So to the best of my understanding, I have all the pieces, namely dnsmasq and OpenVPN, working fine, although independently. What I've done:

  • Installed OpenVPN using this: https://github.com/Nyr/openvpn-install
    • After install, I'm able to connect clients (PC, phone), and it works. No issue.
  • I've installed dnsmasq and it also appears to be running and working as expected
    • I've blocked one or two sites, i.e. pointed them to 0.0.0.0 in the /etc/hosts file, and when I do nslookup thatdomain.com, I get the 0.0.0.0 response

This is currently my /etc/openvpn/server/server.conf

local 134.122.60.252
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify
duplicate-cn

And the only change I've made to the default /etc/dnsmasq.conf file is uncommenting and indicating the interface this line:

interface=tun0

Where I need help:

How to make OpenVPN use DNSmasq for all DNS requests. I just can't seem to find a definite answer on how to achieve that, which of the files to change, and what to add.

Am I missing any steps?

Edit: With the above conf, when I ssh into the openvpn server (the dnsmasq runs also on same server), and I do

nslookup google.com 10.8.0.1, it resolves correctly.

When I do nslookup blockthis.com 10.8.0.1, it resolves correctly to 0.0.0.0, as expected and as outlined in the /etc/hosts file.

The problem is, when I connect from a client to the OpenVPN server, somehow OpenVPN isn't handing over DNS resolution to dnsmasq, yet the line interface=tun0 is enabled in the dnsmasq config, and netstat -plunt indicates port 53 is up and running, listened on by dnsmasq.

    What are `94.140.14.14` and `94.140.15.15`? If you are running dnsmasq on the same host as the openvpn server, you should probably use `push "dhcp-option DNS 10.8.0.1"` instead. (It does not guarantee that all the clients can / will only use it as the DNS server though, for that you probably need some port-based traffic redirection.) – Tom Yan Sep 12 '21 at 05:44
  • The `94.140.14.14` is the DNS IP address for AdGuard. Yes, I'm running dnsmasq on the same host as the OpenVPN server. They're both on a single VPS. – KhoPhi Sep 12 '21 at 08:12
  • You should configure dnsmasq to use them as its upstream servers. – Tom Yan Sep 12 '21 at 09:04
  • @TomYan I think I have already. When I run `sudo service dnsmasq status`, I get one of the lines saying, `using nameserver 94.140.14.14`. Yet when I connect to the VPN, no request works, and DNS resolution doesn't work – KhoPhi Sep 12 '21 at 10:09
  • Then update your question, with the current configuration – djdomi Sep 12 '21 at 12:28
  • @djdomi Updated, only change being from the 94.140.14.14 to 10.8.0.1 in the openvpn server conf – KhoPhi Sep 12 '21 at 14:28
  • Since I don't know what kind of clients are used, please do a `nslookup google.com 10.8.0.1` to verify that the resolver is working. If not, go to the server and do `lsof -i :53` to verify it's listening on all devices. And please remove the incorrect server conf. Show only the current state, please. If you like you can also use `block-outside-dns` – djdomi Sep 12 '21 at 15:23
  • Not sure if there are specific type of clients, however in my case, it's a phone and laptop, running the openvpn client, connecting to the server using the .ovpn file. `lsof -i :53` shows nothing, but `netstat -plunt` shows port 53 is running listened by dnsmasq. When connected to vpn, `nslookup google.com 10.8.0.1` can't resolve. Same command on server resolves without issue. – KhoPhi Sep 12 '21 at 16:45

1 Answer

Okay, got it resolved. Needed to open the firewall.

ufw allow out on tun0

ufw allow in on tun0

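The answer above opens tun0 completely in both directions, which works but is broader than the resolver needs: every port on the VPS becomes reachable from any VPN client. The script below is an added example, not code from the original question, the answer, or the Nyr installer. It ties the pieces from the thread together: a dnsmasq drop-in that listens only on the VPN gateway address and uses the AdGuard resolvers from the comments as upstreams, ufw rules that allow DNS (UDP and TCP) from the VPN subnet to the gateway and nothing else, an optional iptables DNAT that catches clients which ignore the pushed `dhcp-option DNS` (the "port-based traffic redirection" Tom Yan mentions), and a listener check over `ss` output. Assumed values: subnet 10.8.0.0/24 and gateway 10.8.0.1 from server.conf, upstreams 94.140.14.14 and 94.140.15.15 from the comments, the drop-in path /etc/dnsmasq.d/openvpn.conf, ufw as the firewall, iptables available, and a dnsmasq new enough for `bind-dynamic`. Only `apply_all` changes the system; the `render_*` functions just print.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Nyr installer.
# Assumptions: VPN subnet 10.8.0.0/24, gateway 10.8.0.1 (from server.conf),
# upstreams 94.140.14.14 / 94.140.15.15 (from the comments), ufw, iptables,
# and a dnsmasq that supports bind-dynamic.  Only apply_all touches the system.

VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_GW="${VPN_GW:-10.8.0.1}"
UPSTREAM1="${UPSTREAM1:-94.140.14.14}"
UPSTREAM2="${UPSTREAM2:-94.140.15.15}"

# dnsmasq drop-in (assumed path /etc/dnsmasq.d/openvpn.conf).
# listen-address pins the resolver to the VPN gateway, so the VPS is not an
# open resolver on its public IP.  bind-dynamic lets dnsmasq start before tun0
# exists and pick the address up when OpenVPN brings the interface up
# (bind-interfaces would fail at boot).  no-resolv + server= keep upstream
# traffic off /etc/resolv.conf, which on Ubuntu often points at the
# systemd-resolved stub 127.0.0.53 and would loop back into port 53.
render_dnsmasq_conf() {
  cat <<EOF
interface=${VPN_IF}
listen-address=${VPN_GW}
bind-dynamic
no-resolv
server=${UPSTREAM1}
server=${UPSTREAM2}
EOF
}

# Firewall: DNS from the VPN subnet to the gateway only, UDP and TCP (answers
# that exceed the UDP size fall back to TCP).  Nothing else on tun0 is opened.
render_ufw_rules() {
  cat <<EOF
ufw allow in on ${VPN_IF} from ${VPN_NET} to ${VPN_GW} port 53 proto udp
ufw allow in on ${VPN_IF} from ${VPN_NET} to ${VPN_GW} port 53 proto tcp
EOF
}

# Optional: a pushed dhcp-option is only a suggestion.  A client with a
# hard-coded resolver bypasses the /etc/hosts blocklist unless plain DNS on
# tun0 is redirected to dnsmasq.  This does not catch DoH/DoT, which looks
# like ordinary HTTPS/TLS to the firewall.
render_dns_redirect() {
  cat <<EOF
iptables -t nat -A PREROUTING -i ${VPN_IF} -p udp --dport 53 -j DNAT --to-destination ${VPN_GW}:53
iptables -t nat -A PREROUTING -i ${VPN_IF} -p tcp --dport 53 -j DNAT --to-destination ${VPN_GW}:53
EOF
}

# The question's netstat check, against the output of "ss -Hlunp".  With
# bind-dynamic the socket shows the gateway address; a stock dnsmasq binds
# 0.0.0.0 and filters by interface, so both forms count as listening.
dns_listener_ok() {
  printf '%s\n' "$1" |
    grep -Eq "[[:space:]](${VPN_GW}|0\.0\.0\.0|\*):53[[:space:]].*dnsmasq"
}

# Constructed sample of "ss -Hlunp" output for the check above (not real data).
SAMPLE_SS='UNCONN 0 0 10.8.0.1:53 0.0.0.0:* users:(("dnsmasq",pid=812,fd=4))
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=401,fd=12))
UNCONN 0 0 134.122.60.252:1194 0.0.0.0:* users:(("openvpn",pid=900,fd=6))'

apply_all() {
  render_dnsmasq_conf > /etc/dnsmasq.d/openvpn.conf
  systemctl restart dnsmasq
  render_ufw_rules | sh
  render_dns_redirect | sh
  if dns_listener_ok "$(ss -Hlunp)"; then
    echo "dnsmasq is listening on ${VPN_GW}:53"
  else
    echo "dnsmasq is NOT listening on ${VPN_GW}:53" >&2
    return 1
  fi
}

# "sh vpn-dns.sh apply" applies everything; with no argument it only prints.
if [ "${1:-}" = apply ]; then
  apply_all
else
  render_dnsmasq_conf; render_ufw_rules; render_dns_redirect
fi
```

After applying, connect a client and run `nslookup blockthis.com 10.8.0.1` from it; the pushed `dhcp-option DNS 10.8.0.1` in server.conf stays as it is. If the client still uses its own resolver, the DNAT rules are what makes the blocklist apply, and only for plain port-53 DNS.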