OpenVPN tunnel won't return internet pages, but all internal DNS connections work
Posted: Mon Jul 19, 2021 4:21 pm
Ok, first, I'm VERY new to OpenWRT and the use of the The Wireless Haven routers. I'm not new to networking, Linux, Windows, Chrome OS, Android, and other platforms. I am well versed in Servers and currently use 3 Synology boxes (highly customized) and have started messing with a Pi 4 cluster using K8s.
However, until now, I've never needed an LTE capable router nor had a need to do this much customizing, so this side of things is very new to me.
So, basically, I will be using this router (WG3526) in my 5th wheel when we travel. The primary purpose was to VPN back to our home using OpenVPN (the OpenVPN is hosted on my router - another Synology product) so I have a secure connection to our home's resources, but also to use Hulu on the road (they won't allow one to use it away from your home area more than 4 times in a year).
So, I've set up OpenVPN on the router and it appears to run swimmingly. I set it up to be a full tunnel so ALL traffic goes through the VPN and Internet traffic is handled by my home router and our home DNS server. I have both the WG3526 router and my home router running separate subnets on their respective LANs. Everything on the internal LAN (home side) is completely functional and accessible from the LAN on the 3526, including browsing the servers by name instead of IP. This tells me that internally, the DNS names are resolving.
However, I can't seem to get any internet addresses to resolve. Primarily I'm using google.com to test.
When I disconnect the VPN on the 3526, internet addresses instantly become available...so it has something to do with the DNS between the VPN server (home router) and the VPN client on the 3526, I think. I just can't seem to figure it out.
Here's a copy of my OpenVPN config file....
dev tun
tls-client
remote host.mydomain.com 1194
# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)
#float
# If redirect-gateway is enabled, the client will redirect its
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)
redirect-gateway def1
# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.
dhcp-option DNS XX.XX.XX.1 -home DNS server
dhcp-option DNS X.X.X.2 -IP of LAN interface on 3526 router
pull
# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode ****I took proto udp6 out because my home IP scheme doesn't use IPv6****
script-security 2
reneg-sec 0
auth SHA512
cipher AES-256-CBC
auth-user-pass /etc/openvpn/HOME.auth
key-direction 1
comp-lzo
explicit-exit-notify
<ca>
client-cert-not-required
-----BEGIN CERTIFICATE-----
DELETED FOR SECURITY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
DELETED FOR SECURITY
-----END CERTIFICATE-----
</ca>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
DELETED FOR SECURITY
-----END OpenVPN Static key V1-----
</tls-auth>
And here are a couple of pics of the options I set in OpenVPN Extras - If anyone can spot my error, please let me know...I'm out of ideas even after googling and searching this forum. Thanks!
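The posted config invites a few mechanical checks before anyone starts guessing at the DNS path. The following Python linter is an added example, not code from the post, from OpenWrt or from the OpenVPN project: it splits a client config into top-level directives and inline <tag> blocks, then flags trailing text on dhcp-option lines (OpenVPN does not treat it as a comment), a bare directive sitting inside a <ca> block, and a dhcp-option DNS with no --up script (on Linux, OpenVPN only hands pushed DNS options to an --up script via environment variables; it never edits the resolver itself). The sample config is constructed from the post's own lines with its placeholders kept.

```python
import re
# Constructed sample modelled on the post's config; placeholders kept as posted.
SAMPLE_CONFIG = """\
tls-client
redirect-gateway def1
dhcp-option DNS XX.XX.XX.1 -home DNS server
dhcp-option DNS X.X.X.2 -IP of LAN interface on 3526 router
pull
script-security 2
<ca>
client-cert-not-required
-----BEGIN CERTIFICATE-----
DELETED FOR SECURITY
-----END CERTIFICATE-----
</ca>
"""

# Heuristic: a bare lowercase word (no digits, no uppercase) inside an inline block
# looks like a directive; PEM base64 and hex key lines contain digits or uppercase.
DIRECTIVE_LIKE = re.compile(r"[a-z][a-z-]*")

def parse(text):
    """Return (directives as token lists, {tag: [lines]} for inline blocks)."""
    directives, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        m = re.fullmatch(r"<(/?)([a-z-]+)>", line)
        if m:  # opening <tag> or closing </tag> of an inline block
            current = None if m.group(1) else m.group(2)
            blocks.setdefault(m.group(2), [])
        elif current:
            blocks[current].append(line)
        else:
            directives.append(line.split())
    return directives, blocks

def lint(text):
    """Return human-readable findings for the mistakes visible in the post."""
    directives, blocks = parse(text)
    findings = []
    for d in directives:
        if d[0] == "dhcp-option" and len(d) > 3:  # e.g. "... X.X.X.2 -IP of LAN ..."
            findings.append(f"dhcp-option: trailing text {' '.join(d[3:])!r} is not a comment")
    for tag, lines in blocks.items():
        for line in lines:
            if DIRECTIVE_LIKE.fullmatch(line):
                findings.append(f"<{tag}>: {line!r} looks like a directive, not key/cert data")
    if any(d[0] == "dhcp-option" for d in directives) and not any(d[0] == "up" for d in directives):
        findings.append("dhcp-option DNS: on Linux the resolver is only updated by an --up script")
    return findings
```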