I have Arch running on a home server that works as our router, with iptables and dnsmasq. The interfaces are:
lo
enp0s6 - internet facing
enp0s4 - internal LAN
tun0 - VPN service
Whenever the TUN device is added, DNS stops working. IP addresses are still ping-able; ongoing connections stay up. The dnsmasq logs show DNS queries being forwarded out to my ISP's DNS servers, but no replies coming back in. dnsmasq is set to bind to my LAN-facing device (it provides DHCP as well):
domain-needed
bogus-priv
local=/xyz/1.1.1.1
interface=enp0s4
bind-interfaces
expand-hosts
domain=xyz.com
dhcp-range=1.1.1.10,1.1.1.250,72h
dhcp-host=00:26:db:00:30:7f,1.1.1.5
dhcp-host=00:16:6f:66:a9:c6,1.1.1.8
dhcp-host=00:01:2e:2c:9e:44,1.1.1.7
dhcp-host=00:21:79:c2:16:44,1.1.1.231
dhcp-option=vendor:MSFT,2,1i
dhcp-leasefile=/var/log/dnsmasq.leases
log-facility=/var/log/dnsmasq
log-queries
Iptables is set up for NAT for eth1, but the VPN will only be used on the server machine itself. Regardless, here's the config:
Chain INPUT (policy ACCEPT 12381 packets, 1998K bytes)
pkts bytes target prot opt in out source destination
2284K 127M ACCEPT all -- enp0s4 any anywhere anywhere
658 127K ACCEPT all -- lo any anywhere anywhere
755 62964 ACCEPT tcp -- enp0s6 any anywhere anywhere tcp dpt:225
185 12542 ACCEPT tcp -- enp0s6 any anywhere anywhere tcp dpt:http
97 6698 ACCEPT tcp -- enp0s6 any anywhere anywhere tcp dpt:https
39 1940 DROP tcp -- enp0s6 any anywhere anywhere tcp dpts:0:1023
23324 7458K DROP udp -- enp0s6 any anywhere anywhere udp dpts:0:1023
0 0 DROP udp -- enp0s6 any anywhere anywhere udp dpt:bootps
0 0 DROP udp -- enp0s6 any anywhere anywhere udp dpt:domain
0 0 DROP tcp -- enp0s6 any anywhere anywhere tcp dpt:ssh
0 0 DROP tcp -- enp0s6 any anywhere anywhere tcp dpt:netbios-ns
0 0 DROP tcp -- enp0s6 any anywhere anywhere tcp dpt:netbios-dgm
0 0 DROP tcp -- enp0s6 any anywhere anywhere tcp dpt:netbios-ssn
0 0 DROP tcp -- enp0s6 any anywhere anywhere tcp dpt:ipp
0 0 DROP tcp -- enp0s6 any anywhere anywhere tcp dpt:shilp
0 0 DROP udp -- enp0s6 any anywhere anywhere udp dpt:49152
4575K 2505M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- !enp0s6 any anywhere anywhere state NEW
Chain FORWARD (policy ACCEPT 4700K packets, 355M bytes)
pkts bytes target prot opt in out source destination
5821K 7708M ACCEPT all -- enp0s6 enp0s4 anywhere anywhere state RELATED,ESTABLISHED
0 0 REJECT all -- enp0s6 enp0s4 anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 6377K packets, 6126M bytes)
pkts bytes target prot opt in out source destination
I'm not sure why adding the TUN interface would break DNS. Any hints on where to start? The TUN device gets a 10.0.0.0/24 (or 16 or something) address.
You actually use 1.1.1.x for LAN? These are internet routable addresses and I suppose that they would be handled by the VPN route when connected.
Last edited by roentgen (2013-08-31 22:17:12)
Yeah, I did it for fun. Perhaps that's part of it. Let me see if I can get wireshark running on it. But I don't have any internal LAN problems that I know of, and traffic going in/out on already resolved addresses, as far as I can tell, still works.
Last edited by krovisser (2013-09-01 14:27:36)
It was the routing tables. Openvpn added another default via its subnet, which was failing. Openvpn seems to be set up by default to route all traffic through it, which is not what I want.
Removing its redirects of 0.0.0.0/1 and 128.0.0.0/1 (???) through tun0 allows my internet to work normally while the tun0 device is up. So now I'm reading up on how to configure this all, which is pretty complicated so far.
Last edited by krovisser (2013-09-02 20:25:21)
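The two /1 routes the last post mentions are how OpenVPN's redirect-gateway overrides the default route without replacing the "default" entry, so `ip route` still looks normal at first glance. The script below is an added example (not from the thread or from OpenVPN) that parses `ip route show` output and reports when both halves of the address space leave through a different interface than the real default; the route lines, the 203.0.113.x uplink and the 10.8.0.x tunnel addresses are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `ip route show` on a router whose VPN client has
# pushed the two half-default routes (0.0.0.0/1 and 128.0.0.0/1) via tun0.
# All addresses here are made up for the example.
SAMPLE_ROUTES='default via 203.0.113.1 dev enp0s6
0.0.0.0/1 via 10.8.0.5 dev tun0
128.0.0.0/1 via 10.8.0.5 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
203.0.113.0/24 dev enp0s6 proto kernel scope link src 203.0.113.7
1.1.1.0/24 dev enp0s4 proto kernel scope link src 1.1.1.1'

# Print the device carrying BOTH /1 halves (the effective default path),
# or "none" if the halves are absent or point at different devices.
split_default_dev() {
    printf '%s\n' "$1" | awk '
        $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" {
            for (i = 1; i <= NF; i++) if ($i == "dev") dev[$1] = $(i + 1)
        }
        END {
            if (dev["0.0.0.0/1"] != "" && dev["0.0.0.0/1"] == dev["128.0.0.0/1"])
                print dev["0.0.0.0/1"]
            else
                print "none"
        }'
}

# Return 0 (true) when the /1 halves steer traffic away from the interface
# that holds the "default" route, 1 otherwise.
default_hijacked() {
    real=$(printf '%s\n' "$1" | awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }')
    eff=$(split_default_dev "$1")
    [ "$eff" != "none" ] && [ "$eff" != "$real" ]
}

# Stand-alone run against the constructed table; on a live box you would
# pass "$(ip route show)" instead.
if default_hijacked "$SAMPLE_ROUTES"; then
    echo "effective default route is via $(split_default_dev "$SAMPLE_ROUTES"), not the uplink"
fi
```

If a client should not accept pushed routes at all, OpenVPN's own `route-nopull` client option stops it from installing them, which avoids the manual route removal described above.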