No DNS Suffix with DCO if connection initiated by OpenVPNService #306

Closed
TitovLab opened this issue Apr 2, 2023 · 4 comments

Comments

@TitovLab

TitovLab commented Apr 2, 2023

Tested OpenVPN-2.6.2-I001-amd64 on two clean Windows 10 64-bit virtual machines: 21H2 and 22H2.
If the connection is initiated by OpenVPNService (local system account), then the options dhcp-option DOMAIN and dns search-domains have no effect (DNS Suffix empty):

C:\Users\admin>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-9FV6QMS
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-3A-8F-26
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::79d5:d1ff:8cee:51f1%4(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.188.52(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Sunday, April 2, 2023 1:39:51 PM
   Lease Expires . . . . . . . . . . : Monday, April 3, 2023 12:39:51 PM
   Default Gateway . . . . . . . . . : 192.168.188.1
   DHCP Server . . . . . . . . . . . : 192.168.188.4
   DHCPv6 IAID . . . . . . . . . . . : 100668765
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2B-BB-7E-26-00-15-5D-3A-8F-26
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       77.88.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

Unknown adapter OpenVPN Data Channel Offload:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : OpenVPN Data Channel Offload
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::e889:c6a8:3d77:6ca7%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.125.0.103(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 167777629
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2B-BB-7E-26-00-15-5D-3A-8F-26
   DNS Servers . . . . . . . . . . . : 192.168.125.2
                                       192.168.225.3
   NetBIOS over Tcpip. . . . . . . . : Enabled

C:\Users\admin>ping srv1
Ping request could not find host srv1. Please check the name and try again.

Log:

2023-04-02 13:49:17 OpenVPN 2.6.2 [git:v2.6.2/3577442530eb7830] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Mar 24 2023
2023-04-02 13:49:17 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-04-02 13:49:17 library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-04-02 13:49:17 DCO version: v0
2023-04-02 13:49:17 TCP/UDP: Preserving recently used remote address: [AF_INET]111.111.111.111:1194
2023-04-02 13:49:17 ovpn-dco device [OpenVPN Data Channel Offload] opened
2023-04-02 13:49:17 TCP_CLIENT link local: (not bound)
2023-04-02 13:49:17 TCP_CLIENT link remote: [AF_INET]111.111.111.111:1194
2023-04-02 13:49:17 TLS: Initial packet from [AF_INET]111.111.111.111:1194, sid=86699db6 8abd0b3a
2023-04-02 13:49:17 VERIFY OK: depth=1, C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=XX CA, name=EasyRSA, [email protected]
2023-04-02 13:49:17 VERIFY KU OK
2023-04-02 13:49:17 Validating certificate extended key usage
2023-04-02 13:49:17 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-04-02 13:49:17 VERIFY EKU OK
2023-04-02 13:49:17 NOTE: --mute triggered...
2023-04-02 13:49:17 2 variation(s) on previous 20 message(s) suppressed by --mute
2023-04-02 13:49:17 [lin2.domain.local] Peer Connection Initiated with [AF_INET]111.111.111.111:1194
2023-04-02 13:49:17 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-04-02 13:49:17 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-04-02 13:49:18 SENT CONTROL [lin2.domain.local]: 'PUSH_REQUEST' (status=1)
2023-04-02 13:49:18 PUSH: Received control message: 'PUSH_REPLY,persist-key,topology subnet,route 192.168.125.0 255.255.255.0,route 192.168.25.0 255.255.255.0,route 192.168.225.0 255.255.255.0,route-gateway 10.125.0.1,route-metric 400,dhcp-option DNS 192.168.125.2,dhcp-option DNS 192.168.225.3,dhcp-option DOMAIN domain.local,ping 10,ping-restart 120,ifconfig 10.125.0.103 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2023-04-02 13:49:18 OPTIONS IMPORT: --persist options modified
2023-04-02 13:49:18 OPTIONS IMPORT: --ifconfig/up options modified
2023-04-02 13:49:18 OPTIONS IMPORT: route options modified
2023-04-02 13:49:18 OPTIONS IMPORT: route-related options modified
2023-04-02 13:49:18 NOTE: --mute triggered...
2023-04-02 13:49:18 1 variation(s) on previous 20 message(s) suppressed by --mute
2023-04-02 13:49:18 interactive service msg_channel=0
2023-04-02 13:49:18 NETSH: C:\Windows\system32\netsh.exe interface ip set address 10 static 10.125.0.103 255.255.255.0
2023-04-02 13:49:18 NETSH: C:\Windows\system32\netsh.exe interface ip delete dns 10 all
2023-04-02 13:49:18 NETSH: C:\Windows\system32\netsh.exe interface ip set dns 10 static 192.168.125.2 validate=no
2023-04-02 13:49:18 NETSH: C:\Windows\system32\netsh.exe interface ip add dns 10 192.168.225.3 validate=no
2023-04-02 13:49:19 NETSH: C:\Windows\system32\netsh.exe interface ip delete wins 10 all
2023-04-02 13:49:19 IPv4 MTU set to 1500 on interface 10 using SetIpInterfaceEntry()
2023-04-02 13:49:19 C:\Windows\system32\route.exe ADD 192.168.125.0 MASK 255.255.255.0 10.125.0.1 METRIC 400
2023-04-02 13:49:19 Route addition via ipapi [adaptive] succeeded
2023-04-02 13:49:19 C:\Windows\system32\route.exe ADD 192.168.25.0 MASK 255.255.255.0 10.125.0.1 METRIC 400
2023-04-02 13:49:19 Route addition via ipapi [adaptive] succeeded
2023-04-02 13:49:19 C:\Windows\system32\route.exe ADD 192.168.225.0 MASK 255.255.255.0 10.125.0.1 METRIC 400
2023-04-02 13:49:19 Route addition via ipapi [adaptive] succeeded
2023-04-02 13:49:19 Initialization Sequence Completed
2023-04-02 13:49:19 Data Channel: cipher 'AES-256-GCM', peer-id: 0
2023-04-02 13:49:19 Timers: ping 10, ping-restart 120

Config:

dev tun
client
proto tcp-client
remote 111.111.111.111 1194
resolv-retry infinite
nobind
ca ca.crt
cert XX.crt
key XX.key
remote-cert-tls server
tls-client
cipher AES-256-GCM
verb 3
mute 20
pull
allow-pull-fqdn

If the same config is moved from the config-auto folder to the config folder and initiated via the OpenVPN GUI, then everything works fine:

C:\Users\admin>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-9FV6QMS
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.local

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-3A-8F-26
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::79d5:d1ff:8cee:51f1%4(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.188.52(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Sunday, April 2, 2023 1:39:51 PM
   Lease Expires . . . . . . . . . . : Monday, April 3, 2023 12:39:51 PM
   Default Gateway . . . . . . . . . : 192.168.188.1
   DHCP Server . . . . . . . . . . . : 192.168.188.4
   DHCPv6 IAID . . . . . . . . . . . : 100668765
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2B-BB-7E-26-00-15-5D-3A-8F-26
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       77.88.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

Unknown adapter OpenVPN Data Channel Offload:

   Connection-specific DNS Suffix  . : domain.local
   Description . . . . . . . . . . . : OpenVPN Data Channel Offload
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::e889:c6a8:3d77:6ca7%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.125.0.103(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 167777629
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2B-BB-7E-26-00-15-5D-3A-8F-26
   DNS Servers . . . . . . . . . . . : 192.168.125.2
                                       192.168.225.3
   NetBIOS over Tcpip. . . . . . . . : Enabled

C:\Users\admin>ping srv1

Pinging srv1.domain.local [192.168.225.3] with 32 bytes of data:
Reply from 192.168.225.3: bytes=32 time=7ms TTL=127

Everything also works fine with the TAP adapter (regardless of whether the connection is started by the GUI or by OpenVPNService). The parameters fail only with the DCO adapter, and only when the connection is started by OpenVPNService.
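The two ipconfig captures above differ only in the Connection-specific DNS Suffix of the DCO adapter, which is easy to miss by eye. The script below is an added example for this thread, not code from the issue or from the OpenVPN project: it parses the PUSH_REPLY line of the client log for the pushed dhcp-option DNS and DOMAIN values, parses the ipconfig /all output, finds the adapter by its Description string, and reports which pushed values did not land on it. The sample log line and the two ipconfig blocks are constructed from the values quoted in the report; the adapter description "OpenVPN Data Channel Offload" is the one shown above.

```python
import re

# Constructed sample: the PUSH_REPLY log line quoted in the issue, shortened.
SAMPLE_LOG = (
    "2023-04-02 13:49:18 PUSH: Received control message: 'PUSH_REPLY,persist-key,"
    "topology subnet,route 192.168.125.0 255.255.255.0,route-gateway 10.125.0.1,"
    "dhcp-option DNS 192.168.125.2,dhcp-option DNS 192.168.225.3,"
    "dhcp-option DOMAIN domain.local,ifconfig 10.125.0.103 255.255.255.0'\n"
)

# Constructed sample: the DCO adapter section of 'ipconfig /all' after a
# connection started by OpenVPNService, where the suffix stays empty.
IPCONFIG_SERVICE_START = """
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-9FV6QMS
   Primary Dns Suffix  . . . . . . . :

Unknown adapter OpenVPN Data Channel Offload:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : OpenVPN Data Channel Offload
   IPv4 Address. . . . . . . . . . . : 10.125.0.103(Preferred)
   DNS Servers . . . . . . . . . . . : 192.168.125.2
                                       192.168.225.3
"""

# Constructed sample: the same adapter after a GUI-started connection.
IPCONFIG_GUI_START = IPCONFIG_SERVICE_START.replace(
    "Connection-specific DNS Suffix  . :\n",
    "Connection-specific DNS Suffix  . : domain.local\n",
)

PUSH_RE = re.compile(r"PUSH: Received control message: '([^']*)'")


def parse_push_reply(log_text):
    """Collect 'dhcp-option DNS' / 'dhcp-option DOMAIN' values from the first PUSH_REPLY."""
    pushed = {"dns": [], "domain": []}
    match = PUSH_RE.search(log_text)
    if not match:
        return pushed
    for option in match.group(1).split(","):
        parts = option.split()
        if len(parts) == 3 and parts[0] == "dhcp-option":
            if parts[1] == "DNS":
                pushed["dns"].append(parts[2])
            elif parts[1] == "DOMAIN":
                pushed["domain"].append(parts[2])
    return pushed


def parse_ipconfig(text):
    """Parse 'ipconfig /all' output into {section: {field: [values]}}.
    Field lines are indented by exactly three spaces; deeper-indented lines
    continue the previous field (for example a second DNS server)."""
    sections, section, field = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Section header such as 'Unknown adapter OpenVPN Data Channel Offload:'
            section = line.strip().rstrip(":")
            sections[section] = {}
            field = None
        elif line.startswith("   ") and not line.startswith("    ") and section is not None:
            name, _, value = line.partition(":")
            field = re.sub(r"[ .]+$", "", name.strip())  # drop the dotted leader
            value = value.strip()
            sections[section][field] = [value] if value else []
        elif section is not None and field is not None:
            sections[section][field].append(line.strip())
    return sections


def find_adapter(sections, description):
    """Return the adapter section whose Description matches, or None."""
    for fields in sections.values():
        if fields.get("Description") == [description]:
            return fields
    return None


def check_vpn_dns(log_text, ipconfig_text, adapter_description):
    """Report which pushed DNS servers / search domain are missing from the adapter."""
    pushed = parse_push_reply(log_text)
    adapter = find_adapter(parse_ipconfig(ipconfig_text), adapter_description)
    if adapter is None:
        return {"adapter_found": False, "missing_dns": pushed["dns"],
                "missing_domain": pushed["domain"]}
    have_dns = set(adapter.get("DNS Servers", []))
    have_suffix = set(adapter.get("Connection-specific DNS Suffix", []))
    return {
        "adapter_found": True,
        "missing_dns": [d for d in pushed["dns"] if d not in have_dns],
        "missing_domain": [d for d in pushed["domain"] if d not in have_suffix],
    }
```

Calling `check_vpn_dns(SAMPLE_LOG, IPCONFIG_SERVICE_START, "OpenVPN Data Channel Offload")` returns `missing_domain == ["domain.local"]` with both DNS servers present, which is exactly the failure mode reported here; the GUI-started capture returns nothing missing. On a live host, replace the constructed strings with the real client log and the output of `ipconfig /all`.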

@lstipakov
Member

Thanks for the report, this is indeed a missing feature. We set the DNS domain suffix either via the interactive service (which is used when connections are started by the GUI) or by sending DHCP options to the driver (which is used when the interactive service is not available, as is the case when the connection is started by OpenVPNService). Since the DCO driver doesn't support DHCP, this feature is not implemented in this particular case.

I'll try to get it into 2.6.3.

@ordex ordex transferred this issue from OpenVPN/ovpn-dco-win Apr 3, 2023
lstipakov added a commit to lstipakov/openvpn that referenced this issue Apr 3, 2023
We set DNS domain either via interactive service or DHCP.
When interactive service is not used, for example,
when profiles are started by OpenVPNService, this option
is not working for DCO and wintun.

This implements setting DNS domain via WMIC command,
similar to implementation in interactive service.
This is done when:

 - interactive service is not used
 - ip_win32_type is either NETSH or IPAPI, which is
the case for DCO and wintun.

Fixes OpenVPN#306

Change-Id: I9ab51bf1c0774564204c75ecce9ebfb818db2f5b
lstipakov added a commit to lstipakov/openvpn that referenced this issue Apr 6, 2023
We set DNS domain either via interactive service or DHCP.
When interactive service is not used, for example,
when profiles are started by OpenVPNService, this option
is not working for DCO and wintun.

This implements setting DNS domain via WMIC command,
similar to implementation in interactive service.
This is done when:

 - interactive service is not used

 - ip-win32 is either NETSH or IPAPI, which is
the case for DCO and wintun.

Fixes OpenVPN#306

Change-Id: Ic72a4ecd0414c0d7bf013415f52640fd122cb739
Signed-off-by: Lev Stipakov <[email protected]>
cron2 pushed a commit that referenced this issue Apr 11, 2023
We set DNS domain either via interactive service or DHCP.
When interactive service is not used, for example,
when profiles are started by OpenVPNService, this option
is not working for DCO and wintun.

This implements setting DNS domain via WMIC command,
similar to implementation in interactive service.
This is done when:

 - interactive service is not used

 - DHCP is not used (ip-win32 is either NETSH or IPAPI,
   or IPv4 address is not pushed)

Github: fixes #306

Change-Id: Ic72a4ecd0414c0d7bf013415f52640fd122cb739
Signed-off-by: Lev Stipakov <[email protected]>
Acked-by: Selva Nair <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26582.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit 6cf7ce4)
cron2 pushed a commit that referenced this issue Apr 11, 2023
We set DNS domain either via interactive service or DHCP.
When interactive service is not used, for example,
when profiles are started by OpenVPNService, this option
is not working for DCO and wintun.

This implements setting DNS domain via WMIC command,
similar to implementation in interactive service.
This is done when:

 - interactive service is not used

 - DHCP is not used (ip-win32 is either NETSH or IPAPI,
   or IPv4 address is not pushed)

Github: fixes #306

Change-Id: Ic72a4ecd0414c0d7bf013415f52640fd122cb739
Signed-off-by: Lev Stipakov <[email protected]>
Acked-by: Selva Nair <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26582.html
Signed-off-by: Gert Doering <[email protected]>
@savely-krasovsky

@lstipakov do I understand correctly that this feature is also missing in OpenVPN3 (while using interactive service)?

@lstipakov
Member

@lstipakov do I understand correctly that this feature is also missing in OpenVPN3 (while using interactive service)?

@d12fk Do your DNS improvements cover those options?

@savely-krasovsky

savely-krasovsky commented Apr 1, 2024

Just to confirm: I see the suffix with Wintun, but not with DCO (in both cases it's OpenVPN3 v3.8.4 + the default Windows ovpnagent).
