
Cannot resolve DNS with nyr openvpn script


akhfa Member

Hi all, I need help with the Nyr openvpn script

https://github.com/Nyr/openvpn-install

I have 2 cases here:

First: 
OS: Centos 7
firewall: iptables
IP: my-vps-public-ip
protocol: UDP
port: 1194
DNS: google

The problem with this configuration is that I can ping an IP but cannot ping a domain, so this configuration cannot resolve DNS. This is the iptables result:

# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1194
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  10.8.0.0/24          0.0.0.0/0           
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  10.8.0.0/24         !10.8.0.0/24          to:server-public-ip

Second: I got the info from https://github.com/Nyr/openvpn-install/issues/357
OS: Centos 7
firewall: iptables
IP: my-vps-**private**-ip
protocol: UDP
port: 1194
DNS: google
external IP: my-vps-public-ip

With this configuration, I cannot ping IP and domain.

I don't know what's wrong here. SELinux was already disabled. I installed this script on an empty VPS. I remember that I could easily set up a VPN with this script a long time ago, but now it's just not working. Trying with Ubuntu and the default configuration, still no luck :(

I use Manjaro with the command sudo openvpn --config client.ovpn. I also asked my friend who uses Windows to verify whether the VPN is working, but the DNS problem still appears.

Any recommendation I can try? :(

Comments

  • AlexJones Member
    edited September 30

    Check to make sure that if you are forcing your DNS thru Windows etc. you disable the part in the openvpn config that blocks outside DNS. Also make sure IP forwarding is enabled and you are using iptables to NAT too. Also you don't need to enable SELinux.

  • akhfa Member
    edited September 30

    @AlexJones said: Check to make sure that if you are forcing your dns thru windows etc you disable the part in the openvpn config that blocks outside dns.

    Any suggestion how I can check this? When I install openvpn, manually or using a script, I usually get stuck on DNS like now, and I don't know what's wrong here because, to be honest, I'm not familiar with detailed openvpn configuration.

    Also make sure ip forwarding is enabled and you are using iptables to Nat too

    Yes, the script already enables ipv4.forward in sysctl. I'm not sure about the NAT config in iptables that the script made, but I think there is no problem with this.

  • OpenVZ or KVM? And did you test with TCP mode? Maybe your provider blocked UDP.

  • WSS Member
    edited September 30

    After the network is up, what happens if you try to trace to 8.8.8.8?

    In 2001, Bugle Boy closed all 215 of its U.S. outlet stores in an agreement with the U.S. Bankruptcy Court.

  • akhfa Member
    edited September 30

    @robohost said: OpenVZ or KVM? And did you test with TCP mode? Maybe your provider blocked UDP.

    I tried this on DigitalOcean and Vultr with similar results. I think there is no UDP block here. Some time ago I also tried using a custom TCP port with no luck.

    @WSS said: After the network is up, what happens if you try to trace to 8.8.8.8?

    I can ping 8.8.8.8. When I try to trace the path, there are more than ~30 hops so it stops. But I can confirm that the VPN IP and the VPS gateway IP are in the trace output.

    Do any of you run this script on DO or Vultr with no DNS issue, so that you can browse websites?

  • WSS Member

    I have not tried it with either DO, or Vultr. The fact that you can send/receive ICMP tells me it seems to be up. What's your /etc/resolv.conf look like?


  • Neoon Member
    edited September 30

    You may try the fork: https://github.com/Angristan/OpenVPN-install

    This Fork uses the official OpenVPN packages instead of the Debian repo, these are newer and could solve your issue.

    Also I recommend this Fork, because of the improved security settings.

  • AlexJones Member
    edited September 30

    Try removing the setenv opt block-outside-dns in the openvpn client-side config files. Try the following NAT rules before your firewall:

    /sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    /sbin/iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT

    /sbin/iptables -A FORWARD -j DROP

    /sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to ####IPHERE

  • akhfa Member
    edited September 30

    @WSS said: I have not tried it with either DO, or Vultr. The fact that you can send/receive ICMP tells me it seems to be up. What's your /etc/resolv.conf look like?

    In my client, it's just 2 nameserver records set by my DHCP server. In the VPS, I don't know whose IP this is. I didn't edit this manually.

    ; generated by /usr/sbin/dhclient-script
    nameserver 108.61.10.10
    

    @Neoon said: You may try the fork: https://github.com/Angristan/OpenVPN-install

    This Fork uses the official OpenVPN packages instead of the Debian repo, these are newer and could solve your issue.

    Also I recommend this Fork, because of the improved security settings.

    Thank you for the suggestion. Can you use the VPN to browse directly after running this script? Can I know your server specification, like the OS and the server provider?

    As far as I remember, I also tried this script after I failed using Nyr's, but the result was similar. Maybe I will try again tomorrow.

  • WSS Member

    It looks like it's using your dhcp client to set the DNS. If you set it to 8.8.8.8, it'll probably work perfectly fine. A lot of providers don't like their DNS being used externally.


  • @akhfa both the scripts are essentially the same. The problem is with your setup.

  • akhfa Member
    edited September 30

    @AlexJones said: Try removing the setenv opt block-outside-dns in the openvpn client side config files.

    I recently did this and tried; still the same as before.

    Try the following nat rules before your firewall

    /sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    /sbin/iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT

    These rules are already in my iptables.

    /sbin/iptables -A FORWARD -j DROP

    I deleted this rule to make sure there is no blocking "forward rule", of course after I failed to resolve DNS.

    /sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to ####IPHERE

    What is the difference between the rule above and the rule the script created, below?

    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source ####IPHERE

  • @WSS said: It looks like it's using your dhcp client to set the DNS. If you set it to 8.8.8.8, it'll probably work perfectly fine. A lot of providers don't like their DNS being used externally.

    Tried this without a reboot; the DNS is still not resolved. I think my client will use the VPS's DNS resolver if I choose it when I install the VPN server. In my case, I chose Google DNS (option 2), so I think the DNS requests will be forwarded to Google DNS, isn't it?

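The replies so far name three server-side pieces for a working tunnel: kernel IP forwarding, a FORWARD rule that accepts the tunnel subnet before any blanket DROP/REJECT, and a POSTROUTING SNAT (or MASQUERADE) rule for that subnet. The script below is an added example, not from the thread or from Nyr's script, that tests those three conditions against the text of `iptables -S FORWARD`, `iptables -t nat -S POSTROUTING` and the `net.ipv4.ip_forward` sysctl, so it can be run on saved output as well as on a live box. The subnet 10.8.0.0/24 is the one in the thread's server.conf; the check accepts both the plain SNAT rule AlexJones posted and the script's `! -d 10.8.0.0/24` variant (the extra match only keeps client-to-client traffic from being NATed).

```bash
#!/bin/bash
# Added example: verify the three server-side pieces the replies point at.
# Inputs are the text of `iptables -S FORWARD`, `iptables -t nat -S POSTROUTING`
# and the value of net.ipv4.ip_forward, so it also works on saved output.

VPN_NET="10.8.0.0/24"           # tunnel subnet from the thread's server.conf

# Escape the dots so the subnet is matched literally by grep -E.
vpn_net_re() {
    printf '%s' "$VPN_NET" | sed 's/\./\\./g'
}

# check_forwarding <ip_forward value>: 0 when the kernel routes between interfaces
check_forwarding() {
    [ "$1" = "1" ]
}

# check_forward_chain <output of iptables -S FORWARD>: 0 when the tunnel
# subnet is accepted before any blanket DROP/REJECT (rule order matters)
check_forward_chain() {
    local rules="$1" accept_line block_line
    accept_line=$(printf '%s\n' "$rules" | grep -n -E -- "-A FORWARD -s $(vpn_net_re) -j ACCEPT" | head -1 | cut -d: -f1)
    block_line=$(printf '%s\n' "$rules" | grep -n -E -- '-A FORWARD -j (DROP|REJECT)' | head -1 | cut -d: -f1)
    [ -n "$accept_line" ] || return 1          # no accept rule at all
    [ -z "$block_line" ] && return 0           # accept rule present, no blanket block
    [ "$accept_line" -lt "$block_line" ]       # accept must come before the block
}

# check_nat_chain <output of iptables -t nat -S POSTROUTING>: 0 when replies
# can reach the tunnel clients because their source is rewritten to the VPS IP
check_nat_chain() {
    printf '%s\n' "$1" | grep -q -E -- "-A POSTROUTING -s $(vpn_net_re) .*-j (SNAT|MASQUERADE)"
}

# live_check: run all three against the running system (iptables needs root)
live_check() {
    check_forwarding "$(sysctl -n net.ipv4.ip_forward)"   || { echo "ip_forward is off"; return 1; }
    check_forward_chain "$(iptables -S FORWARD)"         || { echo "FORWARD does not accept $VPN_NET"; return 1; }
    check_nat_chain "$(iptables -t nat -S POSTROUTING)"  || { echo "no SNAT/MASQUERADE for $VPN_NET"; return 1; }
    echo "forwarding, FORWARD and NAT look right for $VPN_NET"
}
```

Source the file and call `live_check` on the VPS, or feed the individual functions saved rule dumps from a ticket. Note that it only says whether the rules exist in a workable order; it cannot tell whether the hosting provider's own filtering (the UDP question raised above) is dropping the packets before they reach the box.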
  • akhfa Member
    edited September 30

    This is the ovpn config I use now, created by Nyr's script, except that I deleted block-outside-dns:

    client
    dev tun
    proto udp
    sndbuf 0
    rcvbuf 0
    remote 45.32.x.x 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    remote-cert-tls server
    auth SHA512
    cipher AES-256-CBC
    comp-lzo
    key-direction 1
    verb 3
    
  • @AlexJones said: @akhfa both the scripts are essentially the same. The problem is with your setup.

    Yes, I know that they are basically the same, so the result was also the same. But I don't know what's wrong with the setup :(

  • WSS Member

    That depends on how the script is written out. I don't see it altering your local resolv.conf, which would be used if you aren't tunneling all DNS requests. Without examining your server-side script, I can't be 100% sure, but in /etc/openvpn/configfile, it should look like this:

    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    


  • @WSS said: That depends on how the script is written out. I don't see it altering your local resolv.conf, which would be used if you aren't tunneling all DNS requests. Without examining your server-side script, I can't be 100% sure, but in /etc/openvpn/configfile, it should look like this:

    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    

    Confirmed

    # cat /etc/openvpn/server.conf 
    port 1194
    proto udp
    dev tun
    sndbuf 0
    rcvbuf 0
    ca ca.crt
    cert server.crt
    key server.key
    dh dh.pem
    auth SHA512
    tls-auth ta.key 0
    topology subnet
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    keepalive 10 120
    cipher AES-256-CBC
    comp-lzo
    user nobody
    group nobody
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    crl-verify crl.pem
    

    Don't you use the Nyr script to set up your VPN? Maybe there is a tutorial I can follow, even if the installation is done manually?

  • WSS Member

    I haven't used Nyr's script. I handrolled it because my crappy router only had 2.3.x available at the time and I didn't have enough space to cross-compile. Your connection looks correct, but I wonder if your local client is ignoring the DNS proxy-through.

    That is strange that traceroute works, pinging is fine, but DNS isn't working. What happens if you telnet to 8.8.8.8 port 53? Should get an open connection.


  • In my case, both scripts (Angristan & Nyr) can't push the DNS config into clients, I have to manually add it.

    Have you tried using a previous OpenVPN client? 2.3 or 2.2 maybe.

  • emperor Member
    edited September 30

    @akhfa

    I had this case also with some servers, mostly on old OpenVPN versions; however, on Linux I resolved it with update-resolv-conf. First check if you have it in Manjaro in the openvpn folder, /etc/openvpn/update-resolv-conf; if you have it, add these lines at the bottom of your client config.

    script-security 2
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf
    

    If you don't have the script, you can find it easily on Google.

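The `push "dhcp-option DNS 8.8.8.8"` lines WSS quotes reach a Linux client only as data: OpenVPN does not rewrite /etc/resolv.conf itself, it exports each pushed option it cannot apply natively as `foreign_option_1`, `foreign_option_2`, ... and sets `script_type` to `up` or `down` before running the scripts named by the `up`/`down` directives. That is the gap update-resolv-conf fills with the three lines above. The script below is an added example of that mechanism, not the update-resolv-conf script from the thread or from any distribution; it relies on the OpenVPN variables `foreign_option_N` and `script_type`, and `RESOLV_TARGET` is a name introduced here so the logic can be exercised against a scratch file without root.

```bash
#!/bin/bash
# Added example: a minimal OpenVPN up/down script showing how pushed
# "dhcp-option DNS" values arrive on a Linux client. OpenVPN exports each
# such option as foreign_option_1, foreign_option_2, ... and sets
# script_type to "up" or "down"; /etc/resolv.conf is untouched unless a
# script like this one edits it. RESOLV_TARGET is introduced here (not an
# OpenVPN variable) so the logic can be tested on a scratch file.

RESOLV_TARGET="${RESOLV_TARGET:-/etc/resolv.conf}"

# render_resolv_conf: turn foreign_option_N into resolv.conf lines.
# Example value: foreign_option_1='dhcp-option DNS 8.8.8.8'
render_resolv_conf() {
    local n=1 opt search=""
    while :; do
        eval "opt=\${foreign_option_$n-}"
        [ -n "$opt" ] || break
        set -- $opt                 # split "dhcp-option DNS 8.8.8.8" into words
        if [ "$1" = "dhcp-option" ]; then
            case "$2" in
                DNS)    printf 'nameserver %s\n' "$3" ;;
                DOMAIN) search="$search $3" ;;
            esac
        fi
        n=$((n + 1))
    done
    [ -n "$search" ] && printf 'search%s\n' "$search"
    return 0
}

# handle_event: on "up" back up the current file and replace it with the
# pushed servers; on "down" restore the backup so the VPN's resolvers are
# not left behind after the tunnel closes. If nothing was pushed, the file
# is left alone rather than emptied.
handle_event() {
    local backup="$RESOLV_TARGET.openvpn-bak" content
    case "${script_type-}" in
        up)
            content=$(render_resolv_conf)
            [ -n "$content" ] || return 0
            [ -f "$backup" ] || cp "$RESOLV_TARGET" "$backup"
            printf '%s\n' "$content" > "$RESOLV_TARGET"
            ;;
        down)
            [ -f "$backup" ] && mv "$backup" "$RESOLV_TARGET"
            ;;
    esac
    return 0
}

# Only act when OpenVPN invoked us (it always sets script_type).
if [ -n "${script_type-}" ]; then
    handle_event
fi
```

Save it as, for example, /etc/openvpn/apply-dns.sh, mark it executable, and reference it from the client config the same way emperor's three lines reference update-resolv-conf (`script-security 2`, `up`, `down`). It writes the file directly, so on a system where /etc/resolv.conf is managed by resolvconf or systemd-resolved the packaged update-resolv-conf script, which goes through resolvconf, is the better choice.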
  • rajprakash Member
    edited October 12

    Here's an unsolicited bump and somewhat off topic (related to OVPN but not directly to DNS issues). To allow openvpn clients to still access their local networks (i.e. 192.168.0.0/24), can I simply add push "route 192.168.0.0 255.255.255.0 192.168.0.1" to the server config?


  • oneilonline Member, Provider

    Did you reboot after disabling SELinux? I've done that in the past and was puzzled for hours. It can explain some of the weird goings-on.

  • akhfa Member

    Thanks all for the replies. Still no success since my latest try. Will try your suggestions again tonight. I will update this thread again.

  • akhfa Member
    edited October 20

    Hi all, sorry for the long wait.

    I tried this again

    @WSS said: That is strange that traceroute works, pinging is fine, but DNS isn't working. What happens if you telnet to 8.8.8.8 port 53? Should get an open connection.

    Yes, I can telnet to 8.8.8.8 53.

    @Coffee said: In my case, both scripts (Angristan & Nyr) can't push the DNS config into clients, I have to manually add it.

    Have you tried using a previous OpenVPN client? 2.3 or 2.2 maybe.

    I use OpenVPN 2.4.4 from the Arch package. I haven't tried a previous version yet.

    @oneilonline said: Did you reboot after disabling SELinux? I've done that in the past and was puzzled for hours. It can explain some of the weird goings-on.

    When I install CentOS 7 on Vultr and run getenforce, it says disabled. I also tried on Ubuntu with no result.

    @emperor said: @akhfa

    I had this case also with some servers, mostly on old OpenVPN versions; however, on Linux I resolved it with update-resolv-conf. First check if you have it in Manjaro in the openvpn folder, /etc/openvpn/update-resolv-conf; if you have it, add these lines at the bottom of your client config.

    script-security 2
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf
    

    If you don't have the script, you can find it easily on Google.

    I followed the Arch tutorial here and finally it works :D

    What I did for manjaro OS:

    • Install fresh CentOS 7 on Vultr

    • Run the script with nearly all default values

    • Install the update-resolv-conf script and follow the tutorial here; don't forget to add the 3 lines to the client config. For other Linux-based OSes, I think you can search for the script on the internet, just like @emperor said

    • Run openvpn with sudo openvpn --config client.ovpn

    Tested on Windows and iPhone with the OpenVPN client too.

    Thank you all for your help. Really appreciate :D

    The one thing I don't understand is that it works even when iptables is disabled. I think a NAT network can't work without masquerade in iptables, but it just works. Maybe some of you know, or can point me to a reference about this :-/

  • Congrats and thanks for sharing your solution. It'll definitely help others who are in the same boat.
