Hi

On Thu, Jul 2, 2020 at 1:08 PM Marco De Vitis <starl...@mdv.eu> wrote:

> Il 01/07/20 21:18, Selva Nair ha scritto:
>
> fwiw, try removing the pushed block-outside-dns by adding this to the
> client config:
>
> pull-filter ignore block-outside-dns
>
>
> Hi,
> I tried this and indeed it fixes the issue, Windows detects internet
> connectivity.
>
> But it introduces a different issue related to my company setup: we have
> internal servers which we need to reach by internal hostname (e.g.
> myhost.companyname) when using the VPN. But when I do not use
> block-outside-dns Windows tries to resolve them using external DNS servers,
> and this will fail.
>

Yes, removing block-outside-dns is not a real solution and could break
resolution of internal names as you see. Though I have setups where it
works fine with resolution via both interfaces and connection-specific
suffix set on the TAP interface.


>
> I tried setting the interface metrics to give a higher priority to the
> OpenVPN interface - and so hopefully to its DNS, but the behaviour did not
> change.
>
> At the moment it all seems to be working with the original VPN config
> (block-outside-dns) plus the following two additions by the network guys,
> but it's far from ideal:
>
>    1. The DNS of my LAN (i.e. my home router's IP) has been set as
>    default gateway for the OpenVPN interface. But I'll need to remember
>    changing it if I connect from elsewhere.
>
That looks like a strange setting but probably doesn't hurt.

>
>    2. The company firewall has been configured to allow traffic from the
>    VPN client range to Microsoft connectivity check IPs 131.107.255.255 and
>    13.107.4.52. But what if they change? (The firewall is usually configured
>    to block any traffic from VPN to external IPs, because the configured
>    routes should let this happen through the standard ethernet/wifi interface)
>
Such weakening of the server-side firewall shouldn't be required as you
are not sending any traffic to those IPs via the VPN.  When you use
block-outside-dns, the DNS server pushed must be ready to do all name
resolutions for you. If it's doing that, and in particular resolving those
dns.msftncsi.com etc. involved in NCSI, you should be good.

Probably Windows is doing something weird behind our backs. Have you tried
setting a direct route via your router to those two IPs on your machine
(instead of on the server-side firewall)? "route add 131.107.255.255 mask
255.255.255.255 192.168.1.1" etc.

Selva
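As an added example, not part of Marco's or Selva's mails: a Windows client-side config fragment that expresses the two ideas from this thread as OpenVPN directives rather than manual `route add` commands. It assumes the internal suffix is `companyname` (Marco's example) and that the server pushes a `dhcp-option DNS` entry for the internal resolver; the two addresses are the Microsoft connectivity-check IPs quoted above.

```conf
# Added example, not from the thread: Windows client-side config fragment.
#
# Option A: keep the pushed block-outside-dns, but send the two Microsoft
# connectivity-check addresses named in the thread via the physical
# interface instead of the tunnel. 'net_gateway' is OpenVPN's keyword for
# the default gateway that existed before the tunnel came up, so unlike a
# hard-coded 192.168.1.1 it does not need editing when connecting from
# a different LAN. No server-side firewall exception is needed for this.
route 131.107.255.255 255.255.255.255 net_gateway
route 13.107.4.52 255.255.255.255 net_gateway

# Option B (alternative; comment out Option A if you use this): drop the
# pushed block-outside-dns and rely on a connection-specific DNS suffix so
# that names under 'companyname' are sent to the pushed VPN DNS server.
# This only works if that server answers for the internal names, and
# Windows may still query the LAN resolver in parallel.
#pull-filter ignore block-outside-dns
#dhcp-option DOMAIN companyname
```

Option A keeps the stricter DNS setup and only moves the connectivity probes; check with `route print` after connecting that the two /32 entries point at the physical interface's gateway and not at the tunnel.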
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
