Comments
You can check the *.ovpn openvpn config file. You can specify what gets routed locally instead of through the vpn, like this:
route 192.168.1.1 255.255.255.255 net_gateway
Is your router IP or DNS included in that?
Also, somebody else mentioned it already, but you might check for ipv6. Without going through a lot of trouble, openvpn ignores ipv6, so all of that will bypass the vpn.
Unfortunately not - here is my client config in full.
Again, this unfortunately isn't the case; I don't have IPv6 configured on the router at all. Either way, thank you for both suggestions.
Are you sure it doesn't have an IPv6 link-local address? (If I were to design a box that could always be reached at a DNS name, I would use IPv6 DNS on a link-local address...)
Sure - I'm 100% definite that this isn't the case - I have IPv6 disabled from within the router directly.
can you put in < pre > tags.
hash bolds text.
Sure - apologies, all done.
no need to say sorry, it's just someone thought it'd be smart to do it that way.
Good point. I just checked both ends and in my server.conf I've got
push "dhcp-option DNS 91.239.100.100"
In my client.conf I have
redirect-gateway def1
In any case, I just realized that I made a blunder here - sorry! I had a problem accessing the local machines when I set up this VPN and I guess I'd forgotten how I solved it. I checked it all out just now and see that (despite using the router host file for all other traffic) I actually use a local host file for this machine. So, is it possible that your router somehow writes to your computer and inserts the info there?
Not a problem. I'd say that this wouldn't be possible - imagine the potential security risks that could emerge as a result of a router having so much control over a local device's hosts file - it would only take a user connecting to an unknown network... and boom! That gateway would have full control over the DNS entries they are taken to.
Well, it could happen through using an install disk, I suppose. However, all we know so far is that in your case they actually have managed to intercept your DNS. We just don't know how yet.
From what I understand, DNS is not considered secure enough for serious security anyway. Apparently DNSSEC also has problems. According to most experts the Tor protocol is the best available right now. Anyway, how far you go and what particular configuration you use will depend on your threat model.
By the way, have you tried this from another computer yet? That might be instructive.
Is that the client or the server? You still haven't told us whether the OpenVPN client is a PC or your router. If it's the router, the encrypted connection is between the router and the OpenVPN server. The communication between the LAN PCs connected to the router and the router itself is not encrypted, and the router can intercept DNS queries in this scenario. However, if the OpenVPN client is a PC then the router only sees encrypted packets and can't do anything, assuming none of A-D in my list above is true in your case.
No this is not entirely accurate. In addition to the server pushing the DNS server addresses the things in my list above A-D have to be looked at too. For example the client actually has to use the nameservers provided by the ovpn server and it has to route those queries through the VPN i.e. the OS routing table has to be correct.
Apologies for not specifying this earlier. I'm connecting via the official OpenVPN Windows-based client directly to my server, so in theory the router should not have access to my DNS traffic. Upon connecting to the VPN, performing an nslookup definitely shows different results (see above for an nslookup of RouterLogin.net specifically).
Post the server config then. Let's see what nameservers it's pushing and whether it is pushing the default gateway to you as well. Also run the following command on the ovpn client PC after you've connected to the VPN and post its output here:
route print
I'll get a copy of the routing table for you shortly - in the meantime, however, here's a link to my server config:
http://pastebin.com/YVNBq4mS
Thanks.
Looks ok. You're pushing the opendns servers to the client. You should add this to your client configuration file too:
keepalive 10 120
If the above is not there in the client config the connection can timeout.
In addition to the route print, do post an nslookup. This time please put it on pastebin because it's difficult to read the one you've posted above.
This is good to know.
Concerning IPv6... I've now disabled that particular resource from my adaptor (via Network Connections), so in theory this aspect can't be the issue. As suggested I have also tested on multiple machines, all with the same result.
So! Just a very quick update...
In addition to a Netgear router, I also run a Netgear-branded wireless extender. Unlike the router, Netgear have configured "MyWifiExt.com/net" as a hostname that will redirect the client to its local gateway.
When connected to the extender, accessing the MyWifiExt.net URL via the VPN tunnel takes me to the login page - this mirrors the behavior of my router. However, these extenders don't support IPv6 at all.
I've also tested with the script that @nur developed, which produces the same result. I have a feeling that this one may unfortunately not be resolved...
I'm not going to re-read the thread now, so may have missed it, but are you absolutely certain that the hosts file on your computer does not contain anything relating to this? This whole thing just smells to me like you put one of those marketing CDs that come with products these days into your machine. (Sorry, I don't do Windows, so am probably over suspicious.)
I am 100% sure that the hosts file isn't the issue here - I've searched for any references to "routerlogin", which returns nothing. BTW, I refuse to use software setup CDs and always manually configure settings whenever possible - also, even if I did have to use the auto configuration approach I'd use a VM (I refuse to let any unknown software on my machine).
Apologies - I missed this.
First... an nslookup performed on routerlogin.net when disconnected from the VPN:
http://pastebin.com/YRMfhPdi
And secondly... an nslookup performed whilst the VPN tunnel is active:
http://pastebin.com/LnDBs0T8
I hope that's useful
That deserves a mark of respect from me.
Apologies for the delay on this.
You can find my route IPv4 table here:
http://pastebin.com/5Bvf2aba
And IPv6 here:
http://pastebin.com/TH4iSr4w
I hope that helps - hopefully we're almost there!
Ok... this is the last time I'm going to bump this.
I've posted both my IPv4 and v6 routing tables (see above). I'm now wondering if my question should be more broad and focus specifically on accessing local resources when connected to the VPN.
Any ideas, people?
Thanks.
As far as I can tell there is nothing wrong with your routing table. I think the problem is either A or D from my list before. Most likely you have the old DNS records cached somewhere. So I suggest flushing your OS and browser level DNS caches.
OS level cache:
ipconfig /flushdns
Browser level will depend on the browser. Google for it.
If this doesn't work then check if you have a static mapping setup in the hosts file.
I'm with @Abdussamad. What other possibilities are there?
In checking this, could the OP be making an assumption somewhere?
I'm 100% sure that neither of these are the case - see below for an interesting discovery...
So... I've carried out some additional testing, and discovered something interesting.
If I'm connected to my main gateway (with IP 192.168.0.1) and issue the "routerlogin.net" address from within my web browser, the Netgear web interface appears and prompts me for a password. The same applies when I'm connected to my Netgear wireless extension (with IP 192.168.0.16) and access its webserver with "mywifiext.net" - both of these tests were carried out without being connected to my VPN tunnel.
However... if I'm connected to my wireless extension point and then initiate a VPN connection, entering "mywifiext.net" does NOT take me to my extension's webserver, and instead directs me to the Netgear website, explaining that I should first connect to my access point. However, issuing "routerlogin.net" when connected to my wireless extension results in the same behavior as before (i.e. my router presenting its web interface).
So, I admit that I'm now more confused than I was when I first started. It would appear that when connected to my VPN through my wireless access point, all DNS entries are intercepted - this can be seen because entering "mywifiext.net" gets routed onto the Internet. However, it would appear that the "routerlogin.net" URL (i.e. the URL of the main gateway) is always intercepted by the router.
Anybody have any ideas... because I certainly don't!
So... hours (and a long evening) later, I have come up with an answer to my problem. Thank you to everybody that contributed to this thread - you were all of great help.
So, for the answer. My thinking: as @nur rightly pointed out towards the start of this thread, the routerlogin.net domain does not currently resolve to anything... but mywifiext.com/net does. That got me thinking, and carrying out an nslookup on the domain whilst connected through the VPN didn't bring back any useful results.
So, I carried out some research in the hope of finding a DNS server that upon an NXDOMAIN redirects the request to an ad-serving page. It appears that Level 3 now do this, so as a test I set my OpenVPN config to push me those servers... and upon heading over to routerlogin.net, I was taken to Level 3's ad-serving site. So... although I have no explanation other than the above, it would appear that upon a DNS error OpenVPN then serves the request back to the default gateway of the originating connection.
Would this make sense, and has anybody observed anything similar before?
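Added example (not code from this thread or from any poster in it): a stdlib-only Python script that sends the same A query for routerlogin.net straight to each resolver, the server-pushed 91.239.100.100 from the server config quoted earlier and the Netgear gateway 192.168.0.1, and reports the RCODE plus any A records, so an NXDOMAIN from the VPN resolver can be told apart from an answer the router supplies. The addresses come from the thread; the 2-second timeout and the fixed transaction id are my assumptions.

```python
import socket
import struct

# Resolvers named in the thread (server-pushed DNS and the Netgear gateway).
VPN_DNS, GATEWAY_DNS, NAME = "91.239.100.100", "192.168.0.1", "routerlogin.net"

def build_query(name, txid=0x1234):
    # Minimal DNS A/IN query, recursion desired, no EDNS.
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode() for l in name.strip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def _skip_name(data, pos):  # step over a name that may end in a pointer
    while data[pos] != 0 and data[pos] & 0xC0 != 0xC0:
        pos += data[pos] + 1
    return pos + (2 if data[pos] & 0xC0 == 0xC0 else 1)

def parse_response(data, txid=0x1234):
    # Return (rcode_name, [A records]) from a raw DNS reply.
    rid, flags, qdcount, ancount = struct.unpack(">HHHH", data[:8])
    if rid != txid:
        raise ValueError("transaction id mismatch: not our reply")
    rcode = {0: "NOERROR", 3: "NXDOMAIN"}.get(flags & 0xF, "RCODE%d" % (flags & 0xF))
    pos = 12
    for _ in range(qdcount):          # skip the echoed question section
        pos = _skip_name(data, pos) + 4
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:  # A record: four raw address bytes
            addrs.append(".".join(str(b) for b in data[pos:pos + 4]))
        pos += rdlen
    return rcode, addrs

def probe(resolver, name=NAME, timeout=2.0):
    # Ask one resolver directly over UDP/53 (the timeout is an assumed value).
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        return parse_response(s.recvfrom(512)[0])

if __name__ == "__main__":                  # run this while the VPN is up
    for server in (VPN_DNS, GATEWAY_DNS):
        try:
            print(server, NAME, *probe(server))
        except OSError as exc:              # socket.timeout is an OSError
            print(server, NAME, "no reply:", exc)
```

Run it with the tunnel up and again with it down; a gateway that answers for a name the VPN resolver reports as NXDOMAIN is the interception discussed in this thread made visible per resolver.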