kylemanna / docker-openvpn

🔒 OpenVPN server in a Docker container complete with an EasyRSA PKI CA
https://hub.docker.com/r/kylemanna/openvpn/
MIT License
8.62k stars 2.37k forks

DNS resolution not working #695

Open jackmerrill opened 2 years ago

jackmerrill commented 2 years ago

Hi there! Sorry ahead of time for the long post.

I'm running the kylemanna/openvpn docker image and I'm having issues with DNS resolution.

My OpenVPN config looks like this:

server 192.168.255.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/domain.com.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/domain.com.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun

proto tcp
port 443
dev tun0
status /tmp/openvpn-status.log

user nobody
group nogroup
#comp-lzo no

### Route Configurations Below
route 192.168.254.0 255.255.255.0
### Public IP, hidden for privacy
route xxx.xxx.xxx.xxx 255.255.255.255 net_gateway

### Push Configurations Below
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
#push "comp-lzo no"

My current OpenVPN profile looks like this:

client
nobind
dev tun
remote-cert-tls server

remote domain.com 443 tcp

### Public IP, hidden for privacy
route xxx.xxx.xxx.xxx 255.255.255.255 net_gateway

<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>

To generate the OpenVPN config, I used this command, a part of the docker image:

docker run -v /root/openvpn:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -N -d -u tcp://domain.com

The docker container is running on a swarm manager (on a swarm network), but as a standalone container, and being routed to by Traefik and a dynamic file provider. (routes domain.com:443 to openvpn:443, doing this to keep 443 open for HTTPS connections)

Command used to make the Docker network (in case it's relevant): docker network create --attachable --subnet=10.1.0.0/24 -d overlay --gateway=10.1.0.1 web

I'm using port 443 to bypass most firewalls (ones that block 1194/etc)

On the Docker host, I'm using Ubuntu 20.04, UFW is disabled. I haven't done anything (that works) with iptables.

I've tried nearly every solution that I've found on the internet, but nothing has helped. I can provide anything that may be needed to help.

Thank you!

SIGSEGV111 commented 2 years ago

Hi,

I'm by no means an expert on this container image, but the first thing to check would be /etc/resolv.conf on your client, after it connected to the server. There you should see which DNS server your client is actually trying to use. Please note that some distributions meddle with this file regularly (symlink it, overwrite it, etc.).

Also, you seem to push public DNS servers to your clients. I'm not sure what you are trying to achieve with this. Your clients SHOULD have a working public DNS BEFORE they connect to your openvpn server. There should be no need for you to push anything to the clients.

Such a configuration only makes sense if you intend to push a private DNS server (possibly behind the VPN) to the client. If this is your intention, read on...

You should check that the VPN tunnel itself is working properly. Check that you can ping a host on the other side by IP (removing DNS from the equation). Preferably, see if you can ping your DNS server. Check the output of "ip route" on the client to see how the routing was set up by openvpn.

The third thing that comes to mind is that your DNS server might refuse to answer a client not on its own network. You might want to check the DNS server's logs (maybe you need to increase verbosity). Check if you are using the iptables MASQUERADE target on the openvpn server. Correctly used, MASQUERADE makes traffic from the client appear to other hosts as coming from the openvpn server itself. Depending on your network setup this might be necessary, or it might help attackers to circumvent firewall rules. Be sure to understand what it does (read the man page, consult examples on the internet).

Hope this helps!
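The two client-side checks in the reply above (what `/etc/resolv.conf` really contains, and how `ip route` routes the pushed DNS servers) can be automated. The script below is an added example, not part of the issue or of the docker-openvpn project; the `ip route` output and resolv.conf it parses are constructed to match the server config in the issue (no `redirect-gateway` pushed, so only the tunnel subnet and 192.168.254.0/24 go via tun0), and the 10.0.0.x addresses are assumed for the client's LAN.

```python
import ipaddress
import re

# Constructed `ip route show` output from a client connected to the server
# config in the issue: no redirect-gateway was pushed, so only the tunnel
# subnet and the pushed 192.168.254.0/24 route go via tun0 (LAN addresses assumed).
SAMPLE_IP_ROUTE = """\
default via 10.0.0.1 dev eth0 proto dhcp metric 100
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.23
192.168.254.0/24 via 192.168.255.5 dev tun0
192.168.255.0/24 via 192.168.255.5 dev tun0
192.168.255.5 dev tun0 proto kernel scope link src 192.168.255.6
"""
# Constructed /etc/resolv.conf as left by the client's own resolver manager.
SAMPLE_RESOLV_CONF = "# Generated by NetworkManager\nnameserver 10.0.0.1\nsearch lan\n"

def parse_ip_route(text):
    """Turn `ip route` lines into (destination network, egress device) pairs."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        dev = re.search(r"\bdev (\S+)", line)
        if not parts or not dev:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        routes.append((ipaddress.ip_network(dst, strict=False), dev.group(1)))
    return routes

def egress_device(ip, routes):
    """Longest-prefix match: the interface the kernel would send `ip` out of."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def nameservers(resolv_conf):
    """Resolver addresses the client is actually configured to use."""
    return [l.split()[1] for l in resolv_conf.splitlines()
            if l.startswith("nameserver") and len(l.split()) > 1]

def check_pushed_dns(pushed, ip_route_text, resolv_conf_text):
    """For each pushed DNS server: the device it is routed via, and whether the
    client adopted it in resolv.conf. A server that is routed via eth0 and was
    never adopted shows the push had no effect on this client."""
    routes = parse_ip_route(ip_route_text)
    adopted = nameservers(resolv_conf_text)
    return {ip: {"dev": egress_device(ip, routes), "adopted": ip in adopted}
            for ip in pushed}
```

On a real client, feed it the output of `ip route show` and the contents of `/etc/resolv.conf` after connecting, with the same three addresses the server pushes.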