Richard Bucker

ChromeOS Linux Openvpn Split Dns

Posted at — Jul 15, 2021

The OpenVPN documentation is frustrating on the topic of split-dns because the author(s) seem to play both sides. [a] split-dns is not directly supported; [b] the docs suggest the authors are biased against it, or that it’s not the preferred method; [c] and functionality like ‘register-dns’ simply does not work, requiring up/down scripts and resolvconf instead. ALL of this is borderline moot because NetworkManager seems to do it right; however, NM is not available in all environments.

I’m looking for a simple solution

I’ve spent a few days on this problem already and everything has failed.

Since it’s been 2 days since my previous attempt, I cleared my head and started searching again. One of the COOL things about ChromeOS' Linux is that it’s what “Rancher” calls a “cow” when they talk about “cattle versus pets”. So starting over just takes a few clicks and a few minutes, and that’s why dnsmasq is STARRED in the list above.

Now ChromeOS' linux is not exactly a cow.

When I attempted to get dnsmasq installed I had tried a number of other DNS solutions first. That caused two different issues… [1] port 53 was already being used by some process. [2] /etc/resolv.conf was a symlink, so I could not make changes without going deep into the design of ChromeOS' Linux cow. So this morning a quick search led me to this article, which is recent and simple but does not talk about ChromeOS at all.

recent and simple!

So step by step let’s try it out without actually adding the VPN part

At this point I tested the DNS by pinging various hosts inside and outside the network. That’s when I found the first problem.

PROBLEM #1: The public and private FQDN were the same. That meant that since dnsmasq was ALWAYS running, it was going to resolve the hosts in the wrong direction, toward a network that was not attached. Client DNS implementations vary and are quirky. Since dnsmasq was/is running full time, the split goes the wrong way. To FIX this… I added the public IP and hostname to /etc/hosts and then tweaked the dnsmasq config to permit hosts.

continuing….

At this point I encountered problems 3 and 4.

PROBLEM #3: I’m getting an error in the log: register-dns blah blah… So I added the pull-filter CLI option (see above).

PROBLEM #4: While I had fixed this once before, I’m struggling to remember the exact CLI option… OpenVPN sets the default gateway, so all the traffic is being sent through the VPN; however, I want my local gateway to remain the default and only send the private traffic to the VPN (there are multiple IP networks, but the netmasks are OK and non-overlapping).

To solve #4 I added the CLI option --pull-filter ignore redirect-gateway and that worked great. Until it didn’t. This option tells openvpn to ignore the pushed redirect-gateway and so not change the default gateway. And that worked great…

PROBLEM #5: The network admin did not route all of the VPN subdomains in the push. So if the VPN were the default gateway that would have been OK, however, since it was not then I could not locate the target host.

One of the split-dns articles I read suggested that asking the network admin to make certain changes would not work. In his case it was a mega corp so I get it and that’s a cow of a different problem.

UPDATE Alternate solution to PROBLEM #1. Reading the manpage for dnsmasq was interesting. In P1 I had a hostname in my ovpn file whose subdomain matched the split string. Therefore, when ovpn tried to connect it would time out waiting for all the DNS servers to respond, so the initial connection could take as long as 60 seconds. Along with OTP (one time passwords) it’s not clear how reliable that would be. Instead of adding the hostname to the hosts file I added server=/HOST_FQDN/# where the # tells dnsmasq to send those requests to the default DNS server.

server=8.8.8.8
server=/example.com/1.2.3.4
server=/public.example.com/#

I prefer this solution instead of the hosts file because all the cruft is in one place.
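To see why the # line fixes PROBLEM #1, here is a small model of how dnsmasq picks an upstream for a query. This is an added example, not code from the post or from dnsmasq; it reproduces the two documented rules that matter here: a domain-specific server= line is chosen by longest domain match, and a # target sends that domain back to the default (non-domain) servers. The three config lines are the ones from the post; the query names are constructed.

```python
"""Model of which upstream dnsmasq forwards a query to, given server= lines.

Added example for this post; not code from the post or from dnsmasq. The
config text is the post's three lines; BROKEN_CONFIG is the same config
without the '#' line (the state in which PROBLEM #1 showed up).
"""
from typing import Dict, List, Tuple

FIXED_CONFIG = """
server=8.8.8.8
server=/example.com/1.2.3.4
server=/public.example.com/#
"""
BROKEN_CONFIG = """
server=8.8.8.8
server=/example.com/1.2.3.4
"""


def parse_servers(text: str) -> Tuple[List[str], Dict[str, str]]:
    """Return (default_servers, {domain: target}) from server= lines.

    A target is an IP, '#' (use the default servers) or '' (local-only:
    dnsmasq answers from /etc/hosts etc. and never forwards the domain).
    """
    default: List[str] = []
    by_domain: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("server="):
            continue  # blank lines, comments and other options are ignored here
        value = line[len("server="):]
        if not value.startswith("/"):
            default.append(value)
            continue
        # server=/dom1/dom2/target: every field between slashes is a domain
        parts = value.split("/")
        target = parts[-1]
        for domain in parts[1:-1]:
            if domain:
                by_domain[domain.lower().rstrip(".")] = target
    return default, by_domain


def upstream_for(name: str, default: List[str], by_domain: Dict[str, str]) -> List[str]:
    """Servers a query for `name` is forwarded to ([] means answered locally only)."""
    qname = name.lower().rstrip(".")
    best_domain, best_target = "", None
    for domain, target in by_domain.items():
        # a domain line covers the domain itself and everything beneath it
        if qname == domain or qname.endswith("." + domain):
            if len(domain) > len(best_domain):  # most specific domain wins
                best_domain, best_target = domain, target
    if best_target is None or best_target == "#":
        return list(default)
    if best_target == "":
        return []
    return [best_target]


def route_queries(config_text: str, names: List[str]) -> Dict[str, List[str]]:
    """Map each query name to the upstream list it would be sent to."""
    default, by_domain = parse_servers(config_text)
    return {n: upstream_for(n, default, by_domain) for n in names}


if __name__ == "__main__":
    names = ["public.example.com", "intranet.example.com", "example.org"]
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, route_queries(cfg, names))
```

With the broken config, public.example.com matches /example.com/ and is forwarded to 1.2.3.4, which only answers while the tunnel is up, so the lookup that OpenVPN needs before it can connect hangs until it times out. With the # line, the longer public.example.com match wins and the query goes to 8.8.8.8; intranet.example.com still goes to 1.2.3.4.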

In Review:

Finally,

sudo /usr/sbin/openvpn --config vpn/config.ovpn  --pull-filter ignore "register-dns" --pull-filter ignore redirect-gateway --script-security 2 --up $HOME/bin/vpn-up.sh
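The two --pull-filter options on that command line, and PROBLEMS #4 and #5 together, come down to what survives of the server's push. Below is an added example (not code from the post or from OpenVPN) that models the documented --pull-filter rule: each pushed option is compared against the filters in command-line order by prefix, the first match decides (accept, ignore or reject), and anything unmatched is accepted. It then checks which destinations would still leave through the tunnel once redirect-gateway is ignored, which is exactly the gap of PROBLEM #5. The pushed option list and the addresses are constructed, not taken from the post's VPN.

```python
"""Model of OpenVPN --pull-filter applied to a server push, plus the routing
consequence of ignoring redirect-gateway. Added example; not from the post
or from OpenVPN. SAMPLE_PUSH and all addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class PullFilter:
    action: str  # "accept", "ignore" or "reject"
    prefix: str  # compared against the start of the pushed option text


# The two filters from the post's final command line.
POST_FILTERS = [PullFilter("ignore", "register-dns"), PullFilter("ignore", "redirect-gateway")]

# Constructed sample push; a real server pushes whatever its admin configured.
SAMPLE_PUSH = [
    "redirect-gateway def1",
    "route 10.10.0.0 255.255.0.0",
    "route 10.20.0.0 255.255.0.0",
    "dhcp-option DNS 10.10.0.53",
    "register-dns",
]


def apply_pull_filters(pushed: List[str], filters: List[PullFilter]) -> Tuple[List[str], List[str]]:
    """Return (accepted, ignored). A 'reject' match aborts, as OpenVPN does."""
    accepted, ignored = [], []
    for opt in pushed:
        action = "accept"  # default when no filter matches
        for f in filters:
            if opt.startswith(f.prefix):
                action = f.action
                break  # first matching filter wins
        if action == "reject":
            raise ValueError(f"pushed option rejected, connection would fail: {opt!r}")
        (accepted if action == "accept" else ignored).append(opt)
    return accepted, ignored


def vpn_networks(accepted: List[str]) -> list:
    """Subnets that accepted 'route <net> [mask]' options point into the tunnel."""
    nets = []
    for opt in accepted:
        parts = opt.split()
        if len(parts) >= 2 and parts[0] == "route":
            mask = parts[2] if len(parts) >= 3 else "255.255.255.255"  # OpenVPN's default mask
            nets.append(ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False))
    return nets


def goes_via_vpn(ip: str, accepted: List[str]) -> bool:
    """True if traffic to `ip` would leave through the tunnel after the push."""
    if any(opt.startswith("redirect-gateway") for opt in accepted):
        return True  # default gateway moved to the tunnel: everything goes through it
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in vpn_networks(accepted))


if __name__ == "__main__":
    acc, ign = apply_pull_filters(SAMPLE_PUSH, POST_FILTERS)
    print("accepted:", acc)
    print("ignored: ", ign)
    for ip in ("10.10.5.5", "10.30.0.5", "8.8.8.8"):
        print(ip, "via VPN" if goes_via_vpn(ip, acc) else "via local gateway")
```

Run it and 10.10.5.5 goes via the VPN because a route for 10.10.0.0/16 was pushed, 8.8.8.8 stays on the local gateway (PROBLEM #4 solved), and 10.30.0.5 also stays on the local gateway because nobody pushed a route for it: with redirect-gateway ignored, a subnet the admin left out of the push is simply unreachable, which is PROBLEM #5. Drop the filters and the same address goes via the VPN again, at the cost of all traffic doing so.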