Split DNS issues with new OpenVPN version


jws305

Posts: 1
Joined: Sat Jan 05, 2019 9:18 am

Post by jws305 » Tue Jan 08, 2019 2:35 am
I have a split DNS setup working with OpenVPN Access Server 2.1.9 where everything is working as expected.
  • VPN only handles internal traffic
  • Internal DNS is resolved through the VPN server
I set up a new VPN server with the exact same configuration (OpenVPN Access Server 2.6.1-fe8020db-5343-4c43-9e65-5ed4a825c931-ami-09ced24e249f6121a.4 (ami-0e9caf300720611ef)) but when I connect to this server I am unable to resolve any DNS records, external or internal.

I am running Viscosity 1.7.12 (1581).

Log from working connection
Jan 04 4:33:00 PM: State changed to Connecting
Jan 04 4:33:00 PM: Viscosity Windows 1.7.12 (1581)
Jan 04 4:33:00 PM: Running on Microsoft Windows 10 Pro
Jan 04 4:33:00 PM: Running on .NET Framework Version 4.7.03190.461814
Jan 04 4:33:00 PM: Bringing up interface...
Jan 04 4:33:00 PM: OpenVPN 2.4.6 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 31 2018
Jan 04 4:33:00 PM: library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.09
Jan 04 4:33:01 PM: Checking remote host "34.206.53.180" is reachable...
Jan 04 4:33:01 PM: Server reachable. Connecting to 34.206.53.180.
Jan 04 4:33:02 PM: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Jan 04 4:33:02 PM: TCP/UDP: Preserving recently used remote address: [AF_INET]34.206.53.180:1194
Jan 04 4:33:02 PM: UDP link local: (not bound)
Jan 04 4:33:02 PM: UDP link remote: [AF_INET]34.206.53.180:1194
Jan 04 4:33:02 PM: State changed to Authenticating
Jan 04 4:33:02 PM: [OpenVPN Server] Peer Connection Initiated with [AF_INET]34.206.53.180:1194
Jan 04 4:33:03 PM: State changed to Connecting
Jan 04 4:33:03 PM: Obsolete option --dhcp-release detected. This is now on by default
Jan 04 4:33:03 PM: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:20: block-ipv6 (2.4.6)
Jan 04 4:33:03 PM: open_tun
Jan 04 4:33:03 PM: TAP-WIN32 device [Staging] opened: \\.\Global\{900C2284-6991-4058-A1CB-454E6D77EDDF}.tap
Jan 04 4:33:03 PM: Set TAP-Windows TUN subnet mode network/local/netmask = 172.27.240.0/172.27.240.27/255.255.240.0 [SUCCEEDED]
Jan 04 4:33:03 PM: Notified TAP-Windows driver to set a DHCP IP/netmask of 172.27.240.27/255.255.240.0 on interface {900C2284-6991-4058-A1CB-454E6D77EDDF} [DHCP-serv: 172.27.255.254, lease-time: 31536000]
Jan 04 4:33:03 PM: Successful ARP Flush on interface [13] {900C2284-6991-4058-A1CB-454E6D77EDDF}
Jan 04 4:33:03 PM: NOTE: Release of DHCP-assigned IP address lease on TAP-Windows adapter failed: The system cannot find the file specified.   (code=2)
Jan 04 4:33:03 PM: WARNING: Failed to renew DHCP IP address lease on TAP-Windows adapter: The system cannot find the file specified.   (code=2)
Jan 04 4:33:03 PM: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Jan 04 4:33:08 PM: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan 04 4:33:08 PM: Initialization Sequence Completed
Jan 04 4:33:12 PM: DNS set to Split, report follows:
Server - 172.16.4.17:53; Lookup Type - Any; Domains - mycompany.com.
Server - 172.16.4.13:53; Lookup Type - Any; Domains - mycompany.com.
Server - 172.16.4.11:53; Lookup Type - Any; Domains - mycompany.com.
Server - 192.168.128.2:53; Lookup Type - Split; Domains - stage.myproject.internal.

Jan 04 4:33:12 PM: State changed to Connected
Log from non-working connection.
Jan 04 4:35:10 PM: State changed to Connecting
Jan 04 4:35:10 PM: Viscosity Windows 1.7.12 (1581)
Jan 04 4:35:10 PM: Running on Microsoft Windows 10 Pro
Jan 04 4:35:10 PM: Running on .NET Framework Version 4.7.03190.461814
Jan 04 4:35:10 PM: Bringing up interface...
Jan 04 4:35:11 PM: OpenVPN 2.4.6 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 31 2018
Jan 04 4:35:11 PM: library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.09
Jan 04 4:35:11 PM: Checking remote host "openvpn.myproject.com" is reachable...
Jan 04 4:35:12 PM: Server reachable. Connecting to 100.24.189.242.
Jan 04 4:35:12 PM: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Jan 04 4:35:12 PM: TCP/UDP: Preserving recently used remote address: [AF_INET]100.24.189.242:1194
Jan 04 4:35:12 PM: UDP link local: (not bound)
Jan 04 4:35:12 PM: UDP link remote: [AF_INET]100.24.189.242:1194
Jan 04 4:35:12 PM: State changed to Authenticating
Jan 04 4:35:12 PM: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan 04 4:35:12 PM: [OpenVPN Server] Peer Connection Initiated with [AF_INET]100.24.189.242:1194
Jan 04 4:35:13 PM: State changed to Connecting
Jan 04 4:35:16 PM: Obsolete option --dhcp-release detected. This is now on by default
Jan 04 4:35:16 PM: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:22: block-ipv6 (2.4.6)
Jan 04 4:35:16 PM: open_tun
Jan 04 4:35:16 PM: TAP-WIN32 device [[email protected]] opened: \\.\Global\{9A438DC0-0275-4A96-B5C0-30861C95031D}.tap
Jan 04 4:35:16 PM: Set TAP-Windows TUN subnet mode network/local/netmask = 172.27.240.0/172.27.240.16/255.255.240.0 [SUCCEEDED]
Jan 04 4:35:16 PM: Notified TAP-Windows driver to set a DHCP IP/netmask of 172.27.240.16/255.255.240.0 on interface {9A438DC0-0275-4A96-B5C0-30861C95031D} [DHCP-serv: 172.27.255.254, lease-time: 31536000]
Jan 04 4:35:16 PM: Successful ARP Flush on interface [16] {9A438DC0-0275-4A96-B5C0-30861C95031D}
Jan 04 4:35:16 PM: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Jan 04 4:35:21 PM: Initialization Sequence Completed
Jan 04 4:35:25 PM: DNS set to Split, report follows:
Server - 172.16.4.17:53; Lookup Type - Any; Domains - mycompany.com.
Server - 172.16.4.13:53; Lookup Type - Any; Domains - mycompany.com.
Server - 172.16.4.11:53; Lookup Type - Any; Domains - mycompany.com.
Server - 127.0.0.53:53; Lookup Type - Split; Domains - stage.myproject.internal.

Jan 04 4:35:25 PM: State changed to Connected

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Tue Jan 08, 2019 8:27 am
Hi jws305,

127.0.0.53 is a reserved address and basically means your DNS requests aren't making it out of your PC. You will need to change the DNS address your server is pushing out.

With this said, your regular DNS lookups should be working fine; we'll investigate if having 127.0.0.53 in the stack is causing any other issues.

Regards,
Eric
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs
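As an added example (not code from this thread, from Viscosity or from OpenVPN), here is a small Python check that parses the "DNS set to Split" report Viscosity writes to its log and flags pushed resolvers the client cannot reach, which is exactly how the 127.0.0.53 entry above would be caught. It assumes the report format shown in the logs above and IPv4 resolver addresses; the sample report is constructed from the non-working log.

```python
import ipaddress
import re

# Constructed sample input: the split-DNS report Viscosity logs after connecting.
# Shape and values are copied from the non-working log in the thread above.
REPORT = """\
Jan 04 4:35:25 PM: DNS set to Split, report follows:
Server - 172.16.4.17:53; Lookup Type - Any; Domains - mycompany.com.
Server - 172.16.4.13:53; Lookup Type - Any; Domains - mycompany.com.
Server - 172.16.4.11:53; Lookup Type - Any; Domains - mycompany.com.
Server - 127.0.0.53:53; Lookup Type - Split; Domains - stage.myproject.internal.
"""

# One "Server - ..." line of the report; assumes IPv4 resolver addresses as in the log.
LINE_RE = re.compile(
    r"^Server - (?P<host>[0-9.]+):(?P<port>\d+); "
    r"Lookup Type - (?P<type>\w+); Domains - (?P<domains>.*)$"
)


def parse_report(text):
    """Return one dict per resolver entry in the report (other log lines are ignored)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        domains = [d.strip().rstrip(".") for d in m.group("domains").split(",") if d.strip()]
        entries.append({
            "server": m.group("host"),
            "port": int(m.group("port")),
            "lookup_type": m.group("type"),
            "domains": domains,
        })
    return entries


def is_reachable_from_client(server):
    """A pushed resolver address only helps if the client can route to it.
    Loopback (127.0.0.0/8) refers to the client's own host, not to whatever
    local resolver the VPN server runs, so queries sent there never leave the PC."""
    ip = ipaddress.ip_address(server)
    return not (ip.is_loopback or ip.is_link_local or ip.is_unspecified)


def broken_domains(text):
    """Domains whose every configured resolver is unreachable: these names will fail."""
    served = set()    # domains covered by at least one reachable resolver
    orphaned = set()  # domains covered only by unreachable resolvers so far
    for e in parse_report(text):
        target = served if is_reachable_from_client(e["server"]) else orphaned
        target.update(e["domains"])
    return sorted(orphaned - served)
```

Running `broken_domains` over the working log's report (where the Split entry points at 192.168.128.2) returns an empty list, which is the quick way to confirm a server's pushed DNS settings before rolling it out.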