OpenVPN stops DNS on W10 client

2023-09-27 20:31:04 - last edited 2023-10-07 18:10:10
Model: ER7206 (TL-ER7206)  
Hardware Version: V1
Firmware Version: 1.3.0

I successfully set up OpenVPN on my router and generally it works fine. Here is the config on the router:
 

 

On the client I can enable this VPN and get a connection, but when it is enabled, it is not possible to browse the internet on this PC. As I found, the reason is connected to non-working DNS. It is configured correctly, the DNS servers are available, but it doesn't work. Why?

 

C:\Users\job>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-A4T8U8K
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Unknown adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9 for OpenVPN Connect
   Physical Address. . . . . . . . . : 00-FF-A0-8C-DA-E7
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::b80e:8203:7f3d:2482%26(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.5.6.6(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 436273056
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-89-B4-1B-00-24-E8-05-47-19
   DNS Servers . . . . . . . . . . . : 1.1.1.1
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) 82567LM-3 Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-24-E8-05-47-19
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.34.1.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.34.1.254
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled

Unknown adapter OpenVPN Connect DCO Adapter:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : OpenVPN Data Channel Offload
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

 

C:\Users\job>nslookup
DNS request timed out.
    timeout was 2 seconds.
Default Server:  UnKnown
Address:  1.1.1.1

> google.com
Server:  UnKnown
Address:  1.1.1.1

DNS request timed out.
    timeout was 2 seconds.
^C
C:\Users\job>ping 1.1.1.1

Pinging 1.1.1.1 with 32 bytes of data:
Reply from 1.1.1.1: bytes=32 time=18ms TTL=54
Reply from 1.1.1.1: bytes=32 time=17ms TTL=54
Reply from 1.1.1.1: bytes=32 time=17ms TTL=54

 

Generally, I need this VPN only to have a connection to the other office; there is no need to put these DNS servers through the tunnel at all. Is it possible to reconfigure it that way?

And one more remark: the described problem occurs only on PC clients (Win10). I also tested the connection with an Android mobile and there everything works fine.

Re:OpenVPN stops DNS on W10 client
2023-09-28 03:20:36

  @JarekPrzybyl Maybe you can export the connection log from your OpenVPN Application to have a check. 

Re:OpenVPN stops DNS on W10 client
2023-09-28 06:09:28

  @Dahliana here it is:



[Sep 28, 2023, 08:04:12] OpenVPN core 3.8.2connect1 win x86_64 64-bit OVPN-DCO built on Aug 21 2023 16:29:24
[Sep 28, 2023, 08:04:12] Frame=512/2112/512 mssfix-ctrl=1250
[Sep 28, 2023, 08:04:12] NOTE: This configuration contains options that were not used:
[Sep 28, 2023, 08:04:12] Unsupported option (ignored)
[Sep 28, 2023, 08:04:12] 7 [resolv-retry] [infinite]
[Sep 28, 2023, 08:04:12] 9 [persist-key]
[Sep 28, 2023, 08:04:12] EVENT: RESOLVE
[Sep 28, 2023, 08:04:12] Contacting [myPublicIP]:1194 via UDP
[Sep 28, 2023, 08:04:12] EVENT: WAIT
[Sep 28, 2023, 08:04:12] WinCommandAgent: transmitting bypass route to [myPublicIP]
{
    "host" : "[myPublicIP]",
    "ipv6" : false
}

[Sep 28, 2023, 08:04:12] Connecting to [[myPublicIP]]:1194 ([myPublicIP]) via UDP
[Sep 28, 2023, 08:04:12] EVENT: CONNECTING
[Sep 28, 2023, 08:04:12] Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client
[Sep 28, 2023, 08:04:12] Creds: Username/Password
[Sep 28, 2023, 08:04:12] Peer Info:
IV_VER=3.8.2connect1
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=990
IV_MTU=1600
IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_LZO=1
IV_LZO_SWAP=1
IV_LZ4=1
IV_LZ4v2=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=OCWindows_3.4.2-3160
IV_SSO=webauth,openurl,crtext

[Sep 28, 2023, 08:04:12] SSL Handshake: peer certificate: CN=server_server0, 1024 bit RSA, cipher: DHE-RSA-AES256-GCM-SHA384      TLSv1.2 Kx=DH       Au=RSA   Enc=AESGCM(256)            Mac=AEAD

[Sep 28, 2023, 08:04:12] Session is ACTIVE
[Sep 28, 2023, 08:04:12] EVENT: GET_CONFIG
[Sep 28, 2023, 08:04:12] Sending PUSH_REQUEST to server...
[Sep 28, 2023, 08:04:13] OPTIONS:
0 [route] [10.7.0.0] [255.255.0.0]
1 [route] [10.5.6.0] [255.255.255.0]
2 [dhcp-option] [DNS] [1.1.1.1]
3 [dhcp-option] [DNS] [8.8.8.8]
4 [route] [10.5.6.0] [255.255.255.0]
5 [topology] [net30]
6 [ping] [10]
7 [ping-restart] [120]
8 [ifconfig] [10.5.6.6] [10.5.6.5]

[Sep 28, 2023, 08:04:13] PROTOCOL OPTIONS:
  cipher: AES-128-CBC
  digest: SHA1
  key-derivation: OpenVPN PRF
  compress: ANY
  peer ID: -1
[Sep 28, 2023, 08:04:13] EVENT: ASSIGN_IP
[Sep 28, 2023, 08:04:13] CAPTURED OPTIONS:
Session Name: [myPublicIP]
Layer: OSI_LAYER_3
Remote Address: [myPublicIP]
Tunnel Addresses:
  10.5.6.6/30 -> 10.5.6.5 [net30]
Reroute Gateway: IPv4=0 IPv6=0 flags=[ IPv4 ]
Block IPv4: no
Block IPv6: no
Add Routes:
  10.7.0.0/16
  10.5.6.0/24
  10.5.6.0/24
Exclude Routes:
DNS Servers:
  1.1.1.1
  8.8.8.8
Search Domains:

[Sep 28, 2023, 08:04:14] SetupClient: transmitting tun setup list to \\.\pipe\agent_ovpnconnect
{
    "allow_local_dns_resolvers" : true,
    "confirm_event" : "1412000000000000",
    "destroy_event" : "3811000000000000",
    "tun" :
    {
        "adapter_domain_suffix" : "",
        "add_routes" :
        [
            {
                "address" : "10.7.0.0",
                "gateway" : "",
                "ipv6" : false,
                "metric" : -1,
                "net30" : false,
                "prefix_length" : 16
            },
            {
                "address" : "10.5.6.0",
                "gateway" : "",
                "ipv6" : false,
                "metric" : -1,
                "net30" : false,
                "prefix_length" : 24
            },
            {
                "address" : "10.5.6.0",
                "gateway" : "",
                "ipv6" : false,
                "metric" : -1,
                "net30" : false,
                "prefix_length" : 24
            }
        ],
        "block_ipv6" : false,
        "dns_servers" :
        [
            {
                "address" : "1.1.1.1",
                "ipv6" : false
            },
            {
                "address" : "8.8.8.8",
                "ipv6" : false
            }
        ],
        "layer" : 3,
        "mtu" : 0,
        "remote_address" :
        {
            "address" : "[myPublicIP]",
            "ipv6" : false
        },
        "reroute_gw" :
        {
            "flags" : 256,
            "ipv4" : false,
            "ipv6" : false
        },
        "route_metric_default" : -1,
        "session_name" : "[myPublicIP]",
        "tunnel_address_index_ipv4" : 0,
        "tunnel_address_index_ipv6" : -1,
        "tunnel_addresses" :
        [
            {
                "address" : "10.5.6.6",
                "gateway" : "10.5.6.5",
                "ipv6" : false,
                "metric" : -1,
                "net30" : true,
                "prefix_length" : 30
            }
        ]
    },
    "tun_type" : 0
}
POST np://[\\.\pipe\agent_ovpnconnect]/tun-setup : 200 OK
TAP ADAPTERS:
guid='{A08CDAE7-8B7E-44D3-8009-15CAA7EF526A}' index=26 name='Local Area Connection'
Open TAP device "Local Area Connection" PATH="\\.\Global\{A08CDAE7-8B7E-44D3-8009-15CAA7EF526A}.tap" SUCCEEDED
TAP-Windows Driver Version 9.26
ActionDeleteAllRoutesOnInterface iface_index=26
netsh interface ip set interface 26 metric=1
Ok.
netsh interface ip set address 26 static 10.5.6.6 255.255.255.252 gateway=10.5.6.5 store=active
IPHelper: add route 10.7.0.0/16 26 10.5.6.5 metric=-1
IPHelper: add route 10.5.6.0/24 26 10.5.6.5 metric=-1
IPHelper: add route 10.5.6.0/24 26 10.5.6.5 metric=-1
cannot modify route: error 5010
netsh interface ip set dnsservers 26 static 1.1.1.1 register=primary validate=no
netsh interface ip add dnsservers 26 8.8.8.8 2 validate=no
NRPT::ActionCreate names=[] dns_servers=[1.1.1.1,8.8.8.8]
ActionWFP openvpn_app_path=C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe tap_index=26 enable=1
permit IPv4 DNS requests to 127.0.0.1
permit IPv6 DNS requests to ::1
permit IPv4 DNS requests from OpenVPN app
permit IPv6 DNS requests from OpenVPN app
block IPv4 DNS requests from other apps
block IPv6 DNS requests from other apps
allow IPv4 traffic from TAP
allow IPv6 traffic from TAP
ipconfig /flushdns
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
TAP: ARP flush succeeded
TAP handle: 7015000000000000
[Sep 28, 2023, 08:04:14] TunPersist: saving tun context:
Session Name: [myPublicIP]
Layer: OSI_LAYER_3
Remote Address: [myPublicIP]
Tunnel Addresses:
  10.5.6.6/30 -> 10.5.6.5 [net30]
Reroute Gateway: IPv4=0 IPv6=0 flags=[ IPv4 ]
Block IPv4: no
Block IPv6: no
Add Routes:
  10.7.0.0/16
  10.5.6.0/24
  10.5.6.0/24
Exclude Routes:
DNS Servers:
  1.1.1.1
  8.8.8.8
Search Domains:

[Sep 28, 2023, 08:04:14] Connected via TUN_WIN
[Sep 28, 2023, 08:04:14] LZO-ASYM init swap=0 asym=1
[Sep 28, 2023, 08:04:14] Comp-stub init swap=0
[Sep 28, 2023, 08:04:14] EVENT: CONNECTED AdtranUser@[myPublicIP]:1194 ([myPublicIP]) via /UDP on TUN_WIN/10.5.6.6/ gw=[10.5.6.5/] mtu=(default)
[Sep 28, 2023, 08:04:14] EVENT: COMPRESSION_ENABLED Asymmetric compression enabled.  Server may send compressed data.  This may be a potential security issue.
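Added example (not part of the original thread and not OpenVPN's own code): a Python check for the combination visible in the log above, namely pushed DNS servers, no pushed route that covers them, and the filter lines that block DNS requests from other apps. The names `section` and `diagnose` and the sample log are constructed for illustration; treating this combination as the cause of the DNS timeout is an assumption of the example, not a conclusion reached in the thread.

```python
import ipaddress

# Constructed sample, shaped like the OpenVPN Connect log lines in this thread.
SAMPLE_LOG = """CAPTURED OPTIONS:
Reroute Gateway: IPv4=0 IPv6=0 flags=[ IPv4 ]
Add Routes:
  10.7.0.0/16
  10.5.6.0/24
Exclude Routes:
DNS Servers:
  1.1.1.1
  8.8.8.8
Search Domains:
block IPv4 DNS requests from other apps
"""


def section(log, header):
    """Return the indented entries under the first `header` line (hypothetical helper)."""
    items, active = [], False
    for line in log.splitlines():
        if active:
            if not line.startswith(" "):
                break  # first non-indented line ends the section
            items.append(line.strip())
        elif line.strip() == header:
            active = True
    return items


def diagnose(log):
    """Flag pushed DNS servers outside every tunnel route while DNS is filtered."""
    routes = [ipaddress.ip_network(r) for r in section(log, "Add Routes:")]
    dns = [ipaddress.ip_address(d) for d in section(log, "DNS Servers:")]
    full_tunnel = "Reroute Gateway: IPv4=1" in log
    dns_filtered = "block IPv4 DNS requests from other apps" in log
    # With a full tunnel every destination is routed through the VPN.
    off_tunnel = [] if full_tunnel else [
        str(d) for d in dns if not any(d in net for net in routes)]
    return {
        "dns_filtered": dns_filtered,
        "off_tunnel_dns": off_tunnel,
        "at_risk": dns_filtered and bool(off_tunnel),
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```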
Re:OpenVPN stops DNS on W10 client
2023-09-28 07:36:30

  @JarekPrzybyl It seems that the VPN connection is fine. Have you ever tried tracerouting DNS Server 1.1.1.1 to check if the access path includes the remote gateway? You can give it a try. 

Maybe changing the IP address of the DNS server to another one will have an effect.

Re:OpenVPN stops DNS on W10 client
2023-09-28 12:36:18

  @Dahliana yes, I already checked it, and it is funny: according to tracert, DNS is reached directly, not via the tunnel (10.34.1.254 is the gateway for the client where the VPN is tested, 217.153.x.x is its WAN IP):

 

C:\Users\job>nslookup
DNS request timed out.
    timeout was 2 seconds.
Default Server:  UnKnown
Address:  1.1.1.1

> ^C

C:\Users\job>tracert 1.1.1.1

Tracing route to 1.1.1.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.34.1.254
  2     1 ms    <1 ms     1 ms  10.34.255.254
  3     2 ms     1 ms     2 ms  217.153.x.x
  4   [...]

 

and the same test when VPN is disabled:

C:\Users\job>nslookup
Default Server:  dns.google
Address:  8.8.8.8

>
C:\Users\job>tracert 1.1.1.1

Tracing route to one.one.one.one [1.1.1.1]
over a maximum of 30 hops:

  1     1 ms    <1 ms    <1 ms  10.34.1.254
  2     1 ms     1 ms     1 ms  10.34.255.254
^C
C:\Users\job>tracert 8.8.8.8

Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:

  1     1 ms     1 ms    <1 ms  10.34.1.254
  2     2 ms    <1 ms     1 ms  10.34.255.254
  3     2 ms     1 ms     1 ms  ^C

 

The other public DNS is working in this case, but that is not the reason; I already tried with both, Google in the VPN config and Cloudflare locally, same story.

And yes, the VPN as such is working fine: when it is established, I can reach any needed location from the client. Only the breaking of DNS functionality for the local client is a problem.

 

 

 

Re:OpenVPN stops DNS on W10 client
2023-09-28 12:40:24

  @Dahliana and one more thing: I discussed this issue with my colleague, who has some experience with OpenVPN, and he told me that I shouldn't use this version of the OpenVPN client (3.4.2) because it is only for commercial versions. For the TP-Link OpenVPN server I should use an earlier version of the client, e.g. 2.6 or maybe lower. Can you confirm? In the meantime I tried to use 2.6, but with this version of the client I was not able to establish a tunnel at all.

Re:OpenVPN stops DNS on W10 client
2023-09-28 14:49:26

  @Dahliana again, because in the meantime my situation has changed. For the worse, but maybe it gives a chance for a solution :)

First of all I did some research on which client version I should use. This official tutorial: https://www.tp-link.com/pl/support/faq/3632/ contains a link to the recommended client, and it is version 2.6.6, as my colleague told me. So I uninstalled my client completely, rebooted the PC and installed this recommended version, then put the profile into the directory, etc.

Result: the VPN tunnel currently is not working at all; here is its log:

 

Thu Sep 28 16:37:27 2023 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). OpenVPN ignores --cipher for cipher negotiations.
Thu Sep 28 16:37:27 2023 OpenVPN 2.6.6 [git:v2.6.6/c9540130121bfc21] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Aug 15 2023
Thu Sep 28 16:37:27 2023 Windows version 10.0 (Windows 10 or greater), amd64 executable
Thu Sep 28 16:37:27 2023 library versions: OpenSSL 3.1.2 1 Aug 2023, LZO 2.10
Thu Sep 28 16:37:27 2023 DCO version: v0
Thu Sep 28 16:37:39 2023 TCP/UDP: Preserving recently used remote address: [AF_INET][myPublicIP]:1194
Thu Sep 28 16:37:39 2023 UDPv4 link local: (not bound)
Thu Sep 28 16:37:39 2023 UDPv4 link remote: [AF_INET][myPublicIP]:1194
Thu Sep 28 16:37:39 2023 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Sep 28 16:37:40 2023 [server_server0] Peer Connection Initiated with [AF_INET][myPublicIP]:1194
Thu Sep 28 16:37:41 2023 OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM') if you want to connect to this server.
Thu Sep 28 16:37:41 2023 ERROR: Failed to apply push options
Thu Sep 28 16:37:41 2023 Failed to open tun/tap interface
Thu Sep 28 16:37:41 2023 SIGUSR1[soft,process-push-msg-failed] received, process restarting
Thu Sep 28 16:37:42 2023 TCP/UDP: Preserving recently used remote address: [AF_INET][myPublicIP]:1194
Thu Sep 28 16:37:42 2023 UDPv4 link local: (not bound)
Thu Sep 28 16:37:42 2023 UDPv4 link remote: [AF_INET][myPublicIP]:1194
Thu Sep 28 16:37:42 2023 [server_server0] Peer Connection Initiated with [AF_INET][myPublicIP]:1194
Thu Sep 28 16:37:43 2023 OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM') if you want to connect to this server.

 

Re:OpenVPN stops DNS on W10 client-Solution
2023-09-28 16:28:10 - last edited 2023-10-07 18:10:10

Problem solved! My colleague was right, an older client version was needed; for my router it was Client 2.5.9. With this client everything works fine.
Anyway, I think it should be described more clearly in the tutorial that it is important to use the correct version of the client depending on the version of the router.
