VPN not resolving DNS of remote lan


miodzicho

Occasional Visitor
Hello all.
I'm trying to create multiple remote LANs connected to one OpenVPN server. The server is on a Fritz box; the remotes are on asuswrt.
The tunnels are connected, traffic goes through, I can ping, and I can reach the web interface of the remote router. However, I cannot resolve local names. On the server I have dnsmasq with the line server=/remote1.lan/10.36.92.1 (pointing to one asuswrt). The server also pushes the DHCP option. What am I missing here?
 

miodzicho

Occasional Visitor
I'm a step further with this. nslookup works with the command nslookup host1.domain.lan 10.36.98.1 or nslookup host2.domain2.lan 10.36.92.1.
But when I try only host1.domain.lan or host2.domain2.lan, I see the request coming in, but now the source is the IP of the tunnel (here 192.168.200.1), and dnsmasq is responding, but this is somehow ignored:

Code:
192.168.200.1.52528 > somehost.domain.lan.domain: 58398+ A? router.domain.lan. (35)
15:41:03.419299 IP router.domain.lan.domain > 192.168.200.1.52528: 58398* 1/0/0 A 10.36.92.1 (51)

Code:
nslookup somehost.domain.lan
Server:         10.36.98.1
Address:        10.36.98.1#53

*** Can't find somehost.domain.lan: No answer

Configuration as follows:

LAN -- router 10.36.98.1 - tunnel 192.168.200.1 ------- 192.168.200.8 tunnel - 10.36.92.1 router -- LAN

Code:
OpenVPN Server 10.36.98.1

mode server
tls-server
auth-nocache
allow-pull-fqdn
port 1194
keepalive 10 60
cipher AES-128-CBC
client-to-client
#push "redirect-gateway def1"
ca /tmp/flash/openvpn/ca.crt
cert /tmp/flash/openvpn/box.crt
key /tmp/flash/openvpn/box.key
dh /tmp/flash/openvpn/dh.pem
dev tun
#user nobody
chroot /tmp/flash/openvpn
#group nobody
ifconfig-pool-persist /tmp/flash/openvpn/ipp.txt
client-config-dir ccd
topology subnet
push "dhcp-option DOMAIN domain.lan"
push "dhcp-option DNS 10.36.98.1"
server 192.168.200.0 255.255.255.0
#push "route 10.36.98.0 255.255.255.0"
route 10.36.92.0 255.255.255.0 192.168.200.2
route 10.36.96.0 255.255.255.0 192.168.200.5
verb 3
persist-key
persist-tun
#status /var/log/openvpn.log
 

eibgrad

Very Senior Member
Given you're working w/ unknown firmware (at least to me), it's difficult to provide specific advice. Despite that, what I can say is that I know of three things that need to be considered when dealing w/ local name resolution across a site-to-site VPN.

1) You need server directives in DNSMasq that point to the other device's IP for those same domains (which you seem to have done already).

Code:
server=/remote1.lan/10.36.92.1

2) DNSMasq on each side of the tunnel must be listening to its respective tunnel network interface. IOW, if the tunnel is named tun11 on the client, DNSMasq would need a directive like the following.

Code:
interface=tun11

Same thing on the server side (which probably uses a different network interface name).

3) If you have DNS rebind protection enabled, you either need to disable it, or better yet, make an exception for those local domains in DNSMasq.

Code:
rebind-domain-ok=remote1.lan

With these things in place, it should be working.
 
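The three conditions in the reply above can be checked mechanically against a dnsmasq configuration before touching the router. The script below is an added example written for this thread, not code from the forum, from asuswrt or from the Fritz box firmware. It parses the dnsmasq directives that control forwarding (server=), listening (interface=, listen-address=, except-interface=) and rebind protection (stop-dns-rebind, rebind-domain-ok=) and reports which of the three conditions fail for a given remote domain. The two embedded configuration files are constructed for the example: the interface name tun11, the remote resolver 10.36.92.1 and the tunnel address 192.168.200.8 come from the thread, while br0 as the asuswrt LAN bridge and the other lines are assumptions about a typical asuswrt dnsmasq.conf.

```python
#!/usr/bin/env python3
"""Check a dnsmasq config for the three things needed to resolve names of a
LAN on the far side of a site-to-site OpenVPN tunnel:
  1. a forwarder for the remote domain (server=/domain/ip),
  2. dnsmasq actually listening on the tunnel interface,
  3. a rebind exception when stop-dns-rebind is on and the remote LAN is private.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch
import ipaddress


@dataclass
class DnsmasqConf:
    servers: dict = field(default_factory=dict)   # domain -> [upstream, ...]; "" = default upstreams
    interfaces: set = field(default_factory=set)
    except_interfaces: set = field(default_factory=set)
    listen_addresses: set = field(default_factory=set)
    rebind_ok: set = field(default_factory=set)
    stop_dns_rebind: bool = False


def _slash_list(value):
    """'/a.lan/b.lan/' or 'a.lan' -> ['a.lan', 'b.lan'] (dnsmasq accepts both forms)."""
    return [p.lower() for p in value.strip("/").split("/") if p]


def parse_dnsmasq(text):
    """Parse only the directives this check needs; everything else is ignored."""
    conf = DnsmasqConf()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "server" and value.startswith("/"):
            # server=/d1/d2/upstream ; an empty or '#' upstream means "never forward"
            *domains, upstream = value[1:].split("/")
            for d in domains:
                conf.servers.setdefault(d.lower(), []).append(upstream)
        elif key == "server":
            conf.servers.setdefault("", []).append(value)
        elif key == "interface":
            conf.interfaces.add(value)
        elif key == "except-interface":
            conf.except_interfaces.add(value)
        elif key == "listen-address":
            conf.listen_addresses.update(a.strip() for a in value.split(","))
        elif key == "rebind-domain-ok":
            conf.rebind_ok.update(_slash_list(value))
        elif key == "stop-dns-rebind":
            conf.stop_dns_rebind = True
    return conf


def listens_on(conf, ifname, tunnel_ip):
    """dnsmasq's rule: with no interface=/listen-address= it listens everywhere; otherwise
    only on the named interfaces (trailing '*' glob allowed) and addresses, minus except-interface."""
    if any(fnmatch(ifname, pat) for pat in conf.except_interfaces):
        return False
    if not conf.interfaces and not conf.listen_addresses:
        return True
    return any(fnmatch(ifname, pat) for pat in conf.interfaces) or tunnel_ip in conf.listen_addresses


def check_remote_domain(conf, domain, remote_dns, tunnel_if, tunnel_ip):
    """Return a list of problems; an empty list means all three conditions hold."""
    problems = []
    domain = domain.lower()
    upstreams = [u for u in conf.servers.get(domain, []) if u and u != "#"]
    if remote_dns not in upstreams:
        problems.append(f"forwarder: missing server=/{domain}/{remote_dns}")
    if not listens_on(conf, tunnel_if, tunnel_ip):
        problems.append(f"listen: add interface={tunnel_if}, queries arriving over the tunnel are not served")
    # Assumption: the remote LAN sits in the same private range as its resolver, so its
    # answers are the kind stop-dns-rebind discards unless the domain is whitelisted.
    if conf.stop_dns_rebind and ipaddress.ip_address(remote_dns).is_private:
        if not any(domain == ok or domain.endswith("." + ok) for ok in conf.rebind_ok):
            problems.append(f"rebind: stop-dns-rebind drops private answers; add rebind-domain-ok=/{domain}/")
    return problems


# Constructed sample: an asuswrt-style dnsmasq.conf with only the forwarder added (LAN bridge br0 assumed)
BEFORE = """\
pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
no-resolv
domain=domain.lan
expand-hosts
stop-dns-rebind
rebind-localhost-ok
server=/remote1.lan/10.36.92.1
"""

# Constructed sample: the same file with the two extra directives from the reply above
AFTER = BEFORE + "interface=tun11\nrebind-domain-ok=/remote1.lan/\n"

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        found = check_remote_domain(parse_dnsmasq(cfg), "remote1.lan", "10.36.92.1", "tun11", "192.168.200.8")
        print(f"{name}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Run it as-is to see the "before" file fail on the listen and rebind conditions and the "after" file pass. To check a real router, feed it the contents of the running dnsmasq.conf (on asuswrt the generated file is in /etc); note that the script does not follow conf-dir or conf-file includes, and that a directive can also be confirmed at runtime by inspecting which addresses the dnsmasq process has bound to port 53.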
