Closed ghost closed 2 years ago
push "explicit-exit-notify 1"
push "route 195.30.8.34 255.255.255.255"
push "route-ipv6 2001:608:0:1007::1:34/128"
push "route-ipv6 2001:608:0:1007::34/128"
push "route 9.9.9.9 255.255.255.255"
push "route-ipv6 2620:fe::fe/128"
push "dhcp-option DNS 9.9.9.9"
push "dhcp-option DNS 2620:fe::fe"
push "dhcp-option DOMAIN-SEARCH tuxed.net"
You can test this yourself with "Split Tunnel (v6.de only)" profile on vpn.tuxed.net.
The screenshot is not accurate, it is an old one. The ping idp
DOES work when using OpenVPN community client, but does NOT work with eduVPN client.
(Previously I forgot to add routes sending also the traffic to DNS servers over the VPN, without doing that it didn't work in OpenVPN and eduVPN). When also sending traffic to DNS servers over VPN it starts working with OpenVPN community, but still not with eduVPN.
Perhaps the wintun driver lacks the option to specify search domains?
Also it seems that OpenVPN+tap also sets the connection specific domain when there is no connection specific domain specified, i.e. using the DOMAIN
push option in addition to setting the search domains. This is weird! Not sure why it does that!
OpenVPN manpage:
DOMAIN name
Set Connection-specific DNS Suffix to name.
DOMAIN-SEARCH name
Add name to the domain search list. Repeat this option to add more entries. Up to 10 domains are supported.
When using TAP-Windows6 driver, the DOMAIN-SEARCH
is added to the DHCP server message. This makes Windows DHCP Client service maintain the per-adapter domain search list.
However, when using Wintun driver, there is no DHCP, and OpenVPN does not implement any DOMAIN-SEARCH
support outside the DHCP case yet. eduVPN client switched to Wintun which explains your different experience between stock OpenVPN GUI defaulting to TAP-Windows6 and the eduVPN client.
A DOMAIN-SEARCH
implementation for non-DHCP case is not that straightforward: Windows 10 1809 introduced an API to set the per-adapter domain seach list. With older Windows the only reliable way to programatically achieve this is to use registry and adapter connection suffix. In other words: DOMAIN
. Which allows using only one "domain search" name.
Can you test the DOMAIN
option and we ensure it works with eduVPN client first?
Related to: #110 Reference: https://community.openvpn.net/openvpn/ticket/1209
Can you test the DOMAIN option and we ensure it works with eduVPN client first?
The OP mentions explicitly that this works. Or do you mean something else?
The OP mentions explicitly that this works. Or do you mean something else?
Oh, missed that. My bad, and it is explained in the first words of the first line of this issue?!
So, what you would like to see tested is this:
push "explicit-exit-notify 1"
push "route 195.30.8.34 255.255.255.255"
push "route-ipv6 2001:608:0:1007::1:34/128"
push "route-ipv6 2001:608:0:1007::34/128"
push "route 9.9.9.9 255.255.255.255"
push "route-ipv6 2620:fe::fe/128"
push "dhcp-option DNS 9.9.9.9"
push "dhcp-option DNS 2620:fe::fe"
push "dhcp-option DOMAIN tuxed.net"
Right?
Right.
Furthermore, I was hoping that OpenVPN 2.x would support the DOMAIN-SEARCH for non-DHCP use case upstream in due time. However, the ticket for this is now 3 years old. Maybe, eduVPN client should add support for this in our branch - I would prefer doing this a lot more than going back to TAP-Windows6.
Could the fix be this: https://github.com/eduvpn/vpn-server-node/blob/v2/src/OpenVpn.php#L387 (see the comment) where we would push multiple times DOMAIN
or is this broken now on OpenVPN that supports DOMAIN-SEARCH
?
The _WIN32
OpenVPN supports only one DOMAIN
option: when multiple provided, the last one overwrites the one and only tuntap_options->domain
member. This is correctly explained in the comment on the link to OpenVpn.php you provided. The Windows itself can set only one adapter domain suffix. Which also serves as the domain search suffix. Windows 10 1809 and later can set more per-adapter domain search suffixes.
Mind that the DOMAIN
and DOMAIN-SEARCH
behaviour on Windows differ a lot whether TAP-Windows6 or Wintun is used.
The TAP-Windows6 mimics DHCP server to push adapter domain suffix and domain search suffixes. So, one DOMAIN
and up to 10 DOMAIN-SEARCH
options work. The Microsoft's DHCP Client service configures the adapter.
The Wintun has no DHCP (it's a TUN == L3 adapter, DHCP happens on L2). Hence, the adapter IP address, subnet mask, DNS servers, domain suffix and domain search suffixes must be configured by other means. Some of those settings may be configured via netsh.exe
, some via iphlpapi, some using wmic... Configuring DOMAIN-SEARCH
is not implemented in OpenVPN source code on none of those paths. Yet.
Seems DOMAIN does work with eduVPN client, but DOMAIN-SEARCH not.