[RndTbl] forcing dns over vpn
Adam Thompson
athompso at athompso.net
Mon Nov 2 07:05:23 CST 2015
Take a look at the OpenVPN docs to see how they manage this; it's a Windows thing where it latches on to a working DNS server and never lets go.
IIRC it's a series of ipconfig /flushdns or something similar that's required.
-Adam
On November 2, 2015 2:06:47 AM CST, Trevor Cordes <trevor at tecnopolis.ca> wrote:
>I've set up a Linux server with a strongswan VPN server. I have a Win7
>(also, separately, Android) client (builtin IKEv2) connecting OK to the
>Linux server. Things seemed to be VPN'ing nicely. I can get to internal
>hosts on other subnets I wouldn't be able to see without the VPN. I can
>watch the ESP traffic to/from the client with tcpdump.
>
>(For these tests the clients are on a separate locked-down subnet for my
>wifi.)
>
>But I noticed some traffic isn't using the VPN. It's just coming in on
>the normal wifi connection/subnet. In particular, I'm looking at DNS UDP
>port 53. If I ping from Windows to wherever, the DNS occurs over non-VPN
>(I run my own caching name server, so the same Linux server is the DNS
>server in this case). I want DNS to hit my server over the VPN.
>
>The strongswan is configured on the server to provide a DNS server entry to
>the client. I can confirm Windows is seeing the proper DNS server on the
>VPN with ipconfig /all. I can even try to set those servers manually in
>the Win7 VPN properties menus. But the DNS query never goes out over the
>VPN. For kicks I iptables'd out port 53 from the non-VPN'd IP and then
>the client can't resolve anything (i.e. it doesn't fall back to using the
>VPN).
>
>So if I ping from the VPN to anywhere on the net, the DNS is not VPN'd but
>the ICMP *is*. Same with web browsing: it seems to do non-VPN DNS and
>then VPN the HTTP traffic.
>
>How can I force the Windows client to force *all* traffic over the VPN?
>Especially DNS.
>
>After that's fixed, how can I force *all* traffic over the VPN on Android?
>I've heard rumours Android screws with VPN and makes some things
>impossible.
>
>Thanks!
>_______________________________________________
>Roundtable mailing list
>Roundtable at muug.mb.ca
>http://www.muug.mb.ca/mailman/listinfo/roundtable
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.