DNS routing with VPN #77

Open
ronnylov opened this issue Mar 25, 2019 · 18 comments

Comments

@ronnylov

Trying to figure out how to get localhost DNS server on exit node to be forwarded to OpenVPN clients with DHCP. Could be firewall rules or something but I can't get it to work. My wish is having one service using 127.0.0.1 nameserver, another one using 127.0.0.6 and the third one 127.0.0.8.

@ronnylov
Author

ronnylov commented Mar 26, 2019

https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-9
In step 4 there is a header "(Optional) Push DNS Changes to Redirect All Traffic Through the VPN"

It talks about editing /etc/openvpn/server.conf but is this the right way to do it with lethean-vpn?
If I can make that happen I think the DNS leak is possible to avoid. However my DNS servers are only accessible locally on exit node (I have blocked port 53 out to internet network interface and using DNS over TLS only on the exit node). So DNS on exit node is either on localhost or on a dedicated docker bridge network. I think I need to add routing rules to make DNS servers available for users on VPN.

My guess is that I can add some rules for ufw firewall in /etc/ufw/before.rules to make the DNS stuff work as I want. I am not very skilled how iptables and stuff works...

Hmmm, a workaround could be making the DNS servers accessible from internet? Nah, it does not feel like the right way to do it and I want them dedicated for VPN users. It also opens up for the DNS man in the middle attacks I wanted to prevent by using DNS over TLS.

It may also need client configuration. Reading the guide on the link above steps 8 - 10 it is possible to create client configuration files. Is there an option to transfer a client config from exit node to the VPN user? How does that work?

@vjirasek

vjirasek commented Mar 26, 2019 via email

@ronnylov
Author

ronnylov commented Mar 26, 2019

Thanks Vlad!
I have the DNS servers in docker containers so I might route to them directly then. lethean-vpn is not in docker now but anyway. I found an example here:
https://serverfault.com/questions/802458/allow-docker-containers-to-connect-to-openvpn-clients-on-the-host-tunnel-interfa

So add the route, add it in firewall and push DNS over dhcp. That's a plan! Need to figure out how to do it but getting closer now.

My "FREEDOM" DNS server is at ip 172.28.0.11 (dedicated ip on a docker bridge network for DNS). Is that routable to VPN clients? I can push that ip address as DNS nameserver to the VPN clients on the "FREEDOM VPN"? When logged in to server via SSH I get response if I do "dig @172.28.0.11 google.com".

@vjirasek

vjirasek commented Mar 26, 2019 via email

@ronnylov
Author

ronnylov commented Mar 27, 2019

OK, I have done the following as a first step to make OpenVPN clients able to make DNS requests to address 10.11.0.1, assuming OpenVPN clients get addresses in the range 10.11.0.0 - 10.11.255.255

sudo ufw allow proto udp from 10.11.0.0/16 to 10.11.0.1 port 53
sudo ufw allow proto tcp from 10.11.0.0/16 to 10.11.0.1 port 53

Checking these rules gave me:

To                         Action      From
--                         ------      ----
10.11.0.1 53/tcp           ALLOW       10.11.0.0/16
10.11.0.1 53/udp           ALLOW       10.11.0.0/16

Next step would be port forwarding to make 10.11.0.1 do NAT to 172.28.0.11 and finally push 10.11.0.1 as DNS server on DHCP. Is this the right way to do it? Thinking clients may have their own private network on 172.28.0.11 so better not cause confusion.

@limosek
Contributor

limosek commented Mar 28, 2019

I think this is too complicated an approach.
Just use standard routing and standard DNS settings.
Clients will have all traffic redirected by default to your node so it will reach your DNS servers in docker.
Of course you must allow this traffic by ufw but you do not need any NAT.

Just point clients to correct DNS server in your infra by parameter in dispatcher. Will make change to allow different DNS servers for different VPNs

@ronnylov
Author

I have to learn standard routing. I need to push routes to clients to get them able to reach DNS on 172.28.0.11 on docker? I am using https://github.com/chaifeng/ufw-docker to fix ufw and docker problems. Not sure if that changes anything. Have to learn this stuff but it feels over my head right now...

@limosek
Contributor

limosek commented Mar 28, 2019

Routes are already pushed by default. You just need to make sure that firewall is configured well and they can reach these servers from their VPN networks.

@ronnylov
Author

So I changed it to the following using ufw firewall

To                         Action      From
--                         ------      ----
172.28.0.11 53/udp         ALLOW       10.11.0.0/16
172.28.0.11 53/tcp         ALLOW       10.11.0.0/16

And then I add this dns address to dispatcher.ini for this service. See if it will change anything.

@ronnylov
Author

Should be running now but I can't test it. Is the DNS address pushed over DHCP to OpenVPN users? Lethernet FR VPN Test.

@ronnylov
Author

ronnylov commented Mar 28, 2019

It does not get my DNS-server address over VPN

Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-87-B2-0B-90
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::88ff:c15a:ef22:e609%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.11.0.6(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Lease Obtained. . . . . . . . . . : den 28 mars 2019 17:09:22
   Lease Expires . . . . . . . . . . : den 27 mars 2020 17:09:22
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.11.0.5
   DHCPv6 IAID . . . . . . . . . . . : 553713543
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1D-5A-DB-F9-88-AE-1D-AB-21-EB
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

However I can ping this address

C:\Users\ronny>ping 172.28.0.11

Pinging 172.28.0.11 with 32 bytes of data:
Reply from 172.28.0.11: bytes=32 time=36ms TTL=63
Reply from 172.28.0.11: bytes=32 time=37ms TTL=63
Reply from 172.28.0.11: bytes=32 time=35ms TTL=63
Reply from 172.28.0.11: bytes=32 time=38ms TTL=63

Ping statistics for 172.28.0.11:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 35ms, Maximum = 38ms, Average = 36ms

@ronnylov
Author

Figured out how to do nslookup on Windows. Seems that the DNS server is accessible over VPN. So only problem is how to push it to DHCP server and then make sure client use it.

C:\Users\ronny>nslookup google.com 172.28.0.11
Server:  UnKnown
Address:  172.28.0.11

Non-authoritative answer:
Name:    google.com
Addresses:  2a00:1450:4007:811::200e
          216.58.201.238

@limosek
Contributor

limosek commented Mar 29, 2019

I need to see full debug log here.. Especially things about PUSH messages.

@ronnylov
Author

lthnvpnc_dns_push_debug.txt

lthnvpnd_dns_push_debug.txt

I wonder if it should be "dhcp-option DNS 172.28.0.11" instead of "dhcp-option dns 172.28.0.11"?

@ronnylov
Author

ronnylov commented Mar 31, 2019

To prevent DNS leak: https://dnsleaktest.com/how-to-fix-a-dns-leak.html
OpenVPN v2.3.9+ can use "block-outside-dns" on client configuration.
Can this option be pushed to the clients?
Doing that combined with pushing the DNS address over dhcp and telling clients to use OpenVPN version higher than v2.3.9 may solve this issue.

push "dhcp-option DNS x.x.x.x"
push "block-outside-dns"
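
As an added example (not lethean-vpn code and not taken from the attached debug logs), a small Python audit of the PUSH_REPLY line an OpenVPN client writes to its log. It assumes the standard "PUSH: Received control message: 'PUSH_REPLY,...'" log format, uses a constructed sample line, and assumes, as the outcome of this thread suggests, that OpenVPN matches the dhcp-option type token case-sensitively, so a pushed "dhcp-option dns" is not applied as a DNS server. It reports the DNS servers the client will apply, type tokens with the wrong case, pushed DNS servers that no pushed route or redirect-gateway carries into the tunnel, and whether block-outside-dns was pushed.

```python
import ipaddress
import re

# Constructed sample of an OpenVPN client log line (not from the attached logs);
# it carries the lowercase "dns" type token asked about above.
SAMPLE_LOG = (
    "Thu Mar 28 17:09:22 2019 PUSH: Received control message: "
    "'PUSH_REPLY,dhcp-option dns 172.28.0.11,redirect-gateway def1,"
    "route 10.11.0.1,topology net30,ping 10,ping-restart 120,"
    "ifconfig 10.11.0.6 10.11.0.5'"
)


def parse_push_reply(line):
    """Split the quoted PUSH_REPLY payload into option token lists; [] if absent."""
    m = re.search(r"'PUSH_REPLY,(.*?)'", line)
    if not m:
        return []
    return [opt.split() for opt in m.group(1).split(",") if opt.strip()]


def check_dns_push(options):
    """Audit pushed options for the DNS-leak pitfalls discussed in this issue.
    Assumption: the client compares the dhcp-option type case-sensitively, so
    only an exact "DNS" token becomes a nameserver; "dns" is flagged instead."""
    report = {"dns_servers": [], "bad_case": [], "unrouted": [],
              "block_outside_dns": False}
    # Destinations the tunnel will carry: everything if redirect-gateway was
    # pushed, otherwise only the pushed "route <net> [mask]" entries.
    redirect_all = any(o[0] == "redirect-gateway" for o in options)
    routed = []
    for o in options:
        if o[0] == "route" and len(o) >= 2:
            mask = o[2] if len(o) >= 3 else "255.255.255.255"
            routed.append(ipaddress.ip_network(f"{o[1]}/{mask}", strict=False))
    for o in options:
        if o[0] == "block-outside-dns":
            report["block_outside_dns"] = True  # honoured by Windows clients only
        elif o[0] == "dhcp-option" and len(o) >= 3:
            kind, value = o[1], o[2]
            if kind != "DNS":
                if kind.upper() == "DNS":
                    report["bad_case"].append(kind)
                continue
            report["dns_servers"].append(value)
            addr = ipaddress.ip_address(value)  # assumes an IP literal, not a name
            if not redirect_all and not any(addr in n for n in routed):
                report["unrouted"].append(value)
    return report
```

Run it over the real client log by passing each line to parse_push_reply and auditing the first non-empty result.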

@limosek
Contributor

limosek commented Apr 1, 2019

Thank you, you probably found the issue!
Will create PR to fix this. But as I mentioned, result of openvpn is combination of server and client options. Client can ignore some of them. We need a better approach for the future. See #76

@limosek
Contributor

limosek commented Apr 3, 2019

Just committed new branch bug/limosek/dnsrouting. Please test.
You can use dns option per service
dns=ip
to change and push DNS servers per VPN server.
block-outside-dns is more problematic, it works only on windows.

@valiant1x
Contributor

#85
