I have been trying to find a solution to this problem, but have found no answer so far, so I hope you guys can help me out.
I have a server running Ubuntu 10.04, which has a static IP address and a URL pointing to it, say server.foo.com.
On this server I got an OpenVPN server running with the following configuration:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option DOMAIN foo.com"
keepalive 10 120
tls-auth ta.key 0
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 1
plugin /usr/lib/openvpn/openvpn-auth-pam.so vpnlogin
Clients are configured as follows:
client
dev tun
proto udp
remote server.foo.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
ca ca.crt
cert server.crt
key server.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 1
auth-nocache
As you can see in the server configuration, I got a DNS server running on it as well. This server is a dnsmasq server, with the following configuration in /etc/dnsmasq.conf:
interface=tun0
listen-address=127.0.0.1
dhcp-authoritative
cache-size=0
no-negcache
In /etc/dnsmasq.d/ there are files that route URLs back to this server, which should be pushed to VPN clients. The most important of those contains:
address=/server.foo.com/10.8.0.1
Note that this URL is exactly the same as my public URL. I have also created other DNS entries to test, for example address=/server2.foo.com/10.8.0.1.
Now I've got an HTTP service running on this server, and I only want to allow users from within my LAN as well as OpenVPN clients to reach it. I have blocked all incoming traffic in ufw, with the exceptions being:
To         Action  From
1194       ALLOW   Anywhere
53         ALLOW   10.8.0.0/24
80/tcp     ALLOW   10.8.0.0/24
80/tcp     ALLOW   192.168.0.0/24
Now to finally come to my problem. When an OpenVPN client connects, the DNS entries from dnsmasq should get pushed to the clients, which they do.
However, the entry server.foo.com apparently gets ignored, perhaps in favour of a public DNS. When I type server.foo.com in Firefox or Chrome while being outside my LAN but connected to the VPN, I get a timeout. 10.8.0.1 and other entries such as server2.foo.com all work.
A traceroute in Windows 7 32-bit shows that for example server2.foo.com gets sent in one jump to 10.8.0.1, but server.foo.com goes through a public DNS server and tries to connect to my public static IP, which is blocked, thus giving a timeout.
I have so far tried a number of things, yet it still doesn't work:
- Setting the DNS server authoritative (as seen in the above dnsmasq.conf: dhcp-authoritative).
- push "dhcp-option DOMAIN foo.com" in the server.conf for OpenVPN.
Sorry for such a long post for what is perhaps a quite short question, and I hope someone can help me.
Best regards,
Mike.