[RndTbl] forcing dns over vpn

Trevor Cordes trevor at tecnopolis.ca
Mon Nov 2 02:06:47 CST 2015


I've set up a Linux server with a strongswan VPN server.  I have a Win7 
(also, separately, Android) client (builtin IKEv2) connecting ok to the 
Linux server.  Things seemed to be VPN'ing nicely.  I can get to internal 
hosts on other subnets I wouldn't be able to see without the VPN.  I can 
watch the ESP traffic to/from the client with tcpdump.

(For these tests the clients are on a separate locked-down subnet for my 
wifi.)

But I noticed some traffic isn't using the VPN.  It's just coming in on 
the normal wifi connection/subnet.  In particular, I'm looking at DNS UDP 
port 53.  If I ping from Windows to wherever, the DNS occurs over non-VPN.  
(I run my own caching name server, so the same Linux server is the DNS 
server in this case.)  I want DNS to hit my server over the VPN.

strongswan is configured on the server to provide a DNS server entry to 
the client.  I can confirm Windows is seeing the proper DNS server on the 
VPN with ipconfig /all.  I can even try to set those servers manually in 
the Win7 VPN properties menus.  But the DNS query never goes out over the 
VPN.  For kicks I iptables'd out port 53 from the non-VPN'd IP and then 
the client can't resolve anything (i.e. it doesn't fall back to using the 
VPN).

So if I ping from the VPN to anywhere on the net, the DNS is not VPN'd but 
the ICMP *is*.  Same with web browsing: it seems to do non-VPN DNS and 
then VPN the http traffic.

How can I force the Windows client to send *all* traffic over the VPN?  
Especially DNS.

After that's fixed, how can I force *all* traffic over the VPN on Android?
I've heard rumours Android screws with VPN and makes some things 
impossible.

Thanks!
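A server-side check for the leak described in the post, added here as an example and not code from the original message or from the strongSwan project. On Linux's XFRM IPsec stack, tcpdump on the physical interface shows an inbound ESP packet and, right after it, the same packet decrypted with its inner source address, so a DNS query that arrived inside the tunnel shows up with a source in the VPN address pool, while one that bypassed the VPN shows up with the client's wifi address. The pool 10.8.0.0/24, the wifi subnet 192.168.50.0/24, the interface name wlan0 and the sample capture lines are all assumptions made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post. All addresses below are assumed:
# the VPN pool is 10.8.0.0/24 and the locked-down wifi subnet is 192.168.50.0/24.
VPN_POOL_PREFIX="10.8.0."
WIFI_PREFIX="192.168.50."

# Constructed tcpdump -nn output (not a real capture) covering the three cases
# seen on the server: the ESP packet, its decrypted inner DNS query from the
# pool address (tunnelled), and plaintext DNS queries from the wifi address (leaked).
SAMPLE_CAPTURE='02:06:47.100000 IP 192.168.50.20 > 192.168.50.1: ESP(spi=0xc0ffee01,seq=0x1), length 116
02:06:47.100100 IP 10.8.0.2.50321 > 10.8.0.1.53: 1234+ A? example.org. (29)
02:06:47.200000 IP 192.168.50.20.54001 > 192.168.50.1.53: 4321+ A? example.net. (29)
02:06:47.300000 IP 192.168.50.20.54002 > 192.168.50.1.53: 4322+ AAAA? example.net. (29)'

# classify_dns reads tcpdump -nn lines on stdin and prints "tunnel N leak M":
# queries to port 53 whose source is in the VPN pool arrived inside ESP,
# queries whose source is on the wifi subnet went around the VPN.
# ESP lines carry no port, so they never match and are not counted.
classify_dns() {
    awk -v vpn="$VPN_POOL_PREFIX" -v wifi="$WIFI_PREFIX" '
        / > [0-9.]+\.53: / {
            # $3 is src as a.b.c.d.port; rebuild the /24 prefix "a.b.c."
            n = split($3, src, ".")
            if (n < 5) next
            prefix = src[1] "." src[2] "." src[3] "."
            if (index(prefix, vpn) == 1) tunnel++
            else if (index(prefix, wifi) == 1) leak++
        }
        END { printf "tunnel %d leak %d\n", tunnel + 0, leak + 0 }'
}

# dns_leak_check returns 0 when every DNS query came through the tunnel
# and 1 when at least one query reached the server outside the VPN.
dns_leak_check() {
    summary=$(classify_dns)
    echo "$summary"
    case "$summary" in
        *"leak 0") return 0 ;;
        *)         return 1 ;;
    esac
}

# Demo run on the constructed sample (expected: "tunnel 1 leak 2", exit status 1).
printf '%s\n' "$SAMPLE_CAPTURE" | dns_leak_check || echo "DNS is leaking around the VPN"
```

Against a live server, feed the real capture instead of the sample, e.g. `tcpdump -lnni wlan0 'udp port 53 or esp' | classify_dns` (assumed interface name), and repeat after changing the client's settings: the leak count dropping to zero while the tunnel count rises is the confirmation that DNS now goes over the VPN.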

