Traffic Log of OpenVPN tunnel

Hi,

I am debugging a DNS issue where I have split DNS and my clients are getting back empty answers (answer section empty) for a query on the forwarded domain. Here is my (anonymized) DNS configuration:

Here a tcpdump between client and the Teltonika device:

tcpdump -v -i eth0 -np not tcp port 22
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:50:51.833783 IP (tos 0x0, ttl 64, id 38896, offset 0, flags [none], proto UDP (17), length 61)
172.22.26.10.44761 > 172.22.26.1.53: 33383+ A? doesnotexist.example.com. (33)
11:50:51.860567 IP (tos 0x0, ttl 64, id 15277, offset 0, flags [DF], proto UDP (17), length 110)
172.22.26.1.53 > 172.22.26.10.44761: 33383 NXDomain* 0/1/0 (82)
11:50:59.466052 IP (tos 0x0, ttl 64, id 6736, offset 0, flags [DF], proto UDP (17), length 70)
172.22.26.10.46269 > 172.22.26.1.53: 40774+ A? exists.example.com. (32)
11:51:01.567313 IP (tos 0x0, ttl 64, id 16108, offset 0, flags [DF], proto UDP (17), length 60)
172.22.26.1.53 > 172.22.26.10.46269: 40774* 0/0/0 (32)
11:51:01.567571 IP (tos 0x0, ttl 64, id 50688, offset 0, flags [none], proto UDP (17), length 60)

I am a bit astonished that the Teltonika Device looks like it knows which hosts do exist in example.com and which don’t, but when I tcpdump on the far side on the OpenVPN link where the DNS server is found, I don’t see any traffic. From where does the Teltonika Router find that information?

That being said, I’d love to be able to enable traffic logging on an OpenVPN tunnel.

How can I do that?

Greetings, Marc Haber

Hi, Marc,

Could you please clarify what you are trying to achieve exactly?

You could tcpdump OpenVPN interface traffic into a file to later read it: tcpdump -i tun_c_name -w /tmp/openvpn_traffic.pcap

Your interface name might be different than tun_c_name, so keep that in mind.

A colleague of mine also suggested using a custom OpenWRT package called darkstat.

Regards,
M.

I wanted to avoid logging in to the CLI since I am at a conference and don’t want to type the password, but I then remembered that the Teltonika has ssh (where I can paste the password).

The diagnosis is that I tcpdumped wrong on the OpenVPN Gateway. When I tcpdump on the Teltonika Device itself, I see it asking the forwarder, and receiving a correct answer:

12:59:54.051738 IP 10.242.4.154.48227 > 192.168.2.42.53: 53006+ A? exists.example.com. (34)
12:59:54.076794 IP 192.168.2.42.53 > 10.242.4.154.48227: 53006*- 1/2/1 A 192.168.2.42 (101)
12:59:54.078612 IP 10.242.4.154.43602 > 192.168.2.42.53: 50753+ AAAA? exists.example.com. (34)
12:59:54.104379 IP 192.168.2.42.53 > 10.242.4.154.43602: 50753*- 0/1/0 (76)

and then returns an empty answer to the actual client:

13:59:53.498952 IP 172.22.26.10.33745 > 172.22.26.1.53: 15713+ A? exists.example.com. (34)
13:59:53.525483 IP 172.22.26.1.53 > 172.22.26.10.33745: 15713* 0/0/0 (34)
13:59:53.525736 IP 172.22.26.10.52172 > 172.22.26.1.53: 9440+ AAAA? exists.example.com (34)
13:59:53.552796 IP 172.22.26.1.53 > 172.22.26.10.52172: 9440* 0/1/0 (76)

What is going on here? I tried playing with the settings on the “Advanced” Tab of the DNS configuration but that didn’t work.

Greetings, Marc Haber

Hello,

Could you first try to disable DNS Rebind protection under Network → DNS?

This allows dnsmasq to forward and return local/private IP answers (192.168.x.x, 10.x.x.x, etc.) for your split DNS domains.

If that doesn’t help, please also try to disable Filter private and Localise queries under the advanced settings:

Regards,
M.
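To show what the captures in this thread look like when rebind protection is the cause, here is an added example (not from the original posts or from Teltonika): it pairs tcpdump DNS summary lines by transaction id and flags names for which the forwarder returned only private addresses while the client received an empty answer section, which is what dnsmasq's rebind protection produces. The sample lines are constructed after the captures above.

```python
import ipaddress
import re

# Constructed sample lines in tcpdump's DNS summary format, modelled on the
# captures posted in this thread (upstream side and client side).
UPSTREAM = [
    "12:59:54.051738 IP 10.242.4.154.48227 > 192.168.2.42.53: 53006+ A? exists.example.com. (34)",
    "12:59:54.076794 IP 192.168.2.42.53 > 10.242.4.154.48227: 53006*- 1/2/1 A 192.168.2.42 (101)",
]
CLIENT = [
    "13:59:53.498952 IP 172.22.26.10.33745 > 172.22.26.1.53: 15713+ A? exists.example.com. (34)",
    "13:59:53.525483 IP 172.22.26.1.53 > 172.22.26.10.33745: 15713* 0/0/0 (34)",
]

# "<id>+ <type>? <name>. (<len>)" for queries; "<id>[ NXDomain]*[-] a/n/ad <rrs> (<len>)" for replies
QUERY = re.compile(r": (\d+)\+ (A|AAAA)\? (\S+) \(")
REPLY = re.compile(r": (\d+)(?: NXDomain)?\*?-? (\d+)/(\d+)/(\d+)(.*?) \(\d+\)\s*$")


def parse_dns(lines):
    """Pair query and reply summary lines by transaction id.
    Returns {(name, qtype): [answer addresses]} (empty list = empty answer section)."""
    pending, result = {}, {}
    for line in lines:
        q = QUERY.search(line)
        if q:
            pending[q.group(1)] = (q.group(3).rstrip("."), q.group(2))
            continue
        r = REPLY.search(line)
        if r and r.group(1) in pending:
            key = pending.pop(r.group(1))
            result[key] = re.findall(r"(?:A|AAAA) ([0-9a-fA-F.:]+)", r.group(5))
    return result


def rejected_by_rebind_protection(ips):
    """Addresses that dnsmasq's rebind protection (stop-dns-rebind) refuses to
    pass on: anything in private address space returned by an upstream server."""
    return [ip for ip in ips if ipaddress.ip_address(ip).is_private]


def diagnose(upstream_lines, client_lines):
    """Names where the forwarder answered only with private addresses and the
    client got back an empty answer section: the signature of rebind protection."""
    up, down = parse_dns(upstream_lines), parse_dns(client_lines)
    return sorted(
        name for (name, qtype), ips in up.items()
        if ips and rejected_by_rebind_protection(ips) == ips
        and down.get((name, qtype)) == []
    )
```

Adding the forwarded domain to dnsmasq's rebind exception list (the "Rebind domain whitelist" in the Teltonika UI, `rebind-domain-ok` in dnsmasq terms) keeps protection on for everything else; that option is an assumption about the UI, not something confirmed in this thread.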

Disabling Rebind Protection did the thing. That was the one option I had ruled out as interfering here and therefore didn’t try. The hint to disable rebind protection when using custom redirects should go into the docs.

And, there should be a better method to log VPN traffic short of logging in to the CLI. That method is there for the LAN; it should be available for all physical and logical interfaces.

Greetings, Marc
