Menu
What's new
By:
Filters Better Search

OpenVPN and Resolving DNS names on VPN network

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

X

xendrome

New Around Here
Curious if I am just missing something or it is not possible.

When connecting from my work system to my OpenVPN connection. It connects fine, I am able to ping IPs on my remote network on the other side of the VPN. However I cannot resolve any DNS names on the remote network.

Obviously my local DNS servers 172.16.50.6 and 172.16.50.5 are not going to be able to resolve names on my remote network. So I have tried to force a domain suffix to the VPN Server connection, like "domain.local" and then resolving "computername.domain.local" should see "domain.local" is bound to the VPN adapter and try to resolve via the DNS server on that adapter of 192.168.1.1.

But this is not happening either.

Any suggestions or has anyone else gotten this to work?
 
Enable "Advertise DNS to clients" and "Respond to DNS" on the server.
 
xendrome said:
Already turned on. No change in behavior. I messed with that last night.

Any other ideas or feedback I can provide to help troubleshoot?
Click to expand...

Make sure your client does actually configure the nameserver that gets pushed by OpenVPN. This might not be the case for mobile device clients.
 
xendrome said:
Where would I check that at in a Windows box or how can I tell?
Click to expand...

Code: 
ipconfig /all

Check what DNS is used by the TAP interface. It should be the router's IP. It will require the FQDN (i.e. computer1.local.lan). You also need to configure the domain on the router's LAN page.
 
RMerlin said:
Code: 
ipconfig /all

Check what DNS is used by the TAP interface. It should be the router's IP. It will require the FQDN (i.e. computer1.local.lan). You also need to configure the domain on the router's LAN page.
Click to expand...

Code: 
Connection-specific DNS Suffix  . : digital.lan
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-95-1A-99-EC
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::644b:4a61:b7cc:e5d2%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.8.0.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, March 21, 2016 3:33:13 PM
   Lease Expires . . . . . . . . . . : Tuesday, March 21, 2017 3:33:13 PM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.8.0.254
   DHCPv6 IAID . . . . . . . . . . . : 167837589
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-AA-DA-38-18-03-73-49-24-2F
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Address shows DNS Server as the router IP on the VPN server side. Also I set "push "dhcp-option DOMAIN digital.lan" " in the custom settings, so you can see it is setting the DNS Suffix.

When I try to do a "ping computername.digital.lan" on the remote computer to a computer on the VPN it just says "Ping request could not find host computername.digital.lan. Please check the name and try again." instantly, like it isn't even trying to query the 192.168.1.1 server.

If I do a NSLOOKUP and server 192.168.1.1, I get

Code: 
> server 192.168.1.1
1.1.168.192.in-addr.arpa
        primary name server = localhost
        responsible mail addr = nobody.invalid
        serial  = 1
        refresh = 600 (10 mins)
        retry   = 1200 (20 mins)
        expire  = 604800 (7 days)
        default TTL = 10800 (3 hours)
Default Server:  [192.168.1.1]
Address:  192.168.1.1

> computername.digital.lan
Server:  [192.168.1.1]
Address:  192.168.1.1

*** [192.168.1.1] can't find computername.digital.lan: Non-existent domain

Of course replacing "computername" with the actual computer name throughout this text.
 
BTW same issue from a Windows computer, or connecting to the VPN via 4G LTE on my phone. Can ping IPs fine, but not resolve any DNS names on the VPN network.
 
OK figured something out. It works fine with DHCP clients on the VPN network. It does not work with Static IP clients on the network. I've tried to "append" the DNS Suffix for the LAN adapter with Static IPs. and ipconfig /registerdns.

Any ideas?
 
xendrome said:
OK figured something out. It works fine with DHCP clients on the VPN network. It does not work with Static IP clients on the network. I've tried to "append" the DNS Suffix for the LAN adapter with Static IPs. and ipconfig /registerdns.

Any ideas?
Click to expand...

The router has no idea of the existence of those static IPs, as those PC never talk to your DHCP/DNS server to identify themselves. You need to use DHCP reservations instead of static IPs for name resolution to work. That's just how Windows networking works.
 
That kind of sucks, I would think that applying the domain suffix to the network adapter TCP/IPv4 and then doing a ipconfig /registerdns would trigger something in the 192.168.1.1 DNS server to register the entry. I guess it doesn't work the same as MS DNS server services.
 
xendrome said:
That kind of sucks, I would think that applying the domain suffix to the network adapter TCP/IPv4 and then doing a ipconfig /registerdns would trigger something in the 192.168.1.1 DNS server to register the entry. I guess it doesn't work the same as MS DNS server services.
Click to expand...

dnsmasq does not support DNS registration - this is a proprietary Microsoft feature. Just create static entries, this will resolve your problem.

dnsmasq is not a full-featured nameserver like bind, it's only meant to act as a cacheing nameserver.
 
RMerlin said:
dnsmasq does not support DNS registration - this is a proprietary Microsoft feature. Just create static entries, this will resolve your problem.

dnsmasq is not a full-featured nameserver like bind, it's only meant to act as a cacheing nameserver.
Click to expand...

Tagging onto/resurrecting and old thread b/c I'm having the same issue but all of my clients are set for DHCP - no static IP's.

