DOMAIN-SEARCH does not work with eduVPN app, but does with OpenVPN

[ghost]

Seems DOMAIN does work with eduVPN client, but DOMAIN-SEARCH not.

[ghost]

push "explicit-exit-notify 1"
push "route 195.30.8.34 255.255.255.255"
push "route-ipv6 2001:608:0:1007::1:34/128"
push "route-ipv6 2001:608:0:1007::34/128"
push "route 9.9.9.9 255.255.255.255"
push "route-ipv6 2620:fe::fe/128"
push "dhcp-option DNS 9.9.9.9"
push "dhcp-option DNS 2620:fe::fe"
push "dhcp-option DOMAIN-SEARCH tuxed.net"

[ghost]

You can test this yourself with "Split Tunnel (v6.de only)" profile on vpn.tuxed.net.

[ghost]

The screenshot is not accurate, it is an old one. The ping idp DOES work when using OpenVPN community client, but does NOT work with eduVPN client.

(Previously I forgot to add routes sending also the traffic to DNS servers over the VPN, without doing that it didn't work in OpenVPN and eduVPN). When also sending traffic to DNS servers over VPN it starts working with OpenVPN community, but still not with eduVPN.

Perhaps the wintun driver lacks the option to specify search domains?

Also it seems that OpenVPN+tap also sets the connection specific domain when there is no connection specific domain specified, i.e. using the DOMAIN push option in addition to setting the search domains. This is weird! Not sure why it does that!

[ghost]

OpenVPN manpage:

              DOMAIN name
                     Set Connection-specific DNS Suffix to name.

              DOMAIN-SEARCH name
                     Add name to the domain search list.  Repeat this option to add more entries. Up to 10 domains are supported.

[rozmansi]

When using TAP-Windows6 driver, the DOMAIN-SEARCH is added to the DHCP server message. This makes Windows DHCP Client service maintain the per-adapter domain search list.

However, when using Wintun driver, there is no DHCP, and OpenVPN does not implement any DOMAIN-SEARCH support outside the DHCP case yet. eduVPN client switched to Wintun which explains your different experience between stock OpenVPN GUI defaulting to TAP-Windows6 and the eduVPN client.

A DOMAIN-SEARCH implementation for non-DHCP case is not that straightforward: Windows 10 1809 introduced an API to set the per-adapter domain seach list. With older Windows the only reliable way to programatically achieve this is to use registry and adapter connection suffix. In other words: DOMAIN. Which allows using only one "domain search" name.

Can you test the DOMAIN option and we ensure it works with eduVPN client first?

Related to: #110 Reference: https://community.openvpn.net/openvpn/ticket/1209

[ghost]

Can you test the DOMAIN option and we ensure it works with eduVPN client first?

The OP mentions explicitly that this works. Or do you mean something else?

[rozmansi]

The OP mentions explicitly that this works. Or do you mean something else?

Oh, missed that. My bad, and it is explained in the first words of the first line of this issue?!

[ghost]

So, what you would like to see tested is this:

push "explicit-exit-notify 1"
push "route 195.30.8.34 255.255.255.255"
push "route-ipv6 2001:608:0:1007::1:34/128"
push "route-ipv6 2001:608:0:1007::34/128"
push "route 9.9.9.9 255.255.255.255"
push "route-ipv6 2620:fe::fe/128"
push "dhcp-option DNS 9.9.9.9"
push "dhcp-option DNS 2620:fe::fe"
push "dhcp-option DOMAIN tuxed.net"

Right?

[rozmansi]

Right.

Furthermore, I was hoping that OpenVPN 2.x would support the DOMAIN-SEARCH for non-DHCP use case upstream in due time. However, the ticket for this is now 3 years old. Maybe, eduVPN client should add support for this in our branch - I would prefer doing this a lot more than going back to TAP-Windows6.

[ghost]

Could the fix be this: https://github.com/eduvpn/vpn-server-node/blob/v2/src/OpenVpn.php#L387 (see the comment) where we would push multiple times DOMAIN or is this broken now on OpenVPN that supports DOMAIN-SEARCH?

[rozmansi]

The _WIN32 OpenVPN supports only one DOMAIN option: when multiple provided, the last one overwrites the one and only tuntap_options->domain member. This is correctly explained in the comment on the link to OpenVpn.php you provided. The Windows itself can set only one adapter domain suffix. Which also serves as the domain search suffix. Windows 10 1809 and later can set more per-adapter domain search suffixes.

Mind that the DOMAIN and DOMAIN-SEARCH behaviour on Windows differ a lot whether TAP-Windows6 or Wintun is used.

1. The TAP-Windows6 mimics DHCP server to push adapter domain suffix and domain search suffixes. So, one DOMAIN and up to 10 DOMAIN-SEARCH options work. The Microsoft's DHCP Client service configures the adapter.

2. The Wintun has no DHCP (it's a TUN == L3 adapter, DHCP happens on L2). Hence, the adapter IP address, subnet mask, DNS servers, domain suffix and domain search suffixes must be configured by other means. Some of those settings may be configured via netsh.exe, some via iphlpapi, some using wmic... Configuring DOMAIN-SEARCH is not implemented in OpenVPN source code on none of those paths. Yet.