
#1 2016-04-08 12:09:05

bungus
Member
Registered: 2016-04-08
Posts: 3

[SEMI-SOLVED] OpenVPN cant change/resolve dns properly.

Hey, I've struggled with this problem for a couple of days. Whenever I connect to a VPN I lose internet connection; it doesn't seem to resolve or change the DNS from the .ovpn file properly.
I have openresolv installed, as well as the resolv script from the AUR.

I've tried different servers but still no luck.

Here is the output with resolvscript

sudo openvpn fi1.nordvpn.com.udp1194.ovpn 
[sudo] password for username: 
Fri Apr  8 12:48:22 2016 OpenVPN 2.3.10 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 14 2016
Fri Apr  8 12:48:22 2016 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.09
Enter Auth Username: *
Enter Auth Password: ***
Fri Apr  8 12:48:37 2016 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Fri Apr  8 12:48:37 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Apr  8 12:48:37 2016 Control Channel Authentication: tls-auth using INLINE static key file
Fri Apr  8 12:48:37 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr  8 12:48:37 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr  8 12:48:37 2016 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Apr  8 12:48:37 2016 UDPv4 link local: [undef]
Fri Apr  8 12:48:37 2016 UDPv4 link remote: [AF_INET]91.233.116.223:1194
Fri Apr  8 12:48:37 2016 TLS: Initial packet from [AF_INET]91.233.116.223:1194, sid=071a6cdd ea20e341
Fri Apr  8 12:48:37 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Apr  8 12:48:37 2016 VERIFY OK: depth=1, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=fi1.nordvpn.com, name=NordVPN, emailAddress=cert@nordvpn.com
Fri Apr  8 12:48:37 2016 Validating certificate key usage
Fri Apr  8 12:48:37 2016 ++ Certificate has key usage  00a0, expects 00a0
Fri Apr  8 12:48:37 2016 VERIFY KU OK
Fri Apr  8 12:48:37 2016 Validating certificate extended key usage
Fri Apr  8 12:48:37 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Apr  8 12:48:37 2016 VERIFY EKU OK
Fri Apr  8 12:48:37 2016 VERIFY OK: depth=0, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=fi1.nordvpn.com, name=NordVPN, emailAddress=cert@nordvpn.com
Fri Apr  8 12:48:38 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Apr  8 12:48:38 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr  8 12:48:38 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Apr  8 12:48:38 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr  8 12:48:38 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Fri Apr  8 12:48:38 2016 [fi1.nordvpn.com] Peer Connection Initiated with [AF_INET]91.233.116.223:1194
Fri Apr  8 12:48:40 2016 SENT CONTROL [fi1.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Fri Apr  8 12:48:40 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 78.46.223.24,dhcp-option DNS 162.242.211.137,route 10.8.8.1,topology net30,ping 5,ping-restart 30,ifconfig 10.8.8.162 10.8.8.161'
Fri Apr  8 12:48:40 2016 OPTIONS IMPORT: timers and/or timeouts modified
Fri Apr  8 12:48:40 2016 OPTIONS IMPORT: --ifconfig/up options modified
Fri Apr  8 12:48:40 2016 OPTIONS IMPORT: route options modified
Fri Apr  8 12:48:40 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Apr  8 12:48:40 2016 ROUTE_GATEWAY 192.168.10.1/255.255.255.0 IFACE=enp5s0 HWADDR=90:2b:34:34:c3:ee
Fri Apr  8 12:48:40 2016 TUN/TAP device tun0 opened
Fri Apr  8 12:48:40 2016 TUN/TAP TX queue length set to 100
Fri Apr  8 12:48:40 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Apr  8 12:48:40 2016 /usr/bin/ip link set dev tun0 up mtu 1500
Fri Apr  8 12:48:40 2016 /usr/bin/ip addr add dev tun0 local 10.8.8.162 peer 10.8.8.161
Fri Apr  8 12:48:40 2016 /etc/openvpn/update-resolv-conf tun0 1500 1590 10.8.8.162 10.8.8.161 init
which: no resolvconf in ((null))
dhcp-option DNS 78.46.223.24
dhcp-option DNS 162.242.211.137
/etc/openvpn/update-resolv-conf: line 56: -x: command not found
/etc/openvpn/update-resolv-conf: line 56: echo: write error: Broken pipe
Fri Apr  8 12:48:40 2016 /usr/bin/ip route add 91.233.116.223/32 via 192.168.10.1
Fri Apr  8 12:48:40 2016 /usr/bin/ip route add 0.0.0.0/1 via 10.8.8.161
Fri Apr  8 12:48:40 2016 /usr/bin/ip route add 128.0.0.0/1 via 10.8.8.161
Fri Apr  8 12:48:40 2016 /usr/bin/ip route add 10.8.8.1/32 via 10.8.8.161
Fri Apr  8 12:48:40 2016 Initialization Sequence Completed
^CFri Apr  8 12:48:55 2016 event_wait : Interrupted system call (code=4)
Fri Apr  8 12:48:55 2016 /usr/bin/ip route del 10.8.8.1/32
Fri Apr  8 12:48:55 2016 /usr/bin/ip route del 91.233.116.223/32
Fri Apr  8 12:48:55 2016 /usr/bin/ip route del 0.0.0.0/1
Fri Apr  8 12:48:55 2016 /usr/bin/ip route del 128.0.0.0/1
Fri Apr  8 12:48:55 2016 Closing TUN/TAP interface
Fri Apr  8 12:48:55 2016 /usr/bin/ip addr del dev tun0 local 10.8.8.162 peer 10.8.8.161
Fri Apr  8 12:48:55 2016 /etc/openvpn/update-resolv-conf tun0 1500 1590 10.8.8.162 10.8.8.161 init
which: no resolvconf in ((null))
/etc/openvpn/update-resolv-conf: line 59: -d: command not found
Fri Apr  8 12:48:55 2016 SIGINT[hard,] received, process exiting

Here is the output without resolvscript and a different server

[bungus@bungus openvpn]$ sudo openvpn nl8.nordvpn.com.udp1194.ovpn 
Fri Apr  8 12:52:46 2016 OpenVPN 2.3.10 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 14 2016
Fri Apr  8 12:52:46 2016 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.09
Enter Auth Username: *
Enter Auth Password: ***
Fri Apr  8 12:52:56 2016 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Fri Apr  8 12:52:56 2016 Control Channel Authentication: tls-auth using INLINE static key file
Fri Apr  8 12:52:56 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr  8 12:52:56 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr  8 12:52:56 2016 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Apr  8 12:52:56 2016 UDPv4 link local: [undef]
Fri Apr  8 12:52:56 2016 UDPv4 link remote: [AF_INET]37.48.80.202:1194
Fri Apr  8 12:52:56 2016 TLS: Initial packet from [AF_INET]37.48.80.202:1194, sid=7ff9b7e6 b1ac8312
Fri Apr  8 12:52:56 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Apr  8 12:52:57 2016 VERIFY OK: depth=1, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=nl8.nordvpn.com, name=NordVPN, emailAddress=cert@nordvpn.com
Fri Apr  8 12:52:57 2016 Validating certificate key usage
Fri Apr  8 12:52:57 2016 ++ Certificate has key usage  00a0, expects 00a0
Fri Apr  8 12:52:57 2016 VERIFY KU OK
Fri Apr  8 12:52:57 2016 Validating certificate extended key usage
Fri Apr  8 12:52:57 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Apr  8 12:52:57 2016 VERIFY EKU OK
Fri Apr  8 12:52:57 2016 VERIFY OK: depth=0, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=nl8.nordvpn.com, name=NordVPN, emailAddress=cert@nordvpn.com
Fri Apr  8 12:52:57 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Apr  8 12:52:57 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr  8 12:52:57 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Apr  8 12:52:57 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr  8 12:52:57 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Fri Apr  8 12:52:57 2016 [nl8.nordvpn.com] Peer Connection Initiated with [AF_INET]37.48.80.202:1194
Fri Apr  8 12:52:59 2016 SENT CONTROL [nl8.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Fri Apr  8 12:52:59 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 78.46.223.24,dhcp-option DNS 162.242.211.137,route 10.8.8.1,topology net30,ping 5,ping-restart 30,ifconfig 10.8.8.114 10.8.8.113'
Fri Apr  8 12:52:59 2016 OPTIONS IMPORT: timers and/or timeouts modified
Fri Apr  8 12:52:59 2016 OPTIONS IMPORT: --ifconfig/up options modified
Fri Apr  8 12:52:59 2016 OPTIONS IMPORT: route options modified
Fri Apr  8 12:52:59 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Apr  8 12:52:59 2016 ROUTE_GATEWAY 192.168.10.1/255.255.255.0 IFACE=enp5s0 HWADDR=90:2b:34:34:c3:ee
Fri Apr  8 12:52:59 2016 TUN/TAP device tun0 opened
Fri Apr  8 12:52:59 2016 TUN/TAP TX queue length set to 100
Fri Apr  8 12:52:59 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Apr  8 12:52:59 2016 /usr/bin/ip link set dev tun0 up mtu 1500
Fri Apr  8 12:52:59 2016 /usr/bin/ip addr add dev tun0 local 10.8.8.114 peer 10.8.8.113
Fri Apr  8 12:52:59 2016 /usr/bin/ip route add 37.48.80.202/32 via 192.168.10.1
Fri Apr  8 12:52:59 2016 /usr/bin/ip route add 0.0.0.0/1 via 10.8.8.113
Fri Apr  8 12:52:59 2016 /usr/bin/ip route add 128.0.0.0/1 via 10.8.8.113
Fri Apr  8 12:52:59 2016 /usr/bin/ip route add 10.8.8.1/32 via 10.8.8.113
Fri Apr  8 12:52:59 2016 Initialization Sequence Completed
^CFri Apr  8 12:53:41 2016 event_wait : Interrupted system call (code=4)
Fri Apr  8 12:53:41 2016 /usr/bin/ip route del 10.8.8.1/32
Fri Apr  8 12:53:41 2016 /usr/bin/ip route del 37.48.80.202/32
Fri Apr  8 12:53:41 2016 /usr/bin/ip route del 0.0.0.0/1
Fri Apr  8 12:53:41 2016 /usr/bin/ip route del 128.0.0.0/1
Fri Apr  8 12:53:41 2016 Closing TUN/TAP interface
Fri Apr  8 12:53:41 2016 /usr/bin/ip addr del dev tun0 local 10.8.8.114 peer 10.8.8.113
Fri Apr  8 12:53:41 2016 SIGINT[hard,] received, process exiting

There is also a problem with the script, I think.

/etc/openvpn/update-resolv-conf: line 56: -x: command not found
/etc/openvpn/update-resolv-conf: line 56: echo: write error: Broken pipe

Any help is appreciated

EDIT:

I found a workaround. I have to manually change DNS as it seems openresolv can't do it.

I made a bash script to make it automatic and it seems to work

The script:

#Switch between DNS and connect to VPN with this simple script


ISPDNS="
# ISPDNS
domain home
nameserver isp.dns
nameserver isp.dns2"

VPNDNS="
# VPNDNS
domain home
nameserver vpn.dns
nameserver vpn.dns2"

sudo echo "$VPNDNS" > /etc/resolv.conf

sudo openvpn /etc/openvpn/vpnfile.ovpn

wait

sudo echo "$ISPDNS" > /etc/resolv.conf

Last edited by bungus (2016-04-08 15:40:59)

Offline
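
An added example, not part of the original post or the AUR script: a minimal `--up`/`--down` handler that turns the pushed `dhcp-option DNS` values seen in the log into resolv.conf lines through the `foreign_option_N` variables OpenVPN exports to scripts, and that looks up `resolvconf` by absolute path, since the log's `which: no resolvconf in ((null))` indicates the script ran with no `PATH`. The function names, `RESOLVCONF_DIRS` and the `.openvpn` interface suffix are assumptions.

```shell
#!/bin/sh
# Added example, not the AUR update-resolv-conf script.
# OpenVPN hands pushed options it cannot apply itself (such as
# "dhcp-option DNS ...") to the --up script as environment variables
# foreign_option_1, foreign_option_2, ...

# Print resolv.conf lines for the pushed DNS servers. Pushed values come from
# the server, so anything that is not a plain IP address is dropped.
resolv_from_foreign_options() {
    i=1
    while eval "opt=\${foreign_option_$i-}" && [ -n "$opt" ]; do
        i=$((i + 1))
        case $opt in
            "dhcp-option DNS "*) addr=${opt#"dhcp-option DNS "} ;;
            *) continue ;;
        esac
        case $addr in
            ''|*[!0-9A-Fa-f.:]*) printf 'ignored pushed option: %s\n' "$opt" >&2 ;;
            *) echo "nameserver $addr" ;;
        esac
    done
    return 0
}

# Locate resolvconf by absolute path instead of relying on PATH. With PATH
# unset the lookup yields an empty command name, which is what produces
# "-x: command not found". The directory list is an assumption.
find_resolvconf() {
    for dir in ${RESOLVCONF_DIRS:-/usr/bin /usr/sbin /sbin /bin}; do
        if [ -x "$dir/resolvconf" ]; then
            echo "$dir/resolvconf"
            return 0
        fi
    done
    echo "resolvconf not found, leaving resolv.conf untouched" >&2
    return 1
}

# OpenVPN sets script_type and dev in the script's environment.
case ${script_type-} in
    up)   rc=$(find_resolvconf) || exit 1
          resolv_from_foreign_options | "$rc" -x -a "$dev.openvpn" ;;
    down) rc=$(find_resolvconf) || exit 1
          "$rc" -d "$dev.openvpn" ;;
esac
```
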

#2 2016-04-08 12:15:03

x33a
Forum Fellow
Registered: 2009-08-15
Posts: 4,587

Re: [SEMI-SOLVED] OpenVPN cant change/resolve dns properly.

Moving to "Networking, Server and Protection".

Offline

#3 2016-04-08 13:20:11

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: [SEMI-SOLVED] OpenVPN cant change/resolve dns properly.

Please post your ovpn configuration file, after removing the certificates and private keys of course.

Also post the output of 'ip route' after you establish the connection to the vpn. Try pinging 8.8.8.8 or 8.8.4.4 (Google's dns servers); this will help check if packets are getting anywhere or if there is any other problem.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

Offline

#4 2016-04-08 15:39:28

bungus
Member
Registered: 2016-04-08
Posts: 3

Re: [SEMI-SOLVED] OpenVPN cant change/resolve dns properly.

I found a workaround and returned to post it. I have to manually change DNS as it seems openresolv can't do it.

I made a bash script to make it automatic and it seems to work

The script:

#Switch between DNS and connect to VPN with this simple script


ISPDNS="
# ISPDNS
domain home
nameserver isp.dns
nameserver isp.dns2"

VPNDNS="
# VPNDNS
domain home
nameserver vpn.dns
nameserver vpn.dns2"

sudo echo "$VPNDNS" > /etc/resolv.conf

sudo openvpn /etc/openvpn/vpnfile.ovpn

wait

sudo echo "$ISPDNS" > /etc/resolv.conf

Anyhow here's the ovpn file.

#           _   _               ___     ______  _   _
#          | \ | | ___  _ __ __| \ \   / /  _ \| \ | |
#          |  \| |/ _ \| '__/ _` |\ \ / /| |_) |  \| |
#          | |\  | (_) | | | (_| | \ V / |  __/| |\  |
#          |_| \_|\___/|_|  \__,_|  \_/  |_|   |_| \_|
#


client
dev tun
proto udp
remote 37.48.80.202 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0

remote-cert-tls server

#mute 10000
auth-user-pass

comp-lzo
verb 3
pull
fast-io
cipher AES-256-CBC

<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-auth>

IP Route:

[bungus@bungus ~]$ ip route
default via 192.168.10.1 dev enp5s0  proto static  metric 100 
192.168.10.0/24 dev enp5s0  proto kernel  scope link  src 192.168.10.198  metric 100 

Ping:

[bungus@bungus ~]$ ping -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=45 time=24.5 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=45 time=24.1 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=45 time=24.1 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 24.112/24.267/24.504/0.212 ms

Last edited by bungus (2016-04-08 15:43:52)

Offline

#5 2016-04-09 01:40:13

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: [SEMI-SOLVED] OpenVPN cant change/resolve dns properly.

If your problem is really just dns I can't be of much help as I don't use anything to manage resolv.conf. Due to the way I have my system set up I don't want any programs to do changes to my resolv.conf.

Regarding your ovpn file, I see an option that should do nothing in your case (remote-random) and things that you should know very well what you are doing before fiddling with them (tun-mtu, tun-mtu-extra, mssfix). If you got that from your vpn provider then those should be ok.

Your output of 'ip route' does not seem to be obtained after connecting to the vpn, if it is you have more problems than just dns. This means that your ping test might not have gone through the vpn and as such tells us nothing.

Also your workaround script might not be doing what you expect it to be doing. Even though you use sudo, the redirection will be done as the user under which the script runs. This means it will work only under root, which means your use of sudo is redundant. It will work under your "normal" user only if you have changed the permissions/acls on resolv.conf to allow your user to write to it, which I'd say is a bad idea.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

Offline

#6 2016-04-09 19:21:48

bungus
Member
Registered: 2016-04-08
Posts: 3

Re: [SEMI-SOLVED] OpenVPN cant change/resolve dns properly.

Someone on reddit linked me to a new resolv-script that worked flawlessly.


This is the script: https://wiki.archlinux.org/index.php/Mullvad

Thanks for the heads-up r00kie, I'll stop using my bash script and use mullvad instead.
Although, the resolv.conf file changes after running the script, not sure what you were implying so it might not be what you meant.

Last edited by bungus (2016-04-09 19:22:09)

Offline

#7 2016-04-09 23:03:22

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: [SEMI-SOLVED] OpenVPN cant change/resolve dns properly.

What I meant is, if you do

[bungus@bungus ~]$ sudo echo "Hello World!" > /etc/resolv.conf

then only the echo command will run as root; the redirection '>' will be done as the user bungus. This would only work to change a resolv.conf with the default permissions and ownership if you ran your whole script as root, which means that your use of sudo is redundant because everything is run as root already.

I'll leave further research of how all that works as homework :)


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

Offline
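
The point R00KIE makes above, as an added example that is not part of the original thread: a DNS-swap wrapper meant to be run entirely as root, which restores the original resolv.conf from a backup on exit or interrupt. The script name `vpn-dns.sh`, the function names and the `RESOLV_CONF` override are assumptions for illustration; `vpn.dns` is the thread's own placeholder.

```shell
#!/bin/sh
# Added example, not the poster's script. Run the WHOLE script as root:
#   sudo ./vpn-dns.sh /etc/openvpn/vpnfile.ovpn
# In `sudo echo "$X" > /etc/resolv.conf` the calling shell opens the file for
# the redirection before sudo starts, so the write happens as the normal user.
# For one privileged write from an unprivileged shell, pipe into
# `sudo tee /etc/resolv.conf >/dev/null` instead.

RESOLV_CONF=${RESOLV_CONF:-/etc/resolv.conf}   # overridable (assumption)

# Placeholder resolver, as in the thread; replace with the VPN's DNS server.
VPNDNS="# VPNDNS
nameserver vpn.dns"

# Put the saved resolv.conf back; safe to call more than once.
restore_dns() {
    [ -n "${BACKUP-}" ] && [ -f "$BACKUP" ] || return 0
    cat "$BACKUP" > "$RESOLV_CONF" && rm -f "$BACKUP"
    BACKUP=
}

# with_vpn_dns CONTENT COMMAND [ARGS...]
# Swap in CONTENT, run COMMAND, restore the original even on Ctrl-C or error.
with_vpn_dns() {
    content=$1; shift
    BACKUP=$(mktemp) || return 1
    cat "$RESOLV_CONF" > "$BACKUP" || return 1
    trap restore_dns EXIT
    trap 'restore_dns; exit 130' INT TERM
    printf '%s\n' "$content" > "$RESOLV_CONF" || { restore_dns; return 1; }
    status=0
    "$@" || status=$?
    restore_dns
    trap - EXIT INT TERM
    return "$status"
}

# Only act when given an .ovpn file, and refuse to run half-privileged.
if [ -n "${1-}" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run this script as root" >&2; exit 1; }
    with_vpn_dns "$VPNDNS" openvpn "$1"
fi
```
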
