RT-AC68U OpenVPN Server DNS Problem

searlan

Hello everyone,

I'm trying to set up an OpenVPN server on my RT-AC68U router with Asus-Merlin firmware 376.48_1. I first tried connecting via ChromeOS and it appeared to connect successfully. The System Logs in the router also mention a successful connection. But I am unable to browse the internet. When I tried to ping 8.8.8.8, it works. But when I tried pinging google.com, it fails. I looked into /etc/resolv.conf on ChromeOS while the VPN is connected and it showed the IP of my router. This looks like a DNS problem, but I'm not sure how to solve it. I also tried connecting with an Android device, and I get a similar problem: I was able to see the computers connected to the router, but unable to resolve any hosts.

Here is my configuration for OpenVPN:

VPN Server mode: OpenVPN
Interface Type: TUN
Protocol: UDP
Server Port: 1194
Firewall: Auto
Authorization Mode: TLS
Username/Password Authentication: Yes
Username/Pass Auth Only: Yes
Extra HMAC authorization: Disable
VPN Subnet / Netmask: 10.8.0.0 255.255.255.0

Poll Interval: 0
Push LAN to clients: Yes
Direct clients to redirect traffic: No
Respond to DNS: Yes
Advertise DNS to clients: Yes
Encryption cipher: Default
Compression: Disable
TLS Regeneration Time: -1
Manage client specific options: No

Additional info: I'm connecting to the VPN from an outside connection. I also have the Google DNSs (8.8.8.8 and 8.8.4.4) filled in on the WAN settings tab of the router.

Thanks. Any help would be appreciated.
 
Try changing to YES, Direct clients to redirect internet traffic. I have the same version firmware as you. See my setup attached.
 

Attachment: vpn.jpg
Thanks for your suggestion. I changed the settings to look like yours exactly. I also rebooted for safe measure. I'm still able to connect but still can't resolve dns. Is there anything I can check to see if I'm configuring this correctly?

Thanks!
 
As to "I looked into /etc/resolv.conf on ChromeOS while the VPN is connected and it showed the IP of my router. This looks like a DNS problem,"

I don't know if this answers part of your query: see Merlin's comments at

http://forums.smallnetbuilder.com/showthread.php?t=21547

i.e. "Because the router is acting as a DNS proxy, allowing it to cache queries, and also to handle local LAN name resolution. This is perfectly normal, and actually desirable. The router forwards those queries to the DNS servers configured on the WAN page."

And, indeed, my DNS server always shows up as 192.168.1.1 in my network apps and ipconfig in Windows independent of vpn use.

Just as a check, I attach a screenshot of my DNS settings, though I doubt that helps you. I should add that my Openvpn client is on an iPhone, not Android or Chrome, but I don't expect any of this helps you.

Martin
 

Attachment: dns1a.jpg
Hi Martin, thanks for the explanation about the DNS proxy. Looks like that's not a problem then.

Most of my WAN settings are similar to yours, except I have UPnP enabled and I have to set a Static IP since I'm behind a firewall in my apartment building. I have to set the IP Address to the firewall's DMZ IP so I can manage port forwarding using my own router. Could that be a problem?

I've also attached a snippet of the system log when I try connecting to OpenVPN. I redacted my external IP, I don't seem to see any outstanding errors.

Thanks!
 

Attachments: wan.png, openvpn.txt
....... and I have to set a Static IP since I'm behind a firewall in my apartment building. I have to set the IP Address to the firewall's DMZ IP so I can manage port forwarding using my own router. .......


DMZs etc is straying beyond my comfort zone; however, there are a couple of questions I have that might either give you food for thought or prompt an idea from someone looking in.

If I've got the picture, you don't have your own public IP address; there's a public, static, IP address coming into the block's gateway router and you are part of the internal network with a static address on the 192.168.1.0 network and have your devices behind your own router, correct?

And, just to refresh the picture, your problem is that you can access your router (and the devices behind it) from a remote location through the Openvpn tunnel but you can't bounce back out and browse the Internet.

Forgive me for asking but when you test the vpn connection you are genuinely remote and there's no other connection (eg wireless) to your internal network i.e. you are coming in from another physical location or via cellular with the wireless connection on your client device switched off?

Martin
 
Hi martin, thanks for your help so far.

If I've got the picture, you don't have your own public IP address; there's a public, static, IP address coming into the block's gateway router and you are part of the internal network with a static address on the 192.168.1.0 network and have your devices behind your own router, correct?

Yeah, I think you're correct. I can leave the router to configure WAN information automatically, but I would no longer be able to control port forwarding. The ISP's firewall between the outside and me blocks most ports.

And, just to refresh the picture, your problem is that you can access your router (and the devices behind it) from a remote location through the Openvpn tunnel but you can't bounce back out and browse the Internet.

Yeah that's right. If I ping using a direct IP, I get responses. But if I try a domain, I get timeouts. That's what originally led me to believe it was a DNS problem.

Forgive me for asking but when you test the vpn connection you are genuinely remote and there's no other connection (eg wireless) to your internal network i.e. you are coming in from another physical location or via cellular with the wireless connection on your client device switched off?
Yeah I'm sure. I was actually in another city about 150 miles (240 km) away last week when I was using my devices to test out the VPN. Currently, I'm using my phone's mobile internet for testing. I'm sure I disabled the wifi on the device completely before testing, but sadly there's still the problem.

Thanks
 
I have to tell you, I'm a bit out of my depth here, but I have one more thought that might, possibly, give a little more information, having used this myself in the last couple of days to successfully troubleshoot a problem of my own. I guess it's basically a traceroute to troubleshoot the blockage.

Can you, whilst at home, use Openvpn on your phone to try and browse the Internet (as if physically remote) via your vpn tunnel but at the same time be logged into your router on your home pc and - assuming your router has this function - do a netstat check and see if it tells you anything about the (attempted) connection to the DNS server on port 53 eg Unestablished. I have the Asus RT-AC68U; I log in and go to Network Tools then the Netstat tab and Netstat-NAT - please see attachment.

You would attempt to access a new website/domain on your phone and, whilst it's thinking about it, you'd press the button marked Netstat on the Network Tools page to refresh the connection status list. When I had my DNS problem it showed several port 80 or 443 established connections, and one unestablished connection, at the bottom (not shown in the screenshot) to my DNS provider (OpenDNS) on port 53. It was this failed connection that pointed me to where my problem lay. This could be a bit of a wild-goose chase, though.

Martin
 

Attachment: Netstat-nat2.jpg
By the way, did you set up the PPTP vpn on your client devices and, if so, have you tried tunnelling back home via the PPTP vpn and back out onto the Internet? I wonder if you run into the same problem using PPTP? I've just double-checked my PPTP by turning off the wi-fi on my iPhone and coming in via cellular through the PPTP tunnel and then back out to whatsmyip.org, and it shows my network's public IP address as expected.

I'm not sure exactly what this would tell you - either way - but it'd be another piece of the diagnostic jigsaw to put in place.

And, to confirm, the DNS setting on your LAN page is blank (that's why your DNS server shows up as 192.168.1.1)? And you don't have any DNS filtering under Parental Controls do you? That's what messed me up.

Martin
 
Hey Martin,

I just tried to connect through PPTP. My device and the router says a connection has successfully been established. But still the same problem :(.

And, to confirm, the DNS setting on your LAN page is blank (that's why your DNS server shows up as 192.168.1.1)? And you don't have any DNS filtering under Parental Controls do you? That's what messed me up.
Yeah, under LAN > DHCP Server > DNS and WINS Server Setting, I have the DNS Server field blank. In regards to Parental Controls, I have Parental Controls and DNS Filtering OFF.

In your previous post you mentioned something about port 53. I tried to run a traceroute app to a domain and there indeed seems to be a problem with Port 53 when connected to the vpn. I've attached a working and non-working log. The problem seems to occur near the last few steps of the trace.

I've also attached a log of netstat when I try to visit google.com. That address in the log appears to be a Google IP, so it seems to be resolving something, perhaps?

Thanks for all the help so far! I appreciate it.
 


We seem to generate more questions than answers! But it must be fair to say that your tests - running PPTP and Openvpn and getting identical results - have shown that your problem isn't in the Openvpn settings.

By the way, I can't pretend to fully understand the logs, but I infer that the working log is where your vpn is not connected and you are simply making a normal connection to Reddit.com. And the non-working logfile is where you tried reaching Reddit.com by vpn tunnelling into your router and back out onto the Internet. I tried the same thing without problem and it was useful to compare both traceroutes. But one thing I notice: the DNS failure i.e.

"failed to connect to /fd00:976a::9 (port 53): connect failed: ENETUNREACH (Network is unreachable)"

And your last sentence was "That address in the log appears to be a Google IP, so it seems to be resolving something, perhaps?" However, when I tried to get some info on that IPv6 address, T-Mobile keeps cropping up, not Google:

eg, http://forum.xda-developers.com/tmobile-lg-g3/general/t-mobile-g3-ipv6-t2833087

https://groups.google.com/forum/#!msg/tmoipv6beta/xzkjbOZOa38/BTcsKszNw4AJ

So, what really puzzles me is why your DNS, when you use a vpn, seems to be via T-Mobile; you see, I thought that what happens is exactly what would happen if you were physically behind your router (ie no-vpn), namely, a check to see if the router knows the DNS lookup and, if not, a trip to your DNS server (8.8.8.8) (listed on your WAN page) for an answer. And just to satisfy myself, I removed my 2 Opendns server addresses from my WAN page and left the spaces blank. As expected I could not access any websites on the Internet either normally or via vpn from my iPhone until I reinstated the addresses.

So I don't understand why the DNS servers listed on your WAN page appear to be bypassed and, instead, an attempt is made to contact an IP v6 DNS server address at T-Mobile. (I doubt this has any relevance but my IPv6 page is set to Disable.)

Does any of this make sense to you or trigger any thoughts?

Martin
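The path a client's DNS query takes once the tunnel is up, which is what the ENETUNREACH line above turns on, modelled as an added Python example. This is not code from the thread or from Asus-Merlin; the tunnel subnet, the router LAN and the failing resolver fd00:976a::9 come from the posts, while the tunnel DNS address 10.8.0.1, the mapping of the three GUI switches to OpenVPN `push` lines, and the explanation of the IPv6 error (an IPv4-only tunnel pushes no IPv6 route, and the Android VPN captures all traffic) are assumptions:

```python
import ipaddress
import re

# Facts taken from the thread: tunnel subnet, router LAN, and the failing resolver in the
# OP's Android trace. The tunnel DNS address and the GUI-to-directive mapping are assumptions.
VPN_SUBNET = ipaddress.ip_network("10.8.0.0/24")
ROUTER_LAN = ipaddress.ip_network("192.168.1.0/24")
TUNNEL_DNS = "10.8.0.1"  # assumed: server end of the TUN, what "Advertise DNS to clients" hands out

# Quoted from the non-working Android trace in the thread.
ANDROID_LOG = ("failed to connect to /fd00:976a::9 (port 53): "
               "connect failed: ENETUNREACH (Network is unreachable)")


def push_directives(push_lan=True, redirect_gateway=True, advertise_dns=True):
    """OpenVPN server 'push' lines equivalent to three of the GUI switches (assumed mapping)."""
    lines = []
    if push_lan:          # "Push LAN to clients"
        lines.append(f'push "route {ROUTER_LAN.network_address} {ROUTER_LAN.netmask}"')
    if redirect_gateway:  # "Direct clients to redirect traffic"
        lines.append('push "redirect-gateway def1"')
    if advertise_dns:     # "Advertise DNS to clients"
        lines.append(f'push "dhcp-option DNS {TUNNEL_DNS}"')
    return lines


def tunnel_routes(directives):
    """IPv4 networks the client will send into the tunnel, derived from the push lines."""
    routes = [VPN_SUBNET]
    for line in directives:
        m = re.fullmatch(r'push "route (\S+) (\S+)"', line)
        if m:
            routes.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
        elif line == 'push "redirect-gateway def1"':
            routes.append(ipaddress.ip_network("0.0.0.0/0"))
    return routes


def resolver_from_log(line):
    """Pull the resolver address out of an Android 'failed to connect to /ADDR (port 53)' line."""
    m = re.search(r"connect to /([0-9A-Fa-f:.]+) \(port 53\)", line)
    return m.group(1) if m else None


def resolver_path(resolver, routes):
    """Where a DNS query to `resolver` goes once the IPv4-only tunnel is up.

    'tunnel'      - matched a pushed route, so the router (or its WAN resolvers) answers it
    'underlay'    - no pushed route, so it leaves via the client's own network (a DNS leak)
    'ENETUNREACH' - IPv6 resolver: the tunnel pushed no IPv6 route and the Android VPN
                    captures all traffic, so the socket has no route at all (assumed
                    mechanism behind the error in the trace)
    """
    addr = ipaddress.ip_address(resolver)
    if addr.version == 6:
        return "ENETUNREACH"
    if any(addr in net for net in routes):
        return "tunnel"
    return "underlay"


def diagnose(resolvers, directives):
    """Map each resolver the client knows about to the path its queries will take."""
    routes = tunnel_routes(directives)
    return {r: resolver_path(r, routes) for r in resolvers}


if __name__ == "__main__":
    cellular_v6 = resolver_from_log(ANDROID_LOG)
    # Constructed client resolver list: the pushed tunnel DNS, the router's LAN address,
    # the WAN-page Google resolver, and the IPv6 resolver the phone got from its carrier.
    resolvers = [TUNNEL_DNS, "192.168.1.1", "8.8.8.8", cellular_v6]
    for label, redirect in (("OP's first config (redirect No)", False),
                            ("after the suggested change (redirect Yes)", True)):
        print(label)
        for r, path in diagnose(resolvers, push_directives(redirect_gateway=redirect)).items():
            print(f"  {r:>16} -> {path}")
```

Running it shows the two separate things the thread is circling: with "Direct clients to redirect traffic" off, a query to 8.8.8.8 never enters the tunnel at all, while queries to 10.8.0.1 or 192.168.1.1 do; and in either configuration the carrier's fd00:976a::9 resolver has no route through an IPv4-only tunnel, which is the ENETUNREACH in the trace. The practical check on a client is therefore which resolver it actually uses once connected, not only whether the tunnel comes up.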
 
Hey Martin,

I did some quick searches on IPv6, T-Mobile, and VPN and I came across this article that seems to describe my problem:
http://blog.cuanticosecurity.com/2014/04/ipv6-apn-means-no-vpn-for-galaxy-s5-on.html
Someone commented below the article that there will still be problems if the VPN only has IPv4. I also have IPv6 disabled on my router. I also just realized that the internet I was using when I was away last week was using IPv6 as well. (d'oh) So there seems to be a problem with IPv6 and IPv4 conflicting? The network at my workplace should be pure IPv4. I'll do some small tests there and report back tomorrow.

Thanks for your help so far!
 
Update: Looks like there is still a problem with the OpenVPN app on Android even on a network with only IPv4 connections. However, I was able to tunnel traffic successfully using the OpenVPN client on Windows and Ubuntu by simply loading the .ovpn file. I guess all this time, it was most likely an Android issue. :( Thanks Martin for your help anyway. If I do find a solution down the line I'll post here so other people might benefit.
 

I'm sorry you've still got problems with it. I'm not so sure how much help I was: more a case of two heads being better than one. Not a bad bit of teamwork, though. And I learned a thing or 2 from it.

I don't know how familiar you are with ssh, or if Android has a workaround similar to the Apple one whereby you place a .pac file in a web-accessible place, but you can use ssh like a vpn, tunnelling remotely back to your router and then back out onto the Internet - dynamic port forwarding. Something else you could try if you're looking to while away your life fixing obscure networking snags. Actually, being already familiar with ssh, setting it up on my Asus Merlin firmware was incredibly easy and pain free.

Good luck

Martin
 