I got a requirement to enable split tunneling for our work OpenVPN AS server.

This also includes having a "split DNS" configuration where traffic for some internal/public company domains should go through the VPN server.

e.g. the company domain is example.com and xyz.example.com traffic should go through the VPN.

What's not working?

It seems like the traffic still goes through my local network rather than the VPN network, even though it's whitelisted.

Confirmed it by using traceroute / visiting https://whatismyipaddress.com (when it's whitelisted).

My setup

(local)

  • MacOS Ventura 13.0
  • OpenVPN client v3.4.1

(remote)

  • EC2 Instance (ubuntu-focal-20.04-amd64-server-20230207 AMI)
  • OpenVPN access server v2.12.3

My config so far

Routing

[screenshot of the Routing settings page]

DNS settings

[screenshot of the DNS settings page]

  • You should specify the client platforms tested, because some platforms perform DNS queries in parallel against all servers by default. openvpn.net/vpn-server-resources/…
    – Greg Askew
    Commented Nov 26, 2023 at 14:41
  • @GregAskew added. Commented Nov 26, 2023 at 14:56
  • @GregAskew any chance you have an idea? Commented Nov 28, 2023 at 8:57
  • Shouldn't the "DNS resolution zones" contain instead "example.com" (and only that)? Commented Nov 28, 2023 at 15:46
  • @OlivierDulac I don't think so, as you can see in the screenshot: "specify a comma-separated list of internal ..." Commented Nov 28, 2023 at 15:58

1 Answer

You write that your setup requires split DNS, which means that when connected to your VPN, the hostname xyz.example.com should resolve to an internal IP which is included inside your VPN configuration. For this to work, you must have a special DNS server, which is reachable through your VPN, and that DNS server must be pushed to all your clients connecting.

Here are the steps required to pinpoint the problem:

  • while connected to your VPN, execute ping xyz.example.com to see if:
    1. the hostname resolves to the internal IP address
    2. the ping works and the server is actually reachable - to test if the internal IP address is included in the VPN definition. Don't forget to ping the internal IP address manually, if the DNS resolution is not working - you also must make sure that the VPN is working as intended!
  • if the hostname does not resolve to the internal IP address, execute host xyz.example.com 1.2.3.4 where 1.2.3.4 is the IP address of your internal DNS server.

Depending on the outcome of this command:

  • if the above command does not resolve this name to the internal IP, check the configuration of your internal DNS server.
  • if the host command gives a timeout, you probably need to include the DNS IP inside your VPN definition.
  • if the command correctly returns the internal IP address, you need to check your VPN configuration to ensure that the internal DNS server is pushed to the client and actually replaces the one your client has been using! (check /etc/resolv.conf on your mac!)

I am pretty sure you will find the issue with these steps.

  • Makes sense, thanks! Commented Nov 29, 2023 at 15:38
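The three checks in the answer (what the system resolver returns, what the internal DNS server returns when asked directly, and whether that server is the one the client was actually pushed) can be scripted so the result of each run is a single diagnosis instead of three commands to compare by eye. The script below is an added example written for this thread, not code from the original answer or from OpenVPN. It sends a raw DNS A query with the standard library (the equivalent of `host name server`), parses the reply, reads the nameserver lines from a resolv.conf, and then applies the answer's decision tree. The internal DNS address 10.8.0.1, the VPN subnet 10.8.0.0/24 and the hostname xyz.example.com are constructed placeholders; replace them with your own values on the command line.

```python
#!/usr/bin/env python3
"""Split-DNS diagnosis for an OpenVPN client (added example, not from the thread).

Step 1: what does the system resolver return for the hostname?
Step 2: what does the internal DNS server return when queried directly?
Step 3: is that server listed in resolv.conf (i.e. was the DNS push applied)?
All addresses and names used as defaults below are constructed placeholders.
"""
import ipaddress
import random
import socket
import struct


def build_query(name, txid):
    """Build a minimal DNS query: one A/IN question, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += length + 1


def parse_a_records(msg, txid):
    """Return the IPv4 addresses in a DNS reply; [] on NXDOMAIN or no answers."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: reply is not for our query")
    if flags & 0x000F:  # RCODE != 0, e.g. NXDOMAIN (3) or SERVFAIL (2)
        return []
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def query_a(server, name, timeout=3.0):
    """Ask one DNS server directly over UDP, like `host name server`."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def nameservers(resolv_conf_text):
    """Extract the server addresses from `nameserver` lines of a resolv.conf."""
    out = []
    for line in resolv_conf_text.splitlines():
        parts = line.split()
        if len(parts) > 1 and parts[0] == "nameserver":
            out.append(parts[1])
    return out


def diagnose(system_addrs, internal_addrs, internal_dns, resolv_ns, vpn_subnet):
    """Apply the answer's decision tree. internal_addrs is None on timeout."""
    net = ipaddress.ip_network(vpn_subnet)
    if internal_addrs is None:
        return "internal DNS unreachable: push a route for its IP in the VPN definition"
    if not internal_addrs:
        return "internal DNS does not know the name: check the internal DNS server config"
    if internal_dns not in resolv_ns:
        return "internal DNS answers correctly but is not in resolv.conf: check the DNS push"
    if any(ipaddress.ip_address(a) in net for a in system_addrs):
        return "split DNS working: the name resolves to an address inside the VPN subnet"
    return "internal DNS is listed but the system still returns another address: check resolver order"


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "xyz.example.com"   # placeholder
    internal_dns = sys.argv[2] if len(sys.argv) > 2 else "10.8.0.1"   # placeholder
    subnet = sys.argv[3] if len(sys.argv) > 3 else "10.8.0.0/24"      # placeholder
    try:
        system_addrs = [ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)]
    except socket.gaierror:
        system_addrs = []
    try:
        internal_addrs = query_a(internal_dns, name)
    except OSError:  # includes socket.timeout
        internal_addrs = None
    with open("/etc/resolv.conf") as fh:
        pushed = nameservers(fh.read())
    print("system resolver:", system_addrs)
    print("internal DNS   :", internal_addrs)
    print("resolv.conf ns :", pushed)
    print("diagnosis      :", diagnose(system_addrs, internal_addrs, internal_dns, pushed, subnet))
```

Run it while connected to the VPN as `python3 splitdns_check.py xyz.example.com <internal-dns-ip> <vpn-subnet>`. The last branch of `diagnose` covers the case the first comment raises: a platform that queries all configured servers in parallel can list the internal server and still return the public answer first. On macOS, `scutil --dns` shows the resolver order and per-domain resolvers the system actually uses, which is more reliable than /etc/resolv.conf alone.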
