kylemanna / docker-openvpn

🔒 OpenVPN server in a Docker container complete with an EasyRSA PKI CA
https://hub.docker.com/r/kylemanna/openvpn/
MIT License
8.75k stars 2.39k forks

Unable to access local domains (private DNS) and public domains using same set of options #532

Open francium opened 4 years ago

francium commented 4 years ago

I've got a private DNS server that is used to look up local domains such as kitchen-computer.localdomain. I've been trying to set up this container so that I can access kitchen-computer.localdomain and google.com while connected to the VPN from outside my network.

So far, all combinations of options I've tried are only able to do either (one or the other, NOT both):

  1. Access public domains (the VPN client's requests get forwarded through the VPN server to public domains, and public websites see the VPN's IP, not the client's)
    • Note that here I CAN access local devices, such as kitchen-computer.localdomain, but ONLY by their private IPs -- 192.123.4.56 -- which isn't ideal in my case because I want to be able to access things by domain name for an internal nginx reverse proxy to work correctly
  2. Access private devices using the local domain, kitchen-computer.localdomain, but NO access to any public domains (I can't connect to google.com)

In case 1., I've used nothing but the steps provided in the README's quickstart section. In case 2., I've used the same steps with a modification of how I run the openvpn server process (I've added a --network host to be able to access private domains).

Ideally I would like to be able to access both internal domains and external domains; is it possible to do this?

nmccready commented 4 years ago

It would be great to get an update on this.

francium commented 4 years ago

@nmccready I made a bit of progress on this since posting this issue.

It appears that the issue is with the DNS, either on the client device connecting to the openvpn server, the DNS server itself that I'm running, or the config I'm using to spin up this container (possibly some combination of these things).

I thought it might have to do with some iptables rules that need to be manually configured, but I don't believe that is the case. My notes are a bit of a mess, but I'll dive into this stuff soon and see if I can make any more progress with this.

If I remember correctly, I used this to spin up the container:

```shell
# Name of the Docker volume holding the OpenVPN config and PKI
# (the README's quickstart uses this value; it must be set before the steps below)
OVPN_DATA="ovpn-data-example"

# Prefix the commands with sudo if your user is not in the docker group.

# Create the data volume
docker volume create --name $OVPN_DATA

# Generate the server config; YOUR_DOMAIN_OR_PUBLIC_IP is the address clients connect to
docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm kylemanna/openvpn ovpn_genconfig -u udp://YOUR_DOMAIN_OR_PUBLIC_IP

# Initialise the EasyRSA PKI (interactive: prompts for the CA passphrase)
docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it kylemanna/openvpn ovpn_initpki

# Start the server; NET_ADMIN is needed for the tun device and the iptables rules
docker run -v $OVPN_DATA:/etc/openvpn -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn

# Issue a client certificate without a passphrase, then export the client profile
docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass
docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
```

Then I connected to the VPN using a laptop and, once connected, I used `dig <private domain or public domain> @<my dns server's ip>` (or maybe I also used nslookup as well, don't remember) to see if I could resolve domains (see NOTE-1 below). I believe I was able to resolve the domains, which suggested that the issue is with the DNS config somewhere (host, dns server, vpn client, vpn server; not sure).

NOTE-1: I do however recall running into issues hitting the DNS when it was running as another container on the same host, but that issue went away when I ran a DNS server baremetal on the host instead of in a container on the host.

nmccready commented 4 years ago

> NOTE-1: I do however recall running into issues hitting the DNS when it was running as another container on the same host, but that issue went away when I ran a DNS server baremetal on the host instead of in a container on the host.

Sounds like an internal DNS needs to be set, or allowed to be set, within the container itself. I did see that the container was hardcoded to google's name servers. Also I see that this fork's primary reason for existence was to get rid of exactly that; it looks to be more secure and maybe more flexible.

https://github.com/kylemanna/docker-openvpn/compare/master...chadoe:master

nmccready commented 4 years ago

Actually it looks like both support overriding the DNS via setting $OVPN_DNS.

nmccready commented 4 years ago

Honestly, ethernet bridging seems to look more like what I need.

https://openvpn.net/community-resources/ethernet-bridging/

nmccready commented 4 years ago

It might be easier to do the bridging from the docker side to the private eth1 network.

https://docs.docker.com/network/bridge/

carlonluca commented 4 years ago

I am in a similar situation. I need to connect to my VPN and use a DNS server running on the host where docker-openvpn is running, where some local names are defined. I solved it by using host network mode as you did and pushing the DNS from the openvpn configuration using the IP in the VPN space. For example:

```
[...]
# VPN address pool; the server itself takes 192.168.255.1
server 192.168.255.0 255.255.255.0
# Resolver pushed to clients: the server's own address inside the VPN subnet
push "dhcp-option DNS 192.168.255.1"
# Only the LAN subnet is routed through the tunnel; everything else keeps the client's default route
push "route 192.168.0.0 255.255.255.0"
# Let VPN clients reach each other
client-to-client
```

With this configuration I set the clients to route only addresses in that subnet to the VPN. I tested this on Linux, Android and Mac OS.
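The configuration above works because the pushed resolver address sits inside the VPN subnet, so client queries have a route to it; in the "one or the other" cases earlier in the thread the resolver is typically reachable only on the LAN or only on the Internet. The following script is an added example, not code from docker-openvpn or from anyone in this thread. It parses the `server`, `push "dhcp-option DNS"`, `push "route"` and `push "redirect-gateway"` directives from a server config and classifies each pushed DNS address by whether the tunnel gives clients a path to it. The function names and all sample configs are constructed for illustration.

```python
"""Classify the DNS resolver(s) an OpenVPN server pushes to clients by
whether the pushed routes give clients a path to them through the tunnel.

Added example; not part of docker-openvpn. Sample configs below are constructed.
"""
import ipaddress
import re
import shlex


def parse_server_config(text):
    """Return (vpn_subnet, pushed_routes, pushed_dns) from an OpenVPN server config."""
    vpn_subnet = None
    routes = []
    dns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment lines
            continue
        parts = shlex.split(line)  # keeps the quoted push payload as one token
        if parts[0] == "server" and len(parts) >= 3:
            vpn_subnet = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        elif parts[0] == "push" and len(parts) >= 2:
            inner = parts[1].split()
            if inner[:1] == ["route"] and len(inner) >= 3:
                routes.append(ipaddress.ip_network(f"{inner[1]}/{inner[2]}", strict=False))
            elif inner[:2] == ["dhcp-option", "DNS"] and len(inner) >= 3:
                dns.append(ipaddress.ip_address(inner[2]))
    return vpn_subnet, routes, dns


def check_dns_reachability(text):
    """Map each pushed DNS address (as a string) to how clients reach it:
    'vpn-subnet'         - inside the tunnel's own address pool (as in the post above)
    'route:<network>'    - covered by a pushed route to the LAN
    'redirect-gateway'   - all client traffic is sent through the tunnel anyway
    'unreachable'        - none of the above: queries leave via the client's own
                           default route and never hit the intended resolver
    """
    subnet, routes, dns = parse_server_config(text)
    redirect_all = bool(re.search(r'^\s*push\s+"?redirect-gateway', text, re.M))
    result = {}
    for addr in dns:
        if subnet is not None and addr in subnet:
            result[str(addr)] = "vpn-subnet"
            continue
        hit = next((net for net in routes if addr in net), None)
        if hit is not None:
            result[str(addr)] = f"route:{hit}"
        elif redirect_all:
            result[str(addr)] = "redirect-gateway"
        else:
            result[str(addr)] = "unreachable"
    return result


# Constructed sample: the layout from the post above (resolver in the VPN pool).
VPN_POOL_CONFIG = """
server 192.168.255.0 255.255.255.0
push "dhcp-option DNS 192.168.255.1"
push "route 192.168.0.0 255.255.255.0"
client-to-client
"""

# Constructed sample: resolver on the LAN, and the LAN subnet is pushed as a route.
LAN_ROUTE_CONFIG = """
server 192.168.255.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.53"
"""

# Constructed sample: resolver on a LAN subnet that is NOT routed through the tunnel.
UNREACHABLE_CONFIG = """
server 192.168.255.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.53"
"""

# Constructed sample: full-tunnel client with a public resolver (the quickstart-style case
# where public names work but LAN names do not, because the resolver knows nothing of them).
REDIRECT_CONFIG = """
server 192.168.255.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
"""

if __name__ == "__main__":
    for name, cfg in [("vpn-pool", VPN_POOL_CONFIG), ("lan-route", LAN_ROUTE_CONFIG),
                      ("unreachable", UNREACHABLE_CONFIG), ("redirect", REDIRECT_CONFIG)]:
        print(name, check_dns_reachability(cfg))
```

Reachability through the tunnel is necessary but not sufficient: a resolver that is reachable must also answer queries from the VPN subnet and forward public names upstream, and a resolver running in another container on the same host needs the container-to-container plumbing that this offline check cannot see (the bare-metal-versus-container difference noted earlier in the thread).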

SergeiCherevko commented 2 years ago

I have the same problem, using a dockerized bind DNS for the local zone and the external internet (forwarders 8.8.8.8, 1.1.1.1).

I have a host on which I start two containers (bind + openvpn); I don't use "network host" in docker compose. After connecting to the openvpn server I can't resolve anything at all. If I add `iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE` to the entrypoint, I can resolve internal domains, but not external ones (google.com).

Does anybody know how to resolve this problem?