OpenVPN DNS what am I doing wrong?

[tl5k5]

Hey all,
I've configured an instance of OPNsense with a OpenVPN server instance in a lab.
I have the DNS Default Domain and the DNS Servers set and they do show up in the remote windows client NIC status.
For some reason I can only ping IP addresses and not hostnames.
I have Force DNS cache update checked and that doesn't help.
I went with the OpenVPN Wizard's firewall rules.  Could that be an issue?

Any help would be appreciated.
Thanks!

[cryogenic666]

Can you ping those DNS servers? What happens if you try to do a nslookup using those DNS servers? I have a Pihole running on my network and did have to set it to allow clients not on the same subnet to query it in order for it to work, so depending on what you're doing for DNS, look into that as well. (if you can ping it but not nslookup, that's likely your issue)

[tl5k5]

On the client side nslookup is looking at the client network DNS and not the server side DNS.
How do you get around this?

[tl5k5]

I'm completely stumped by this.
Yes, I can ping the DNS server IP address from the WIndows 10 VPN client.
When I try to nslookup a hostname, it resolves with the local DNS and not the remote DNS.
Yes I have a Pi-Hole, but I've tested this with a co-workers home network and the same issue happens. (also WIndows 10)
BTW..I don't see how a Pi-Hole could stop a VPN connection.  I've not had any Pi-Hole related issues when using services like Private Internet Access.

Any guidance would be appreciated!

[bartjsmit]

What is the OS for your OpenVPN clients? Only Windows clients accept DHCP options set from the server. Non-Windows clients require a client script that reads the 'foreign_option' parameters pushed from the server.

https://openvpn.net/community-resources/pushing-dhcp-options-to-clients/

Bart...

[tl5k5]

We've only tested Windows 10 clients.

From ipconfig /all...I left out my local NIC info:


Windows IP Configuration

   Host Name . . . . . . . . . . . . : Win10-01
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : home-lan.local
                                       office-lan.local


Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : office-lan.local
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : xxx
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : xxx(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.222.66.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Lease Obtained. . . . . . . . . . : Monday, March 18, 2019 3:04:27 PM
   Lease Expires . . . . . . . . . . : Tuesday, March 17, 2020 3:04:27 PM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.222.66.9
   DHCPv6 IAID . . . . . . . . . . . : xxx
   DHCPv6 Client DUID. . . . . . . . : xxx
   DNS Servers . . . . . . . . . . . : 192.x.x.2
   Primary WINS Server . . . . . . . : 192.x.x.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

[bartjsmit]

Which clients on Windows? Viscocity and tunXten are worth trying beside the official client.

Also try running the client in the foreground; e.g. openvpn <config file> to see if you can spot any errors.

Bart...

[tl5k5]

I'm using the community OpenVPN client.
tuXten has the same symptoms as the community client.

I seemed to get further with Viscocity...ipconfig /all would show their adapter first in the list and the remote DNS would show up before the local.  With or without directing all traffic through the tunnel, the nslookup would not reply correctly, but it was at lease showing the IP address of the remote DNS.  The "server" would show up as unknown.

[bartjsmit]

You can try adding explicit push dhcp-option lines to your server config.

Advanced options, at the bottom of the server edit page.

Bart...

[Ciprian]

Hi!
The DNS queries are made from the tunnel interface, so you have to allow (create a "Pass" Rule for) the tunnel IP address (and even better, for the entire tunnel network, if you so see fit) on the OpenVPN interface in FW.
Hope it helps!
Good luck!

[tl5k5]

@bartjsmit the DHCP seems to be working properly.  The config seems to populate correctly.  It's just not communicating correctly.
UPDATE:  Pushing the DHCP made the DHCP IP show up twice in the list and did not fix the issue.

@hutiucip I have attached an image.  Are you saying I need to add a rule that is more specific than this?
UPDATE:  I added a pass rule on the OpenVPN to allow all from the tunnel IP network.  This didn't help.

[tl5k5]

I was testing on an esxi windows 10 vm.  I have switched over to a physical windows 10 machine and I see some different results.
1.  OpenVPN client seems to work a little better and tries to resolve to the remote DNS server.
2.  An nslookup now shows the  following:
C:\Users\user1>nslookup "hostname"
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.x.x.2

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

FYI...
3.  direct firewall pass rules tested with the tunnel IP address did not change any results.
4.  DNS is not provided by OPNsense, but a Nethserver instance. (if this makes a difference)

Thanks!

[bartjsmit]

Do you have a fully populated reverse zone on your DNS server? Windows clients do a reverse lookup of the DNS server itself.

Try a packet capture on the client to see any failed lookups.

Bart...

[tl5k5]

You may have just pushed me out of my knowledge zone.
I'll confirm reverse lookup, but I don't have the knowledge to do a packet capture.

It will be my Thursday before I can jump back on this.   Clients are calling!

Thanks!

[bartjsmit]

https://www.plixer.com/blog/scrutinizer/free-wireshark-training-packet-capture-101/
https://www.lifewire.com/wireshark-tutorial-4143298
https://wiki.wireshark.org/DNS

Time spent with the shark is never wasted

Bart...