[RndTbl] forcing dns over vpn

Adam Thompson athompso at athompso.net
Mon Nov 2 07:05:23 CST 2015


Take a look at the OpenVPN docs to see how they manage this; it's a Windows thing where it latches on to a working DNS server and never lets go.
IIRC it's a series of ipconfig /flushdns or something similar that's required.
-Adam

On November 2, 2015 2:06:47 AM CST, Trevor Cordes <trevor at tecnopolis.ca> wrote:
>I've set up a linux server with a strongswan VPN server.  I have a Win7 (also, separately, Android) client (builtin IKEv2) connecting ok to the linux server.  Things seemed to be VPN'ing nicely.  I can get to internal hosts on other subnets I wouldn't be able to see without the VPN.  I can watch the ESP traffic to/from the client with tcpdump.
>
>(For these tests the clients are on a separate locked-down subnet for my wifi.)
>
>But I noticed some traffic isn't using the VPN.  It's just coming in on the normal wifi connection/subnet.  In particular, I'm looking at DNS udp port 53.  If I ping from Windows to wherever, the dns occurs over non-VPN (I run my own caching name server, so the same linux server is the DNS server in this case.)  I want dns to hit my server over the VPN.
>
>The strongswan is configured on the server to provide a DNS server entry to the client.  I can confirm Windows is seeing the proper DNS server on the VPN with ipconfig /all.  I can even try to set those servers manually in the Win7 VPN properties menus.  But the dns query never goes out over the VPN.  For kicks I iptables'd out port 53 from the non-VPN'd IP and then the client can't resolve anything (i.e. it doesn't fall back to using the VPN).
>
>So if I ping from the VPN to anywhere on the net, the DNS is not VPN'd but the ICMP *is*.  Same with web browsing: it seems to do non-VPN DNS and then VPN the http traffic.
>
>How can I force the Windows client to force *all* traffic over the VPN?  Especially DNS.
>
>After that's fixed, how can I force *all* traffic over the VPN on Android?  I've heard rumours Android screws with VPN and makes some things impossible.
>
>Thanks!
>_______________________________________________
>Roundtable mailing list
>Roundtable at muug.mb.ca
>http://www.muug.mb.ca/mailman/listinfo/roundtable

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
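The check Trevor describes (watching the wifi-side tcpdump for cleartext port-53 queries next to the ESP stream) can be scripted so the leak is flagged rather than eyeballed. The following is an added example, not code from this thread or from strongSwan; the capture lines are constructed in tcpdump's `-n` text format, and the addresses (192.168.50.23 for the Windows client on the wifi subnet, 192.168.1.10 for the Linux host that is both VPN server and caching resolver) are assumptions. On the wifi-facing interface, anything the client sends through the tunnel appears only as ESP, so a readable DNS query from the client's wifi address is by definition outside the VPN.

```python
import re
from collections import Counter

# Constructed sample in tcpdump's default "-n" text format (not a real capture).
# Assumed addresses: 192.168.50.23 is the Windows client's wifi address,
# 192.168.1.10 is the Linux host that is both VPN server and caching resolver.
SAMPLE_CAPTURE = """\
10:01:02.000001 IP 192.168.50.23.51234 > 192.168.1.10.53: 12345+ A? example.com. (29)
10:01:02.000400 IP 192.168.1.10.53 > 192.168.50.23.51234: 12345 1/0/0 A 93.184.216.34 (45)
10:01:02.001000 IP 192.168.50.23 > 192.168.1.10: ESP(spi=0xc1a2b3c4,seq=0x1f), length 132
10:01:02.001900 IP 192.168.1.10 > 192.168.50.23: ESP(spi=0xd4e5f6a7,seq=0x1f), length 132
10:01:05.000002 IP 192.168.50.23.51235 > 192.168.1.10.53: 12346+ AAAA? mail.internal.example. (38)
10:01:05.002000 IP 192.168.50.23 > 192.168.1.10: ESP(spi=0xc1a2b3c4,seq=0x20), length 116
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# A cleartext DNS query line: "src.port > resolver.53: id[+] TYPE? name"
DNS_QUERY_RE = re.compile(
    rf"IP (?P<src>{IPV4})\.(?P<sport>\d+) > (?P<dst>{IPV4})\.53: "
    rf"\d+\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+)"
)
# An ESP packet line: "src > dst: ESP(spi=...,seq=...)"
ESP_RE = re.compile(rf"IP (?P<src>{IPV4}) > (?P<dst>{IPV4}): ESP\(")


def classify_line(line):
    """Return ('esp', fields), ('dns_query', fields) or ('other', None)."""
    m = ESP_RE.search(line)
    if m:
        return "esp", m.groupdict()
    m = DNS_QUERY_RE.search(line)
    if m:
        return "dns_query", m.groupdict()
    return "other", None


def find_dns_leaks(capture_text, client_ip):
    """List every cleartext DNS query the client sent outside the tunnel.

    On the wifi-side capture, traffic the client sends through the VPN is
    wrapped in ESP, so a readable port-53 query from client_ip is a leak.
    """
    leaks = []
    for line in capture_text.splitlines():
        kind, fields = classify_line(line)
        if kind == "dns_query" and fields["src"] == client_ip:
            leaks.append({"qname": fields["qname"], "qtype": fields["qtype"],
                          "resolver": fields["dst"]})
    return leaks


def summarize(capture_text, client_ip):
    """Count ESP packets involving the client versus its cleartext DNS queries."""
    counts = Counter()
    for line in capture_text.splitlines():
        kind, fields = classify_line(line)
        if kind == "esp" and client_ip in (fields["src"], fields["dst"]):
            counts["esp_packets"] += 1
        elif kind == "dns_query" and fields["src"] == client_ip:
            counts["plaintext_dns_queries"] += 1
    return counts


if __name__ == "__main__":
    client = "192.168.50.23"
    print(dict(summarize(SAMPLE_CAPTURE, client)))
    for leak in find_dns_leaks(SAMPLE_CAPTURE, client):
        print(f"LEAK: {leak['qtype']} {leak['qname']} -> {leak['resolver']} in the clear")
```

On a live system the input would be the output of `tcpdump -n` on the server's wifi-facing interface with a filter such as `udp port 53 or esp`; a healthy tunnel-everything configuration shows ESP packets and zero cleartext queries from the client, which is exactly the result Trevor's iptables experiment was unable to produce.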

