linux
Cuder, 2015-06-06 16:57:16

How to solve DNS issue when connecting OpenVPN in Fedora 21?

Having migrated from Ubuntu to Fedora, I ran into a problem with remote connection to my corporate network. After installing Fedora, NetworkManager created a new OpenVPN connection based on the preconfigured configuration file. I did everything the same as in Ubuntu, where everything worked successfully. The VPN connection has been established. But with the resolution of domain names, some incomprehensible miracles occur. Obviously, I can reach remote office servers (including the DNS service itself, which is listed in the IPv4 tab of the OpenVPN connection settings): ping goes through IP addresses. But it is no longer possible to access private sites: the browser displays DNS_PROBE_FINISHED_NXDOMAIN, the ping command says "unknown host", and the nslookup command displays the IP address (although I'm not sure if it's always correct). If you access the site through its IP, the browser will change this IP to the domain in the address bar and output DNS_PROBE_FINISHED_NXDOMAIN again. Successful transition is carried out only to those sites to which domain names or some services with addresses of the form https://service/.
After the VPN is connected, the following note is added to the /etc/resolv.conf file:
NOTE: The glibc name resolver does not support more than three nameservers. The nameservers listed below may not be recognized...
Searched the net for solutions, but they did not help. For example, this.


2 answer(s)
mureevms, 2015-06-06
@Cuder

If the ping passes, then you can still reach.
Why do you specify DNS by hand, don't they come from the server?
Are you passing parameters from the OVPN server about the domain name?
push "dhcp-option DOMAIN domain.local"

younghacker, 2015-06-08
@younghacker

To find the problem, I would do the following:
Look at the client side where DNS requests go
In one terminal window (on the OpenVPN client side), run:
# tcpdump -i any port 53
In another terminal window (on the OpenVPN client side), run two queries:
the first request with auto-selection of the NS server
$ nslookup domain
the second request is addressed directly to the server
$ nslookup domain XXX.XXX.XXX.XXX
where XXX.XXX.XXX.XXX is the address of the NS server that is through the VPN.
Look at which servers the first request goes through and through which interface, and where the second one goes.
And if there is connectivity (routing works correctly, firewall passes, DNS server responds), then for the second request you should get the correct answer: IP address.
If there is no answer, then check if the Firewall is closed both on the client and on the server
# iptables -nvL
Enable more detailed logs for OpenVPN on the client and on the server and analyze them

log /var/log/openvpn.vpn-client1.log
verb 5
mute 20

There is no need to manually set DNS. You were rightly told that from the server side it needs to be pushed to the client.
But you first decide whether you will resolve all the names from the server that the VPN gives you or only those that are inside the domain.
Check if dnsmasq is running or not from NetworkManager
# cat /etc/NetworkManager/NetworkManager.conf 
[main]
plugins=ifcfg-rh
#dns=dnsmasq
dns=none

Don't forget about SELinux. Temporarily disable:
# setenforce 0
In my experience, on the Fedora 20 I'm currently on, I've stopped using OpenVPN, iptables, and dnsmasq via Network Manager due to inappropriate behavior. My "VPN zoo" turned out to be easier to set up the old fashioned way.
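
The note quoted in the question bears on the checks in the answer above: glibc reads only the first three nameserver lines of /etc/resolv.conf, so a VPN resolver listed fourth is never queried. The script below is an added example, not part of the original thread; the sample file and its addresses are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report which resolv.conf nameservers glibc will really use.
# glibc honours only the first MAXNS (3) "nameserver" lines, in file order.
MAXNS=3

# Nameservers glibc will query, one per line, in lookup order.
effective_nameservers() {
    awk -v max="$MAXNS" '$1 == "nameserver" && n < max { print $2; n++ }' "$1"
}

# Nameservers present in the file but silently ignored by glibc.
ignored_nameservers() {
    awk -v max="$MAXNS" '$1 == "nameserver" { if (++n > max) print $2 }' "$1"
}

# Succeed only if the given resolver address is one glibc will query.
vpn_dns_usable() {
    effective_nameservers "$1" | grep -Fxq "$2"
}

# 1-based position of the resolver in lookup order, 0 if ignored or absent.
vpn_dns_position() {
    effective_nameservers "$1" |
        awk -v ip="$2" '$1 == ip { print NR; f = 1; exit } END { if (!f) print 0 }'
}

# Constructed sample: three LAN resolvers first, VPN resolver (10.8.0.1) last.
write_sample() {
    cat > "$1" <<'EOF'
# Generated by NetworkManager (constructed sample)
search home.lan domain.local
nameserver 192.168.1.1
nameserver 192.168.1.2
nameserver 192.168.1.3
# NOTE: the glibc resolver does not support more than 3 nameservers.
nameserver 10.8.0.1
EOF
}

sample=$(mktemp)
write_sample "$sample"
echo "queried by glibc:"; effective_nameservers "$sample"
echo "ignored:";          ignored_nameservers "$sample"
vpn_dns_usable "$sample" 10.8.0.1 || echo "VPN resolver 10.8.0.1 is never queried"
rm -f "$sample"
```

Run against the real /etc/resolv.conf with the VPN up, a position of 0 for the VPN resolver means queries for internal names go only to the non-VPN servers, which is what the tcpdump capture would show.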
