Networking
Can't get client to pass DNS queries through the openVPN tunnel
I can't get my openVPN client computer (Windows 10) to pass DNS queries through the VPN tunnel.
I am pushing 10.0.0.1 as the DNS server, and the VPN connection shows it as the DNS server for that connection.

Ethernet adapter Ethernet 3:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Apple Mobile Device Ethernet
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 172.20.10.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.240
   Lease Obtained. . . . . . . . . . : 03 September 2015 09:55:59
   Lease Expires . . . . . . . . . . : 04 September 2015 12:05:04
   Default Gateway . . . . . . . . . : 172.20.10.1
   DHCP Server . . . . . . . . . . . : 172.20.10.1
   DNS Servers . . . . . . . . . . . : 172.20.10.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Win32 Adapter V9
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.8.0.4(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 03 September 2015 11:25:47
   Lease Expires . . . . . . . . . . : 02 September 2016 12:19:32
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.8.0.254
   DNS Servers . . . . . . . . . . . : 10.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
The connection creates this routing table:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.20.10.1      172.20.10.2     20
          0.0.0.0        128.0.0.0         10.8.0.1         10.8.0.4     31
         10.0.0.0    255.255.255.0         10.8.0.1         10.8.0.4     31
         10.8.0.0    255.255.255.0          On-link         10.8.0.4    286
         10.8.0.4  255.255.255.255          On-link         10.8.0.4    286
       10.8.0.255  255.255.255.255          On-link         10.8.0.4    286
   **.***.***.***  255.255.255.255      172.20.10.1      172.20.10.2     21  <-- Public VPN Address
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255          On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255          On-link        127.0.0.1    306
        128.0.0.0        128.0.0.0         10.8.0.1         10.8.0.4     31
      172.20.10.0  255.255.255.240          On-link      172.20.10.2    276
      172.20.10.2  255.255.255.255          On-link      172.20.10.2    276
     172.20.10.15  255.255.255.255          On-link      172.20.10.2    276
        224.0.0.0        240.0.0.0          On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0          On-link         10.8.0.4    286
        224.0.0.0        240.0.0.0          On-link      172.20.10.2    276
  255.255.255.255  255.255.255.255          On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255          On-link         10.8.0.4    286
  255.255.255.255  255.255.255.255          On-link      172.20.10.2    276
===========================================================================
Server config file:
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-server
tls-auth ta.key 0
dev tun
local 10.0.0.250
port 1194
proto udp
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.0.0.1"
keepalive 10 120
cipher BF-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
ifconfig-pool-persist ipp.txt
status openvpn-status.log
log openvpn.log
verb 6
The nslookup results are as follows:
C:\Windows\system32>nslookup alpha.intranet.app
Server:  UnKnown
Address:  172.20.10.1

Non-authoritative answer:
Name:    alpha.intranet.app
Address:  127.0.53.53
However, forcing nslookup to use the desired DNS server results in:
C:\Windows\system32>nslookup alpha.intranet.app 10.0.0.1
Server:  lan.router
Address:  10.0.0.1

Non-authoritative answer:
Name:    alpha.intranet.app
Address:  10.0.0.251
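If I manually change the DNS server for Ethernet adapter Ethernet 3 to 10.0.0.1, then nslookup works without forcing the DNS server, and my intranet pages load fine. Any ideas as to why the physical connection's DNS server takes priority over the VPN's, and how to change that?
Thanks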
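I found a set of scripts at dnsleaktest.com which removes any existing DNS resolver links before the tunnel is created, and adds the link for the VPN connection. It also reverses this once the connection is closed.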
Just add
block-outside-dns
to your config file (the one you choose), which can be found here:
C:\Program Files\OpenVPN\config
on Windows.
Or from the system tray: click Edit Config, then add
block-outside-dns
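An added example, not part of the original question or answers: a Python check that parses `ipconfig /all` and `nslookup` output like the question's and reports when a lookup was answered by a resolver that does not belong to the VPN adapter. The sample text is constructed from the question's output; the function names and the `vpn_hint` match on "TAP-" are assumptions of this example, and the parser handles IPv4 DNS servers only.

```python
import re

# Constructed sample input: abridged copies of the outputs shown in the question.
IPCONFIG = """\
Ethernet adapter Ethernet 3:
   Description . . . . . . . . . . . : Apple Mobile Device Ethernet
   DNS Servers . . . . . . . . . . . : 172.20.10.1
Ethernet adapter Ethernet 2:
   Description . . . . . . . . . . . : TAP-Win32 Adapter V9
   DNS Servers . . . . . . . . . . . : 10.0.0.1
"""
NSLOOKUP_LEAK = "Server:  UnKnown\nAddress:  172.20.10.1\n\nName:    alpha.intranet.app\nAddress:  127.0.53.53\n"
COLLISION = "127.0.53.53"  # ICANN name-collision "controlled interruption" answer


def adapter_dns(ipconfig_text):
    """Map adapter name -> {field: [values]} parsed from `ipconfig /all` text."""
    adapters, current, last_key = {}, None, None
    for line in ipconfig_text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current, last_key = adapters.setdefault(line.rstrip()[:-1], {}), None
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            last_key = key.strip(" .")
            current[last_key] = [v for v in [value.strip()] if v]
        elif current is not None and last_key and line.strip():
            current[last_key].append(line.strip())  # extra servers sit on continuation lines
    return adapters


def nslookup_result(text):
    """Return (resolver_ip, [answer_ips]); the first Address line is the resolver itself."""
    ips = re.findall(r"^Address(?:es)?:\s*(\S+)", text, re.M)
    return ips[0], ips[1:]


def check_dns_leak(ipconfig_text, nslookup_text, vpn_hint="TAP-"):
    """Return findings; an empty list means the lookup went to the VPN adapter's DNS."""
    adapters = adapter_dns(ipconfig_text)
    vpn_dns = {ip for a in adapters.values()
               if vpn_hint in " ".join(a.get("Description", []))
               for ip in a.get("DNS Servers", [])}
    resolver, answers = nslookup_result(nslookup_text)
    findings = []
    if resolver not in vpn_dns:
        owners = [n for n, a in adapters.items() if resolver in a.get("DNS Servers", [])]
        findings.append(f"resolver {resolver} is from {owners or 'an unknown adapter'}, not the VPN adapter")
    if COLLISION in answers:
        findings.append(f"answer {COLLISION} is the ICANN name-collision marker, so the query reached public DNS")
    return findings
```

Run against the question's first nslookup output this returns two findings; against the output where 10.0.0.1 answered, it returns an empty list.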