OpenVPN dont push DNS server to Windows clients

Started by trezyckz, May 27, 2024, 12:17:21 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
May 27, 2024, 12:17:21 PM Last Edit: May 27, 2024, 12:19:53 PM by germebl
Hey everyone,

in the past days i have setup OpenVPN including LDAP+TOTP Authentication. Actually i'm testing everything whats works and what dont work actually. One thing that does not work: Push DNS server to Windows clients.

The OPNsense version is:
OPNsense 24.1.6-amd64
FreeBSD 13.2-RELEASE-p11
OpenSSL 3.0.13

The OpenVPN Connect client version is:
3.4.4 (3412)

The following client settings are set:

  • Dynamic IP: Unchecked
  • Topology: Checked
  • DNS default Domain: Unchecked
  • DNS domain search list: my.lan
  • DNS servers: Checked -> 1 Entry: 10.0.0.1 (The OPNsense interal ip to use unbound)
  • Force DNS cache update: Checked
  • Prevent DNS leaks: Checked
  • NTP Servers: Unchecked
  • NetBIOS Options: Unchecked
  • Client Management Port: Unchecked
  • Use common name: Checked

Further i tried to add the following line to the clients config to test it explicit, but had no other result:
Code Select
dhcp-option DNS 10.0.0.1

I've checked "ipconfig /all" but the TUN device has no DNS server set. My WiFi has it's fritz.box as DNS server set.

We need a big bunch of DNS overrides and thats why i try to get the Unbound get used by the VPN clients explicit.

The System -> General has no DNS servers set and "Do not use the local DNS service as a nameserver for this system" is unchecked. Further "Allow DNS server list to be overridden by DHCP/PPP on WAN" is unchecked.

If i do a DNS lookup from console or WebGUI without setting a DNS server (so its using the default one) its using correctly the Unbound DNS on 127.0.0.1 and resolves correctly with the override.

Would be great if someone can help me out. Maybe i just forgot something?

Best regards
May 27, 2024, 12:26:25 PM #1 Last Edit: May 27, 2024, 12:29:39 PM by tiermutter
Quote from: germebl on May 27, 2024, 12:17:21 PM
  • DNS servers: Checked -> 1 Entry: 10.0.0.1 (The OPNsense interal ip to use unbound)

This should do all you need but
Quote from: germebl on May 27, 2024, 12:17:21 PM
The OpenVPN Connect client version is:
3.4.4 (3412)

This client was intended to be used for OpenVPN CONNECT / OVPN Access Server connections, not for self hosted OVPN servers.
I know that this client can be used today, but I don't know its behaviour. Maybe you should try the OVPN community client: https://openvpn.net/community-downloads/
i am not an expert... just trying to help...
May 27, 2024, 12:42:45 PM #2
Noooo way! It works... amazing... Thank you!

But regarding this - which client you would then recommend for MacOS and Linux?

For Linux i found this:
https://community.openvpn.net/openvpn/wiki/OpenVPN3Linux

But for Mac i just can find OpenVPN Connect. It turned out that Tunnelblick has multiple problems using the OpenVPN client config. I'm not that familiar with MacOS but we need it for some of our employees clients.
May 27, 2024, 12:50:20 PM #3
Sorry, I am also not familiar with Mac and I can also only find Tunnelblick... have you tried the OVPN Connect version here? Maybe on Mac it will work?!
i am not an expert... just trying to help...
May 27, 2024, 01:00:10 PM #4
Tunnelblick has been around for years, is actively maintained, and works great here. What exactly are your problems?

A paid software with a good reputation would be Viscosity, but I don't use it.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
May 27, 2024, 01:07:45 PM #5
Okay i needed some minutes to get a employee with Mac to test it:
- OpenVPN Connect does not work -> Same issue as mine
- Tunnelblick works

As before we used DNS of our UCS which Tunnelblick seemed to not like really much. I didnt noted down the exact warning but it was something like "warning dns server address is being used but should not be used". But since we changed our DNS now to Unbound DNS from the OPNsense Gateway it seems to work.

Some of our employees will now test it in the next 2-3 weeks. If everything works fine, we will roll out to everyone.

Thanks to you guys to help me out! Got struggled.
May 27, 2024, 01:35:13 PM #6
Tunnelblick has various builtin consistency checks and shows warnings in case the fail.

One of them is "is the DNS server that is configured with the tunnel active reachable through the tunnel at all?"

You can acknowledge and disable all of these warnings. Also if DNS servers pushed by the server are accepted or not is configurable.

Lots of tweaks, great community ... I would not call a single warning "a problem" without a successful investigation of the root cause. Warnings are a helpful thing most of the time.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
Print
Go Up Pages1
User actions