OpenVPN tunnel won't return internet pages, but all internal DNS connections work

Post by DadsHockeyLife »

Ok, first, I'm VERY new to OpenWRT and the use of The Wireless Haven routers. I'm not new to networking, Linux, Windows, Chrome OS, Android, and other platforms. I am well versed in servers and currently use 3 Synology boxes (highly customized) and have started messing with a Pi 4 cluster using K8s.

However, until now, I've never needed an LTE capable router nor had a need to do this much customizing, so this side of things is very new to me.

So, basically, I will be using this router (WG3526) in my 5th wheel when we travel. The primary purpose was to VPN back to our home using OpenVPN (the OpenVPN is hosted on my router - another Synology product) so I have a secure connection to our home's resources, but also to use Hulu on the road (they won't allow one to use it away from your home area more than 4 times in a year).

So, I've set up OpenVPN on the router and it appears to run swimmingly. I set it up to be a full tunnel so ALL traffic goes through the VPN and Internet traffic is handled by my home router and our home DNS server. I have both the WG3526 router and my home router running separate subnets on their respective LANs. Everything on the internal LAN (home side) is completely functional and accessible from the LAN on the 3526, including browsing the servers by name instead of IP. This tells me internally, the DNS names are resolving.

However, I can't seem to get any internet addresses to resolve. Primarily I'm using google.com to test.

When I disconnect the VPN on the 3526, internet addresses instantly become available...so it has something to do with the DNS between the VPN server (home router) and the VPN client on the 3526, I think. I just can't seem to figure it out.

Here's a copy of my OpenVPN config file....

dev tun
tls-client

remote host.mydomain.com 1194

# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)

#float

# If redirect-gateway is enabled, the client will redirect its
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

redirect-gateway def1

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.

# home DNS server
dhcp-option DNS XX.XX.XX.1
# IP of the LAN interface on the 3526 router
dhcp-option DNS X.X.X.2

pull

# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode ****I took proto udp6 out because my home IP scheme doesn't use IPv6****

script-security 2


reneg-sec 0

auth SHA512

cipher AES-256-CBC

auth-user-pass /etc/openvpn/HOME.auth


key-direction 1

comp-lzo
explicit-exit-notify
# client-cert-not-required is a server-side option; it belongs in the server
# config, not inside the client's <ca> block, so it is commented out here.
#client-cert-not-required
<ca>

-----BEGIN CERTIFICATE-----
DELETED FOR SECURITY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
DELETED FOR SECURITY
-----END CERTIFICATE-----
</ca>

<tls-auth>

#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
DELETED FOR SECURITY
-----END OpenVPN Static key V1-----
</tls-auth>

And here's a couple of pics of the options I set in OpenVPN Extras -
[attached screenshots: CaptureVPN DNS1.JPG, CaptureVPN DNS2.JPG]
If anyone can spot my error, please let me know...I'm out of ideas even after googling and searching this forum. Thanks!
Re: OpenVPN tunnel won't return internet pages, but all internal DNS connections work

Post by DadsHockeyLife »

Ok, folks....I still have NO idea what specifically I did to fix this, but I fixed it.

Here's a list of things I did that ultimately fixed the issue and got everything running.

1) I factory reset my WG3526, using the recovery process on these two pages (mine ended up having the Chinese menu, so the second page explained/translated them for me)
https://wirelessjoint.com/viewtopic.php?f=21&t=2051
https://wirelessjoint.com/viewtopic.php?f=8&t=68

2) Starting from scratch, I set up my router again, making sure to change the LAN IP so it was on a different subnet than the VPN network to which I was connecting, set up my WiFi SSIDs and WPA2 security measures, changed the admin password, made sure the T-Mobile connection was still working correctly, and (because I like its simplicity) changed the theme to Bootstrap.

3) Followed the following link's tutorial to a "T". It's generic enough to apply to any OpenVPN install despite the fact it's for a HH5a and a specific VPN service.
https://www.dropbox.com/sh/c8cqmpc6cacs ... 2.pdf?dl=0
A) I made sure in each example, if there was ANYTHING extra in my router that didn't show in their example it was deleted...e.g. my LAN interface showed 3 additional destination forwarders linked, I removed all but the VPN interface I created.
B) instead of creating a separate interface called NAME_VPN and a separate TUN Interface as they suggested, I just modified the existing VPN and TUN0 interfaces to match settings with their created interfaces.
C) I had to make BOTH DNS changes it suggests in section 2.3 (I used ONLY my LAN DNS server's address in the network to which I was connecting, as it also has forwarding rules already set up to use a secure DNS for Internet traffic).

4) I made sure my DNS server was allowing both the IP subnet from my WG3526 AND the IP subnet OpenVPN was using.

This completely resolved the issue I was having. I'm not sure if it was my initial setup attempt, where I missed something, or the changes I made to my DNS server to allow addresses from either the WG3526 LAN IPs or the VPN IPs, because I made the DNS changes before testing the new OpenVPN setup. But ultimately it's working beautifully and the speed is amazingly strong.

I hope this helps someone else if they run into the issues I was having. Cheers all and happy tinkering....

Learn Lots, Live Long, Love Well!
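The symptom in the original post (internal names resolve, public names do not, and disconnecting the VPN fixes it) and step 4 of the fix (allowing the VPN subnet on the home DNS server) both come down to one question: is the home DNS server reachable through the tunnel, and does it answer recursive queries for the tunnel's source address? The small probe below is an added example, not code from the post or from the router firmware; it builds a raw DNS query with recursion requested and classifies the reply, so a REFUSED or non-recursive answer can be told apart from a plain timeout. The server address 192.0.2.1 and the test names are placeholders.

```python
import random
import socket
import struct
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid=None):
    """Minimal DNS A/IN query with RD (recursion desired) set, like a stub resolver sends."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def parse_response(data):
    """Return (txid, rcode name, RA flag, answer count) from the 12-byte DNS header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return txid, RCODES.get(flags & 0x000F, str(flags & 0x000F)), bool(flags & 0x0080), an


def classify(rcode, ra, answers):
    """Heuristic: separate 'DNS policy rejects this client' from 'resolved' and 'other'."""
    if rcode == "REFUSED" or (rcode == "NOERROR" and not ra and answers == 0):
        return "reachable, but recursion is not allowed for this source address"
    if rcode == "NOERROR" and answers > 0:
        return "resolved"
    if rcode == "NXDOMAIN":
        return "server recursed; the name simply does not exist"
    return "unexpected reply: " + rcode


def probe(server, name, timeout=3.0):
    """Send one query to `server` over whatever route the host has (the tunnel, when connected)."""
    query = build_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return "no reply: the server is unreachable or filtered, not a DNS policy problem"
    finally:
        sock.close()
    txid, rcode, ra, answers = parse_response(data)
    if txid != struct.unpack("!H", query[:2])[0]:
        return "reply with wrong transaction id ignored"
    return classify(rcode, ra, answers)

if __name__ == "__main__":
    # Placeholders: the home DNS server pushed by dhcp-option, an internal name, a public name.
    for name in ("nas.home.example", "google.com"):
        print(name, "->", probe("192.0.2.1", name))
```

Run it once with the tunnel up and once with it down; an internal name that resolves next to a public name that comes back REFUSED (or NOERROR with RA clear and no answers) points at the server's allowed-client list rather than at routing.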