OpenVPN TAP - invalid DNS servers order
Posted: Thu Aug 05, 2021 9:53 am
Hello,
I am using the OpenVPN client in TAP mode.
In the app logs I can see that the server pushes the DNS servers config to the client:
Code:
PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.0.10,dhcp-option DNS 208.67.222.222,ping 20,ping-restart 60,route-gateway 192.168.0.1,ifconfig 192.168.0.129 255.255.255.0'
192.168.0.10 is my local DNS server. When I connect with my phone to the OpenVPN server, the DNS servers are set in an invalid order, meaning the first DNS server is set to 208.67.222.222 and 192.168.0.10 is used as the second, despite being pushed first as a 'dhcp-option' config by the server. Because of that I can't access any machine by its domain name.
When I connect using the OpenVPN client for Windows, the DNS servers are set in the correct order: 192.168.0.10 is the first one, 208.67.222.222 is second.
This happens for both the OpenVPN version 2.5.3 and 2.4.9 settings in the connection settings. I also have an SSTP server, and when connecting to it the DNS servers are in the correct order.
I am attaching the full log and a screenshot of the DNS server order.
Code:
2021-08-05 10:39:40 VpnClientPro-google-api27-release-1.00.87 (23010087)
2021-08-05 10:39:40 Connecting request by user
2021-08-05 10:39:40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-08-05 10:39:40 Current Parameter Settings:
2021-08-05 10:39:40 config = '/data/user/0/it.colucciweb.vpnclientpro/files/temp/96937442-f0b1-4b48-97ca-3661209f508b.conf'
2021-08-05 10:39:40 mode = 0
2021-08-05 10:39:40 persist_config = DISABLED
2021-08-05 10:39:40 persist_mode = 1
2021-08-05 10:39:40 show_ciphers = DISABLED
2021-08-05 10:39:40 show_digests = DISABLED
2021-08-05 10:39:40 show_engines = DISABLED
2021-08-05 10:39:40 genkey = DISABLED
2021-08-05 10:39:40 genkey_filename = '[UNDEF]'
2021-08-05 10:39:40 key_pass_file = '[UNDEF]'
2021-08-05 10:39:40 show_tls_ciphers = DISABLED
2021-08-05 10:39:40 connect_retry_max = 0
2021-08-05 10:39:40 Connection profiles [0]:
2021-08-05 10:39:40 proto = tcp-client
2021-08-05 10:39:40 local = '[UNDEF]'
2021-08-05 10:39:40 local_port = '[UNDEF]'
2021-08-05 10:39:40 remote = 'XXX.com'
2021-08-05 10:39:40 remote_port = '1194'
2021-08-05 10:39:40 remote_float = DISABLED
2021-08-05 10:39:40 bind_defined = DISABLED
2021-08-05 10:39:40 bind_local = DISABLED
2021-08-05 10:39:40 bind_ipv6_only = DISABLED
2021-08-05 10:39:40 connect_retry_seconds = 5
2021-08-05 10:39:40 connect_timeout = 10
2021-08-05 10:39:40 xormethod = 0
2021-08-05 10:39:40 xormask = ''
2021-08-05 10:39:40 xormasklen = 0
2021-08-05 10:39:40 socks_proxy_server = '[UNDEF]'
2021-08-05 10:39:40 socks_proxy_port = '[UNDEF]'
2021-08-05 10:39:40 tun_mtu = 1500
2021-08-05 10:39:40 tun_mtu_defined = ENABLED
2021-08-05 10:39:40 link_mtu = 1500
2021-08-05 10:39:40 link_mtu_defined = DISABLED
2021-08-05 10:39:40 tun_mtu_extra = 32
2021-08-05 10:39:40 tun_mtu_extra_defined = ENABLED
2021-08-05 10:39:40 mtu_discover_type = -1
2021-08-05 10:39:40 fragment = 0
2021-08-05 10:39:40 mssfix = 1450
2021-08-05 10:39:40 explicit_exit_notification = 0
2021-08-05 10:39:40 tls_auth_file = '[UNDEF]'
2021-08-05 10:39:40 key_direction = not set
2021-08-05 10:39:40 tls_crypt_file = '[UNDEF]'
2021-08-05 10:39:40 tls_crypt_v2_file = '[UNDEF]'
2021-08-05 10:39:40 Connection profiles END
2021-08-05 10:39:40 remote_random = DISABLED
2021-08-05 10:39:40 ipchange = '[UNDEF]'
2021-08-05 10:39:40 dev = 'tap'
2021-08-05 10:39:40 dev_type = '[UNDEF]'
2021-08-05 10:39:40 dev_node = '[UNDEF]'
2021-08-05 10:39:40 lladdr = '[UNDEF]'
2021-08-05 10:39:40 topology = 1
2021-08-05 10:39:40 ifconfig_local = '[UNDEF]'
2021-08-05 10:39:40 ifconfig_remote_netmask = '[UNDEF]'
2021-08-05 10:39:40 ifconfig_noexec = DISABLED
2021-08-05 10:39:40 ifconfig_nowarn = DISABLED
2021-08-05 10:39:40 ifconfig_ipv6_local = '[UNDEF]'
2021-08-05 10:39:40 ifconfig_ipv6_netbits = 0
2021-08-05 10:39:40 ifconfig_ipv6_remote = '[UNDEF]'
2021-08-05 10:39:40 shaper = 0
2021-08-05 10:39:40 mtu_test = 0
2021-08-05 10:39:40 mlock = DISABLED
2021-08-05 10:39:40 keepalive_ping = 0
2021-08-05 10:39:40 keepalive_timeout = 0
2021-08-05 10:39:40 inactivity_timeout = 0
2021-08-05 10:39:40 ping_send_timeout = 0
2021-08-05 10:39:40 ping_rec_timeout = 0
2021-08-05 10:39:40 ping_rec_timeout_action = 0
2021-08-05 10:39:40 ping_timer_remote = DISABLED
2021-08-05 10:39:40 remap_sigusr1 = 0
2021-08-05 10:39:40 persist_tun = DISABLED
2021-08-05 10:39:40 persist_local_ip = DISABLED
2021-08-05 10:39:40 persist_remote_ip = DISABLED
2021-08-05 10:39:40 persist_key = DISABLED
2021-08-05 10:39:40 passtos = DISABLED
2021-08-05 10:39:40 resolve_retry_seconds = 1000000000
2021-08-05 10:39:40 resolve_in_advance = DISABLED
2021-08-05 10:39:40 username = '[UNDEF]'
2021-08-05 10:39:40 groupname = '[UNDEF]'
2021-08-05 10:39:40 chroot_dir = '[UNDEF]'
2021-08-05 10:39:40 cd_dir = '[UNDEF]'
2021-08-05 10:39:40 writepid = '[UNDEF]'
2021-08-05 10:39:40 up_script = '[UNDEF]'
2021-08-05 10:39:40 down_script = '[UNDEF]'
2021-08-05 10:39:40 down_pre = DISABLED
2021-08-05 10:39:40 up_restart = DISABLED
2021-08-05 10:39:40 up_delay = DISABLED
2021-08-05 10:39:40 daemon = DISABLED
2021-08-05 10:39:40 inetd = 0
2021-08-05 10:39:40 log = DISABLED
2021-08-05 10:39:40 suppress_timestamps = ENABLED
2021-08-05 10:39:40 machine_readable_output = DISABLED
2021-08-05 10:39:40 nice = 0
2021-08-05 10:39:40 verbosity = 4
2021-08-05 10:39:40 mute = 0
2021-08-05 10:39:40 gremlin = 0
2021-08-05 10:39:40 status_file = '[UNDEF]'
2021-08-05 10:39:40 status_file_version = 1
2021-08-05 10:39:40 status_file_update_freq = 60
2021-08-05 10:39:40 occ = ENABLED
2021-08-05 10:39:40 rcvbuf = 0
2021-08-05 10:39:40 sndbuf = 0
2021-08-05 10:39:40 sockflags = 0
2021-08-05 10:39:40 fast_io = DISABLED
2021-08-05 10:39:40 comp.alg = 0
2021-08-05 10:39:40 comp.flags = 0
2021-08-05 10:39:40 route_script = '[UNDEF]'
2021-08-05 10:39:40 route_default_gateway = '[UNDEF]'
2021-08-05 10:39:40 route_default_metric = 0
2021-08-05 10:39:40 route_noexec = DISABLED
2021-08-05 10:39:40 route_delay = 0
2021-08-05 10:39:40 route_delay_window = 30
2021-08-05 10:39:40 route_delay_defined = DISABLED
2021-08-05 10:39:40 route_nopull = DISABLED
2021-08-05 10:39:40 route_gateway_via_dhcp = DISABLED
2021-08-05 10:39:40 allow_pull_fqdn = DISABLED
2021-08-05 10:39:40 [redirect_default_gateway local=0]
2021-08-05 10:39:40 shared_secret_file = '[UNDEF]'
2021-08-05 10:39:40 key_direction = not set
2021-08-05 10:39:40 ciphername = 'AES-256-CBC'
2021-08-05 10:39:40 ncp_enabled = ENABLED
2021-08-05 10:39:40 ncp_ciphers = 'AES-256-GCM:AES-128-GCM:AES-256-CBC'
2021-08-05 10:39:40 authname = 'SHA1'
2021-08-05 10:39:40 prng_hash = 'SHA1'
2021-08-05 10:39:40 prng_nonce_secret_len = 16
2021-08-05 10:39:40 keysize = 0
2021-08-05 10:39:40 engine = DISABLED
2021-08-05 10:39:40 replay = ENABLED
2021-08-05 10:39:40 mute_replay_warnings = DISABLED
2021-08-05 10:39:40 replay_window = 64
2021-08-05 10:39:40 replay_time = 15
2021-08-05 10:39:40 packet_id_file = '[UNDEF]'
2021-08-05 10:39:40 test_crypto = DISABLED
2021-08-05 10:39:40 tls_server = DISABLED
2021-08-05 10:39:40 tls_client = ENABLED
2021-08-05 10:39:40 ca_file = '[INLINE]'
2021-08-05 10:39:40 ca_path = '[UNDEF]'
2021-08-05 10:39:40 dh_file = '[UNDEF]'
2021-08-05 10:39:40 cert_file = '[INLINE]'
2021-08-05 10:39:40 extra_certs_file = '[UNDEF]'
2021-08-05 10:39:40 priv_key_file = '[INLINE]'
2021-08-05 10:39:40 pkcs12_file = '[UNDEF]'
2021-08-05 10:39:40 cipher_list = '[UNDEF]'
2021-08-05 10:39:40 cipher_list_tls13 = '[UNDEF]'
2021-08-05 10:39:40 tls_cert_profile = '[UNDEF]'
2021-08-05 10:39:40 tls_verify = '[UNDEF]'
2021-08-05 10:39:40 tls_export_cert = '[UNDEF]'
2021-08-05 10:39:40 verify_x509_type = 0
2021-08-05 10:39:40 verify_x509_name = '[UNDEF]'
2021-08-05 10:39:40 crl_file = '[UNDEF]'
2021-08-05 10:39:40 ns_cert_type = 0
2021-08-05 10:39:40 remote_cert_ku[i] = 65535
2021-08-05 10:39:40 remote_cert_ku[i] = 0
2021-08-05 10:39:40 remote_cert_ku[i] = 0
2021-08-05 10:39:40 remote_cert_ku[i] = 0
2021-08-05 10:39:40 remote_cert_ku[i] = 0
2021-08-05 10:39:40 remote_cert_ku[i] = 0
2021-08-05 10:39:40 remote_cert_ku[i] = 0
2021-08-05 10:39:40 remote_cert_ku[i] = 0
2021-08-05 10:39:40 remote_cert_ku[i] = 0
2021-08-05 10:39:40 remote_cert_ku[i] = 0
2021-08-05 10:39:40 remote_cert_ku[i] = 0
2021-08-05 10:39:40 remote_cert_ku[i] = 0
2021-08-05 10:39:40 remote_cert_ku[i] = 0
2021-08-05 10:39:40 remote_cert_ku[i] = 0
2021-08-05 10:39:40 remote_cert_ku[i] = 0
2021-08-05 10:39:40 remote_cert_ku[i] = 0
2021-08-05 10:39:40 remote_cert_eku = 'TLS Web Server Authentication'
2021-08-05 10:39:40 ssl_flags = 192
2021-08-05 10:39:40 tls_timeout = 2
2021-08-05 10:39:40 renegotiate_bytes = -1
2021-08-05 10:39:40 renegotiate_packets = 0
2021-08-05 10:39:40 renegotiate_seconds = 3600
2021-08-05 10:39:40 handshake_window = 60
2021-08-05 10:39:40 transition_window = 3600
2021-08-05 10:39:40 single_session = DISABLED
2021-08-05 10:39:40 push_peer_info = DISABLED
2021-08-05 10:39:40 tls_exit = DISABLED
2021-08-05 10:39:40 tls_crypt_v2_metadata = '[UNDEF]'
2021-08-05 10:39:40 server_network = 0.0.0.0
2021-08-05 10:39:40 server_netmask = 0.0.0.0
2021-08-05 10:39:40 server_network_ipv6 = ::
2021-08-05 10:39:40 server_netbits_ipv6 = 0
2021-08-05 10:39:40 server_bridge_ip = 0.0.0.0
2021-08-05 10:39:40 server_bridge_netmask = 0.0.0.0
2021-08-05 10:39:40 server_bridge_pool_start = 0.0.0.0
2021-08-05 10:39:40 server_bridge_pool_end = 0.0.0.0
2021-08-05 10:39:40 ifconfig_pool_defined = DISABLED
2021-08-05 10:39:40 ifconfig_pool_start = 0.0.0.0
2021-08-05 10:39:40 ifconfig_pool_end = 0.0.0.0
2021-08-05 10:39:40 ifconfig_pool_netmask = 0.0.0.0
2021-08-05 10:39:40 ifconfig_pool_persist_filename = '[UNDEF]'
2021-08-05 10:39:40 ifconfig_pool_persist_refresh_freq = 600
2021-08-05 10:39:40 ifconfig_ipv6_pool_defined = DISABLED
2021-08-05 10:39:40 ifconfig_ipv6_pool_base = ::
2021-08-05 10:39:40 ifconfig_ipv6_pool_netbits = 0
2021-08-05 10:39:40 n_bcast_buf = 256
2021-08-05 10:39:40 tcp_queue_limit = 64
2021-08-05 10:39:40 real_hash_size = 256
2021-08-05 10:39:40 virtual_hash_size = 256
2021-08-05 10:39:40 client_connect_script = '[UNDEF]'
2021-08-05 10:39:40 learn_address_script = '[UNDEF]'
2021-08-05 10:39:40 client_disconnect_script = '[UNDEF]'
2021-08-05 10:39:40 client_config_dir = '[UNDEF]'
2021-08-05 10:39:40 ccd_exclusive = DISABLED
2021-08-05 10:39:40 tmp_dir = '/data/user/0/it.colucciweb.vpnclientpro/files/temp'
2021-08-05 10:39:40 push_ifconfig_defined = DISABLED
2021-08-05 10:39:40 push_ifconfig_local = 0.0.0.0
2021-08-05 10:39:40 push_ifconfig_remote_netmask = 0.0.0.0
2021-08-05 10:39:40 push_ifconfig_ipv6_defined = DISABLED
2021-08-05 10:39:40 push_ifconfig_ipv6_local = ::/0
2021-08-05 10:39:40 push_ifconfig_ipv6_remote = ::
2021-08-05 10:39:40 enable_c2c = DISABLED
2021-08-05 10:39:40 duplicate_cn = DISABLED
2021-08-05 10:39:40 cf_max = 0
2021-08-05 10:39:40 cf_per = 0
2021-08-05 10:39:40 max_clients = 1024
2021-08-05 10:39:40 max_routes_per_client = 256
2021-08-05 10:39:40 auth_user_pass_verify_script = '[UNDEF]'
2021-08-05 10:39:40 auth_user_pass_verify_script_via_file = DISABLED
2021-08-05 10:39:40 auth_token_generate = DISABLED
2021-08-05 10:39:40 auth_token_lifetime = 0
2021-08-05 10:39:40 auth_token_secret_file = '[UNDEF]'
2021-08-05 10:39:40 port_share_host = '[UNDEF]'
2021-08-05 10:39:40 port_share_port = '[UNDEF]'
2021-08-05 10:39:40 vlan_tagging = DISABLED
2021-08-05 10:39:40 vlan_accept = all
2021-08-05 10:39:40 vlan_pvid = 1
2021-08-05 10:39:40 client = ENABLED
2021-08-05 10:39:40 pull = ENABLED
2021-08-05 10:39:40 auth_user_pass_file = 'stdin'
2021-08-05 10:39:40 OpenVPN 2.5.3 android-arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 11 2021
2021-08-05 10:39:40 library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
2021-08-05 10:39:41 Control Channel MTU parms [ L:1655 D:1210 EF:40 EB:0 ET:0 EL:3 ]
2021-08-05 10:39:42 Data Channel MTU parms [ L:1655 D:1450 EF:123 EB:411 ET:32 EL:3 ]
2021-08-05 10:39:42 Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1591,tun-mtu 1532,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
2021-08-05 10:39:42 Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1591,tun-mtu 1532,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
2021-08-05 10:39:42 TCP/UDP: Preserving recently used remote address: [AF_INET]X.X.X.X:1194
2021-08-05 10:39:42 Socket Buffers: R=[6291456->6291456] S=[1048576->1048576]
2021-08-05 10:39:42 Attempting to establish TCP connection with [AF_INET]X.X.X.X:1194 [nonblock]
2021-08-05 10:39:42 TCP connection established with [AF_INET]X.X.X.X:1194
2021-08-05 10:39:42 TCPv4_CLIENT link local: (not bound)
2021-08-05 10:39:42 TCPv4_CLIENT link remote: [AF_INET]X.X.X.X:1194
2021-08-05 10:39:42 TLS: Initial packet from [AF_INET]X.X.X.X:1194, sid=3d0738a7 96a9b3c4
2021-08-05 10:39:42 VERIFY OK: depth=1, DC=com, DC=XXX, CN=XXX-XXX-XXX-CA
2021-08-05 10:39:42 VERIFY KU OK
2021-08-05 10:39:42 Validating certificate extended key usage
2021-08-05 10:39:42 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-08-05 10:39:42 VERIFY EKU OK
2021-08-05 10:39:42 VERIFY OK: depth=0, C=XX, ST=XXX, L=XXX, O=XXX, OU=XXX, CN=xxx.com
2021-08-05 10:39:42 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: ecdsa-with-SHA256
2021-08-05 10:39:42 [xxx.com] Peer Connection Initiated with [AF_INET]X.X.X.X:1194
2021-08-05 10:39:42 Key [AF_INET]X.X.X.X:1194 [0] not initialized (yet), dropping packet.
2021-08-05 10:39:43 SENT CONTROL [xxx.com]: 'PUSH_REQUEST' (status=1)
2021-08-05 10:39:44 Key [AF_INET]X.X.X.X:1194 [0] not initialized (yet), dropping packet.
2021-08-05 10:39:44 Key [AF_INET]X.X.X.X:1194 [0] not initialized (yet), dropping packet.
2021-08-05 10:39:46 Key [AF_INET]X.X.X.X:1194 [0] not initialized (yet), dropping packet.
2021-08-05 10:39:48 Key [AF_INET]X.X.X.X:1194 [0] not initialized (yet), dropping packet.
2021-08-05 10:39:48 SENT CONTROL [xxx.com]: 'PUSH_REQUEST' (status=1)
2021-08-05 10:39:50 Key [AF_INET]X.X.X.X:1194 [0] not initialized (yet), dropping packet.
2021-08-05 10:39:52 Key [AF_INET]X.X.X.X:1194 [0] not initialized (yet), dropping packet.
2021-08-05 10:39:53 SENT CONTROL [xxx.com]: 'PUSH_REQUEST' (status=1)
2021-08-05 10:39:53 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.0.10,dhcp-option DNS 208.67.222.222,ping 20,ping-restart 60,route-gateway 192.168.0.1,ifconfig 192.168.0.129 255.255.255.0'
2021-08-05 10:39:53 OPTIONS IMPORT: timers and/or timeouts modified
2021-08-05 10:39:53 OPTIONS IMPORT: --ifconfig/up options modified
2021-08-05 10:39:53 OPTIONS IMPORT: route-related options modified
2021-08-05 10:39:53 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2021-08-05 10:39:53 Using peer cipher 'AES-256-CBC'
2021-08-05 10:39:53 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2021-08-05 10:39:53 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-08-05 10:39:53 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2021-08-05 10:39:53 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-08-05 10:39:53 do_ifconfig, ipv4=1, ipv6=0
2021-08-05 10:39:53 TapEmulator started
2021-08-05 10:39:53 TUN/TAP device opened
2021-08-05 10:39:53 Initialization Sequence Completed
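A check for the mismatch described in the post, added here as an example (it is not part of the original post or of the VPN client): it reads the pushed resolver order from the PUSH_REPLY log line and compares it with the order the device applied. The function names and the `APPLIED_ON_PHONE` list are assumptions; the applied order is entered by hand from what the post reports.

```python
import ipaddress
import re

# Constructed sample: the PUSH_REPLY line as it appears in the log above.
LOG_LINE = (
    "2021-08-05 10:39:53 PUSH: Received control message: "
    "'PUSH_REPLY,dhcp-option DNS 192.168.0.10,dhcp-option DNS 208.67.222.222,"
    "ping 20,ping-restart 60,route-gateway 192.168.0.1,"
    "ifconfig 192.168.0.129 255.255.255.0'"
)
# Assumed input: resolver order observed on the phone, as the post describes it.
APPLIED_ON_PHONE = ["208.67.222.222", "192.168.0.10"]

PUSH_RE = re.compile(r"PUSH: Received control message: '(PUSH_REPLY[^']*)'")


def pushed_dns(log_text):
    """Return DNS servers in push order; the last PUSH_REPLY in the log wins."""
    servers = []
    for match in PUSH_RE.finditer(log_text):
        servers = []  # a later PUSH_REPLY (e.g. after a reconnect) replaces the list
        for option in match.group(1).split(",")[1:]:
            parts = option.split()
            if len(parts) == 3 and parts[:2] == ["dhcp-option", "DNS"]:
                servers.append(parts[2])
    return servers


def compare_order(pushed, applied):
    """Classify how the applied resolver list differs from the pushed one."""
    if applied == pushed:
        return "match"
    if sorted(applied) == sorted(pushed):
        return "reordered"
    return "different-set"


def first_resolver_is_external(applied):
    """True when the first resolver is not a private (RFC 1918 etc.) address,
    i.e. lookups for internal host names go to a public resolver first."""
    return bool(applied) and not ipaddress.ip_address(applied[0]).is_private


if __name__ == "__main__":
    pushed = pushed_dns(LOG_LINE)
    print("pushed :", pushed)
    print("applied:", APPLIED_ON_PHONE)
    print("result :", compare_order(pushed, APPLIED_ON_PHONE))
    print("internal names sent to a public resolver first:",
          first_resolver_is_external(APPLIED_ON_PHONE))
```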