VPN connection from the server breaks the DNS [solved]
Posted: 16 Sep 2012, 11:27
by misiu_mp
I try to connect from the bubba 3 to an external OpenVPN server. The connection is established but name resolution stops working. I can ping from the b3 to the outside using IP numbers, but the name resolution doesn't work.
I did modify /etc/network/firewall.conf by adding:
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
The same OpenVPN configuration works great when run from a laptop on the b3 governed local network.
Re: VPN connection from the server breaks the DNS
Posted: 16 Sep 2012, 13:53
by nobody
Did you *check* the name resolution or did you just assume that this did not work because your pings did not return?
Try 'host' and 'dig' to verify the problem is with DNS, and on which end of the DNS. My guess is you're facing a routing issue, not a DNS issue.
Re: VPN connection from the server breaks the DNS
Posted: 16 Sep 2012, 14:50
by Gordon
Did you check your resolv.conf file?
Re: VPN connection from the server breaks the DNS
Posted: 16 Sep 2012, 19:09
by misiu_mp
Thanks for your interest. I didn't expect to get a response so quickly.
I get unknown host from ping. The resolv.conf is populated and the addresses are pingable. It's not changed by openvpn.
This is with the vpn on:
root@b3:/home/username# cat /etc/resolv.conf
nameserver 193.150.193.150
nameserver 83.255.245.11
root@b3:/home/username# dig @83.255.245.11 google.com
; <<>> DiG 9.7.3 <<>> @83.255.245.11 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 20139
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;google.com. IN A
;; Query time: 19 msec
;; SERVER: 83.255.245.11#53(83.255.245.11)
;; WHEN: Mon Sep 17 00:36:20 2012
;; MSG SIZE rcvd: 28
The other server gives the same result.
With vpn off:
root@b3:/home/username# dig @83.255.245.11 google.com
; <<>> DiG 9.7.3 <<>> @83.255.245.11 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20504
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 33 IN A 173.194.32.2
google.com. 33 IN A 173.194.32.1
google.com. 33 IN A 173.194.32.9
google.com. 33 IN A 173.194.32.6
google.com. 33 IN A 173.194.32.4
google.com. 33 IN A 173.194.32.8
google.com. 33 IN A 173.194.32.7
google.com. 33 IN A 173.194.32.0
google.com. 33 IN A 173.194.32.3
google.com. 33 IN A 173.194.32.5
google.com. 33 IN A 173.194.32.14
;; Query time: 22 msec
;; SERVER: 83.255.245.11#53(83.255.245.11)
;; WHEN: Mon Sep 17 00:45:06 2012
;; MSG SIZE rcvd: 204
I'm no specialist at making sense of this, but it looks like I am connecting to the DNS but it 'refuses' my request. Sometimes the refused answer comes right away and sometimes after a short timeout.
Re: VPN connection from the server breaks the DNS
Posted: 16 Sep 2012, 19:36
by misiu_mp
nobody wrote:
try 'host' and 'dig' to verify the problem is with DNS, and on which end of the DNS.
misiu_mp wrote:
it looks like I am connecting to the DNS but it 'refuses' my request.
Ah, a spark of brilliance: what if my ISP DNS refuses requests from outside of their networks?
I added 8.8.4.4 and 8.8.8.8 (Google's DNS) to resolv.conf et voilà, it works!
Hope this might be useful to someone else.
Re: VPN connection from the server breaks the DNS
Posted: 16 Sep 2012, 19:51
by misiu_mp
Can anybody shed some light on whether it is common for ISPs to block DNS requests in this manner?
Btw, from what I can tell, the reason it worked on the laptop is that it uses the b3 as DNS (local network), which in turn requests the ISP DNS outside of the VPN (so your ISP knows it's you requesting the name resolutions). I see this as a privacy vulnerability when using VPN on the clients with the b3 as DNS.
Any thoughts?
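The two symptoms discussed in this thread (the ISP resolver answering REFUSED once queries leave via the tunnel, and LAN clients' lookups being forwarded to the ISP outside the VPN) can be checked per resolver with a small script. This is an added example, not code from the thread: it reads the nameservers from resolv.conf, classifies each by the dig status it returns, and reports whether the route to it goes over a tun/tap device (the parsing helpers take dig and `ip route get` output on stdin so they can be tested with constructed lines).

```shell
#!/bin/sh
# Added example: classify each resolver by dig status and by egress path.

# dig_status: print the status field (NOERROR, REFUSED, ...) from dig output on stdin.
dig_status() {
    sed -n 's/.*->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p'
}

# via_tunnel: read `ip route get <addr>` output on stdin; print "yes" when the
# egress device is a tun*/tap* interface (query leaves through the VPN), else "no".
via_tunnel() {
    dev=$(sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1)
    case "$dev" in
        tun*|tap*) echo yes ;;
        *) echo no ;;
    esac
}

# resolvers: list the nameserver addresses from the resolv.conf given as $1.
resolvers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# check_resolvers: live check (needs dig and ip); a resolver that shows
# status=REFUSED via_tunnel=yes is the failure mode seen in this thread, and one
# with status=NOERROR via_tunnel=no is a lookup your ISP can observe outside the VPN.
check_resolvers() {
    for ns in $(resolvers /etc/resolv.conf); do
        status=$(dig @"$ns" google.com +time=3 +tries=1 2>/dev/null | dig_status)
        tun=$(ip route get "$ns" | via_tunnel)
        printf '%s status=%s via_tunnel=%s\n' "$ns" "${status:-NO_ANSWER}" "$tun"
    done
}
```

Run `check_resolvers` with the VPN up and again with it down to compare the two columns per resolver.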
Re: VPN connection from the server breaks the DNS
Posted: 17 Sep 2012, 11:46
by Gordon
Hmmm right, that explains it then.
The issue here is that your default route is changed, which is actually strange for a non-PPTP VPN. Now *all* your traffic gets routed through the VPN and it is very likely that you will have several issues with services that your ISP provides, including email. If this is not your intention but you just want to have a secure line to a remote LAN environment, you should change your VPN parameters so that it only adds a route to that remote network and does not change the default route.
Re: VPN connection from the server breaks the DNS
Posted: 18 Sep 2012, 12:32
by nobody
This is actually not trivial, as the vpn-connector (at least the one to connect to Cisco VPN) ignores these options and keeps on changing the default route. Truly annoying. I gave up after a few days as I needed to reboot all the time because the vpn connector misrouted the active shell session as well....
Re: VPN connection from the server breaks the DNS
Posted: 19 Sep 2012, 05:26
by Gordon
Why not add an if-up script for that interface then? Just add routes for whatever networks you want to access on the other side of the tunnel and change the default route back to let all the other traffic go straight out. That will also leave your services operable from the outside (if you care for those of course).
Re: VPN connection from the server breaks the DNS
Posted: 19 Sep 2012, 08:42
by misiu_mp
The purpose of my setup is anonymisation, so I opted for adding external DNS servers to my DHCP client configuration (dhclient.conf) on the b3:
prepend domain-name-servers 8.8.8.8, 8.8.4.4;
I can confirm though that routing the access to the ISP DNS servers directly through my ISP and outside of the VPN also fixed the issue. I didn't try to make this persistent:
ip route add 83.255.245.11 via 83.255.245.1