
I got my OpenVPN server running by using this script: https://github.com/angristan/openvpn-install

I can connect to the VPN network, ping local and external IP addresses, and access the HTTP server (using both the local and the external IP).

DNS is not working on clients: when I try pinging google.com or any other domain, it displays an IP resolve error. When I try nslookup on any domain, it retries a few times and returns a DNS timeout.

  • My external IP: 147.135.XXX.XXX
  • My VPN network: 10.8.0.0/24
  • My internal IP: 10.8.0.1

I tried:

  • Default and non default VPN server port
  • TCP and UDP
  • AdGuard, Google, and a locally hosted DNS server (on the VPN)
  • Opening port 53 UDP on VPN server

None worked so far.

Then I disabled the OVH firewall. After that, DNS started working on the VPN clients.

So, how should I configure the OVH firewall? I don't want to disable it completely, because I'm hosting many other things on that server.

I know that rules are applied from the lowest priority to the highest. So if rule 0 is matched, then rules 1-19 are not executed.

My current configuration: Click here for screenshot

Hidden ports are set up exactly like 80 and 443. Established TCP connections are accepted, connections on specific ports are accepted, and TCP/UDP on 1194 is also accepted.

Thanks for the help. Also, please post a comment if I missed something.

Balonowy
  • Have you tried creating a rule to allow DNS queries to pass through? I.e. allow UDP from your clients to the outside with the target port set to 53. – NaeiKinDus Aug 17 '20 at 15:43
  • @NaeiKinDus Thanks for the comment. I opened port 53 UDP on the VPN server and this didn't fix the problem. New rule: _[Protocol: UDP, Source IP: Any, Source port: Any, Target port: 53]_. – Balonowy Aug 18 '20 at 16:08

1 Answer


Maybe this is a bit late, but I'll answer. For my OpenVPN server to forward properly I had to open UDP SOURCE port 53.

So, the rule is not:

  • [Protocol: UDP, Source IP: Any, Source port: Any, Target port: 53],

but:

  • [Protocol: UDP, Source IP: Any, Source port: 53, Target port: any].

Michaelsoft
  • I am not familiar with the OVH firewall, but by the looks of it, it probably needs a _pair_ of rules: one to allow the local machine to query any remote DNS server ("allow remote UDP port 53") and one more for the replies to pass through the firewall ("allow return UDP packets _from_ port 53"). In addition, one may want to do the same for _TCP_ port 53, since longer DNS queries may use the TCP protocol instead of UDP. – ジョージ Sep 30 '20 at 04:51
  • I'll keep that in mind if something does not work. – Michaelsoft Sep 30 '20 at 09:49
  • It started working after adding: [Protocol: UDP, Source IP: any, Source port: any, Target port: 53] [Protocol: UDP, Source IP: any, Source port: 53, Target port: any] [Protocol: TCP, Source IP: any, Source port: 53, Target port: any] – Balonowy Oct 01 '20 at 15:45
  • Anyway, I won't apply these rules to production, because I don't think that allowing TCP traffic to _any_ port is safe. Also, I updated my project to not use any DNS at all. – Balonowy Oct 01 '20 at 15:52
  • Very strange thing: I didn't need to open all TCP ports. I just made a private transparent VPN for myself on an OVH VPS and only opened UDP source port 53 to get forwarding working. The VPS is configured to forward properly. – Michaelsoft Oct 01 '20 at 20:53
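As an added illustration (not code from the question, the answer, or OVH), the following Python models the ordered, first-match rule list the question describes and checks a resolver's DNS reply against the rule from the question and the rule from the answer. It assumes the hosting firewall judges only packets addressed to the VPS and drops anything unmatched; the addresses and port numbers are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of an ordered rule list: rules are checked from the
# lowest priority number upward and the first match decides (as the
# question states). Anything unmatched is dropped (assumption).
@dataclass(frozen=True)
class Rule:
    proto: str                  # "tcp" or "udp"
    src_port: Optional[int]     # None means "any"
    dst_port: Optional[int]     # None means "any"
    action: str = "accept"

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    src_port: int
    dst: str
    dst_port: int

def evaluate(rules, pkt):
    """Return the action of the first matching rule, or 'drop' if none matches."""
    for r in rules:
        if (r.proto == pkt.proto
                and (r.src_port is None or r.src_port == pkt.src_port)
                and (r.dst_port is None or r.dst_port == pkt.dst_port)):
            return r.action
    return "drop"

# Assumption: the filter sits in front of the VPS and only sees traffic
# *towards* it, so the only DNS packet it judges is the resolver's reply,
# which has source port 53 and an ephemeral destination port.
SERVER = "147.135.0.1"   # constructed stand-in for the masked 147.135.XXX.XXX
RESOLVER = "8.8.8.8"     # constructed: any public resolver

dns_reply = Packet("udp", RESOLVER, 53, SERVER, 41234)

# The rule from the question: matches only packets *addressed to* port 53.
rules_target_53 = [Rule("udp", None, 53)]
# The rule from the answer: matches packets *coming from* port 53.
rules_source_53 = [Rule("udp", 53, None)]

def verdicts():
    """Verdict on the DNS reply under each rule set: (question's rule, answer's rule)."""
    return (evaluate(rules_target_53, dns_reply), evaluate(rules_source_53, dns_reply))

if __name__ == "__main__":
    print(verdicts())  # ('drop', 'accept')
```

The same stateless matching is why the thread's pairing of "to port 53" and "from port 53" rules is needed once a locally hosted resolver must also receive queries.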