LAN DNS resolution fails through OpenVPN when Adguard is enabled

Started by baz, October 20, 2022, 09:46:58 PM

When I connect to OpenVPN with my roadwarrior, unbound DNS resolution for local servers on the home network works fine. However, when AdGuard is enabled, DNS resolution for local computers fails when connected to the VPN, but works fine otherwise. Any ideas what the issue could be?

How do you achieve that clients use AGH? Are there port forwards redirecting DNS to AGH? Is AGH listening on OVPN IP? Does it work for roadwarriors not connected to LAN?
i am not an expert... just trying to help...

Are you running AdGuard Home on your OPNsense or are you running AdGuard in your client systems. Two different products.  ;)
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

>Are there port forwards redirecting DNS to AGH?

Adguard is set to port 53 and unbound was changed to port 5353, so no changes were needed to get clients to go to adguard on port 53, the only config change was setting adguard to use unbound for upstream.

> Is AGH listening on OVPN IP?

When I go to "setup guide" in adguard I do see my openvpn tunnel address listed: "172.16.1.1" - this is the root address of the tunnel network I setup "172.16.1.0/24".

> Does it work for roadwarriors not connected to LAN?

Yes, when I am on the mobile network, for example, I can navigate LAN servers by name.

> Are you running AdGuard Home on your OPNsense or are you running AdGuard in your client systems.

Adguard is running directly on the opnsense box through opnsense, same IP except on port 8080.

UPDATE:

@tiermutter your probing led me to discover something. In my OpenVPN client on my phone, I have been setting "override DNS settings by Server" to manually specify my DNS server at 192.168.10.1. This allows everything to work while I am on the mobile network but then causes DNS resolution to fail when I reconnect back to the LAN. If I undo this setting, and let the server specify everything, the reverse happens: I am able to navigate to services while connected to the LAN but not when on the mobile network. What is going on?

Quote from: baz on October 24, 2022, 04:22:07 PM
Adguard is running directly on the opnsense box through opnsense, same IP except on port 8080.
AdGuard cannot run on OPNsense. AdGuard Home can.

This is AdGuard, available for Windows, Mac, iOS, Android:
https://adguard.com/en/welcome.html

This is AdGuard Home, a DNS based ad blocker available for various platforms:
https://adguard.com/en/adguard-home/overview.html
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Gotcha, I am running Adguard Home installed through the plugins.

I have exactly the same issue. Switching off Adguard plugin, setting unbound back to port 53 (from 5353) and reconnecting to the OpenVPN server solves the issue.

The log from Adguard does show DNS requests from the connected OpenVPN client ip (from the openVPN client ip range). Apparently the reply does not arrive back at the client for some reason. I am unable to track where it is blocked.

Problem solved. The problem was caused by two mistakes I made in the configuration.
1) I forgot to activate the "DNS local domain" setting in the OpenVPN server setting and enter the local domain name in that setting. This makes sure that local names get trailed by the local domain for proper resolution.
2) I initially entered the local LAN ip for the local DNS server (192.168.10.254) in the OpenVPN server settings to pass to connected clients as DNS to use. This actually needs to be the (unassigned) interface address of the ovpns interface that hosts the tunnel network. In my case this is 192.168.20.1, which is automatically set when configuring the tunnel network as 192.168.20.0/24.

These two changes solved the problem. In Adguard settings I noticed that Adguard also listens on 192.168.20.1 next to 192.168.10.254. While I am unsure why it does work properly with 192.168.10.254 set in OpenVPN server as client DNS without Adguard installed (DNS local domain needs to be set in both cases) I guess it has something to do with routing between the two networks. As mentioned in my previous post the DNS request comes in, is forwarded to the local DNS (192.168.10.254:5353), a correct reply is received by Adguard, but somehow the reply is not sent back from 192.168.10.254 to the client at 192.168.20.x/24. While this does work without AdGuard..... Maybe an Adguard application issue..? :P
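Added illustration of the two fixes above, not code from this thread, from OPNsense or from OpenVPN: a small linter over the OpenVPN server directives that OPNsense generates from the "DNS Servers" and "DNS Default Domain" fields (`server`, `push "dhcp-option DNS ..."`, `push "dhcp-option DOMAIN ..."`). It flags the two mistakes described in the post: no local domain pushed, and a pushed DNS address that is not the server's own tunnel interface address. The two config snippets are constructed to mirror the thread (tunnel 192.168.20.0/24, LAN resolver 192.168.10.254, domain `home.lan` is an assumed placeholder), and the check assumes `topology subnet`, where the server takes the first host address of the tunnel network.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed sample configs mirroring the thread (not real OPNsense output).
# BROKEN_CONF pushes the LAN address of the resolver and no domain;
# FIXED_CONF pushes the tunnel interface address plus the local domain.
BROKEN_CONF = """\
server 192.168.20.0 255.255.255.0
push "dhcp-option DNS 192.168.10.254"
"""

FIXED_CONF = """\
server 192.168.20.0 255.255.255.0
push "dhcp-option DNS 192.168.20.1"
push "dhcp-option DOMAIN home.lan"
"""

SERVER_RE = re.compile(r'^\s*server\s+(\S+)\s+(\S+)\s*$')
PUSH_RE = re.compile(r'^\s*push\s+"dhcp-option\s+(DNS|DOMAIN)\s+(\S+)"\s*$')


def tunnel_network(conf: str) -> Optional[ipaddress.IPv4Network]:
    """Return the tunnel network from the 'server <net> <mask>' directive, if present."""
    for line in conf.splitlines():
        m = SERVER_RE.match(line)
        if m:
            # ip_network accepts the dotted-netmask form OpenVPN uses.
            return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return None


def lint_push_dns(conf: str) -> List[str]:
    """Return findings for the two misconfigurations; an empty list means both checks pass."""
    tunnel = tunnel_network(conf)
    if tunnel is None:
        return ["no 'server' directive: cannot determine the tunnel network"]

    dns_servers: List[str] = []
    domains: List[str] = []
    for line in conf.splitlines():
        m = PUSH_RE.match(line)
        if m:
            (dns_servers if m.group(1) == "DNS" else domains).append(m.group(2))

    findings: List[str] = []
    # Assumption: topology subnet, so the server side owns the first host address
    # of the tunnel network (192.168.20.1 for 192.168.20.0/24 in the thread).
    tunnel_if = next(tunnel.hosts())

    if not dns_servers:
        findings.append("no DNS server is pushed to clients")
    for dns in dns_servers:
        if ipaddress.ip_address(dns) != tunnel_if:
            findings.append(
                f"pushed DNS {dns} is not the tunnel interface address {tunnel_if}; "
                f"replies may not route back to clients in {tunnel}"
            )
    if not domains:
        findings.append("no DOMAIN is pushed: short hostnames will not get the local suffix")
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"{name}: {lint_push_dns(conf) or 'OK'}")
```

Run as a script it reports two findings for the broken snippet and `OK` for the fixed one; the same function can be pointed at a real generated server config to confirm the pushed resolver is the tunnel-side address rather than a LAN address.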