Cannot resolve DNS with nyr openvpn script
Hi all, I need help with Nyr's OpenVPN script:
https://github.com/Nyr/openvpn-install
I have 2 cases here:
First:
OS: Centos 7
firewall: iptables
IP: my-vps-public-ip
protocol: UDP
port: 1194
DNS: google
The problem with this configuration is that I can ping an IP, but cannot ping a domain, so this configuration cannot resolve DNS. This is the iptables result:
# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1194
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  10.8.0.0/24          0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  10.8.0.0/24         !10.8.0.0/24          to:server-public-ip
Second: I got the info from https://github.com/Nyr/openvpn-install/issues/357
OS: Centos 7
firewall: iptables
IP: my-vps-**private**-ip
protocol: UDP
port: 1194
DNS: google
external IP: my-vps-public-ip
With this configuration, I cannot ping an IP or a domain.
I don't know what's wrong here. SELinux was already disabled. I installed this script on an empty VPS. I remember that I could easily set up a VPN with this script a long time ago, but now it's just not working. Trying with Ubuntu and the default configuration, still no luck.
I use Manjaro with the command sudo openvpn --config client.ovpn. I also asked my friend who uses Windows to verify whether the VPN is working, but the DNS problem still appears.
Any recommendation I can try?
Comments
Check to make sure that if you are forcing your DNS through Windows etc., you disable the part in the OpenVPN config that blocks outside DNS. Also make sure IP forwarding is enabled and you are using iptables to NAT too.
Also, you don't need to enable SELinux.
Any suggestion how I can check this? When I install OpenVPN, manually or using the script, I usually get stuck on DNS like now, and I don't know what's wrong here because, to be honest, I'm not familiar with detailed OpenVPN configuration.
Yes, the script already enables ipv4.forward in sysctl. I'm not sure about the NAT config in iptables that the script made, but I think there is no problem with it.
OpenVZ or KVM? And did you test with TCP mode? Maybe your provider blocked UDP.
After the network is up, what happens if you try to trace to 8.8.8.8?
I tried this on Digital Ocean and Vultr with similar results. I think there is no UDP block here. Some time ago I also tried using a custom TCP port with no luck.
I can ping 8.8.8.8. When I try to trace the path, there are more than ~30 hops, so it stops. But I can confirm that the VPN IP and the VPS gateway IP are in the trace output.
Do any of you run this script on DO or Vultr with no DNS issue, and can you browse websites?
I have not tried it with either DO or Vultr. The fact that you can send/receive ICMP tells me it seems to be up. What does your /etc/resolv.conf look like?
You may try the fork: https://github.com/Angristan/OpenVPN-install
This fork uses the official OpenVPN packages instead of the Debian repo; these are newer and could solve your issue.
I also recommend this fork because of its improved security settings.
Try removing the setenv opt block-outside-dns line in the OpenVPN client-side config files.
Try the following NAT rules before your firewall:
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -j DROP
/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to ####IPHERE
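The iptables dump in the opening post and the rule set suggested just above both come down to the same three server-side conditions: IP forwarding on, the FORWARD chain accepting the tunnel subnet before any catch-all DROP/REJECT, and a POSTROUTING SNAT or MASQUERADE for that subnet. The script below is an added example, not code from the thread or from Nyr's script: it parses `iptables -nL` output as text, so it can be run against a pasted dump (the thread's own tables are embedded as the sample, with the poster's `to:server-public-ip` placeholder kept), or against the live host with `VPN_DIAG_LIVE=1` as root. The tunnel subnet 10.8.0.0/24 is the one shown in the thread.

```sh
#!/bin/sh
# Offline checks for the three server-side conditions a tun client needs in
# order to reach an outside resolver such as 8.8.8.8 through the VPS:
#   1. net.ipv4.ip_forward is 1
#   2. FORWARD accepts the tunnel subnet before any catch-all DROP/REJECT
#   3. nat POSTROUTING SNATs or MASQUERADEs the tunnel subnet
# Each check takes command output as text. Added example; not Nyr's code.

TUN_NET=10.8.0.0/24   # tunnel subnet as it appears in the thread's dump

# $1 = contents of /proc/sys/net/ipv4/ip_forward
ip_forward_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = 1 ]
}

# $1 = output of `iptables -nL`, $2 = tunnel subnet.
# Walks FORWARD top to bottom: the first terminal rule covering the subnet
# decides; if none does, the chain policy decides.
forward_accepts_subnet() {
    printf '%s\n' "$1" | awk -v net="$2" '
        /^Chain / { chain = $2
                    if (chain == "FORWARD") { policy = $4; sub(/\)/, "", policy) }
                    next }
        chain != "FORWARD" || decided { next }
        $1 == "ACCEPT" && ($4 == net || ($4 == "0.0.0.0/0" && NF == 5)) { ok = 1; decided = 1 }
        ($1 == "DROP" || $1 == "REJECT") && ($4 == "0.0.0.0/0" || $4 == net) { decided = 1 }
        END { if (!decided && policy == "ACCEPT") ok = 1; exit ok ? 0 : 1 }'
}

# $1 = output of `iptables -t nat -nL`, $2 = tunnel subnet
nat_covers_subnet() {
    printf '%s\n' "$1" | awk -v net="$2" '
        /^Chain / { chain = $2; next }
        chain == "POSTROUTING" && ($1 == "SNAT" || $1 == "MASQUERADE") && $4 == net { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# $1 = ip_forward value, $2 = filter table text, $3 = nat table text.
# Prints one line per check; returns the number of failed checks (0 = all good).
diagnose() {
    fails=0
    if ip_forward_enabled "$1"; then printf 'ok   ip_forward=1\n'
    else printf 'FAIL ip_forward is not 1\n'; fails=$((fails + 1)); fi
    if forward_accepts_subnet "$2" "$TUN_NET"; then printf 'ok   FORWARD accepts %s\n' "$TUN_NET"
    else printf 'FAIL FORWARD drops/rejects %s before accepting it\n' "$TUN_NET"; fails=$((fails + 1)); fi
    if nat_covers_subnet "$3" "$TUN_NET"; then printf 'ok   POSTROUTING NATs %s\n' "$TUN_NET"
    else printf 'FAIL no SNAT/MASQUERADE for %s in nat POSTROUTING\n' "$TUN_NET"; fails=$((fails + 1)); fi
    return $fails
}

# Sample input: the thread's own dump, one rule per line.
SAMPLE_FILTER=$(cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1194
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  10.8.0.0/24          0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
EOF
)
SAMPLE_NAT=$(cat <<'EOF'
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  10.8.0.0/24         !10.8.0.0/24          to:server-public-ip
EOF
)

if [ "${VPN_DIAG_LIVE:-0}" = 1 ]; then
    diagnose "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables -nL)" "$(iptables -t nat -nL)"
else
    diagnose 1 "$SAMPLE_FILTER" "$SAMPLE_NAT"
fi
```

On the thread's dump all three checks pass, which is consistent with the later finding that the server side was not the culprit; the rule order matters because iptables stops at the first terminal match, so a DROP or REJECT placed above the subnet ACCEPT fails the check even though the ACCEPT exists.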
On my client, there are just 2 nameserver records set by my DHCP server.
On the VPS, I don't know whose IP this is. I didn't edit this manually.
Thank you for the suggestion. Can you use the VPN to browse directly after running this script? Can I know your server specification, like OS and server provider?
As far as I remember, I also tried this script after I failed using Nyr's, but the result was similar. Maybe I will try again tomorrow.
It looks like it's using your DHCP client to set the DNS. If you set it to 8.8.8.8, it'll probably work perfectly fine. A lot of providers don't like their DNS being used externally.
@akhfa both scripts are essentially the same. The problem is with your setup.
Recently did this and tried; still the same as before.
These rules are already in my iptables.
I deleted these rules to make sure there was no blocking "forward rule", of course after I failed to resolve DNS.
What is the difference between the rule above and the created rule below?
Tried this without reboot; the DNS still isn't resolved. I think my client will use the VPS's DNS resolver if I choose it when I install the VPN server. In my case, I chose Google DNS (option 2), so I think the DNS requests will be forwarded to Google DNS, won't they?
These are the ovpn options I use now, created by Nyr's script, except that I deleted block-outside-dns:
Yes, I know that they are basically the same, so the result was also the same. But I don't know what's wrong with the setup.
That depends on how the script is written out. I don't see it altering your local resolv.conf, which would be used if you aren't tunneling all DNS requests. Without examining your server-side script, I can't be 100% sure, but in /etc/openvpn/configfile, it should look like this:
Confirmed
Don't you use Nyr's script to set up your VPN? Is there any tutorial I can follow, even if the installation was done manually?
I haven't used Nyr's script. I hand-rolled it because my crappy router only had 2.3.x available at the time and I didn't have enough space to cross-compile. Your connection looks correct, but I wonder if your local client is ignoring the DNS proxy-through.
It is strange that traceroute works and pinging is fine, but DNS isn't working. What happens if you telnet to 8.8.8.8 port 53? You should get an open connection.
In my case, both scripts (Angristan & Nyr) can't push the DNS config to clients; I have to add it manually.
Have you tried using a previous OpenVPN client? 2.3 or 2.2 maybe.
@akhfa I had this case also with some servers, mostly on old OpenVPN versions; however, on Linux I resolved it with update-resolv-conf. First check if you have it in Manjaro in the OpenVPN folder, /etc/openvpn/update-resolv-conf; if you have it, add these lines at the bottom of your client config.
If you don't have the script, you can find it easily on Google.
Here's an unsolicited bump, somewhat off topic (related to OVPN but not directly to DNS issues). To allow OpenVPN clients to still access their local networks (i.e. 192.168.0.0/24), can I simply add push "route 192.168.0.0 255.255.255.0 192.168.0.1" to the server config?
Did you reboot after disabling SELinux? I've done that in the past and was puzzled for hours. It can explain some of the weird goings-on.
Thanks all for the replies. Still no success since my latest try. Will try your suggestions again tonight. I will update this thread again.
Hi all, sorry for the long wait.
I tried this again.
Yes, I can telnet 8.8.8.8 53.
I use OpenVPN 2.4.4 from the Arch package. I haven't tried a previous version yet.
When I install Vultr CentOS 7 and run getenforce, it says disabled. I also tried on Ubuntu with no result. I followed the Arch tutorial here and finally it works.
What I did for Manjaro OS:
Install fresh CentOS 7 on Vultr.
Run the script with nearly all default values.
Install the update-resolv-conf script and follow the tutorial here; don't forget to add the 3 lines to the client config. For other Linux-based OSes, I think you can search for the script on the internet, just like @emperor said.
Run OpenVPN with sudo openvpn --config client.ovpn
Tested on Windows and iPhone with the OpenVPN client too.
Thank you all for your help. Really appreciate it.
The one thing I don't understand is that it works even when iptables is disabled. I think the NAT network can't work without masquerade in iptables, but it just works. Maybe some of you know or can point me to a reference about this :-/
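The fix the thread settled on is client-side: remove the block-outside-dns line (a Windows-only directive, as suggested earlier) and hook the distro's update-resolv-conf helper so the DNS the server pushes is written into the client's resolver config. The script below is an added example, not from the thread or from Nyr's or Angristan's scripts; it applies those two edits to a profile and verifies the result. It assumes the helper lives at /etc/openvpn/update-resolv-conf, the path named in the thread (override with UPDATE_RESOLV_CONF if yours differs), and uses the helper's standard three hook lines, which the posts refer to but do not quote. The sample profile is constructed, with certificates omitted and the thread's placeholder hostname kept.

```sh
#!/bin/sh
# Prepare a Linux OpenVPN client profile so pushed DNS is actually applied:
#   - drop any `setenv opt block-outside-dns` line (Windows-only directive)
#   - append the update-resolv-conf up/down hooks if they are not yet present
# Added example; not part of Nyr's or Angristan's scripts.

# Assumed helper path (the one the thread names); override via environment.
HOOK=${UPDATE_RESOLV_CONF:-/etc/openvpn/update-resolv-conf}

# $1 = source profile, $2 = destination profile (overwritten).
# Idempotent: running it on an already-fixed profile changes nothing.
fix_client_dns() {
    [ -r "$1" ] || return 1
    grep -v 'block-outside-dns' "$1" > "$2" || :   # grep -v exits 1 if nothing remains
    for line in 'script-security 2' "up $HOOK" "down $HOOK"; do
        grep -qxF "$line" "$2" || printf '%s\n' "$line" >> "$2"
    done
}

# $1 = profile. Returns 0 when the three hook lines are present and
# block-outside-dns is gone, i.e. the profile is ready for a Linux client.
profile_applies_pushed_dns() {
    ! grep -q 'block-outside-dns' "$1" &&
    grep -qxF 'script-security 2' "$1" &&
    grep -qxF "up $HOOK" "$1" &&
    grep -qxF "down $HOOK" "$1"
}

# Demo on a constructed profile fragment shaped like a generated client.ovpn
# (keys and certificates omitted). Prints the fixed profile; returns 0 if it
# passes the check above.
demo() {
    src=$(mktemp) && dst=$(mktemp) || return 1
    cat > "$src" <<'EOF'
client
dev tun
proto udp
remote my-vps-public-ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
setenv opt block-outside-dns
verb 3
EOF
    fix_client_dns "$src" "$dst"
    if profile_applies_pushed_dns "$dst"; then rc=0; else rc=1; fi
    cat "$dst"
    rm -f "$src" "$dst"
    return $rc
}

demo
```

The hooks only take effect with script-security 2, which is why that line is part of the set; without it OpenVPN refuses to execute the up/down scripts and the pushed dhcp-option DNS values are logged but never written to /etc/resolv.conf.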
Congrats and thanks for sharing your solution. It'll definitely help others who are in the same boat.