Summary is RT-AC68U running firmware 380.63_2 with "VPN Server - OpenVPN" -> "Advanced Settings" as follows:
**************************************************
Advanced Settings
Interface Type
Protocol
Server Port (Default : 1194)
Firewall
Authorization Mode Content modification of Keys & Certification.
Username/Password Authentication Yes No
Username / Password Auth. Only Yes No
Extra HMAC authorization (TLS-Auth)
Auth digest
VPN Subnet / Netmask
Poll Interval minute(s) (Disable : 0)
Push LAN to clients Yes No
Direct clients to redirect Internet traffic Yes No
Respond to DNS Yes No
Advertise DNS to clients Yes No
Encryption cipher
Compression
TLS Renegotiation Time seconds (Default : -1)
Global Log verbosity (Between 0 and 11. Default: 3)
Manage Client-Specific Options Yes No

Custom Configuration (none)
**************************************************

- Testing setup is Win10 laptop tethered to cell and running OpenVPN 2.4.0 x86_64-w64-mingw32.
- I can connect to the OpenVPN server w/o issue (default 10.8.0.0/24)
- I can connect to my multiple servers/devices/LAN resources just fine (192.168.123.0/24) by IP address or if I manually set a host file in Windows
- External DNS works just fine (i.e. - ping google.com)
- LAN DNS is not working (i.e. - ping localPC)

- Do I have to set a Domain Name on the RT-AC68U and call the local host by their FQDN? (i.e. - Advanced Settings -> LAN ->DHCP Server -> RT-AC68U's Domain Name)?
- Any objections to just ".local" if yes to the above?

What else am I missing here?
 
mgreig said:
Tagging onto/resurrecting and old thread b/c I'm having the same issue but all of my clients are set for DHCP - no static IP's.

Summary is RT-AC68U running firmware 380.63_2 with "VPN Server - OpenVPN" -> "Advanced Settings" as follows:
**************************************************
Advanced Settings
Interface Type
Protocol
Server Port (Default : 1194)
Firewall
Authorization Mode Content modification of Keys & Certification.
Username/Password Authentication Yes No
Username / Password Auth. Only Yes No
Extra HMAC authorization (TLS-Auth)
Auth digest
VPN Subnet / Netmask
Poll Interval minute(s) (Disable : 0)
Push LAN to clients Yes No
Direct clients to redirect Internet traffic Yes No
Respond to DNS Yes No
Advertise DNS to clients Yes No
Encryption cipher
Compression
TLS Renegotiation Time seconds (Default : -1)
Global Log verbosity (Between 0 and 11. Default: 3)
Manage Client-Specific Options Yes No

Custom Configuration (none)
**************************************************

- Testing setup is Win10 laptop tethered to cell and running OpenVPN 2.4.0 x86_64-w64-mingw32.
- I can connect to the OpenVPN server w/o issue (default 10.8.0.0/24)
- I can connect to my multiple servers/devices/LAN resources just fine (192.168.123.0/24) by IP address or if I manually set a host file in Windows
- External DNS works just fine (i.e. - ping google.com)
- LAN DNS is not working (i.e. - ping localPC)

- Do I have to set a Domain Name on the RT-AC68U and call the local host by their FQDN? (i.e. - Advanced Settings -> LAN ->DHCP Server -> RT-AC68U's Domain Name)?
- Any objections to just ".local" if yes to the above?

What else am I missing here?
Click to expand...

And for anyone else working on this same issue - yes, it was as simple as adding a Domain Name to the router. I then added a DNS Suffix of "local" so it would be appended to my requests (b/c I'm lazy) and all is working perfectly

Thanks a ton Merlin for the excellent firmware support!
 
L
Martineau said:
Is your 'solution' appropriate?

http://www.snbforums.com/threads/advisory-special-case-tlds-and-zeroconf.36345/#post-296472
Click to expand...

Looks like it's only partly appropriate ... I'm not experiencing any issues at the moment but I certainly don't want to set myself up for potential future issues. Especially the kind that pop up 6-12 months from now and I will never be able to trace it back to a ".local" domain suffix set forever ago without a *ton* of headache.

thanks for the heads-up Martineau - I'll change the suffix to ".lan" as it looks like that's suggested (you agree?)
 
You must log in or register to reply here.

Similar threads

J
Solved OpenVPN clients can't resolve custom domains defined in dnsmasq config
Replies
2
Views
640
jkbach
J
F
OpenVPN client not resolving server local DNS names
Replies
9
Views
1K
felixdd
F
M
OpenVPN / site to site with special security/routing constraints
Replies
7
Views
347
elorimer
E
C
Does default dnsmasq configuration store LAN names?
Replies
6
Views
383
chrisisbd
C
icanfly
DNS fails for local devices when there is no WAN!
Replies
2
Views
481
icanfly
icanfly
Similar threads
Thread starter Title Forum Replies Date
F OpenVPN client not resolving server local DNS names Asuswrt-Merlin 9
P Openvpn internet access Asuswrt-Merlin 0
E OpenVPN TAP internet access problem Asuswrt-Merlin 0
M OpenVPN clients cannot connect to LAN computers. Asuswrt-Merlin 0
M OpenVPN / site to site with special security/routing constraints Asuswrt-Merlin 7
R OpenVPN keeps on turning itself off Asuswrt-Merlin 40
M Best router for wireguard or openVPN Asuswrt-Merlin 1
W OpenVPN Server set to LAN only allows browsing Asuswrt-Merlin 14
A Upgraded my ASUS, issues with NordVPN via OpenVPN Asuswrt-Merlin 4
G openvpn server: can not change/select data cipher Asuswrt-Merlin 1

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 685 (members: 25, guests: 660)
Top