OpenVPN - DNS Enquiry - Page 2

Comments

  • You can check the *.ovpn openvpn config file. You can specify what gets routed locally instead of through the vpn, like this:

    route 192.168.1.1 255.255.255.255 net_gateway

    Is your router IP or DNS included in that?

    Also, somebody else mentioned it already, but you might check for ipv6. Without going through a lot of trouble, openvpn ignores ipv6, so all of that will bypass the vpn.
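The check suggested in the post above (which destinations are routed via net_gateway, whether any of them contain the resolver, and whether IPv6 was redirected at all) can be done mechanically. The script below is an added example for this thread, not code from the thread or from OpenVPN: it parses a client config together with the server's push lines and reports the routes that bypass the tunnel, the resolvers that end up inside those routes, and whether only IPv4 was redirected. Both sample configs are constructed; vpn.example.invalid, the 10.8.0.0/24 tunnel and 192.168.0.1 as a client-side resolver are placeholders, not the poster's real setup.

```python
"""Audit an OpenVPN client config, plus the server's push lines, for ways
traffic can reach the LAN router instead of going through the tunnel.

Added example for this thread, not code from the thread or from OpenVPN.
Both configs below are constructed samples: the directives are real
OpenVPN syntax, the addresses and server name are placeholders.
"""
import ipaddress
import re
import shlex

CLIENT_OVPN = """
client
dev tun
proto udp
remote vpn.example.invalid 1194                # hypothetical server name
redirect-gateway def1
route 192.168.0.1 255.255.255.255 net_gateway  # router kept outside the tunnel
dhcp-option DNS 192.168.0.1                    # ...and also used as a resolver
"""

SERVER_CONF = """
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 91.239.100.100"
keepalive 10 120
"""

# OpenVPN only treats '#' or ';' as a comment when it starts a token.
_COMMENT = re.compile(r"(?:^|(?<=\s))[#;]")


def parse_directives(text):
    """Yield (directive, [args]) for each non-comment line of a config."""
    for raw in text.splitlines():
        line = _COMMENT.split(raw, maxsplit=1)[0].strip()
        if line:
            tokens = shlex.split(line)
            yield tokens[0], tokens[1:]


def effective_directives(client_text, server_text=""):
    """Client directives followed by whatever the server pushes.

    route-nopull makes the client ignore pushed routes, redirect-gateway
    and dhcp-options, so in that case only the client's own lines count.
    """
    client = list(parse_directives(client_text))
    if any(d == "route-nopull" for d, _ in client):
        return client
    pushed = [a[0] for d, a in parse_directives(server_text) if d == "push" and a]
    return client + [dv for p in pushed for dv in parse_directives(p)]


def audit(client_text, server_text=""):
    """Return the directives that decide whether DNS and IPv6 stay in the tunnel."""
    f = {"redirect_v4": False, "redirect_v6": False, "block_outside_dns": False,
         "bypass": [], "dns": []}
    for d, a in effective_directives(client_text, server_text):
        if d == "redirect-gateway":
            f["redirect_v4"] = f["redirect_v4"] or "!ipv4" not in a
            f["redirect_v6"] = f["redirect_v6"] or "ipv6" in a
        elif d == "route" and len(a) >= 3 and a[2] == "net_gateway":
            # 'route <net> <mask> net_gateway' sends that destination via the
            # pre-VPN default gateway, i.e. the LAN router, not the tunnel.
            f["bypass"].append(ipaddress.ip_network(f"{a[0]}/{a[1]}", strict=False))
        elif d == "dhcp-option" and len(a) >= 2 and a[0].upper() in ("DNS", "DNS6"):
            f["dns"].append(ipaddress.ip_address(a[1]))
        elif d == "block-outside-dns":
            f["block_outside_dns"] = True
    # A resolver that sits inside a bypass route is queried without the VPN.
    f["dns_outside_tunnel"] = [str(ip) for ip in f["dns"]
                               if any(ip in net for net in f["bypass"])]
    # Redirecting only IPv4 leaves whatever IPv6 routes the host has untouched.
    f["ipv6_unredirected"] = f["redirect_v4"] and not f["redirect_v6"]
    return f


if __name__ == "__main__":
    for key, value in audit(CLIENT_OVPN, SERVER_CONF).items():
        print(f"{key:20} {value}")
```

Run it as-is to see the report for the samples; for a real setup paste the .ovpn into CLIENT_OVPN and the server.conf (or just its push lines) into SERVER_CONF. A resolver listed under dns_outside_tunnel is one the client reaches through the LAN router whether the tunnel is up or not, and ipv6_unredirected is the IPv6 point made above. On Windows, block-outside-dns (OpenVPN 2.3.9 and later) is the directive intended to stop queries going to resolvers on other adapters, which is why the audit reports whether it is set.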

  • vpnuser Member
    edited February 2016

    @david said:
    You can check the *.ovpn openvpn config file. You can specify what gets routed locally instead of through the vpn, like this:

    route 192.168.1.1 255.255.255.255 net_gateway

    Is your router IP or DNS included in that?

    Unfortunately not - here is my client config in full.

    
    ##############################################
    # Sample client-side OpenVPN 2.0 config file #
    # for connecting to multi-client server.     #
    #                                            #
    # This configuration can be used by multiple #
    # clients, however each client should have   #
    # its own cert and key files.                #
    #                                            #
    # On Windows, you might want to rename this  #
    # file so it has a .ovpn extension           #
    ##############################################
    
    # Specify that we are a client and that we
    # will be pulling certain config file directives
    # from the server.
    client
    
    # Use the same setting as you are using on
    # the server.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    ;dev tap
    dev tun
    
    # Windows needs the TAP-Win32 adapter name
    # from the Network Connections panel
    # if you have more than one.  On XP SP2,
    # you may need to disable the firewall
    # for the TAP adapter.
    ;dev-node MyTap
    
    # Are we connecting to a TCP or
    # UDP server?  Use the same setting as
    # on the server.
    ;proto tcp
    proto udp
    
    # The hostname/IP and port of the server.
    # You can have multiple remote entries
    # to load balance between the servers.
    remote x.x.x.x 1194
    ;remote my-server-2 1194
    
    # Choose a random host from the remote
    # list for load-balancing.  Otherwise
    # try hosts in the order specified.
    ;remote-random
    
    # Keep trying indefinitely to resolve the
    # host name of the OpenVPN server.  Very useful
    # on machines which are not permanently connected
    # to the internet such as laptops.
    resolv-retry infinite
    
    # Most clients don't need to bind to
    # a specific local port number.
    nobind
    
    # Downgrade privileges after initialization (non-Windows only)
    ;user nobody
    ;group nogroup
    
    # Try to preserve some state across restarts.
    persist-key
    persist-tun
    
    # If you are connecting through an
    # HTTP proxy to reach the actual OpenVPN
    # server, put the proxy server/IP and
    # port number here.  See the man page
    # if your proxy server requires
    # authentication.
    ;http-proxy-retry # retry on connection failures
    ;http-proxy [proxy server] [proxy port #]
    
    # Wireless networks often produce a lot
    # of duplicate packets.  Set this flag
    # to silence duplicate packet warnings.
    ;mute-replay-warnings
    
    # SSL/TLS parms.
    # See the server config file for more
    # description.  It's best to use
    # a separate .crt/.key file pair
    # for each client.  A single ca
    # file can be used for all clients.
    ca ca.crt
    cert cert.crt
    key key.key
    
    # Verify server certificate by checking
    # that the certificate has the nsCertType
    # field set to "server".  This is an
    # important precaution to protect against
    # a potential attack discussed here:
    #  http://openvpn.net/howto.html#mitm
    #
    # To use this feature, you will need to generate
    # your server certificates with the nsCertType
    # field set to "server".  The build-key-server
    # script in the easy-rsa folder will do this.
    ns-cert-type server
    
    # If a tls-auth key is used on the server
    # then every client must also have the key.
    ;tls-auth ta.key 1
    
    # Select a cryptographic cipher.
    # If the cipher option is used on the server
    # then you must also specify it here.
    ;cipher x
    
    # Enable compression on the VPN link.
    # Don't enable this unless it is also
    # enabled in the server config file.
    comp-lzo
    
    # Set log file verbosity.
    verb 3
    
    # Silence repeating messages
    ;mute 20
    

    Also, somebody else mentioned it already, but you might check for ipv6. Without going through a lot of trouble, openvpn ignores ipv6, so all of that will bypass the vpn.

    Again, this unfortunately isn't the case; I don't have IPv6 configured on the router at all. Either way, thank you for both suggestions. :)

  • tehdan Member
    edited February 2016

    Are you sure it doesn't have an IPv6 link-local address? (If I were to design a box that could always be reached at a DNS name, I would use IPv6 DNS on a link-local address...)

  • @tehdan said:
    Are you sure it doesn't have an IPv6 link-local address? (If I were to design a box that could always be reached at a DNS name, I would use IPv6 DNS on a link-local address...)

    Sure - I'm 100% definite that this isn't the case - I have IPv6 disabled from within the router directly.

  • Can you put it in <pre> tags?

    #test

    Hash bolds text.

    vpnuser said: Again, this unfortunately isn't the case; I don't have IPv6 configured on the router at all. Either way, thank you for both suggestions. :)

  • @GM2015 said:
    Can you put it in <pre> tags?

    #test

    Hash bolds text.

    Sure - apologies, all done.

  • No need to say sorry; it's just that someone thought it'd be smart to do it that way.

    vpnuser said: Sure - apologies, all done.

  • vpnuser said: do you perhaps have your current config set to not push any DNS to the client?

    Good point. I just checked both ends, and in my server.conf I've got push "dhcp-option DNS 91.239.100.100". In my client.conf I have redirect-gateway def1.

    In any case, I just realized that I made a blunder here - sorry! I had a problem accessing the local machines when I set up this VPN and I guess I'd forgotten how I solved it. I checked it all out just now and see that (despite using the router host file for all other traffic) I actually use a local host file for this machine. So, is it possible that your router somehow writes to your computer and inserts the info there?

  • @Ole_Juul said:
    Good point. I just checked both ends, and in my server.conf I've got push "dhcp-option DNS 91.239.100.100". In my client.conf I have redirect-gateway def1.

    In any case, I just realized that I made a blunder here - sorry! I had a problem accessing the local machines when I set up this VPN and I guess I'd forgotten how I solved it. I checked it all out just now and see that (despite using the router host file for all other traffic) I actually use a local host file for this machine. So, is it possible that your router somehow writes to your computer and inserts the info there?

    Not a problem. :) I'd say that this wouldn't be possible - imagine the potential security risks that could emerge as a result of a router having so much control over a local device's hosts file - it would only take a user connecting to an unknown network... and boom! That gateway would have full control over the DNS entries they are taken to.

  • vpnuser said: Not a problem. :) I'd say that this wouldn't be possible - imagine the potential security risks that could emerge as a result of a router having so much control over a local device's hosts file - it would only take a user connecting to an unknown network... and boom! That gateway would have full control over the DNS entries they are taken to.

    Well, it could happen through using an install disk, I suppose. However, all we know so far is that in your case they have actually managed to intercept your DNS. We just don't know how yet.

    From what I understand, DNS is not considered secure enough for serious security anyway. Apparently DNSSEC also has problems. According to most experts the Tor protocol is the best available right now. Anyway, how far you go and what particular configuration you use will depend on your threat model.

    By the way, have you tried this from another computer yet? That might be instructive.

  • vpnuser said: I'm running my OpenVPN daemon on a Ubuntu-based machine that's not connected to my LAN (I'm connecting directly to its IP). I have no entries in either my local hosts file, and nothing whatsoever in my router.

    Is that the client or the server? You still haven't told us whether the OpenVPN client is a PC or your router. If it's the router, the encrypted connection is between the router and the OpenVPN server. The communication between the LAN PCs connected to the router and the router itself is not encrypted, and the router can intercept DNS queries in this scenario. However, if the OpenVPN client is a PC then the router only sees encrypted packets and can't do anything, assuming none of A-D in my list above is true in your case.

    As @Abdussamad rightly pointed out, my current understanding is that if a set of resolvers is explicitly pushed to the client via OpenVPN's server config the router should not be able to see any traffic that passes through it. @Ole_Juul - do you perhaps have your current config set to not push any DNS to the client?

    No this is not entirely accurate. In addition to the server pushing the DNS server addresses the things in my list above A-D have to be looked at too. For example the client actually has to use the nameservers provided by the ovpn server and it has to route those queries through the VPN i.e. the OS routing table has to be correct.

  • @Abdussamad said:
    You still haven't told us whether the OpenVPN client is a PC or your router. If it's the router, the encrypted connection is between the router and the OpenVPN server. The communication between the LAN PCs connected to the router and the router itself is not encrypted, and the router can intercept DNS queries in this scenario. However, if the OpenVPN client is a PC then the router only sees encrypted packets and can't do anything, assuming none of A-D in my list above is true in your case.

    Apologies for not specifying this earlier. I'm connecting via the official OpenVPN Windows-based client directly to my server, so in theory the router should not have access to my DNS traffic. Upon connecting to the VPN, performing an nslookup definitely shows different results (see above for an nslookup of RouterLogin.net specifically).

  • Abdussamad Member
    edited February 2016

    Post the server config then. Let's see what nameservers it's pushing and whether it is pushing the default gateway to you as well. Also run the following command on the OpenVPN client PC after you've connected to the VPN and post its output here:

    route print
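Two posts above say the OS routing table has to send the pushed resolver's address into the tunnel, and this one asks for route print output to confirm it. The Python below is an added example, not code from the thread: it parses the Active Routes rows of route print and does the same longest-prefix lookup the OS does, so you can ask which interface a given destination (the resolver, the VPN server, the router) actually leaves on. Both tables are constructed to look like route print output; 203.0.113.10 stands in for the server address masked as x.x.x.x, 10.8.0.5/10.8.0.6 are assumed tunnel addresses, and the metrics are illustrative.

```python
"""Answer 'which way does this packet go?' from a Windows route print table.

Added example, not code from the thread. Both tables are constructed;
203.0.113.10 is a placeholder for the VPN server, 10.8.0.5/10.8.0.6 are
assumed tunnel addresses and 192.168.0.1 is the router from the thread.
"""
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "network gateway interface metric")

# Before connecting: one default route through the LAN router.
BEFORE_VPN = """
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.10     25
      192.168.0.0    255.255.255.0         On-link     192.168.0.10    281
      192.168.0.1  255.255.255.255         On-link     192.168.0.10    281
"""

# After 'redirect-gateway def1': OpenVPN adds two /1 routes that together
# cover everything but are more specific than the untouched 0.0.0.0/0,
# plus a host route so the tunnel itself can still reach the VPN server.
AFTER_VPN = BEFORE_VPN + """
          0.0.0.0        128.0.0.0         10.8.0.5        10.8.0.6      1
        128.0.0.0        128.0.0.0         10.8.0.5        10.8.0.6      1
         10.8.0.4  255.255.255.252         On-link         10.8.0.6    281
     203.0.113.10  255.255.255.255      192.168.0.1    192.168.0.10     26
"""


def parse_route_print(text):
    """Keep the five-column 'Active Routes' rows; skip headers and rulers."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            network = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
            metric = int(parts[4])
        except ValueError:
            continue
        routes.append(Route(network, parts[2], parts[3], metric))
    return routes


def lookup(routes, destination):
    """Longest-prefix match, lowest metric on a tie: what the OS does."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def leaves_tunnel(routes, destination, tunnel_interface="10.8.0.6"):
    """True if traffic to destination is NOT sent out of the tunnel interface."""
    route = lookup(routes, destination)
    return route is None or route.interface != tunnel_interface


if __name__ == "__main__":
    before, after = parse_route_print(BEFORE_VPN), parse_route_print(AFTER_VPN)
    for dst in ("91.239.100.100", "203.0.113.10", "192.168.0.1"):
        print(dst, "before:", lookup(before, dst).interface,
              "after:", lookup(after, dst).interface,
              "(bypasses tunnel)" if leaves_tunnel(after, dst) else "(in tunnel)")
```

Paste the real Active Routes block into AFTER_VPN and set tunnel_interface to the TAP adapter's address to check a live table. Note what the lookup shows for 192.168.0.1: the router's own address is matched by the on-link /24 and /32 rows, which are more specific than the two /1 routes, so anything that resolves to the router goes straight to it on the LAN even with redirect-gateway def1 in place. The /1 trick only overrides the old default route; it does not override connected-network routes.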

  • @Abdussamad said:
    Post the server config then. Let's see what nameservers it's pushing and whether it is pushing the default gateway to you as well. Also run the following command on the OpenVPN client PC after you've connected to the VPN and post its output here:

    route print

    I'll get a copy of the routing table for you shortly - in the meantime, however, here's a link to my server config:

    http://pastebin.com/YVNBq4mS

    Thanks.

  • Abdussamad Member
    edited February 2016

    Looks ok. You're pushing the opendns servers to the client. You should add this to your client configuration file too:

    keepalive 10 120

    If the above is not there in the client config the connection can timeout.

    In addition to the route print, do post an nslookup. This time please put it on pastebin because it's difficult to read the one you've posted above.

  • @Abdussamad said:
    Looks ok. You should add this to your client configuration file too:

    keepalive 10 120

    If the above is not there in the client config the connection can timeout.

    This is good to know.

    Concerning IPv6... I've now disabled that particular resource from my adaptor (via Network Connections), so in theory this aspect can't be the issue. As suggested I have also tested on multiple machines, all with the same result.

  • So! Just a very quick update...

    In addition to a Netgear router, I also run a Netgear-branded wireless extender. Unlike the router, Netgear have configured "MyWifiExt.com/net" as a hostname that will redirect the client to its local gateway.

    When connected to the extender, accessing the MyWifiExt.net URL via the VPN tunnel takes me to the login page - this mirrors the behavior of my router. However, these extenders don't support IPv6 at all.

    I've also tested with the script that @nur developed, which produces the same result. I have a feeling that this one may unfortunately not be resolved...

  • I'm not going to re-read the thread now, so may have missed it, but are you absolutely certain that the hosts file on your computer does not contain anything relating to this? This whole thing just smells to me like you put one of those marketing CDs that come with products these days into your machine. (Sorry, I don't do Windows, so am probably over suspicious.) :)

  • @Ole_Juul said:
    I'm not going to re-read the thread now, so may have missed it, but are you absolutely certain that the hosts file on your computer does not contain anything relating to this? This whole thing just smells to me like you put one of those marketing CDs that come with products these days into your machine. (Sorry, I don't do Windows, so am probably over suspicious.) :)

    I am 100% sure that the hosts file isn't the issue here - I've searched for any references to "routerlogin", which returns nothing. BTW, I refuse to use software setup CDs and always manually configure settings whenever possible - also, even if I did have to use the auto configuration approach I'd use a VM (I refuse to let any unknown software on my machine).

    @Abdussamad said:

    In addition to the route print, do post an nslookup. This time please put it on pastebin because it's difficult to read the one you've posted above.

    Apologies - I missed this.

    First... an nslookup performed on routerlogin.net when disconnected from the VPN:

    http://pastebin.com/YRMfhPdi

    And secondly... an nslookup performed whilst the VPN tunnel is active:

    http://pastebin.com/LnDBs0T8

    I hope that's useful

  • vpnuser said: BTW, I refuse to use software setup CDs and always manually configure settings whenever possible - also, even if I did have to use the auto configuration approach I'd use a VM (I refuse to let any unknown software on my machine).

    That deserves a mark of respect from me. :)

  • @Abdussamad said:
    Post the server config then. Let's see what nameservers it's pushing and whether it is pushing the default gateway to you as well. Also run the following command on the OpenVPN client PC after you've connected to the VPN and post its output here:

    route print

    Apologies for the delay on this. :)

    You can find my route IPv4 table here:

    http://pastebin.com/5Bvf2aba

    And IPv6 here:

    http://pastebin.com/TH4iSr4w

    I hope that helps - hopefully we're almost there!

  • Ok... this is the last time I'm going to bump this.

    I've posted both my IPv4 and v6 routing tables (see above). I'm now wondering if my question should be more broad and focus specifically on accessing local resources when connected to the VPN.

    Any ideas, people?

    Thanks.

  • Abdussamad Member
    edited February 2016

    As far as I can tell there is nothing wrong with your routing table. I think the problem is either A or D from my list before. Most likely you have the old DNS records cached somewhere. So I suggest flushing your OS and browser level DNS caches.

    OS-level cache:

    ipconfig /flushdns

    Browser level will depend on the browser. Google for it.

    If this doesn't work then check if you have a static mapping setup in the hosts file.

  • I'm with @Abdussamad. What other possibilities are there?

    In checking this, could the OP be making an assumption somewhere?

  • @Abdussamad said:
    As far as I can tell there is nothing wrong with your routing table. I think the problem is either A or D from my list before. Most likely you have the old DNS records cached somewhere. So I suggest flushing your OS and browser level DNS caches.

    OS-level cache:

    ipconfig /flushdns

    Browser level will depend on the browser. Google for it.

    If this doesn't work then check if you have a static mapping setup in the hosts file.

    I'm 100% sure that neither of these are the case - see below for an interesting discovery...

    @Ole_Juul said:
    I'm with Abdussamad. What other possibilities are there?

    In checking this, could the OP be making an assumption somewhere?

    So... I've carried out some additional testing, and discovered something interesting.

    If I'm connected to my main gateway (with IP 192.168.0.1) and issue the "routerlogin.net" address from within my web browser, the Netgear web interface appears and prompts me for a password. The same applies when I'm connected to my Netgear wireless extension (with IP 192.168.0.16) and access its webserver with "mywifiext.net" - both of these tests were carried out without being connected to my VPN tunnel.

    However... if I'm connected to my wireless extension point and then initiate a VPN connection, entering "mywifiext.net" does NOT take me to my extension's webserver, and instead directs me to the Netgear website, explaining that I should first connect to my access point. However, issuing "routerlogin.net" when connected to my wireless extension results in the same behavior as before (i.e. my router presenting its web interface).

    So, I admit that I'm now more confused than I was when I first started. It would appear that when connected to my VPN through my wireless access point, all DNS entries are intercepted - this can be seen because entering "mywifiext.net" gets routed onto the Internet. However, it would appear that the "routerlogin.net" URL (i.e. the URL of the main gateway) is always intercepted by the router.

    Anybody have any ideas... because I certainly don't!

  • So... hours (and a long evening) later, I have come up with an answer to my problem. :) Thank you to everybody that contributed to this thread - you were all of great help.

    So, for the answer. My thinking: as @nur rightly pointed out towards the start of this thread, the routerlogin.net domain does not currently resolve to anything... but mywifiext.com/net does. That got me thinking, and carrying out an nslookup on the domain whilst connected through the VPN didn't bring back any useful results.

    So, I carried out some research in the hope of finding a DNS server that upon an NXDOMAIN redirects the request to an ad-serving page. It appears that Level 3 now do this, so as a test I set my OpenVPN config to push me those servers... and upon heading over to routerlogin.net, I was taken to Level 3's ad-serving site. So... although I have no explanation other than the above, it would appear that upon a DNS error OpenVPN then serves the request back to the default gateway of the originating connection.

    Would this make sense, and has anybody observed anything similar before?

  • default Veteran

    @jasonmiller said:
    Nice. Also check here
