Derek
Hi ClearOS community,

I am trying to connect a remote ClearOS Community edition network to my ClearOS Home network using openvpn. I am following the instructions found on clearos.com here.

I am able to use an openvpn client on a Windows 10 computer to connect to the ClearOS Home network and resolve DNS entries both on the LAN and the internet. I am attempting to connect the remote network to the ClearOS Home network, and I am able to establish a connection and connect via IP addresses to local endpoints, but no DNS resolution succeeds after a few minutes have passed. Upon initial connection, DNS usually works for a short period of time, but I have a feeling that maybe a local cache of DNS entries is being used instead (either on the Windows PC or on ClearOS, I don't know which), and after a very short period of time (only a few minutes at most), DNS resolution stops working from the remote network.

I am attempting to push all traffic through the ClearOS Home server as I also use Gateway Management (Home edition).

I use 192.168.1.0/24 on my ClearOS Home server
I use 192.168.2.0/24 on my ClearOS Community remote server.

This is my /etc/openvpn/connect_to_fwhome config file on the remote ClearOS Community server:

[code="markup"]
dev tun
port 1195
ifconfig 10.8.222.40 10.8.222.41
route 192.168.2.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
secret static.key
cipher AES-256-CBC
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option WINS 192.168.1.1"
push "dhcp-option DOMAIN example.lan"
[/code]

I added the push statements after some internet searching when I was first trying to work through the problem; initially I did not have those 3 statements. Those statements aren't part of the how-to linked above.

This is /etc/openvpn/connect_to_fwrv on the remote ClearOS Community server:

[code="markup"]
dev tun
port 1195
remote example.com
ifconfig 10.8.222.41 10.8.222.40
redirect-gateway def1
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
secret static.key
cipher AES-256-CBC
[/code]

On the remote server, /etc/resolv-peerdns.conf has this (I don't use automatic DNS servers as the ISP DNS servers are consistently awful):

[code="markup"]
; generated by /usr/sbin/dhclient-script
search example.lan
nameserver 8.8.8.8
nameserver 9.9.9.9
nameserver 1.1.1.1
[/code]

And /etc/resolv.conf has this:

[code="markup"]
# Please do not edit this file.
# See http://www.clearcenter.com/support/documentation/clearos_guides/dns_and_resolver
domain example.lan
nameserver 127.0.0.1
[/code]


I start the service on the ClearOS Home using systemctl start openvpn@connect_to_fwrv
I start the service on the ClearOS Community using systemctl start openvpn@connect_to_fwhome

Startup logs when started on ClearOS Home:

[code="markup"]
Aug 3 19:00:41 fwhome openvpn: Tue Aug 3 19:00:41 2021 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Aug 3 19:00:41 fwhome openvpn: Tue Aug 3 19:00:41 2021 OpenVPN 2.4.10 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 9 2020
Aug 3 19:00:41 fwhome openvpn: Tue Aug 3 19:00:41 2021 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Aug 3 19:00:41 fwhome openvpn: Tue Aug 3 19:00:41 2021 TUN/TAP device tun3 opened
Aug 3 19:00:41 fwhome openvpn: Tue Aug 3 19:00:41 2021 /sbin/ip link set dev tun3 up mtu 1500
Aug 3 19:00:41 fwhome openvpn: Tue Aug 3 19:00:41 2021 /sbin/ip addr add dev tun3 local 10.8.222.40 peer 10.8.222.41
Aug 3 19:00:41 fwhome openvpn: Tue Aug 3 19:00:41 2021 Could not determine IPv4/IPv6 protocol. Using AF_INET
Aug 3 19:00:41 fwhome openvpn: Tue Aug 3 19:00:41 2021 UDPv4 link local (bound): [AF_INET][undef]:1195
Aug 3 19:00:41 fwhome openvpn: Tue Aug 3 19:00:41 2021 UDPv4 link remote: [AF_UNSPEC]
Aug 3 19:00:41 fwhome openvpn: Tue Aug 3 19:00:41 2021 GID set to nobody
Aug 3 19:00:41 fwhome openvpn: Tue Aug 3 19:00:41 2021 UID set to nobody
[/code]

Startup logs when started on ClearOS remote server:

[code="markup"]
Aug 3 20:02:55 fwrv openvpn: Tue Aug 3 20:02:55 2021 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Aug 3 20:02:55 fwrv openvpn: Tue Aug 3 20:02:55 2021 OpenVPN 2.4.10 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 9 2020
Aug 3 20:02:55 fwrv openvpn: Tue Aug 3 20:02:55 2021 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Aug 3 20:02:56 fwrv openvpn: Tue Aug 3 20:02:56 2021 TUN/TAP device tun1 opened
Aug 3 20:02:56 fwrv openvpn: Tue Aug 3 20:02:56 2021 /sbin/ip link set dev tun1 up mtu 1500
Aug 3 20:02:56 fwrv openvpn: Tue Aug 3 20:02:56 2021 /sbin/ip addr add dev tun1 local 10.8.222.41 peer 10.8.222.40
Aug 3 20:02:56 fwrv openvpn: RTNETLINK answers: File exists
Aug 3 20:02:56 fwrv openvpn: Tue Aug 3 20:02:56 2021 ERROR: Linux route add command failed: external program exited with error status: 2
Aug 3 20:02:56 fwrv openvpn: Tue Aug 3 20:02:56 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]104.56.17.5:1195
Aug 3 20:02:56 fwrv openvpn: Tue Aug 3 20:02:56 2021 UDP link local (bound): [AF_INET][undef]:1195
Aug 3 20:02:56 fwrv openvpn: Tue Aug 3 20:02:56 2021 UDP link remote: [AF_INET]104.56.17.5:1195
Aug 3 20:02:56 fwrv openvpn: Tue Aug 3 20:02:56 2021 GID set to nobody
Aug 3 20:02:56 fwrv openvpn: Tue Aug 3 20:02:56 2021 UID set to nobody
Aug 3 20:02:57 fwrv openvpn: Tue Aug 3 20:02:57 2021 Peer Connection Initiated with [AF_INET]104.56.17.5:1195
Aug 3 20:02:57 fwrv openvpn: Tue Aug 3 20:02:57 2021 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Aug 3 20:02:57 fwrv openvpn: Tue Aug 3 20:02:57 2021 Initialization Sequence Completed
Aug 3 20:02:57 fwrv ntpd[3162]: Listen normally on 79 tun1 10.8.222.41 UDP 123
Aug 3 20:02:57 fwrv ntpd[3162]: Listen normally on 80 tun1 fe80::63b3:8c48:b860:d6a9 UDP 123
Aug 3 20:02:57 fwrv ntpd[3162]: 34.217.162.48 interface 10.244.185.57 -> 10.8.222.41
Aug 3 20:02:57 fwrv ntpd[3162]: 23.21.90.219 interface 10.244.185.57 -> 10.8.222.41
Aug 3 20:02:57 fwrv ntpd[3162]: 159.203.0.60 interface 10.244.185.57 -> 10.8.222.41
Aug 3 20:02:57 fwrv ntpd[3162]: 35.159.5.1 interface 10.244.185.57 -> 10.8.222.41
Aug 3 20:02:59 fwrv ntpd[3162]: 0.0.0.0 0668 08 no_sys_peer
[/code]

Of possible interest is the error in the above logs:

[code="markup"]
ERROR: Linux route add command failed: external program exited with error status: 2
[/code]

On the remote server, the following appears fairly quickly after startup:

[code="markup"]
Aug 3 16:46:27 fwrv openvpn: Tue Aug 3 16:46:27 2021 RESOLVE: Cannot resolve host address: example.com:1195 (Name or service not known)
[/code]

In my gateway management account, I have added a Forwarding rule to forward all requests to example.lan to IP 192.168.1.1. I have applied this rule to all of my policies.

Once the above starts happening, no DNS resolution occurs for computers on the remote network. IP based connections still work.

Any help would be appreciated!

Edit: added resolv.conf and resolv-peerdns.conf files
In OpenVPN
Wednesday, August 04 2021, 12:11 AM
Responses (1)
  • Accepted Answer

    Wednesday, August 04 2021, 07:52 AM
    To cut a long story short, I don't know how you force DNS through the VPN. You can try adding a firewall script to /etc/clearos/firewall.d which detects when the servers connect and then adds a couple of PREROUTING DNAT rules to redirect the DNS to the remote server, but this won't redirect DNS from the server itself. For that you will really need to change /etc/resolv-peerdns.conf.

    Really the solution is to set up GM on the other server as well.
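One way to script the PREROUTING DNAT idea from the accepted answer, as an added example that is not the forum's or ClearOS's own code. It assumes the LAN-facing interface name and the tunnel name are passed as arguments (the page names neither, and how /etc/clearos/firewall.d scripts are sourced is not shown here, so this is written as a stand-alone sh script); 192.168.1.1 is the home-side DNS from the post.

```shell
#!/bin/sh
# Added example (not from the forum post or ClearOS). Assumptions: the LAN
# and tunnel interface names are passed in; rules are emitted as text so they
# can be reviewed or tested without root, and only executed when APPLY=1.
# Return 0 when the tunnel interface exists and is up; tun devices often
# report "unknown" in operstate even while carrying traffic, so accept both.
tun_is_up() {
    iface="$1"
    [ -r "/sys/class/net/$iface/operstate" ] || return 1
    state=$(cat "/sys/class/net/$iface/operstate")
    [ "$state" = "up" ] || [ "$state" = "unknown" ]
}
# Emit PREROUTING DNAT rules (UDP and TCP port 53) for DNS queries arriving
# from the LAN. "add" checks with -C first so reruns stay idempotent; "del"
# removes the same rules and tolerates their absence.
dns_dnat_rules() {
    lan_if="$1"; dns="$2"; action="$3"
    for proto in udp tcp; do
        spec="PREROUTING -i $lan_if -p $proto --dport 53 -j DNAT --to-destination $dns:53"
        if [ "$action" = "add" ]; then
            printf 'iptables -t nat -C %s 2>/dev/null || iptables -t nat -A %s\n' "$spec" "$spec"
        else
            printf 'iptables -t nat -D %s 2>/dev/null || true\n' "$spec"
        fi
    done
}
# Choose add or delete from the tunnel state (1 = up) and return the rule lines,
# so the redirect is withdrawn when the VPN drops and LAN DNS is not black-holed.
plan_rules() {
    lan_if="$1"; dns="$2"; tunnel_up="$3"
    if [ "$tunnel_up" = "1" ]; then
        dns_dnat_rules "$lan_if" "$dns" add
    else
        dns_dnat_rules "$lan_if" "$dns" del
    fi
}
# Usage: sh dns_redirect.sh <lan_if> <tun_if> [dns_ip]   e.g. eth1 tun1 192.168.1.1
main() {
    lan_if="$1"; tun_if="$2"; dns="${3:-192.168.1.1}"
    if tun_is_up "$tun_if"; then up=1; else up=0; fi
    rules=$(plan_rules "$lan_if" "$dns" "$up")
    if [ "${APPLY:-0}" = "1" ]; then
        printf '%s\n' "$rules" | sh       # apply the rules (needs root)
    else
        printf '%s\n' "$rules"            # dry run: show what would be applied
    fi
}
if [ "$#" -ge 2 ]; then main "$@"; fi
```

As the answer notes, DNAT only catches queries that transit the gateway from LAN hosts; the gateway's own lookups still follow /etc/resolv-peerdns.conf, and the script has to be re-run whenever the tunnel comes up or goes down (for example from an OpenVPN up/down hook) so the rules track the tunnel state.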