Linux – nslookup over openvpn does not work, while other services are functional

Tags: domain-name-system, linux, networking, openvpn

I'm in a strange situation.

  • At work, I've set up OpenVPN + DNSMasq DNS server.
  • 10.0.0.100 is the internal IP of the VPN server.
  • 10.0.0.200 is the internal IP of the DNS server.

If I connect to the VPN server from an external network, it all works fine – I can ping and ssh into the local machines by their IP addresses.

However, for some reason, I cannot access the DNS service. I can ssh into 10.0.0.200. So I tried nslookup HOSTNAME 10.0.0.200, but I only get ;; connection timed out; no servers could be reached. This occurs both for internal and external domain names.

While OpenVPN is running, if I ssh into any of the machines in the local area network and run nslookup HOSTNAME 10.0.0.200, it works as intended. Moreover, I can even telnet to port 53 of the machine 10.0.0.200.

To debug the problem, I tried a few more things. I gave an external IP to the DNS server, 10.0.0.200, say, 1.2.3.4. In the external network, I can run nslookup HOSTNAME 1.2.3.4 and the command executes as expected – it resolves both internal and external domain names.

However, when I start the OpenVPN client on the client machine and run nslookup HOSTNAME 1.2.3.4, it did not execute, and gave the same connection timed out; error message.

traceroute to 1.2.3.4 (1.2.3.4), 30 hops max, 60 byte packets
 1  5.5.0.1 (5.5.0.1)  25.705 ms  25.714 ms  25.790 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * as7065.xe-1-0-6.ar1.pao1.us.nlayer.net (69.22.130.86)  25.742 ms
12  tengig4-3.cr1.lsatca11.sonic.net (69.12.211.6)  25.658 ms  33.069 ms  33.067 ms
13  po2.cr1.colaca01.sonic.net (70.36.205.65)  33.075 ms  33.009 ms  37.902 ms
14  gig1-1-1.gw.snfcca01.sonic.net (70.36.228.102)  40.420 ms  40.332 ms  40.364 ms
15  * * *
16 ...(and go on)

5.5.0.1 is the gateway of the virtual interface created by OpenVPN.

At that point, I also noticed that
Wed May 18 22:32:44 2011 /sbin/route add -net 1.2.3.4 netmask 255.255.255.255 gw 5.5.0.1 metric 101 was in the startup message of the OpenVPN client.

So, I suspect that routing DNS query traffic over OpenVPN is somehow causing the problem. However, I do not know

This is a lot of fragmented information, with a lot of more uncertainties. To summarize:

  • The problem: I cannot properly access the DNS server in the local network via VPN, even though everything else seems to work fine.
  • I suspect that routing DNS traffic via OpenVPN is a problem, but I am not sure, and I do not know the solution for it.

Best Answer

I believe the problem you have is with the DNSMasq config since you keep getting the ;; connection timed out; no servers could be reached error message.

I encountered the same problem while configuring my DD-WRT with OpenVPN and fixed it by adding:

interface=tun0

to my dnsmasq.conf (Services | Additional DNSMasq Options from DD-WRT HTTP interface) [1]

You can then push the proper DNS server to clients by adding the following:

push "dhcp-option DNS 10.x.x.x"

to the OpenVPN config [2], however this only works 'out of the box' on Windows [3]. On Ubuntu clients I just manually set my internal DNS server instead of writing scripts to parse the foreign_option_n parameter.

  1. http://www.dd-wrt.com/phpBB2/viewtopic.php?p=680573
  2. OpenVPN and DNS. How to?
  3. http://openvpn.net/archive/openvpn-users/2006-06/msg00097.html
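The accepted answer rests on two configuration facts: dnsmasq only answers on the interfaces it is told to listen on, and OpenVPN clients only use the internal resolver if the server pushes it and routes it through the tunnel. The following is an added example, not code from this thread or from the dnsmasq or OpenVPN projects: a small offline checker that parses a dnsmasq.conf and an OpenVPN server config and reports which of those conditions fail. The config texts are constructed; the interface name tun0, the tunnel address 10.8.0.1 and the 10.8.0.0/24 VPN pool are assumptions, and interface matching is by exact name (dnsmasq's interface wildcards are not modelled).

```python
"""Offline check: will dnsmasq answer DNS queries that arrive over an OpenVPN tun
interface, and does the OpenVPN server push a resolver the clients can route to?
Added example for this thread; all configs below are constructed, and the
interface/IP values are assumptions rather than values from the original post.
"""
import ipaddress
import re

# Constructed dnsmasq.conf in the style of a router that only binds its LAN bridge:
# queries arriving on tun0 are dropped, which produces nslookup's
# ";; connection timed out; no servers could be reached".
DNSMASQ_BEFORE = """
domain-needed
bogus-priv
# LAN bridge only
interface=br0
dhcp-range=10.0.0.50,10.0.0.99,12h
"""

# Same file with the fix from the accepted answer: also listen on the VPN interface.
DNSMASQ_AFTER = DNSMASQ_BEFORE + "interface=tun0\n"

# Constructed OpenVPN server config: assumed 10.8.0.0/24 pool, a pushed route to the
# office LAN, and the internal resolver (10.0.0.200 from the question) pushed to clients.
OPENVPN_SERVER = """
dev tun
server 10.8.0.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
push "dhcp-option DNS 10.0.0.200"
"""

# Same server config without the LAN route: the resolver is pushed but unreachable.
OPENVPN_NO_ROUTE = """
dev tun
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 10.0.0.200"
"""


def _strip(line):
    """Drop '#' comments, leading ';' comments (OpenVPN style) and whitespace."""
    line = line.split("#", 1)[0].strip()
    return "" if line.startswith(";") else line


def parse_dnsmasq(text):
    """Collect the dnsmasq directives that decide which interfaces/addresses get served."""
    cfg = {"interface": set(), "listen-address": set(), "except-interface": set()}
    for raw in text.splitlines():
        line = _strip(raw)
        if not line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in cfg:
            # dnsmasq accepts comma-separated lists for these options
            cfg[key].update(v.strip() for v in value.split(",") if v.strip())
    return cfg


def dnsmasq_serves(cfg, iface, iface_ip):
    """True if dnsmasq will accept queries arriving on `iface` addressed to `iface_ip`.

    Documented dnsmasq behaviour, exact-name matching only: with neither interface=
    nor listen-address= set it listens everywhere; otherwise only on the named
    interfaces and addresses; except-interface always excludes.
    """
    if iface in cfg["except-interface"]:
        return False
    if not cfg["interface"] and not cfg["listen-address"]:
        return True
    return iface in cfg["interface"] or iface_ip in cfg["listen-address"]


_PUSH = re.compile(r'^push\s+"([^"]*)"$')


def parse_openvpn_server(text):
    """Return (networks reachable through the tunnel, pushed resolver addresses)."""
    nets, dns = [], []
    for raw in text.splitlines():
        line = _strip(raw)
        words = line.split()
        if len(words) == 3 and words[0] == "server":
            nets.append(ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False))
        m = _PUSH.match(line)
        if not m:
            continue
        opt = m.group(1).split()
        if len(opt) == 3 and opt[0] == "route":
            nets.append(ipaddress.ip_network(f"{opt[1]}/{opt[2]}", strict=False))
        elif len(opt) == 3 and opt[0] == "dhcp-option" and opt[1] == "DNS":
            dns.append(ipaddress.ip_address(opt[2]))
    return nets, dns


def diagnose(dnsmasq_text, openvpn_text, tun_iface, tun_ip):
    """Combine both checks into a list of findings an administrator can act on."""
    findings = []
    if not dnsmasq_serves(parse_dnsmasq(dnsmasq_text), tun_iface, tun_ip):
        findings.append(f"dnsmasq ignores queries arriving on {tun_iface}: add "
                        f"interface={tun_iface} (or listen-address={tun_ip}) to dnsmasq.conf")
    nets, dns = parse_openvpn_server(openvpn_text)
    if not dns:
        findings.append('no resolver pushed: add push "dhcp-option DNS <resolver ip>"')
    for ip in dns:
        if not any(ip in net for net in nets):
            findings.append(f"resolver {ip} lies outside the VPN pool and every pushed "
                            f"route, so clients cannot reach it through the tunnel")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", DNSMASQ_BEFORE), ("after", DNSMASQ_AFTER)):
        print(label, diagnose(cfg, OPENVPN_SERVER, "tun0", "10.8.0.1") or ["ok"])
```

The checker models the answer's fix exactly: with only `interface=br0` the before-config yields one finding, and adding `interface=tun0` clears it. The route check covers the question's other observation, that the resolver must be reachable via the tunnel; a pushed resolver outside both the pool and every pushed route is reported as unreachable.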