Iptables – OpenVPN DNS resolution not working


I'm currently trying to get a simple OpenVPN setup working and I'm almost there, except for a DNS (or routing) issue I seem to be having.

The client connects to the server just fine, and I can ping both the server (10.8.0.1) and internet IPs (8.8.8.8). The issue comes when I try to resolve any domain names. Here's what happens when the VPN connection is up:

[test@localhost etc]$ dig www.google.ca

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> www.google.ca
;; global options: +cmd
;; connection timed out; no servers could be reached
[test@localhost etc]$ dig @<client network DNS server> www.google.ca

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> @<client network DNS server> www.google.ca
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
[test@localhost etc]$ dig @8.8.8.8 www.google.ca

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> @8.8.8.8 www.google.ca
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6453
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.google.ca.         IN  A

;; ANSWER SECTION:
www.google.ca.      299 IN  A   172.217.1.3

;; Query time: 32 msec
;; SERVER: 8.8.8.8

As far as I know, I'm pushing DNS to my client from my server:

push "redirect-gateway def1"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 8.8.8.8"

And I've also established routes to the client:

client-config-dir ccd
route <client subnet IP> 255.255.255.0

And in my client file:

iroute <client subnet IP> 255.255.255.0

My iptables rules on the server:

*nat
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s <client subnet IP>/24 -o tun0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT

COMMIT

I've enabled ip forwarding in sysctl. Not really sure where to look from here, so any insight would be greatly appreciated.

Best Answer

It seems you've resolved this problem. I'm just repeating it here for others. These options:

push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 8.8.8.8"

will not work on a Linux client without an appropriate --up script. So it's necessary to add

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

to the client settings. And I think the script in question is something like this one (UPD: on my Kubuntu, something similar was installed along with openvpn itself).
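For readers who want to see what such an up/down script actually has to do, here is an added example that is not the packaged update-resolv-conf script and not code from the question or the answer. It relies on OpenVPN's documented script environment: each pushed option arrives in a `foreign_option_N` variable (for example `foreign_option_1='dhcp-option DNS 8.8.4.4'`), and `script_type` is set to `up` or `down` when OpenVPN calls the script. `RESOLV_CONF` is an assumed override so the script can be exercised on a scratch file instead of `/etc/resolv.conf`. With `redirect-gateway def1` in effect, queries to the client's original, LAN-local resolver are routed into the tunnel and go unanswered (the symptom shown by the `dig` output above), which is why switching the resolver on `up` and restoring it on `down` matters.

```shell
#!/bin/sh
# Added example: minimal stand-in for an OpenVPN "up"/"down" resolver script.
# Assumes OpenVPN's environment: foreign_option_N (pushed options) and
# script_type ("up" or "down"). RESOLV_CONF is an assumed override for testing.

RESOLV_CONF=${RESOLV_CONF:-/etc/resolv.conf}

# Print one nameserver per line from the pushed "dhcp-option DNS <ip>" entries.
# Other dhcp-options (DOMAIN, WINS, ...) are skipped; the loop stops at the
# first unset foreign_option_N, which is how OpenVPN numbers them.
collect_dns() {
    i=1
    while true; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*) echo "${opt#dhcp-option DNS }" ;;
        esac
        i=$((i + 1))
    done
}

# Render resolv.conf content for the given nameservers.
render_resolv_conf() {
    printf '# generated by the OpenVPN up script\n'
    for ns in "$@"; do
        printf 'nameserver %s\n' "$ns"
    done
}

# "up": keep a copy of the current resolver config, then point the system
# at the servers the VPN server pushed (which are reachable through the tunnel).
apply_up() {
    servers=$(collect_dns)
    if [ -z "$servers" ]; then
        echo "no DNS pushed; leaving $RESOLV_CONF alone" >&2
        return 0
    fi
    backup="$RESOLV_CONF.openvpn-backup"
    [ -f "$backup" ] || cp "$RESOLV_CONF" "$backup" 2>/dev/null || :
    # $servers is deliberately unquoted so each line becomes one argument.
    render_resolv_conf $servers > "$RESOLV_CONF"
}

# "down": restore the original resolver config so the client is not left
# pointing at servers that were only reachable through the closed tunnel.
apply_down() {
    backup="$RESOLV_CONF.openvpn-backup"
    if [ -f "$backup" ]; then
        mv "$backup" "$RESOLV_CONF"
    fi
}

# Dispatch on how OpenVPN invoked us; does nothing when run by hand.
case "${script_type:-}" in
    up)   apply_up ;;
    down) apply_down ;;
esac
```

Install it as the `up`/`down` target named in the client config (with `script-security 2`, as the answer says) and it will rewrite the resolver while the tunnel is up and put the original back when it goes down. The `down` restore is the part people forget: without it the client keeps querying tunnel-only resolvers after disconnecting and DNS breaks in the other direction.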
