
#1 2021-02-08 21:15:32

djrollins
Member
From: Leeds, UK
Registered: 2016-07-11
Posts: 6

OpenVPN client + update-systemd-resolved. DNS not working

Hi folks,

I'm having some serious trouble getting DNS working with OpenVPN. I know there have been some problems with permission changes in the latest versions of OpenVPN, but everything _seems_ to execute cleanly, so I think this is something different. I am not really a networking guy, so I am genuinely at a loss as to where to look next.

I have used Private Internet Access with OpenVPN for a few years, but I've recently installed Arch on a new machine and it no longer seems to work. Trying to resolve any domain will just hang, but I am able to ping IP addresses directly.

I am using systemd-resolved, which is active and running, and my /etc/resolve.conf is symlinked to /run/systemd/resolve/stub-resolv.conf.

I installed openvpn-update-systemd-resolved from the AUR and added the recommended up/down script lines to my config. I also have the polkit rules set up to allow the openvpn user to set the DNS servers (but I don't think this is relevant as I am running openvpn with sudo?).

Here is my OpenVPN config. It is downloaded from the PIA website and I added the "auth-user-pass" line as well as the final block with the up/down scripts. (It's also worth noting that all files in the /etc/openvpn directory are owned by "openvpn:network").

client
dev tun
proto udp
remote uk-london.privacy.network 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server

auth-user-pass pia-credentials.txt
compress
verb 1
reneg-sec 0
<crl-verify>
-----BEGIN X509 CRL-----
[...]
-----END X509 CRL-----
</crl-verify>

<ca>
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
</ca>

disable-occ
script-security 2
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
up /etc/openvpn/scripts/update-systemd-resolved
up-restart
down /etc/openvpn/scripts/update-systemd-resolved
down-pre

Executing OpenVPN:

/etc/openvpn/client >>> sudo openvpn  uk_london.conf
[sudo] password for djr:
2021-02-08 20:58:30 DEPRECATED OPTION: --cipher set to 'aes-128-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'aes-128-cbc' to --data-ciphers or change --cipher 'aes-128-cbc' to --data-ciphers-fallback 'aes-128-cbc' to silence this warning.
2021-02-08 20:58:30 WARNING: file 'pia-credentials.txt' is group or others accessible
2021-02-08 20:58:30 OpenVPN 2.5.0 [git:makepkg/a73072d8f780e888+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov  6 2020
2021-02-08 20:58:30 library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10
2021-02-08 20:58:30 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-02-08 20:58:30 CRL: loaded 1 CRLs from file -----BEGIN X509 CRL----- [...] -----END X509 CRL-----

2021-02-08 20:58:30 TCP/UDP: Preserving recently used remote address: [AF_INET]212.102.53.72:1198
2021-02-08 20:58:30 UDP link local: (not bound)
2021-02-08 20:58:30 UDP link remote: [AF_INET]212.102.53.72:1198
2021-02-08 20:58:30 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-02-08 20:58:31 [london405] Peer Connection Initiated with [AF_INET]212.102.53.72:1198
2021-02-08 20:58:32 sitnl_send: rtnl: generic error (-101): Network is unreachable
2021-02-08 20:58:32 TUN/TAP device tun0 opened
2021-02-08 20:58:32 net_iface_mtu_set: mtu 1500 for tun0
2021-02-08 20:58:32 net_iface_up: set tun0 up
2021-02-08 20:58:32 net_addr_v4_add: 10.60.112.115/24 dev tun0
2021-02-08 20:58:32 /etc/openvpn/scripts/update-systemd-resolved tun0 1500 1553 10.60.112.115 255.255.255.0 init
<14>Feb  8 20:58:32 update-systemd-resolved: Link 'tun0' coming up
<14>Feb  8 20:58:32 update-systemd-resolved: Adding IPv4 DNS Server 10.0.0.243
<14>Feb  8 20:58:32 update-systemd-resolved: SetLinkDNS(16 1 2 4 10 0 0 243)
2021-02-08 20:58:32 WARNING: OpenVPN was configured to add an IPv6 route. However, no IPv6 has been configured for tun0, therefore the route installation may fail or may not work as expected.
2021-02-08 20:58:32 add_route_ipv6(2000::/3 -> :: metric -1) dev tun0
2021-02-08 20:58:32 Initialization Sequence Completed

resolvectl status:

~ >>> resolvectl status
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
Fallback DNS Servers: 1.1.1.1 9.9.9.10 8.8.8.8 2606:4700:4700::1111 2620:fe::10 2001:4860:4860::8888

Link 2 (enp10s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 194.168.8.100
       DNS Servers: 194.168.4.100 194.168.8.100

Link 16 (tun0)
Current Scopes: LLMNR/IPv4 LLMNR/IPv6
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

I'd be grateful for any ideas on what to try to resolve this issue. Or even a recommendation for a different approach entirely to getting OpenVPN working.

Cheers.
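
A checker for the `resolvectl status` output above, added here as an example (not part of the original post or of update-systemd-resolved): it parses the per-link sections and flags a VPN link that has no DNS servers or DNS scope, plus any other link whose resolvers are still the default route. `parse_links`, `check_vpn_dns` and the finding codes are hypothetical names, and the sample is constructed from the output quoted in the post.

```python
import re

# Constructed sample: per-link part of the `resolvectl status` output in the post.
SAMPLE = """\
Link 2 (enp10s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 194.168.8.100
       DNS Servers: 194.168.4.100 194.168.8.100

Link 16 (tun0)
Current Scopes: LLMNR/IPv4 LLMNR/IPv6
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
"""

LINK = re.compile(r"^Link (\d+) \((\S+)\)$")
FIELD = re.compile(r"^([A-Za-z][A-Za-z. ]*):(?: (.*))?$")  # "Key: value", never a bare IPv6
LISTS = {"Current Scopes": "scopes", "DNS Servers": "dns"}

def parse_links(text):
    """Map interface name -> DNS scopes, DNS servers and DefaultRoute flag."""
    links, cur, key = {}, None, None
    for line in map(str.strip, text.splitlines()):
        m = LINK.match(line)
        if m or line == "Global":  # section header; Global has no per-link data
            key = None
            cur = links.setdefault(
                m.group(2), {"scopes": [], "dns": [], "default_route": False}) if m else None
        elif cur is not None and line:
            f = FIELD.match(line)
            key = f.group(1) if f else key  # no "Key:" prefix: continuation line
            words = ((f.group(2) or "") if f else line).split()
            if key == "Protocols":
                cur["default_route"] |= "+DefaultRoute" in words
            elif key in LISTS:
                cur[LISTS[key]] += words
    return links

def check_vpn_dns(links, vpn_if):
    """Finding codes for how systemd-resolved treats the VPN link."""
    vpn = links.get(vpn_if)
    if vpn is None:
        return ["vpn-link-missing"]
    found = [code for code, bad in (
        ("vpn-no-dns-servers", not vpn["dns"]),
        ("vpn-no-dns-scope", "DNS" not in vpn["scopes"]),
        ("vpn-not-default-route", not vpn["default_route"]),
    ) if bad]
    return found + [f"resolver-outside-vpn:{name}" for name, link in links.items()
                    if name != vpn_if and link["default_route"] and link["dns"]]
```

For the output in the post, `check_vpn_dns(parse_links(SAMPLE), "tun0")` reports all three `vpn-*` findings and `resolver-outside-vpn:enp10s0`: the server announced by `SetLinkDNS` in the OpenVPN log is not present on `tun0` in what resolved reports.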


#2 2021-07-11 11:31:39

TheLateJC
Member
Registered: 2009-01-29
Posts: 6

Re: OpenVPN client + update-systemd-resolved. DNS not working

I've decided to have a crack at fixing my long-running issues with this today. I'm using the update-resolv-conf script, and I noticed that my VPN provider supplies 2 DNS entries, and somehow the script borks itself.

As a temp workaround I replaced:

  echo -n "$R" | $RESOLVCONF -x -a "${dev}.inet" 

with:

  echo -n "nameserver $NS" | $RESOLVCONF -x -a "${dev}.inet"

resolvectl dns posts stuff that makes little sense hmm


If you want, you can try adding the following into the up script, and it might post some interesting information for you:

  set -x

I have a similar config to yours, bar the up script, and by the looks of it we might have similar purpose. I hope you get sorted in time.

--
JC


#3 2021-07-11 11:56:02

TheLateJC
Member
Registered: 2009-01-29
Posts: 6

Re: OpenVPN client + update-systemd-resolved. DNS not working

Huh... try this: https://aur.archlinux.org/packages/open … -resolved/

Works out of the box for me, which is nice.
