Opened 3 years ago

Closed 3 years ago

#982 closed Bug / Defect (fixed)

iOS: DNS settings still not applied

Reported by: nodefeet Owned by: Antonio
Priority: major Milestone:
Component: OpenVPN Connect Version: OpenVPN Connect for iOS v1.2.6
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: DNS gateway
Cc:

Description

The issue from:
https://forums.openvpn.net/viewtopic.php?f=36&t=25598
is still not solved.

Change History (22)

comment:1 Changed 3 years ago by Antonio

Owner: set to Antonio
Status: new → assigned

Could you please post the connection log?

Thanks

comment:2 Changed 3 years ago by nodefeet

Here you go:

2018-01-17 08:30:43 ----- OpenVPN Start -----
OpenVPN core 3.1.2 ios arm64 64-bit built on Jan 14 2018 14:23:32
2018-01-17 08:30:43 Frame=512/2048/512 mssfix-ctrl=1250
2018-01-17 08:30:43 UNUSED OPTIONS
4 [resolv-retry] [infinite] 
5 [nobind] 
6 [persist-key] 
7 [persist-tun] 
12 [verb] [4] 
13 [mute] [20] 

2018-01-17 08:30:43 EVENT: RESOLVE
2018-01-17 08:30:43 Contacting [x.x.x.x]:1724/TCP via TCP
2018-01-17 08:30:43 EVENT: WAIT
2018-01-17 08:30:43 Connecting to [x.myfritz.net]:1724 (91.14.239.55) via TCPv4
2018-01-17 08:30:43 EVENT: CONNECTING
2018-01-17 08:30:43 Tunnel Options:V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client
2018-01-17 08:30:43 Creds: UsernameEmpty/PasswordEmpty
2018-01-17 08:30:43 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.2.6-4
IV_VER=3.1.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO=1
IV_AUTO_SESS=1

2018-01-17 08:30:45 VERIFY OK : depth=1
cert. version    : 3
serial number    : FE:1D:6D:D1:E7:E4:C5:CF
issuer name      : C=DE, ST=NRW, L=Dortmund, O=BAB TECHNOLOGIE GmbH, OU=BAB TECHNOLOGIE Signing CA, CN=x GmbH CA, ??=EasyRSA, emailAddress=info@bab-tec.de
subject name      : C=DE, ST=NRW, L=Dortmund, O=BAB TECHNOLOGIE GmbH, OU=BAB TECHNOLOGIE Signing CA, CN=BAB TECHNOLOGIE GmbH CA, ??=EasyRSA, emailAddress=info@bab-tec.de
issued  on        : 2017-11-29 10:42:20
expires on        : 2027-11-27 10:42:20
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true

2018-01-17 08:30:45 VERIFY OK : depth=0
cert. version    : 3
serial number    : 01
issuer name      : C=DE, ST=NRW, L=Dortmund, O=BAB TECHNOLOGIE GmbH, OU=BAB TECHNOLOGIE Signing CA, CN=BAB TECHNOLOGIE GmbH CA, ??=EasyRSA, emailAddress=info@bab-tec.de
subject name      : C=DE, ST=NRW, L=Dortmund, O=BAB TECHNOLOGIE GmbH, OU=BAB TECHNOLOGIE Signing CA, CN=server, ??=EasyRSA, emailAddress=info@bab-tec.de
issued  on        : 2017-11-29 10:42:26
expires on        : 2027-11-27 10:42:26
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=false
subject alt name  : server
cert. type        : SSL Server
key usage        : Digital Signature, Key Encipherment
ext key usage    : TLS Web Server Authentication

2018-01-17 08:30:47 SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
2018-01-17 08:30:47 Session is ACTIVE
2018-01-17 08:30:47 EVENT: GET_CONFIG
2018-01-17 08:30:47 Sending PUSH_REQUEST to server...
2018-01-17 08:30:47 OPTIONS:
0 [route-gateway] [10.8.0.1] 
1 [topology] [subnet] 
2 [ping] [10] 
3 [ping-restart] [90] 
4 [ifconfig] [10.8.0.2] [255.255.255.0] 

2018-01-17 08:30:47 PROTOCOL OPTIONS:
  cipher: AES-256-CBC
  digest: SHA1
  compress: LZO
  peer ID: -1
2018-01-17 08:30:47 EVENT: ASSIGN_IP
2018-01-17 08:30:47 NIP: preparing TUN network settings
2018-01-17 08:30:47 NIP: init TUN network settings with endpoint: x.x.x.x
2018-01-17 08:30:47 NIP: adding IPv4 address to network settings 10.8.0.2/255.255.255.0
2018-01-17 08:30:47 Connected via NetworkExtensionTUN
2018-01-17 08:30:47 LZO-ASYM init swap=0 asym=0
2018-01-17 08:30:47 EVENT: CONNECTED @x.myfritz.net:1724 (x.x.x.x) via /TCPv4 on NetworkExtensionTUN/10.8.0.2/ gw=[/]

comment:3 Changed 3 years ago by Antonio

2018-01-17 08:30:47 OPTIONS:
0 [route-gateway] [10.8.0.1] 
1 [topology] [subnet] 
2 [ping] [10] 
3 [ping-restart] [90] 
4 [ifconfig] [10.8.0.2] [255.255.255.0] 

There is no gateway being set in your config. How are you pushing the DNS setting?

comment:4 Changed 3 years ago by nodefeet

Well, you are right; there should be the local gateway address like 192.168.1.1 instead of the VPN server 10.8.0.1, right? (Please bear in mind that I'm not a professional.) However, this is the log file from 1.1.1 and it worked just fine with the same option.

2018-01-09 15:29:23 ----- OpenVPN Start -----
OpenVPN core 3.1.2 ios armv7a thumb2 32-bit built on Dec 5 2016 12:50:25
2018-01-09 15:29:23 Frame=512/2048/512 mssfix-ctrl=1250
2018-01-09 15:29:23 UNUSED OPTIONS
4 [resolv-retry] [infinite] 
5 [nobind] 
6 [persist-key] 
7 [persist-tun] 
12 [verb] [4] 
13 [mute] [20] 

2018-01-09 15:29:23 EVENT: RESOLVE
2018-01-09 15:29:23 Contacting x.x.x.x:1724 via TCP
2018-01-09 15:29:23 EVENT: WAIT
2018-01-09 15:29:23 SetTunnelSocket returned 1
2018-01-09 15:29:23 Connecting to [x.myfritz.net]:1724 (x.x.x.x) via TCPv4
2018-01-09 15:29:23 EVENT: CONNECTING
2018-01-09 15:29:23 Tunnel Options:V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client
2018-01-09 15:29:23 Creds: UsernameEmpty/PasswordEmpty
2018-01-09 15:29:23 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.1.1-212
IV_VER=3.1.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO=1
IV_AUTO_SESS=1

2018-01-09 15:29:23 NET Internet:ReachableViaWiFi/-R t------
2018-01-09 15:29:25 VERIFY OK: depth=1
cert. version : 3
serial number : FE:1D:6D:D1:E7:E4:C5:CF
issuer name : C=DE, ST=NRW, L=Dortmund, O=BAB TECHNOLOGIE GmbH, OU=BAB TECHNOLOGIE Signing CA, CN=BAB TECHNOLOGIE GmbH CA, ??=EasyRSA, emailAddress=info@bab-tec.de
subject name : C=DE, ST=NRW, L=Dortmund, O=BAB TECHNOLOGIE GmbH, OU=BAB TECHNOLOGIE Signing CA, CN=BAB TECHNOLOGIE GmbH CA, ??=EasyRSA, emailAddress=info@bab-tec.de
issued on : 2017-11-29 10:42:20
expires on : 2027-11-27 10:42:20
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true

2018-01-09 15:29:25 VERIFY OK: depth=0
cert. version : 3
serial number : 01
issuer name : C=DE, ST=NRW, L=Dortmund, O=BAB TECHNOLOGIE GmbH, OU=BAB TECHNOLOGIE Signing CA, CN=BAB TECHNOLOGIE GmbH CA, ??=EasyRSA, emailAddress=info@bab-tec.de
subject name : C=DE, ST=NRW, L=Dortmund, O=BAB TECHNOLOGIE GmbH, OU=BAB TECHNOLOGIE Signing CA, CN=server, ??=EasyRSA, emailAddress=info@bab-tec.de
issued on : 2017-11-29 10:42:26
expires on : 2027-11-27 10:42:26
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
subject alt name : server
cert. type : SSL Server
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication

2018-01-09 15:29:27 SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
2018-01-09 15:29:27 Session is ACTIVE
2018-01-09 15:29:27 EVENT: GET_CONFIG
2018-01-09 15:29:27 Sending PUSH_REQUEST to server...
2018-01-09 15:29:27 OPTIONS:
0 [route-gateway] [10.8.0.1] 
1 [topology] [subnet] 
2 [ping] [10] 
3 [ping-restart] [90] 
4 [ifconfig] [10.8.0.2] [255.255.255.0] 

2018-01-09 15:29:27 PROTOCOL OPTIONS:
cipher: AES-256-CBC
digest: SHA1
compress: LZO
peer ID: -1
2018-01-09 15:29:27 EVENT: ASSIGN_IP
2018-01-09 15:29:27 Connected via tun
2018-01-09 15:29:27 LZO-ASYM init swap=0 asym=0
2018-01-09 15:29:27 EVENT: CONNECTED @x.myfritz.net:1724 (x.x.x.x) via /TCPv4 on tun/10.8.0.2/ gw=[10.8.0.1/]
2018-01-09 15:29:27 SetStatus Connected

comment:5 in reply to: 4 Changed 3 years ago by Antonio

Replying to nodefeet:

Well, you are right; there should be the local gateway address like 192.168.1.1 instead of the VPN server 10.8.0.1, right? (Please bear in mind that I'm not a professional.) However, this is the log file from 1.1.1 and it worked just fine with the same option.

No, the route-gateway is correct as it is (unless you know what you are doing and want to change it, but this is not normally the case).

This said, the "issue" you have is not clear to me.

Could you please explain what does not work exactly?
What is the behaviour you see and what would you expect?

I am asking because, given your configuration, this issue is different from what was reported in the forum: in this case there is no DNS setting to apply, but probably you want to refer to something else.

comment:6 Changed 3 years ago by matthiasue

Hello,
I have the same problem in version 1.2.6 too.

my log:

2018-01-17 09:35:10 EVENT: RESOLVE
2018-01-17 09:35:11 Contacting [XXX]:1199/UDP via UDP
2018-01-17 09:35:11 EVENT: WAIT
2018-01-17 09:35:11 Connecting to [XXX]:1199 (XX) via UDPv4
2018-01-17 09:35:11 EVENT: CONNECTING
2018-01-17 09:35:11 Tunnel Options:V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA256,keysize 128,key-method 2,tls-client
2018-01-17 09:35:11 Creds: Username/Password?
2018-01-17 09:35:11 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.2.6-4
IV_VER=3.1.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2

2018-01-17 09:35:11 VERIFY OK : depth=1
cert. version : 3
serial number : 00
issuer name : XXX
subject name : XXX
issued on : 2018-01-01 00:00:00
expires on : 2037-12-31 23:59:59
signed using : RSA with SHA-256
RSA key size : 4096 bits
basic constraints : CA=true

2018-01-17 09:35:11 VERIFY OK : depth=0
cert. version : 3
serial number : 01
issuer name : XXX
subject name : XXX
issued on : 2018-01-01 00:00:00
expires on : 2037-12-31 23:59:59
signed using : RSA with SHA-256
RSA key size : 4096 bits
basic constraints : CA=false
cert. type : SSL Server
ext key usage : TLS Web Server Authentication

2018-01-17 09:35:11 SSL Handshake: TLSv1.2/TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
2018-01-17 09:35:11 Session is ACTIVE
2018-01-17 09:35:11 EVENT: GET_CONFIG
2018-01-17 09:35:11 Sending PUSH_REQUEST to server...
2018-01-17 09:35:11 OPTIONS:
0 [dhcp-option] [DOMAIN] [XXX.local]
1 [route] [XXX] [255.255.248.0]
2 [route] [XXX] [255.255.252.0]
3 [dhcp-option] [DNS] [XXX]
4 [dhcp-option] [DNS] [XXX]
5 [route-gateway] [192.168.16.1]
6 [topology] [subnet]
7 [ping] [10]
8 [ping-restart] [120]
9 [ifconfig] [192.168.16.2] [255.255.255.0]

2018-01-17 09:35:11 PROTOCOL OPTIONS:

cipher: AES-128-CBC
digest: SHA256
compress: NONE
peer ID: -1

2018-01-17 09:35:11 EVENT: ASSIGN_IP
2018-01-17 09:35:11 NIP: preparing TUN network settings
2018-01-17 09:35:11 NIP: init TUN network settings with endpoint: XXX
2018-01-17 09:35:11 NIP: adding IPv4 address to network settings 192.168.16.2/255.255.255.0
2018-01-17 09:35:11 NIP: adding (included) IPv4 route XXX
2018-01-17 09:35:11 NIP: adding (included) IPv4 route XXX
2018-01-17 09:35:11 NIP: adding match domain XXX.local
2018-01-17 09:35:11 NIP: no DNS provided. Ignoring match domain
2018-01-17 09:35:11 NIP: adding DNS XXX
2018-01-17 09:35:11 NIP: adding DNS XXX
2018-01-17 09:35:11 NIP: setting MTU to 1500
2018-01-17 09:35:11 NIP: adding DNS specific routes:
2018-01-17 09:35:11 NIP: adding (included) IPv4 route XXX/32
2018-01-17 09:35:11 NIP: adding (included) IPv4 route XXX/32
2018-01-17 09:35:11 Connected via NetworkExtensionTUN
2018-01-17 09:35:11 EVENT: CONNECTED XXX:1199 (XXX) via /UDPv4 on NetworkExtensionTUN/192.168.16.2/ gw=/

comment:7 in reply to: 6 Changed 3 years ago by Antonio

Replying to matthiasue:

Hello,
I have the same problem in version 1.2.6 too.

What hostnames are you trying to resolve exactly?

As a test, could you please edit the config file and move the DOMAIN directive *after* the DNS ones? (Not sure if these options are pushed by the server or not, but wherever they are configured, please try changing the order.)

comment:8 Changed 3 years ago by nodefeet

The issue from:
https://forums.openvpn.net/viewtopic.php?f=36&t=25598
is still not solved.

I am asking because, given your configuration, this issue is different from what was reported in the forum: in this case there is no DNS setting to apply, but probably you want to refer to something else.

OK, sorry, I thought it was this issue because the workaround of adding "redirect-gateway def1" to the client file is working for me as well.

Without this workaround the OpenVPN app says it is connected (although the last "SetStatus Connected" line from the previous version is missing in the log), but I still cannot ping the VPN server.

I would guess it has something to do with the empty

gw=[/] 

part in the last line of version 1.2.5 and 1.2.6

comment:9 in reply to: 7 Changed 3 years ago by matthiasue

I try to resolve internal hosts like server.domain.local.
I can try to change the order, but this information is pushed by my firewall.

Replying to ordex:

Replying to matthiasue:

Hello,
I have the same problem in version 1.2.6 too.

What hostnames are you trying to resolve exactly?

As a test, could you please edit the config file and move the DOMAIN directive *after* the DNS ones? (Not sure if these options are pushed by the server or not, but wherever they are configured, please try changing the order.)

comment:10 in reply to: 8 Changed 3 years ago by Antonio

Replying to nodefeet:

The issue from:
https://forums.openvpn.net/viewtopic.php?f=36&t=25598
is still not solved.

I am asking because, given your configuration, this issue is different from what was reported in the forum: in this case there is no DNS setting to apply, but probably you want to refer to something else.

OK, sorry, I thought it was this issue because the workaround of adding "redirect-gateway def1" to the client file is working for me as well.

Without this workaround the OpenVPN app says it is connected (although the last "SetStatus Connected" line from the previous version is missing in the log), but I still cannot ping the VPN server.

I would guess it has something to do with the empty

gw=[/] 

part in the last line of version 1.2.5 and 1.2.6

Same medicine doesn't imply same sickness :-)
However, could you please open another ticket and report exactly what you wrote in your last reply? You already managed to isolate interesting details.

Thanks!

Here we will continue tracking issues related to the DNS option.

comment:11 in reply to: 9 Changed 3 years ago by Antonio

Replying to matthiasue:

I try to resolve internal hosts like server.domain.local.
I can try to change the order, but this information is pushed by my firewall.

Yeah, testing that would be helpful, thanks

comment:12 Changed 3 years ago by martux

The same problem as in version 1.2.5. I have a pfSense 2.4.1 with OpenVPN 2.4.4 and openvpn-client-export 2.4.4.

OpenVPN connects correctly but does not apply the DNS settings. If you enter our portal by IP address there are no problems, but if I try to enter it by DNS name it does not work. I'm using Safari.

I do not know if I have to make any changes to the configuration of my server, but everything worked correctly before the update to 1.2.5.

I uninstalled the previous version and installed a clean OpenVPN (1.2.6), but it does not work; it does not assign the DNS.

If you need any other information, or want me to perform some test, let me know and we will do it.

I have an internal DNS on Windows Server, and our server portal is an Apache web server.

This is an example of an ovpn client file:

persist-tun
persist-key
cipher AES-128-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA1
tls-client
client
remote 111.111.111.111 1194 udp
verify-x509-name "openvpn-server" name
auth-user-pass
remote-cert-tls server
comp-lzo adaptive

then comes the configuration of CERTIFICATE, PRIVATE KEY and OpenVPN Static key...

This is the log of one iOS phone.

2018-01-17 10:37:06 ----- OpenVPN Start -----
OpenVPN core 3.1.2 ios arm64 64-bit built on Jan 14 2018 14:23:32
2018-01-17 10:37:06 Frame=512/2048/512 mssfix-ctrl=1250
2018-01-17 10:37:06 UNUSED OPTIONS
0 [persist-tun]
1 [persist-key]
3 [ncp-ciphers] [AES-256-GCM:AES-128-GCM]
5 [tls-client]
8 [verify-x509-name] [openvpn-server] [name]

2018-01-17 10:37:06 EVENT: RESOLVE
2018-01-17 10:37:06 Contacting [111.111.111.111]:1194/UDP via UDP
2018-01-17 10:37:06 EVENT: WAIT
2018-01-17 10:37:06 Connecting to [111.111.111.111]:1194 (111.111.111.111) via UDPv4
2018-01-17 10:37:06 EVENT: CONNECTING
2018-01-17 10:37:06 Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client
2018-01-17 10:37:06 Creds: Username/Password?
2018-01-17 10:37:06 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.2.6-4
IV_VER=3.1.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO=1

2018-01-17 10:37:06 VERIFY OK : depth=1
cert. version : 3
serial number : 00
issuer name : C=UY, ST=Mdeo, L=Montevideo, O=Pulso, emailAddress=soporte@…, CN=internal-ca
subject name : C=UY, ST=Mdeo, L=Montevideo, O=Pulso, emailAddress=soporte@…, CN=internal-ca
issued on : 2017-11-03 01:53:31
expires on : 2027-11-01 01:53:31
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true
key usage : Key Cert Sign, CRL Sign

2018-01-17 10:37:06 VERIFY OK : depth=0
cert. version : 3
serial number : 01
issuer name : C=UY, ST=Mdeo, L=Montevideo, O=Pulso, emailAddress=soporte@…, CN=internal-ca
subject name : C=UY, ST=Mdeo, L=Montevideo, O=Pulso, emailAddress=soporte@…, CN=openvpn-server
issued on : 2017-11-03 01:57:16
expires on : 2027-11-01 01:57:16
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
subject alt name : openvpn-server
cert. type : SSL Server
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication, ???

2018-01-17 10:37:07 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
2018-01-17 10:37:07 Session is ACTIVE
2018-01-17 10:37:07 EVENT: GET_CONFIG
2018-01-17 10:37:07 Sending PUSH_REQUEST to server...
2018-01-17 10:37:07 OPTIONS:
0 [route] [192.168.150.0] [255.255.255.0]
1 [dhcp-option] [DOMAIN] [portovenus.local]
2 [dhcp-option] [DNS] [192.168.150.2]
3 [route-gateway] [192.168.2.1]
4 [topology] [subnet]
5 [ping] [10]
6 [ping-restart] [60]
7 [ifconfig] [192.168.2.4] [255.255.255.0]
8 [peer-id] [3]
9 [cipher] [AES-256-GCM]

2018-01-17 10:37:07 PROTOCOL OPTIONS:

cipher: AES-256-GCM
digest: SHA1
compress: LZO
peer ID: 3

2018-01-17 10:37:07 EVENT: ASSIGN_IP
2018-01-17 10:37:07 NIP: preparing TUN network settings
2018-01-17 10:37:07 NIP: init TUN network settings with endpoint: 111.111.111.111
2018-01-17 10:37:07 NIP: adding IPv4 address to network settings 192.168.2.4/255.255.255.0
2018-01-17 10:37:07 NIP: adding (included) IPv4 route 192.168.150.0/24
2018-01-17 10:37:07 NIP: adding match domain portovenus.local
2018-01-17 10:37:07 NIP: no DNS provided. Ignoring match domain
2018-01-17 10:37:07 NIP: adding DNS 192.168.150.2
2018-01-17 10:37:07 NIP: adding DNS specific routes:
2018-01-17 10:37:07 NIP: adding (included) IPv4 route 192.168.150.2/32
2018-01-17 10:37:07 Connected via NetworkExtensionTUN
2018-01-17 10:37:07 LZO-ASYM init swap=0 asym=0
2018-01-17 10:37:07 EVENT: CONNECTED igutierrez@111.111.111.111:1194 (111.111.111.111) via /UDPv4 on NetworkExtensionTUN/192.168.2.4/ gw=/

comment:13 in reply to: 7 Changed 3 years ago by gregecslo

Replying to ordex:

Replying to matthiasue:

Hello,
I have the same problem in version 1.2.6 too.

What hostnames are you trying to resolve exactly?

As a test, could you please edit the config file and move the DOMAIN directive *after* the DNS ones? (Not sure if these options are pushed by the server or not, but wherever they are configured, please try changing the order.)

Hi!
I tried it and then it works. Order does matter.
This is the config generated by pfSense; the search domain is above DNS and hence DOMAIN is being omitted...

comment:14 in reply to: 13 Changed 3 years ago by martux

Replying to gregecslo:

Replying to ordex:

Replying to matthiasue:

Hello,
I have the same problem in version 1.2.6 too.

What hostnames are you trying to resolve exactly?

As a test, could you please edit the config file and move the DOMAIN directive *after* the DNS ones? (Not sure if these options are pushed by the server or not, but wherever they are configured, please try changing the order.)

Hi!
I tried it and then it works. Order does matter.
This is the config generated by pfSense; the search domain is above DNS and hence DOMAIN is being omitted...

HI!!

It has not worked for me!

I have modified the openvpn configuration file but it does not resolve the DNS.

On the pfSense web interface, the order of the fields is:

Default domain DNS: portovenus.local
DNS server 1: 192.168.150.2

The problem I see is that whenever any modification is made from the pfSense web interface, or the server is rebooted, it regenerates the configuration file and inverts the order of the fields again.

I am sending you the modified configuration file, in which I inverted the DNS and DOMAIN fields.

dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-128-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 111.111.111.111
tls-server
server 192.168.2.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user TG9jYWwgRGF0YWJhc2U= false server1 1194" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'openvpn-server' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
push "route 192.168.150.0 255.255.255.0"
push "dhcp-option DNS 192.168.150.2"
push "dhcp-option DOMAIN portovenus.local"

ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
ncp-ciphers AES-256-GCM:AES-128-GCM
comp-lzo adaptive
topology subnet

Last edited 3 years ago by martux

comment:15 Changed 3 years ago by Keet70x

I confirm that changing the order in which the config directives are pushed fixes this. DNS first, then DOMAIN, results in DNS working properly again.

I am using pfSense as the OpenVPN host. As a workaround for the pfSense GUI options producing the incorrect order and the misconfiguration, I did the following to resolve it:

  1. Uncheck the "provide a default domain name to clients" option on the OpenVPN server options page on pfSense.
  2. Add a custom config directive in the advanced section that does the same thing, e.g.

push "dhcp-option DOMAIN foo.bar"

After doing these 2 steps, pfsense sends the 2 directives in the right order and everything works.
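Order check and client model for the DOMAIN/DNS push ordering discussed in comments 7, 13 and 15, as an added example (not OpenVPN's or pfSense's own code): `simulate_ios_client` is a model inferred from the `NIP:` log lines above, not the app's real logic, and the sample server config is constructed from values quoted in this ticket. `reorder_pushes` applies the manual fix from the thread to a config file, moving the DOMAIN push after the DNS pushes.

```python
"""Check and fix the order of pushed dhcp-option DNS/DOMAIN directives."""
import re

PUSH_RE = re.compile(r'^\s*push\s+(.+?)\s*$')

# Constructed sample: a pfSense-style server config with the problematic
# order (DOMAIN pushed before DNS), using the values quoted in this ticket.
PFSENSE_CONF = """\
server 192.168.2.0 255.255.255.0
push "route 192.168.150.0 255.255.255.0"
push "dhcp-option DOMAIN portovenus.local"
push "dhcp-option DNS 192.168.150.2"
topology subnet
"""


def push_option(line: str):
    """Tokens of a push "..." line, or None if the line is not a push."""
    m = PUSH_RE.match(line)
    if not m:
        return None
    return m.group(1).strip().strip('"\'').split()


def _is(opt, kind: str) -> bool:
    """True for a well-formed "dhcp-option <kind> <value>" option."""
    return len(opt) == 3 and opt[:2] == ["dhcp-option", kind]


def parse_pushes(server_conf: str):
    """All pushed options of a server config, in the order they are sent."""
    return [opt for opt in map(push_option, server_conf.splitlines()) if opt]


def domain_before_dns(pushes) -> bool:
    """True when a DOMAIN option precedes the first DNS option (the trigger)."""
    seen_dns = False
    for opt in pushes:
        if _is(opt, "DNS"):
            seen_dns = True
        elif _is(opt, "DOMAIN") and not seen_dns:
            return True
    return False


def simulate_ios_client(pushes):
    """Model of the observed 1.2.6 behaviour: (dns_servers, match_domains, log).

    A match domain is only kept if a DNS server was already added; otherwise the
    client logs the "no DNS provided" line seen in every failing log above.
    """
    dns, domains, log = [], [], []
    for opt in pushes:
        if _is(opt, "DNS"):
            dns.append(opt[2])
            log.append(f"NIP: adding DNS {opt[2]}")
        elif _is(opt, "DOMAIN"):
            log.append(f"NIP: adding match domain {opt[2]}")
            if dns:
                domains.append(opt[2])
            else:
                log.append("NIP: no DNS provided. Ignoring match domain")
    return dns, domains, log


def reorder_pushes(server_conf: str) -> str:
    """Move every dhcp-option DOMAIN push directly after the last DNS push.

    Other lines keep their position; a config with no DNS push is returned
    unchanged, since there is nothing to anchor the domain on.
    """
    out, domain_lines, last_dns = [], [], -1
    for line in server_conf.splitlines():
        opt = push_option(line)
        if opt and _is(opt, "DOMAIN"):
            domain_lines.append(line)
            continue
        out.append(line)
        if opt and _is(opt, "DNS"):
            last_dns = len(out) - 1
    if last_dns < 0:
        return server_conf
    out[last_dns + 1:last_dns + 1] = domain_lines
    return "\n".join(out) + "\n"
```

Running `simulate_ios_client(parse_pushes(PFSENSE_CONF))` reproduces the "no DNS provided. Ignoring match domain" line, while the output of `reorder_pushes` keeps the match domain.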

comment:16 Changed 3 years ago by Antonio

Status: assigned → accepted

Thanks for testing this.
This should be fixed in the app as well, but it's good to have a workaround in the meantime.

comment:17 Changed 3 years ago by matthiasue

Hello, I changed the order in my firewall and now the DNS is working.

comment:18 Changed 3 years ago by Antonio

A fix will be available in the next release, thanks for the information

comment:19 in reply to: 15 Changed 3 years ago by martux

Replying to Keet70x:

Thank you very much!! Now it works!

comment:20 Changed 3 years ago by Antonio

v1.2.7 is being rolled out to the various App Stores as we speak. Please test it once you have a chance to upgrade and update this ticket accordingly, if possible. Thanks!

comment:21 Changed 3 years ago by nodefeet

Yes everything works again, thank you very much!

comment:22 Changed 3 years ago by Antonio

Resolution: fixed
Status: accepted → closed

Great! thanks for the update!
I am closing this ticket.
