
VPN connection from the server breaks the DNS [solved]

misiu_mp
Posts: 9
Joined: 25 Jan 2012, 00:20

Post by misiu_mp »

I try to connect from the bubba 3 with an external OpenVPN server. The connection is established but name resolution stops working. I can ping from the b3 to the outside using ip numbers, but the name resolution doesn't work.

I did modify /etc/network/firewall.conf by adding:
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT

The same OpenVPN configuration works great when run from a laptop on the b3 governed local network.
Last edited by misiu_mp on 19 Sep 2012, 08:43, edited 1 time in total.
nobody
Posts: 226
Joined: 10 Mar 2012, 14:46

Re: VPN connection from the server breaks the DNS

Post by nobody »

Did you *check* the name resolution or did you just assume that this did not work because your pings did not return?
Try 'host' and 'dig' to verify the problem is with DNS, and on which end of the DNS. My guess is you're facing a routing issue, not a DNS issue.
Gordon
Posts: 1462
Joined: 10 Aug 2011, 03:18

Re: VPN connection from the server breaks the DNS

Post by Gordon »

Did you check your resolv.conf file?
misiu_mp
Posts: 9
Joined: 25 Jan 2012, 00:20

Re: VPN connection from the server breaks the DNS

Post by misiu_mp »

Thanks for your interest. I didn't expect to get a response so quickly.
I get unknown host from ping. The resolv.conf is populated and the addresses are pingable. It's not changed by openvpn.
This is with the vpn on:

   root@b3:/home/username# cat /etc/resolv.conf 
   nameserver 193.150.193.150
   nameserver 83.255.245.11
   root@b3:/home/username# dig @83.255.245.11 google.com

   ; <<>> DiG 9.7.3 <<>> @83.255.245.11 google.com
   ; (1 server found)
   ;; global options: +cmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 20139
   ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
   ;; WARNING: recursion requested but not available

   ;; QUESTION SECTION:
   ;google.com.			IN	A

   ;; Query time: 19 msec
   ;; SERVER: 83.255.245.11#53(83.255.245.11)
   ;; WHEN: Mon Sep 17 00:36:20 2012
   ;; MSG SIZE  rcvd: 28

The other server gives the same result.

With vpn off:

root@b3:/home/username# dig @83.255.245.11 google.com
; <<>> DiG 9.7.3 <<>> @83.255.245.11 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20504
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		33	IN	A	173.194.32.2
google.com.		33	IN	A	173.194.32.1
google.com.		33	IN	A	173.194.32.9
google.com.		33	IN	A	173.194.32.6
google.com.		33	IN	A	173.194.32.4
google.com.		33	IN	A	173.194.32.8
google.com.		33	IN	A	173.194.32.7
google.com.		33	IN	A	173.194.32.0
google.com.		33	IN	A	173.194.32.3
google.com.		33	IN	A	173.194.32.5
google.com.		33	IN	A	173.194.32.14

;; Query time: 22 msec
;; SERVER: 83.255.245.11#53(83.255.245.11)
;; WHEN: Mon Sep 17 00:45:06 2012
;; MSG SIZE  rcvd: 204

I'm no specialist at making sense of this but it looks like I am connecting to the DNS but it 'refuses' my request. Sometimes the refused answer comes right away and sometimes after a short timeout.
misiu_mp
Posts: 9
Joined: 25 Jan 2012, 00:20

Re: VPN connection from the server breaks the DNS

Post by misiu_mp »

nobody wrote: try 'host' and 'dig' to verify the problem is with DNS, and on which end of the DNS.
misiu_mp wrote: it looks like I am connecting to the DNS but it 'refuses' my request.
Ah, a spark of brilliance: what if my ISP dns refuses requests from outside of their networks?

I added 8.8.4.4 and 8.8.8.8 (google's dns) to resolv.conf et voila! - it works!

Hope this might be useful to someone else.
misiu_mp
Posts: 9
Joined: 25 Jan 2012, 00:20

Re: VPN connection from the server breaks the DNS

Post by misiu_mp »

Can anybody shed some light on whether it is common for ISPs to block dns requests in this manner?

Btw, from what I can tell, the reason it worked on the laptop is that it uses the b3 as dns (local network), which in turn requests the isp dns outside of vpn (so your isp knows it's you requesting the name resolutions). I see this as a privacy vulnerability when using vpn on the clients with the b3 as dns.
Any thoughts?
Gordon
Posts: 1462
Joined: 10 Aug 2011, 03:18

Re: VPN connection from the server breaks the DNS

Post by Gordon »

Hmmm right, that explains it then.

The issue here is that your default route is changed, which is actually strange for non-PPTP VPN. Now *all* your traffic gets routed through the VPN and it is very likely that you will have several issues with services that your ISP provides, including email. If this is not your intention but you just want to have a secure line to a remote LAN environment, you should change your VPN parameters so that it only adds a route to that remote network and does not change the default route.
nobody
Posts: 226
Joined: 10 Mar 2012, 14:46

Re: VPN connection from the server breaks the DNS

Post by nobody »

This is actually not trivial, as the vpn-connector (at least the one to connect to cisco vpn) ignores these options and keeps on changing default route. Truly annoying. I gave up after a few days as I needed to reboot all the time because the vpn connector misrouted the active shell session as well....
Gordon
Posts: 1462
Joined: 10 Aug 2011, 03:18

Re: VPN connection from the server breaks the DNS

Post by Gordon »

Why not add an if-up script for that interface then? Just add routes for whatever networks you want to access on the other side of the tunnel and change defaultroute back to let all the other traffic go straight out. That will also leave your services operable from the outside (if you care for those of course).
misiu_mp
Posts: 9
Joined: 25 Jan 2012, 00:20

Re: VPN connection from the server breaks the DNS

Post by misiu_mp »

The purpose of my setup is anonymisation, so I opted for adding external dns servers to my dhcp client configuration (dhclient.conf) on the b3:

prepend domain-name-servers 8.8.8.8, 8.8.4.4;

I can confirm though that routing the access to the isp dns servers directly through my isp and outside of vpn also fixed the issue. I didn't try to make this persistent:

ip route add 83.255.245.11 via 83.255.245.1
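
Added example, not part of the thread: a sketch of the if-up style script Gordon suggests, which also makes the host route from the last post persistent and classifies dig replies the way the thread did by hand. The function names are made up for this example; it assumes the script is hooked in as an OpenVPN `up` script (which needs `script-security 2`), where OpenVPN exports `route_net_gateway`. Pinning the ISP resolvers this way sends DNS queries outside the tunnel, so it fits the remote-LAN case, not the anonymisation setup.

```sh
#!/bin/sh
# Added example, not from the thread; function names are made up here.

# Header lines dig printed in the thread while the VPN was up.
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 20139
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# IPv4 resolvers listed in a resolv.conf-style file ($1).
nameservers() {
    awk '$1 == "nameserver" && $2 ~ /^[0-9.]+$/ { print $2 }' "$1"
}

# Classify one dig reply read from stdin.
diagnose() {
    reply=$(cat)
    status=$(printf '%s\n' "$reply" |
        sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p')
    flags=$(printf '%s\n' "$reply" | sed -n 's/.*;; flags: \([a-z ]*\);.*/\1/p')
    case "$status" in
        "") echo "no-reply" ;;   # nothing came back: routing or firewall
        REFUSED)
            case " $flags " in
                *" ra "*) echo "refused" ;;
                *) echo "refused-no-recursion" ;;   # reachable, closed to this source
            esac ;;
        *) echo "$status" ;;
    esac
}

# Ask every configured resolver and print "<address> <verdict>".
check_resolvers() {
    nameservers "${1:-/etc/resolv.conf}" | while read -r ns; do
        printf '%s %s\n' "$ns" "$(dig +time=2 +tries=1 "@$ns" google.com | diagnose)"
    done
}

# One host route per resolver via gateway $2. "replace" instead of the
# thread's "add" so that a reconnect does not fail on an existing route.
pin_routes() {
    nameservers "$1" | while read -r ns; do
        echo "ip route replace $ns/32 via $2"
    done
}

# OpenVPN exports route_net_gateway (the pre-tunnel default gateway) to its scripts.
if [ -n "${route_net_gateway:-}" ]; then
    pin_routes /etc/resolv.conf "$route_net_gateway" | sh
fi
```

Running `check_resolvers` with the tunnel up and again with it down shows which resolvers only answer from the ISP's own address space.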