openresolv-discuss

Re: VPN within VPN, resolv.conf nameserver order

Roy Marples

Mon Mar 04 09:39:56 2013

Hi

On 02/03/2013 0:01, ncalsmitty1369 wrote:
> I have an openvpn client that tunnels to an openvpn server within a
> vpnc tunnel connecting to a cisco vpn device. Connection through both
> vpn tunnels works and I have network connectivity, but my dns is not
> working correctly.
>
> I am using debian squeeze as the client os and I have installed
> openresolv in place of the debian resolvconf package.
>
> Before I connect to the first vpn tunnel my resolv.conf has an entry
> for my local dns server, as given by the dhcp service of my home
> router (or cell phone if mobile).
>
> 192.168.1.xxx  (example 192 IP subnet)
>
> After connecting my first vpn tunnel, a cisco device on tun0, my
> resolv.conf has the following entries:
>
> domain blah.org
> 172.xxx.xxx.xxx
> 172.xxx.xxx.xxx
> 192.168.1.xxx
>
> When I connect the second vpn tunnel, openvpn server on tun1, my
> resolv.conf has the following entries:
>
> domain blah.org
> 172.xxx.xxx.xxx
> 172.xxx.xxx.xxx
> 192.168.2.xxx (example 192 IP subnet, notice its placement in list)
> 192.168.1.xxx
>
> I am using openvpn's update-resolv-conf script to add "pushed" dhcp
> options, "DNS 192.168.2.xxx". I am guessing that tun1's dns update is
> third in the list because openresolv is reading the tun devices in
> order starting with tun0, and then adding tun1?

Yes.
The ordering is described in resolvconf.conf(5).

> Name resolution for hosts reachable on tun1 fails unless I use the IP of
> the host that I am trying to connect to, meaning routing is working.
> If I manually edit the resolv.conf file and put the 192.168.2.xxx
> entry above the 172.xxx.xxx.xxx entries then name resolution for tun1
> hosts works.
>
> Question: How can I configure resolvconf.conf so that updates from the
> openvpn server on tun1 automatically prepend to the resolv.conf file?

If you are connecting to two VPNs then you can't actually use DNS from them both using just libc AFAIK.
libc only allows for 3 nameservers and uses the first working one.

For a VPN to really work well, you need a more powerful local resolver, like say unbound(8). Then, openresolv can configure unbound about the VPN nameservers and optionally mark them as private.

See here for a small example:
http://roy.marples.name/projects/openresolv/wiki/OpenResolvReasons

And here for sample configuration, which is also explained in resolvconf.conf(5):
http://roy.marples.name/projects/openresolv/wiki/OpenResolvConfig

Thanks

Roy
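An added check for the libc limit Roy describes (example code, not from the thread or from openresolv): it reads a resolv.conf and reports which nameservers glibc's stub resolver will actually use and which it drops. The sample resolv.conf is constructed to match the poster's listing after the second tunnel, with placeholder addresses.

```sh
#!/bin/sh
# glibc's stub resolver honours at most MAXNS=3 "nameserver" lines from
# resolv.conf and queries them in file order. A fourth line is silently
# ignored. The next server is tried only when the current one does not
# answer at all; a server that answers NXDOMAIN for a name it does not
# know ends the query, which is why names on tun1 fail while the 172.x
# servers sit above 192.168.2.x in the poster's file.
MAXNS=3

# effective_nameservers FILE: the servers libc will use, in query order.
effective_nameservers() {
    awk -v max="$MAXNS" '
        $1 == "nameserver" && n < max { print $2; n++ }
    ' "$1"
}

# ignored_nameservers FILE: nameserver lines beyond MAXNS, never consulted.
ignored_nameservers() {
    awk -v max="$MAXNS" '
        $1 == "nameserver" { n++; if (n > max) print $2 }
    ' "$1"
}

# first_nameserver FILE: the server every query goes to first.
first_nameserver() {
    effective_nameservers "$1" | head -n 1
}

# Constructed sample (placeholder addresses) mirroring the poster's
# resolv.conf with both tunnels up: two tun0 servers, then tun1, then LAN.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
domain blah.org
nameserver 172.16.0.10
nameserver 172.16.0.11
nameserver 192.168.2.1
nameserver 192.168.1.1
EOF

echo "libc queries, in order:"
effective_nameservers "$sample"
echo "silently ignored (beyond MAXNS=$MAXNS):"
ignored_nameservers "$sample"
```

Running it shows the LAN resolver on the fourth line is never consulted at all, so reordering resolv.conf only moves the problem; a local resolver such as unbound with the VPN interfaces listed in `private_interfaces` in resolvconf.conf(5) lets each VPN's servers answer only for their own domains.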
