Posts: 471 | Thanked: 136 times | Joined on Jan 2009 @ Virginia, USA
#1
I'm having a problem with openvpn on my N810. I have openvpn running on my firewall at home, and have been able to connect to it for a long time. The N810 can still connect, but once I do, it breaks DNS. I believe I have udhcpd misconfigured, and would appreciate any help anyone could provide.

When the VPN is off, I can surf to sites normally, but I have blocked my internal network to external traffic (except openvpn). DNS resolves as expected.

When I connect to the VPN, I cannot use my internal DNS, although I have a
Code:
push "dhcp-option DNS 192.168.0.50"
which is the internal DNS. I can still get to sites on the internet, but nothing internal.

I did modify /etc/dnsmasq.conf and added
Code:
resolv-file=/tmp/resolv.conf.tun0
but I do not see this file being created in /tmp. (I was hoping that this directive, combined with the dhcp-option on the VPN server, would create said file.)

Can someone help me figure this out?

Thanks,
--vr
 
deadmalc
Posts: 415 | Thanked: 182 times | Joined on Nov 2007 @ Leeds UK
#2
Originally Posted by VulcanRidr View Post
I can still get to sites on the internet, but nothing internal.
--vr
Are you sure it's dns that is a problem?
Could it be that your openvpn network at home is using the same network that you are on when you connect to it?

e.g. if your home network is 192.168.0.0/24 and your office network is 192.168.0.0/24 then you are going to have problems.

If you are using openvpn from multiple locations it is better to have your home network as something more obscure that is less likely to conflict.
e.g. 192.168.232.232/29
__________________
Life on the edge....always waiting to fall
 
aboaboit
Posts: 129 | Thanked: 60 times | Joined on Jul 2009 @ Castello d'Argile (BO)
#3
Originally Posted by VulcanRidr View Post
I'm having a problem with openvpn on my N810. I have openvpn running on my firewall at home, and have been able to connect to it for a long time. The N810 can still connect, but once I do, it breaks DNS. I believe I have udhcpd misconfigured, and would appreciate any help anyone could provide.
Have a look here:
http://blog.andrea.borgia.bo.it/2009...n-on-kamikaze/

I've had similar problems when setting up my firewall: if you explicitly tell the dns server on the firewall which interfaces it should listen on, then the vpn interface must be dealt with manually, i.e. by restarting the dns server with a different commandline once the vpn server has been started.

Have you tried with a different host? (meaning, are you sure the problem is limited to the N810 and its openvpn?)
 
Posts: 471 | Thanked: 136 times | Joined on Jan 2009 @ Virginia, USA
#4
Originally Posted by deadmalc View Post
Are you sure it's dns that is a problem?
Could it be that your openvpn network at home is using the same network that you are on when you connect to it?

e.g. if your home network is 192.168.0.0/24 and your office network is 192.168.0.0/24 then you are going to have problems.

If you are using openvpn from multiple locations it is better to have your home network as something more obscure that is less likely to conflict.
e.g. 192.168.232.232/29
My internal network is something like 192.168.123.0/24. I am on a different network segment.

Besides, I can get to all of the internal machines using their IP addresses across the VPN.
 
Posts: 10 | Thanked: 0 times | Joined on Sep 2009 @ UK
#5
I've usually seen the resolvconf package used to update /etc/resolv.conf. Do you have client hooks in place for that to happen?
 
allnameswereout
Posts: 3,397 | Thanked: 1,212 times | Joined on Jul 2008 @ Netherlands
#6
(I assume you connect to your VPN while roaming from your WAN interface instead of from your LAN interface. I also assume you do not change your default route. I also assume you run OpenVPN on default port.)

Yes, OpenVPN's /etc/openvpn/update-resolv-conf uses /sbin/resolvconf

I don't know your network topology and routing, but I'd first consider the following scenario: your N810 has a default route. You have internal DNS names in your LAN. Your N810 wants to do a DNS lookup of your internal network (e.g. webserver.lan; or heck, it might use Bonjour for *.local, which by default uses the default route too) to know the IP address you want to connect to. It tries this via the default route using your ISP's DNS server, which cannot resolve e.g. webserver.lan.

You can solve this in 4 ways: tell dnsmasq it should use a specific DNS server to resolve certain hostnames (such as *.lan), or forward (i.e. IPT) all DNS traffic to the tun device. You can also just add a default route to your VPN endpoint (i.e. 10.0.0.1). Or you could add a route to your DNS servers over e.g. eth0 or wlan0, e.g. route add 192.168.1.1 dev eth0

If you add a default route to remote VPN (with --redirect-gateway) you will have to use a DNS server reachable from that remote VPN. Such as your internal one. You can push this. In theory, you should be able to use a private range like 192.168.0.0/24 to use local DNS but IIRC this doesn't work on WiFi in combination with tun driver and this was fixed in recent Linux kernel. Not sure, it was something like that... does your firewall do any bridging?

which is the internal DNS. I can still get to sites on the internet, but nothing internal
What kind of error do you get in your browser? "Cannot get to sites on the internet, but nothing internal" is vague since it doesn't tell us in which layer or protocol stuff goes wrong. You try to use a web browser to access an internal HTTP server? Before you test a web browser with the HTTP protocol, try to pinpoint the problem using less complex programs and protocols.

If the VPN is enabled, can you ping 192.168.0.50? I recommend checking your firewall log, or running a packet sniffer on the remote OpenVPN interface (i.e. tun0). You also need ip_forwarding for IPv4 turned on via sysctl and NAT enabled (because 192.168.0.50 and OpenVPN's tun0 interface aren't in the same range). You could also run a packet sniffer on the N810's tun0 to check where the DNS (and HTTP) traffic is going to.

Bottom line is: because of the complexity it's important to find out if this is a firewall or a routing issue!

Originally Posted by aboaboit View Post
if you explicitly tell the dns server on the firewall which interfaces it should listen on, then the vpn interface must be dealt with manually, i.e. by restarting the dns server with a different commandline once the vpn server has been started.
Yes, that is because the DNS server first binds to the interfaces specified, while the tun or tap interface is only used after OpenVPN is fired up (even though the driver is loaded and it's defined and given an IP address in e.g. /etc/networking/interfaces). So the DNS server never knew about that interface and IP address. You can solve that by bringing up OpenVPN first (but then OpenVPN cannot use the local DNS server right away).

Also, from the quoted text it isn't clear whether a DNS server runs on the same computer as the OpenVPN server or the firewall, nor whether OpenVPN runs on port 53.
__________________
Goosfraba! All text written by allnameswereout is public domain unless stated otherwise. Thank you for sharing your output!

Last edited by allnameswereout; 2009-09-25 at 17:38.
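allnameswereout's advice boils down to one check: does the DNS server the OP pushes (192.168.0.50) actually leave the N810 through the tunnel, or does it fall through to the default route and get answered (or dropped) by the local WLAN? The script below is an added example, not code from anyone in this thread; it runs that check offline against a constructed `ip route`-style table by picking the longest-prefix match for a destination and reporting the outgoing device. The route lines, the 10.8.0.0/24 tunnel subnet and the function names are this example's own assumptions; on a real client you would pipe in the output of `ip route show` instead, which the parser accepts because it only looks at the first field and the word after `dev`.

```shell
#!/bin/sh
# Routing check for a pushed DNS server (added example; not from anyone in this thread).
# Given an ip-route-style table on stdin, route_for prints the device that the
# longest-prefix-matching route would send a destination out of.

# Constructed sample table (not the OP's N810): a 10.8.0.0/24 tunnel, the home LAN
# routed over it, and a local WLAN that owns the default route.
SAMPLE_ROUTES='10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.123.0/24 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20
default via 192.168.1.1 dev wlan0'

# route_for DEST: read routes on stdin, print the outgoing device of the best match
# (empty output means no route matched, not even a default one).
route_for() {
    awk -v dst="$1" '
        function toint(a,   p) { split(a, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
        # network part of an address under a prefix length (bits == 0 matches everything)
        function prefix(n, bits) { return bits == 0 ? 0 : int(n / 2^(32 - bits)) }
        BEGIN { best = -1; bestdev = "" }
        {
            if ($1 == "default") { net = "0.0.0.0"; bits = 0 }
            else { n = split($1, np, "/"); net = np[1]; bits = (n > 1) ? np[2] + 0 : 32 }
            dev = ""
            for (i = 2; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
            if (prefix(toint(dst), bits) == prefix(toint(net), bits) && bits > best) {
                best = bits; bestdev = dev
            }
        }
        END { print bestdev }'
}

# check_dns_route DNS_IP ROUTES: return 0 if DNS_IP leaves via a tun/tap device, 1 otherwise.
check_dns_route() {
    dev="$(printf '%s\n' "$2" | route_for "$1")"
    case "$dev" in
        tun*|tap*) echo "$1 is reached via $dev (inside the VPN)"; return 0 ;;
        "")        echo "$1 has no route at all"; return 1 ;;
        *)         echo "$1 leaves via $dev, not the VPN: push a route covering it, or push a DNS server that sits inside a routed subnet"; return 1 ;;
    esac
}

# Demo: the OP's pushed 192.168.0.50 versus a server inside the routed 192.168.123.0/24.
# '|| :' keeps the script's own exit status at 0 when the first check reports a problem.
check_dns_route 192.168.0.50 "$SAMPLE_ROUTES" || :
check_dns_route 192.168.123.50 "$SAMPLE_ROUTES" || :
```

With the sample table the first check fails and the second passes, which is exactly the situation the thread hints at: the OP's internal network is "something like 192.168.123.0/24", yet the pushed resolver is 192.168.0.50, so unless a route for 192.168.0.0/24 is also pushed the queries never enter the tunnel and no resolv.conf trick will help. A packet sniffer on tun0, as suggested above, would show the same thing, but this check needs no root and works from a saved `ip route` dump.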
 
aboaboit
Posts: 129 | Thanked: 60 times | Joined on Jul 2009 @ Castello d'Argile (BO)
#7
Originally Posted by allnameswereout View Post
Yes, OpenVPN's /etc/openvpn/update-resolv-conf uses /sbin/resolvconf
AFAIK resolvconf is not available in Maemo, at least not in Diablo.

My OpenVPN package includes a script that makes a token effort to update the configuration, i.e. it saves the old file, rewrites it with the info coming from the server and later restores it (no fancy editing like /sbin/resolvconf does!)

Of course you need to enable it.
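The OP's `resolv-file=/tmp/resolv.conf.tun0` line only tells dnsmasq where to look; nothing creates that file, because an OpenVPN client on Linux does not apply pushed `dhcp-option` lines itself. It hands them to its `--up`/`--down` hook scripts as the environment variables `foreign_option_1`, `foreign_option_2`, ... (for example `foreign_option_1="dhcp-option DNS 192.168.0.50"`) and sets `script_type` to `up` or `down`. The hook below is an added example, not the OP's config, the Maemo OpenVPN package's script or stock OpenVPN's `update-resolv-conf`; it does the "token effort" aboaboit describes in a way that fits the OP's dnsmasq setup, writing those variables out as a resolver file on `up` and removing it on `down`, without rewriting or needing to restore /etc/resolv.conf. The /tmp path comes from the thread; `RESOLV_OUT` and the function names are this example's own.

```shell
#!/bin/sh
# OpenVPN client up/down hook (added example; not the OP's config or the Maemo package's script).
# OpenVPN exports every pushed "dhcp-option" as foreign_option_1, foreign_option_2, ...
# e.g. foreign_option_1="dhcp-option DNS 192.168.0.50", and sets script_type to "up" or "down".

# File that dnsmasq reads through its 'resolv-file=' directive (path taken from the thread);
# RESOLV_OUT itself is this example's own variable so the path can be overridden for testing.
RESOLV_OUT="${RESOLV_OUT:-/tmp/resolv.conf.tun0}"

# collect_dns: print one resolv.conf line per pushed DNS/DOMAIN option; other options are ignored.
collect_dns() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        # Split "dhcp-option DNS 192.168.0.50" into $1 $2 $3 (the function's own positional parameters)
        set -- $opt
        if [ "$1" = "dhcp-option" ] && [ -n "$3" ]; then
            case "$2" in
                DNS)    echo "nameserver $3" ;;
                DOMAIN) echo "search $3" ;;
            esac
        fi
        i=$((i + 1))
    done
}

# vpn_up: write the resolver file atomically (temp file + rename) so dnsmasq never reads a half-written
# file. If the server pushed no DNS at all, say so on stderr (it lands in the OpenVPN log) and write nothing.
vpn_up() {
    dns="$(collect_dns)"
    if [ -z "$dns" ]; then
        echo "vpn-dns: server pushed no dhcp-option DNS; $RESOLV_OUT left untouched" >&2
        return 0
    fi
    printf '%s\n' "$dns" > "$RESOLV_OUT.tmp" && mv "$RESOLV_OUT.tmp" "$RESOLV_OUT"
}

# vpn_down: remove the file so dnsmasq falls back to whatever other resolv-file it was given.
vpn_down() {
    rm -f "$RESOLV_OUT" "$RESOLV_OUT.tmp"
}

# OpenVPN tells the hook which event it is running; with no script_type (manual run) do nothing.
case "${script_type:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

Hook it in with `up /etc/openvpn/vpn-dns.sh` and `down /etc/openvpn/vpn-dns.sh` in the client config (OpenVPN 2.1 and later also require `script-security 2` before they will run an external script), and keep `resolv-file=/etc/resolv.conf` alongside `resolv-file=/tmp/resolv.conf.tun0` in dnsmasq.conf: with only the /tmp file configured, dnsmasq has no upstream server at all while the tunnel is down. dnsmasq re-reads a resolv-file when its modification time changes and, when several are configured, uses the most recently modified one, so the VPN file takes over for as long as it exists and the ISP resolver comes back as soon as `down` deletes it. A separate file also means a crash of the VPN client leaves /etc/resolv.conf intact, which is the failure case that save-and-restore scripts get wrong.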
 