNS Default Domain and the DNS Servers set and they do show up in the remote windows client NIC status.
For some reason I can only ping IP addresses and not hostnames.
I have Force DNS cache update checked and that doesn't help.
I went with the OpenVPN Wizard's firewall rules.  Could that be an issue?

Any help would be appreciated.
Thanks!
Title: Re: OpenVPN DNS what am I doing wrong?
Post by: cryogenic666 on March 14, 2019, 12:50:44 am
Can you ping those DNS servers? What happens if you try to do a nslookup using those DNS servers? I have a Pihole running on my network and did have to set it to allow clients not on the same subnet to query it in order for it to work, so depending on what you're doing for DNS, look into that as well. (if you can ping it but not nslookup, that's likely your issue)
Title: Re: OpenVPN DNS what am I doing wrong?
Post by: tl5k5 on March 15, 2019, 08:28:23 pm
On the client side nslookup is looking at the client network DNS and not the server side DNS.
How do you get around this?

Title: Re: OpenVPN DNS what am I doing wrong?
Post by: tl5k5 on March 18, 2019, 09:11:48 pm
I'm completely stumped by this.
Yes, I can ping the DNS server IP address from the Windows 10 VPN client.
When I try to nslookup a hostname, it resolves with the local DNS and not the remote DNS.
Yes I have a Pi-Hole, but I've tested this with a co-worker's home network and the same issue happens. (also Windows 10)
BTW... I don't see how a Pi-Hole could stop a VPN connection.  I've not had any Pi-Hole related issues when using services like Private Internet Access.

Any guidance would be appreciated!
Title: Re: OpenVPN DNS what am I doing wrong?
Post by: bartjsmit on March 18, 2019, 09:44:37 pm
What is the OS for your OpenVPN clients? Only Windows clients accept DHCP options set from the server. Non-Windows clients require a client script that reads the 'foreign_option' parameters pushed from the server.

https://openvpn.net/community-resources/pushing-dhcp-options-to-clients/

Bart...
Title: Re: OpenVPN DNS what am I doing wrong?
Post by: tl5k5 on March 18, 2019, 09:59:01 pm
We've only tested Windows 10 clients.

From ipconfig /all...I left out my local NIC info:


Windows IP Configuration

   Host Name . . . . . . . . . . . . : Win10-01
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : home-lan.local
                                       office-lan.local


Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : office-lan.local
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : xxx
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : xxx(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.222.66.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Lease Obtained. . . . . . . . . . : Monday, March 18, 2019 3:04:27 PM
   Lease Expires . . . . . . . . . . : Tuesday, March 17, 2020 3:04:27 PM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.222.66.9
   DHCPv6 IAID . . . . . . . . . . . : xxx
   DHCPv6 Client DUID. . . . . . . . : xxx
   DNS Servers . . . . . . . . . . . : 192.x.x.2
   Primary WINS Server . . . . . . . : 192.x.x.2
   NetBIOS over Tcpip. . . . . . . . : Enabled
Title: Re: OpenVPN DNS what am I doing wrong?
Post by: bartjsmit on March 18, 2019, 10:07:07 pm
Which clients on Windows? Viscosity and tunXten are worth trying beside the official client.

Also try running the client in the foreground; e.g. openvpn <config file> to see if you can spot any errors.

Bart...
Title: Re: OpenVPN DNS what am I doing wrong?
Post by: tl5k5 on March 19, 2019, 12:14:15 am
I'm using the community OpenVPN client.
tunXten has the same symptoms as the community client.

I seemed to get further with Viscosity...ipconfig /all would show their adapter first in the list and the remote DNS would show up before the local.  With or without directing all traffic through the tunnel, the nslookup would not reply correctly, but it was at least showing the IP address of the remote DNS.  The "server" would show up as unknown.
Title: Re: OpenVPN DNS what am I doing wrong?
Post by: bartjsmit on March 19, 2019, 03:22:50 pm
You can try adding explicit push dhcp-option lines to your server config.

Advanced options, at the bottom of the server edit page.

Bart...
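As an added illustration of the push lines Bart is referring to (this fragment is not from the thread, from OPNsense or from the OpenVPN project), here is what explicit DNS pushes look like in OpenVPN server syntax. The DNS address 192.0.2.2 is a placeholder; office-lan.local is the suffix that appears in the ipconfig output earlier in the thread. In OPNsense's Advanced box the directives are entered on one line separated by semicolons; in a plain openvpn server.conf they go one per line as shown.

```conf
# Added example, not from the thread. Replace 192.0.2.2 with the real
# internal DNS server reachable through the tunnel.
push "dhcp-option DNS 192.0.2.2"
push "dhcp-option DOMAIN office-lan.local"

# Windows clients (OpenVPN 2.3.9 or newer) honour this option; it stops the
# Windows resolver from also sending queries to the DNS server on the local
# NIC, which is why a client can show the tunnel DNS in ipconfig yet still
# resolve names through the home network. Non-Windows clients log a warning
# and ignore it.
push "block-outside-dns"
```

After changing the server config, reconnect the client and check the client log: the pushed options appear in the PUSH_REPLY line, and a client that does not understand one of them reports it there.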
Title: Re: OpenVPN DNS what am I doing wrong?
Post by: Ciprian on March 19, 2019, 04:01:05 pm
Hi!
The DNS queries are made from the tunnel interface, so you have to allow (create a "Pass" Rule for) the tunnel IP address (and even better, for the entire tunnel network, if you so see fit) on the OpenVPN interface in FW.
Hope it helps!
Good luck!
Title: Re: OpenVPN DNS what am I doing wrong?
Post by: tl5k5 on March 19, 2019, 04:41:37 pm
@bartjsmit the DHCP seems to be working properly.  The config seems to populate correctly.  It's just not communicating correctly.
UPDATE:  Pushing the DHCP made the DHCP IP show up twice in the list and did not fix the issue.

@hutiucip I have attached an image.  Are you saying I need to add a rule that is more specific than this?
UPDATE:  I added a pass rule on the OpenVPN to allow all from the tunnel IP network.  This didn't help.
Title: Re: OpenVPN DNS what am I doing wrong?
Post by: tl5k5 on March 19, 2019, 06:01:12 pm
I was testing on an ESXi Windows 10 VM.  I have switched over to a physical Windows 10 machine and I see some different results.
1.  OpenVPN client seems to work a little better and tries to resolve to the remote DNS server.
2.  An nslookup now shows the following:
C:\Users\user1>nslookup "hostname"
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.x.x.2

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out


FYI...
3.  direct firewall pass rules tested with the tunnel IP address did not change any results.
4.  DNS is not provided by OPNsense, but a Nethserver instance. (if this makes a difference)

Thanks!
Title: Re: OpenVPN DNS what am I doing wrong?
Post by: bartjsmit on March 20, 2019, 08:14:24 am
Do you have a fully populated reverse zone on your DNS server? Windows clients do a reverse lookup of the DNS server itself.

Try a packet capture on the client to see any failed lookups.

Bart...
Title: Re: OpenVPN DNS what am I doing wrong?
Post by: tl5k5 on March 20, 2019, 02:44:39 pm
You may have just pushed me out of my knowledge zone.
I'll confirm reverse lookup, but I don't have the knowledge to do a packet capture.

It will be my Thursday before I can jump back on this.   Clients are calling!

Thanks!
Title: Re: OpenVPN DNS what am I doing wrong?
Post by: bartjsmit on March 20, 2019, 09:50:54 pm
https://www.plixer.com/blog/scrutinizer/free-wireshark-training-packet-capture-101/
https://www.lifewire.com/wireshark-tutorial-4143298
https://wiki.wireshark.org/DNS

Time spent with the shark is never wasted

Bart...
Title: Re: OpenVPN DNS what am I doing wrong?
Post by: tl5k5 on March 21, 2019, 06:55:06 pm

Do you have a fully populated reverse zone on your DNS server? Windows clients do a reverse lookup of the DNS server itself.

Try a packet capture on the client to see any failed lookups.

Bart...


I'm using Nethserver for DNS among other things.  Nethserver uses dnsmasq and the FQDNs are in the /etc/hosts file.
Is there anything else in my dnsmasq setup I should look for?

I'm still working through Wireshark.  When I know something I'll post it.

Thanks!
Title: Re: OpenVPN DNS what am I doing wrong?
Post by: tl5k5 on March 21, 2019, 09:58:00 pm
Wireshark shows the following when I run nslookup on the client:

OpenVPN local and VPN traffic allowed
395   40.241244   127.0.0.1   127.0.0.1   TCP   128   25340 → 52564 [PSH, ACK] Seq=352 Ack=1 Win=10233 Len=22
396   40.241276   127.0.0.1   127.0.0.1   TCP   84   52564 → 25340 [ACK] Seq=1 Ack=374 Win=1270 Len=0
nslookup returns pi-hole as server with local pi-hole IP address
No DNS info detected

OpenVPN VPN traffic only allowed
289   105.769055   127.0.0.1   127.0.0.1   TCP   128   25341 → 52578 [PSH, ACK] Seq=440 Ack=1 Win=10233 Len=22
290   105.769078   127.0.0.1   127.0.0.1   TCP   84   52578 → 25341 [ACK] Seq=1 Ack=462 Win=1270 Len=0
nslookup returns pi-hole as server with local pi-hole IP address
No DNS info detected


Viscosity local and VPN traffic allowed
47   31.517657   127.0.0.1   127.0.0.1   DNS   140   Standard query 0x0001 PTR 1.0.0.127.in-addr.arpa
48   31.517855   127.0.0.1   127.0.0.1   DNS   230   Standard query response 0x0001 PTR 1.0.0.127.in-addr.arpa PTR Viscosity
49   31.519132   127.0.0.1   127.0.0.1   DNS   150   Standard query 0x0002 PTR 21.x.x.192.in-addr.arpa
50   35.520116   127.0.0.1   127.0.0.1   DNS   84   Standard query 0xd161
nslookup returns Viscosity as the server with 127.0.0.1 IP address
DNS info detected but still no proper nslookup info returned on screen.
Title: Re: OpenVPN DNS what am I doing wrong?
Post by: bartjsmit on March 21, 2019, 11:13:42 pm
Does any DNS traffic make it to the Pi? None seems to go out from your traces
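Bart's two questions (is there a populated reverse zone, and does any DNS traffic actually leave the client) reduce to one check: send a query straight to the tunnel DNS server, bypassing the Windows resolver and nslookup, and see whether an answer comes back. The script below is an added example; it is not code from the thread, from OPNsense, OpenVPN or Nethserver. The server address 192.0.2.2 and the host name are placeholders, and build_a_response only constructs a sample reply so the parser can be exercised offline.

```python
"""Direct DNS probe for tunnel troubleshooting (added example, not from the thread)."""
import random
import socket
import struct

A_RECORD = 1     # forward lookup
PTR_RECORD = 12  # reverse lookup; nslookup does one of these first to name the server


def encode_name(name: str) -> bytes:
    """Encode 'host.example' as DNS wire labels: b'\\x04host\\x07example\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def reverse_name(ipv4: str) -> str:
    """The in-addr.arpa name the server must hold a PTR record for."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"


def build_query(name: str, qtype: int, txid: int) -> bytes:
    """One question, recursion desired, class IN, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg: bytes, offset: int):
    """Read a (possibly compressed) name; return (name, offset just after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg: bytes, expected_txid: int) -> dict:
    """Return the rcode and a list of (name, type, ttl, value) answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply?)")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == A_RECORD and rdlen == 4:
            value = socket.inet_ntoa(msg[offset:offset + 4])
        elif rtype == PTR_RECORD:
            value, _ = decode_name(msg, offset)
        else:
            value = msg[offset:offset + rdlen].hex()
        answers.append((name, rtype, ttl, value))
        offset += rdlen
    return {"rcode": flags & 0x000F, "answers": answers}


def probe(server: str, name: str, qtype: int = A_RECORD, timeout: float = 2.0) -> dict:
    """Send one UDP query straight to `server`, bypassing the OS resolver."""
    txid = random.randrange(0x10000)
    query = build_query(name, qtype, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)  # raises socket.timeout if nothing comes back
    return parse_response(data, txid)


def build_a_response(query: bytes, ipv4: str, ttl: int = 300) -> bytes:
    """Constructed sample reply for offline testing: echo the question, add one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, 1, ttl, 4) + socket.inet_aton(ipv4)
    return header + query[12:] + answer


if __name__ == "__main__":
    import sys
    server, host = sys.argv[1], sys.argv[2]  # e.g. 192.0.2.2 host.office-lan.local (placeholders)
    for label, qname, qtype in (("PTR of server", reverse_name(server), PTR_RECORD),
                                ("A", host, A_RECORD)):
        try:
            print(label, probe(server, qname, qtype))
        except socket.timeout:
            print(label, "timed out: no answer came back through the tunnel")
```

Run it from the connected client with the tunnel DNS address and an internal host name. The PTR probe reproduces the lookup nslookup performs before anything else: an NXDOMAIN there (rcode 3) only explains the "Server: UnKnown" line and is harmless, whereas a timeout on both probes means the query never reaches the server (route or firewall), and a successful A answer here combined with a failing nslookup points at the Windows resolver choosing the local NIC's DNS server instead of the tunnel's.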
Title: Re: OpenVPN DNS what am I doing wrong?
Post by: tl5k5 on March 22, 2019, 05:09:09 pm
1. On the VM running OpenVPN, nslookup shows the pi-hole as the DNS server...but Wireshark shows no DNS traffic.
2. On a physical machine running OpenVPN, nslookup shows no name for the server but returns the proper remote DNS IP address.
     a. On the physical machine, OpenVPN local and remote traffic allowed = no Wireshark traffic
     b. Also on the physical machine, OpenVPN all traffic tunneled = shows some MDNS traffic, but nothing returns.

This MDNS traffic seems to mainly be this:
2029   126.772892   10.222.77.6   224.0.0.251   MDNS   116   Standard query 0x0000 A wpad.local, "QM" question


This is really starting to wear on me.  Is there any hope or should I just use IP addresses???

UPDATE:
I've attached a Wireshark screen capture of just the OpenVPN interface.  Maybe this will shed some light.
Title: Re: OpenVPN DNS what am I doing wrong?
Post by: bartjsmit on March 22, 2019, 08:19:23 pm
Troubleshooting this is tricky and mostly iterative.

If you can, set up a test environment that is much simpler. I.e. confirm that DNS works with OpenVPN and Unbound on OPNsense and then introduce elements from your setup until it breaks.

Bart...
Title: Re: OpenVPN DNS what am I doing wrong?
Post by: tl5k5 on March 22, 2019, 08:52:59 pm
This is a demo/lab setup.
I'll switch to Unbound on OPNsense to see what happens.
Thanks!