Solved OpenVPN clients can't resolve custom domains defined in dnsmasq config

jkbach

New Around Here
Happy holidays everyone, pretty stuck on this one and would appreciate a second set of eyes to see if I missed anything obvious. I'm new to this, so apologies in advance if my understanding is way off.

Device: AC68U
Firmware: 386.12_4

Summary

I'm trying to set up remote access to my network via Asuswrt-merlin's built-in OpenVPN so that remote clients (my phone) can access hosts on my home network (eg a HomeAssistant instance running on a RaspberryPi). The router handles DNS and DHCP. All static hosts on the network have a URL under the router's domain (`<hostname>.home.arpa`). Some also have custom URLs under some other domain, configured through `dnsmasq` (eg `homeassistant.mycustomdomain.casa`). I describe below how this is configured.

My issue is that clients connected to the LAN directly have no problem resolving hosts via their DHCP `<hostname>.home.arpa` and their dnsmasq custom URL, but clients connected via the VPN can only resolve hosts via their `<hostname>.home.arpa` address.

As a concrete example: suppose I have a host called `rasppi` at 192.168.1.7. I give it a static IP in the DHCP server settings, and also add an entry to `/jffs/configs/dnsmasq.conf.add` pointing `rasppi.mycustomdomain.casa` to that static IP. Under this scenario:
  • On my home network, I can resolve `rasppi` at both `rasppi.home.arpa` and `rasppi.mycustomdomain.casa`.
  • Outside the home network, connected to the VPN, I can only resolve it at `rasppi.home.arpa`.
Curiously, it doesn't seem to be an issue with my `dnsmasq.conf.add` file being picked up; rather, it seems that clients only use the router to resolve DNS queries under `.home.arpa`, regardless of whether I define them in the DHCP settings page or in `dnsmasq.conf.add`. To test this, I added an additional entry under `dnsmasq.conf.add` like

Code:
address=/somebogushostbname.home.arpa/192.168.1.7 # this is the rasppi IP address
and verified that VPN clients were able to resolve it.

Current config

DHCP

  • Enable the DHCP server on the router, and set the router's domain to `home.arpa`.
  • Configure the "DNS and WINS Server Settings" per https://github.com/RMerl/asuswrt-me...mains-with-dnsmasq#adjust-dhcp-server-options
    • I don't really understand step 3 in the link above, so I left "Advertise router's IP in addition to user-specified DNS" off, as the instruction seemed to suggest.
  • Enable manual assignment and add a static IP and host name for each host under "Manually Assigned IP around the DHCP list".

DNS

  • The DHCP "DNS and WINS Server Settings" described above should send the router's IP as the DNS server when clients connect to the network.
  • Set up the router as described in https://github.com/RMerl/asuswrt-me...ains-with-dnsmasq#adjust-router-configuration
    • DNS Director is OFF
  • Add entries to `/jffs/configs/dnsmasq.conf.add` for the custom URLs:
    Code:
    address=/rasppi.mycustomdomain.casa/192.168.1.7
  • Under "WAN" -> "WAN DNS Setting", configure the upstream DNS server:
    • DNS Server: 1.1.1.2
    • Forward local domain queries to upstream DNS: No
    • Enable DNS rebind protection: No
    • Enable DNSSEC support: No
    • Prevent client auto DoH: Auto
    • DNS privacy protocol: None
At this point, clients on the LAN can resolve all the host names as expected. Last thing to do is OpenVPN:

OpenVPN

General settings:
  • Client will use VPN to access: LAN only
Advanced settings:
  • Interface Type: TUN
  • Protocol: UDP
  • Server Port: 1195
  • Username/Password Authentication: Yes
  • Username/Password Authentication Only: No
  • Advertise DNS to clients: Yes

My guess​

In the logs below, I see the server sending and the client receiving 192.168.1.1 as the DNS server. I also see `DOMAIN home.arpa` from the server, which I assume tells the client that the router is the nameserver for that domain. Maybe the iPhone is only using the router as a DNS server when resolving URLs under that domain, and is bypassing the router's DNS for everything else (e.g. `rasppi.mycustomdomain.casa`) and sending it to some other DNS server? I'm not sure how to validate this, nor how to enforce that ALL DNS queries go through the VPN.
 

Some logs

Server logs when a client connects

Code:
Dec 27 23:55:19 ovpn-server1[25603]: jkbachs-iphone/172.58.88.48:18063 Delayed exit in 5 seconds
Dec 27 23:55:24 ovpn-server1[25603]: 172.58.88.48:65506 VERIFY OK: depth=1, CN=<redacted server name>
Dec 27 23:55:24 ovpn-server1[25603]: 172.58.88.48:65506 VERIFY OK: depth=0, CN=jkbachs-iphone
Dec 27 23:55:24 ovpn-server1[25603]: 172.58.88.48:65506 peer info: IV_VER=3.8.3connect1
Dec 27 23:55:24 ovpn-server1[25603]: 172.58.88.48:65506 peer info: IV_PLAT=ios
Dec 27 23:55:24 ovpn-server1[25603]: 172.58.88.48:65506 peer info: IV_NCP=2
Dec 27 23:55:24 ovpn-server1[25603]: 172.58.88.48:65506 peer info: IV_TCPNL=1
Dec 27 23:55:24 ovpn-server1[25603]: 172.58.88.48:65506 peer info: IV_PROTO=990
Dec 27 23:55:24 ovpn-server1[25603]: 172.58.88.48:65506 peer info: IV_MTU=1600
Dec 27 23:55:24 ovpn-server1[25603]: 172.58.88.48:65506 peer info: IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
Dec 27 23:55:24 ovpn-server1[25603]: 172.58.88.48:65506 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.4.1-5463
Dec 27 23:55:24 ovpn-server1[25603]: 172.58.88.48:65506 peer info: IV_SSO=webauth,openurl,crtext
Dec 27 23:55:24 ovpn-server1[25603]: 172.58.88.48:65506 peer info: IV_BS64DL=1
Dec 27 23:55:24 ovpn-server1[25603]: 172.58.88.48:65506 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Dec 27 23:55:24 ovpn-server1[25603]: 172.58.88.48:65506 TLS: Username/Password authentication succeeded for username 'jkbach'
Dec 27 23:55:24 ovpn-server1[25603]: 172.58.88.48:65506 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Dec 27 23:55:24 ovpn-server1[25603]: 172.58.88.48:65506 TLS: tls_multi_process: initial untrusted session promoted to trusted
Dec 27 23:55:24 ovpn-server1[25603]: 172.58.88.48:65506 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 521 bits EC, curve secp521r1, signature: ecdsa-with-SHA512, peer temporary key: 253 bits X25519
Dec 27 23:55:24 ovpn-server1[25603]: 172.58.88.48:65506 [jkbachs-iphone] Peer Connection Initiated with [AF_INET]172.58.88.48:65506 (via [AF_INET]135.180.68.255%eth0)
Dec 27 23:55:24 ovpn-server1[25603]: jkbachs-iphone/172.58.88.48:65506 MULTI_sva: pool returned IPv4=10.8.0.4, IPv6=(Not enabled)
Dec 27 23:55:24 ovpn-server1[25603]: jkbachs-iphone/172.58.88.48:65506 MULTI: Learn: 10.8.0.4 -> jkbachs-iphone/172.58.88.48:65506
Dec 27 23:55:24 ovpn-server1[25603]: jkbachs-iphone/172.58.88.48:65506 MULTI: primary virtual IP for jkbachs-iphone/172.58.88.48:65506: 10.8.0.4
Dec 27 23:55:24 ovpn-server1[25603]: jkbachs-iphone/172.58.88.48:65506 SENT CONTROL [jkbachs-iphone]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0 vpn_gateway 500,dhcp-option DOMAIN home.arpa,dhcp-option DNS 192.168.1.1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.4 255.255.255.0,peer-id 2,cipher CHACHA20-POLY1305,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)
Dec 27 23:55:24 ovpn-server1[25603]: jkbachs-iphone/172.58.88.48:65506 PUSH: Received control message: 'PUSH_REQUEST'
Dec 27 23:55:25 ovpn-server1[25603]: jkbachs-iphone/172.58.88.48:18063 SIGTERM[soft,delayed-exit] received, client-instance exiting
Dec 27 23:55:25 ovpn-server1[25603]: jkbachs-iphone/172.58.88.48:65506 Data Channel: cipher 'CHACHA20-POLY1305', peer-id: 0
Dec 27 23:55:25 ovpn-server1[25603]: jkbachs-iphone/172.58.88.48:65506 Timers: ping 15, ping-restart 120
Dec 27 23:55:25 ovpn-server1[25603]: jkbachs-iphone/172.58.88.48:65506 Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt

Client logs when connecting

Code:
[Dec 28, 2023, 13:56:49] Sending Peer Info:
IV_VER=3.8.3connect1
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=990
IV_MTU=1600
IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_GUI_VER=net.openvpn.connect.ios_3.4.1-5463
IV_SSO=webauth,openurl,crtext
IV_BS64DL=1


[Dec 28, 2023, 13:56:49] VERIFY OK: depth=1, /CN=<redacted server name>, signature: ecdsa-with-SHA512

[Dec 28, 2023, 13:56:49] VERIFY OK: depth=0, /CN=<redacted server name>, signature: ecdsa-with-SHA512

[Dec 28, 2023, 13:56:49] SSL Handshake: peer certificate: CN=<redacted server name>, 521 bit EC, group:secp521r1, cipher: TLS_CHACHA20_POLY1305_SHA256   TLSv1.3 Kx=any      Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD


[Dec 28, 2023, 13:56:49] Session is ACTIVE

[Dec 28, 2023, 13:56:49] EVENT: GET_CONFIG

[Dec 28, 2023, 13:56:49] Sending PUSH_REQUEST to server...

[Dec 28, 2023, 13:56:49] OPTIONS:
0 [route] [192.168.1.0] [255.255.255.0] [vpn_gateway] [500]
1 [dhcp-option] [DOMAIN] [home.arpa]
2 [dhcp-option] [DNS] [192.168.1.1]
3 [redirect-gateway] [def1]
4 [route-gateway] [10.8.0.1]
5 [topology] [subnet]
6 [ping] [15]
7 [ping-restart] [60]
8 [ifconfig] [10.8.0.2] [255.255.255.0]
9 [peer-id] [0]
10 [cipher] [CHACHA20-POLY1305]
11 [protocol-flags] [cc-exit] [tls-ekm] [dyn-tls-crypt]
12 [tun-mtu] [1500]


[Dec 28, 2023, 13:56:49] PROTOCOL OPTIONS:
  cipher: CHACHA20-POLY1305
  digest: NONE
  key-derivation: TLS Keying Material Exporter [RFC5705]
  compress: NONE
  peer ID: 0
  control channel: dynamic tls-crypt enabled

[Dec 28, 2023, 13:56:49] EVENT: ASSIGN_IP

[Dec 28, 2023, 13:56:49] NIP: preparing TUN network settings

[Dec 28, 2023, 13:56:49] NIP: init TUN network settings with endpoint: 2607:7700:0:2e:0:1:87b4:9e7f

[Dec 28, 2023, 13:56:49] NIP: adding IPv4 address to network settings 10.8.0.2/255.255.255.0

[Dec 28, 2023, 13:56:49] NIP: adding (included) IPv4 route 10.8.0.0/24

[Dec 28, 2023, 13:56:49] NIP: adding (included) IPv4 route 192.168.1.0/24

[Dec 28, 2023, 13:56:49] NIP: redirecting all IPv4 traffic to TUN interface

[Dec 28, 2023, 13:56:49] NIP: adding match domain home.arpa

[Dec 28, 2023, 13:56:49] NIP: adding DNS 192.168.1.1

[Dec 28, 2023, 13:56:49] NIP: allowFamily(AF_INET, 1)

[Dec 28, 2023, 13:56:49] NIP: allowFamily(AF_INET6, 1)

[Dec 28, 2023, 13:56:49] NIP: setting MTU to 1500

[Dec 28, 2023, 13:56:49] Connected via NetworkExtensionTUN

[Dec 28, 2023, 13:56:49] EVENT: CONNECTED jkbach@<redacted server name>.asuscomm.com:1195 (2607:7700:0:2e:0:1:87b4:9e7f) via /UDP on NetworkExtensionTUN/10.8.0.2/ gw=[/] mtu=(default)
 
Turns out my guess was spot on. Confirmed and resolved after testing on a non-iOS client and sharpening my Google fu a bit.

The problem is that on iOS, OpenVPN only routes DNS queries to the VPN's DNS server for specified search domains. In my case, the search domain was "home.arpa", so DNS queries for "mycustomdomain.casa" were going to some other DNS server.

This is documented by OpenVPN: https://openvpn.net/faq/how-does-ios-interpret-pushed-dns-servers-and-search-domains/
A nearly identical post was also solved... 7 years ago: https://www.snbforums.com/threads/asuswrt-merlin-push-hostnames-to-openvpn-clients.18457/

The solution is to add the following to the "Custom Configuration" box at the bottom of the advanced VPN options:

[image: screenshot of the Custom Configuration entry; the image is not preserved in this copy]


Cheers all,
John
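The behaviour the first post guesses at and the second post confirms (the pushed DNS server is only consulted for names under the pushed `DOMAIN`, so `rasppi.mycustomdomain.casa` goes to the phone's normal resolver) can be checked offline against the actual `PUSH_REPLY` string from the server log above. The script below is an added example, not code from the thread, from Asuswrt-Merlin or from OpenVPN; it models the rule described in the OpenVPN FAQ linked in the second post and visible in the client log as `NIP: adding match domain home.arpa`. The `PUSH_REPLY_AFTER` string, and the server-side `push "dhcp-option DOMAIN mycustomdomain.casa"` line it assumes, are my assumption about what a fix looks like, not the contents of the screenshot in the post. Whether `redirect-gateway` changes the outcome is deliberately not modelled: the client log in the thread shows split DNS even with `redirect-gateway def1` present.

```python
"""Model of how OpenVPN Connect for iOS picks a resolver from a PUSH_REPLY.

Added example, not part of the forum thread. Rule modelled (from the OpenVPN
FAQ linked in the thread): a pushed "dhcp-option DNS" server is used only for
names under a pushed "dhcp-option DOMAIN" (the client's match domains); every
other name goes to the device's system resolver. If DNS servers are pushed with
no DOMAIN at all, the model sends everything to the pushed server (assumption).
"""
from dataclasses import dataclass, field


@dataclass
class PushedDns:
    servers: list = field(default_factory=list)        # from dhcp-option DNS
    match_domains: list = field(default_factory=list)  # from dhcp-option DOMAIN


def parse_push_reply(reply: str) -> PushedDns:
    """Split a PUSH_REPLY control message into options and keep the DNS ones."""
    opts = [o.strip() for o in reply.split(",")]
    if opts and opts[0] == "PUSH_REPLY":
        opts = opts[1:]
    out = PushedDns()
    for opt in opts:
        parts = opt.split()
        if len(parts) == 3 and parts[:2] == ["dhcp-option", "DNS"]:
            out.servers.append(parts[2])
        elif len(parts) == 3 and parts[:2] == ["dhcp-option", "DOMAIN"]:
            out.match_domains.append(parts[2].lower().rstrip("."))
    return out


def _under(name: str, domain: str) -> bool:
    """True if `name` is `domain` itself or a label below it."""
    n = name.lower().rstrip(".")
    return n == domain or n.endswith("." + domain)


def ios_resolver_for(name: str, pushed: PushedDns) -> str:
    """Return "vpn" if the query would go to the pushed DNS server, else "system"."""
    if not pushed.servers:
        return "system"
    if not pushed.match_domains:
        return "vpn"  # assumption: no match domains means all queries use the VPN DNS
    return "vpn" if any(_under(name, d) for d in pushed.match_domains) else "system"


def report(reply: str, names: list) -> dict:
    """Map each name to the resolver iOS would use, given a PUSH_REPLY string."""
    pushed = parse_push_reply(reply)
    return {n: ios_resolver_for(n, pushed) for n in names}


# PUSH_REPLY copied from the server log in the thread (the broken "before" state).
PUSH_REPLY_BEFORE = (
    "PUSH_REPLY,route 192.168.1.0 255.255.255.0 vpn_gateway 500,"
    "dhcp-option DOMAIN home.arpa,dhcp-option DNS 192.168.1.1,"
    "route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,"
    "ifconfig 10.8.0.4 255.255.255.0,peer-id 2,cipher CHACHA20-POLY1305,"
    "protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500"
)

# Hypothetical "after" state (constructed): the same reply with one extra DOMAIN
# entry, which is what a server-side
#     push "dhcp-option DOMAIN mycustomdomain.casa"
# in the OpenVPN custom configuration would add. This is an assumption about the
# fix, not the screenshot from the post.
PUSH_REPLY_AFTER = PUSH_REPLY_BEFORE.replace(
    "dhcp-option DOMAIN home.arpa,",
    "dhcp-option DOMAIN home.arpa,dhcp-option DOMAIN mycustomdomain.casa,",
)

if __name__ == "__main__":
    names = [
        "rasppi.home.arpa",
        "somebogushostbname.home.arpa",
        "rasppi.mycustomdomain.casa",
        "example.com",
    ]
    for label, reply in (("before", PUSH_REPLY_BEFORE), ("after", PUSH_REPLY_AFTER)):
        print(label, report(reply, names))
```

Running it shows the two `.home.arpa` names resolving via the VPN in both states, while `rasppi.mycustomdomain.casa` only moves to the VPN resolver once `mycustomdomain.casa` is also pushed as a `DOMAIN`; `example.com` stays on the system resolver either way, which is the split-DNS behaviour the thread ran into.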
 
