wknapik / vpnfailsafe

IP leak prevention for OpenVPN

Resolv.conf keeping old dns

fecegogiw opened this issue

Hi, excellent script.

Initially I was having some issues with the routes, then I added this

route-noexec

before the script (like in your example) and it's now all working fine in regards to routes.

I don't know if I understood correctly the idea of the resolv.conf, but for me, instead of just keeping the VPN DNS address, it's just appending it to the config and keeping all my old ones.

Maybe it's not something that the script is doing (as when I run without the script it still does that), but maybe there's some config on my VPN that is adding it and I have to remove something or add something explicitly (like the route-noexec).

Besides that, even after editing my resolv.conf by hand and removing the other DNS servers, it still takes a while for it to persist. Even after that, it shows only my VPN DNS and a second one that is IPv6 (this is on ipleak.net); not sure if this is normal or not.

Also, you mention in the README a way of restoring the firewall to the previous config with an init config; can you point me to where I can find it? Right now I'm removing all the rules and then re-enabling them with the GUI. It's a bit troublesome, but still doable.

Thanks for this script.

Ah, forgot to mention. I'm using Arch Linux, and I have ipv6 disabled.

Hi, excellent script.

Hi @fecegogiw. And thanks.

Initially I was having some issues with the routes, then I added this

route-noexec

before the script (like in your example) and it's now all working fine in regards to routes.

Yeah, route-noexec makes it a bit cleaner, but you can run without it and everything will still work correctly.

I don't know if I understood correctly the idea of the resolv.conf, but for me, instead of just keeping the VPN DNS address, it's just appending it to the config and keeping all my old ones.

That should not happen.
It sounds like something other than vpnfailsafe might be trying to handle resolv.conf (whether via resolvconf, or otherwise).
I'd start by checking OpenVPN output to see what DNS information was pushed by the server (journalctl -b _COMM=openvpn|grep PUSH_REPLY, or just look at stdout if OpenVPN was started in the foreground manually) and comparing it to the resolvconf -l output. Does that look correct?

Maybe it's not something that the script is doing (as when I run without the script it still does that), but maybe there's some config on my VPN that is adding it and I have to remove something or add something explicitly (like the route-noexec).

I'm not sure how OpenVPN behaves if the up option is passed more than once, but if it runs both scripts, then maybe there's another script configured to be run by OpenVPN?
Can you paste your config (minus any confidential information)?

Besides that, even after editing my resolv.conf by hand and removing the other DNS servers, it still takes a while for it to persist.

Not sure what you mean...

Even after that, it shows only my VPN DNS and a second one that is IPv6 (this is on ipleak.net); not sure if this is normal or not.

I'd check if those are IPv4 and IPv6 addresses of the same DNS server pushed by the OpenVPN server, just to be safe.

Also, you mention in the README a way of restoring the firewall to the previous config with an init config; can you point me to where I can find it? Right now I'm removing all the rules and then re-enabling them with the GUI. It's a bit troublesome, but still doable.

You can look into iptables-save and iptables-restore and the systemd iptables service, which uses iptables-restore. Just be sure not to save the entries created by vpnfailsafe.

Thanks for this script.

No problem, glad it's useful to others :)

Ah, forgot to mention. I'm using Arch Linux, and I have ipv6 disabled.

Same here ;]
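As an added example of the iptables-save/iptables-restore suggestion above (this is not part of the thread and not vpnfailsafe's own code): a filter that drops a script's own chains from the saved ruleset, so the file restored by the systemd iptables service contains only the pre-VPN firewall. It assumes the kill-switch chains share a name prefix (VPNFAILSAFE is a placeholder here, not a name taken from the project) and that the service reads /etc/iptables/iptables.rules, which is the Arch default.

```shell
#!/bin/sh
# Added example: persist the firewall without the kill-switch entries.
# The chain prefix is an assumption; inspect `iptables-save` with the VPN
# up to see the real chain names before relying on it.

# strip_chains PREFIX -- read iptables-save format on stdin, write it to
# stdout minus every chain, rule and jump that belongs to PREFIX.
strip_chains() {
    prefix=$1
    awk -v p="$prefix" '
        # ":CHAIN POLICY [pkts:bytes]" declares a chain; drop our own chains
        substr($0, 1, 1) == ":" && index($0, ":" p) == 1 { next }
        # "-A CHAIN ..." appends a rule to a chain; drop rules inside our chains
        $1 == "-A" && index($2, p) == 1 { next }
        # drop rules in builtin chains whose only purpose is to jump into ours
        { for (i = 1; i < NF; i++) if ($i == "-j" && index($(i + 1), p) == 1) next }
        { print }
    '
}

# save_baseline PREFIX [FILE] -- write the current ruleset minus PREFIX chains
# to FILE, so that `systemctl start iptables` (iptables-restore) brings the
# original firewall back without re-creating the kill switch.
save_baseline() {
    prefix=$1
    out=${2:-/etc/iptables/iptables.rules}   # Arch iptables.service path; assumption elsewhere
    iptables-save | strip_chains "$prefix" > "$out"
}

# Usage, as root, with the VPN up and the script's chains loaded:
#   save_baseline VPNFAILSAFE
#   iptables-restore < /etc/iptables/iptables.rules   # or: systemctl restart iptables
```

Run save_baseline once while the kill switch is active and check the resulting file by eye; the same filter applies unchanged to ip6tables-save output if IPv6 rules are kept.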

Hey, thanks for your reply.

One thing in the output I can see is this:

Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:1: block-outside-dns (2.4.2)

Do you think this is something else or maybe this is executed by vpnfailsafe?

Sorry to bug you with this; I don't know how VPNs work that well.

This error is not significant. The server is pushing a Windows-only option to a Linux client. I wouldn't expect that to cause any issues.

Please post:

  • Your VPN config file (with secrets removed, if any)
  • openvpn --config your_config_file output
  • resolvconf -l output

Hey, here it is. I've removed all the "secret" parts and the IPs as well, using {{ and }} where I removed them.

#Connection Settings
client
dev tun
proto udp
nobind
persist-key
keepalive 3 10

#Security Settings
auth sha512
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
verify-x509-name {{name_of_cert_here}} name

#Remote Ips
remote {{Removed the IP here}}
remote {{Removed the IP here}}
remote {{Removed the IP here}}
resolv-retry 10

# Set log file verbosity.
verb 1

# Silence repeating messages
mute 20

route-noexec
script-security 2
up /etc/openvpn/vpnfailsafe.sh
down /etc/openvpn/vpnfailsafe.sh

#User Info
....

The output from my OpenVPN run is:

- OpenVPN 2.4.2 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 11 2017
- library versions: OpenSSL 1.1.0f  25 May 2017, LZO 2.10
- NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
- TCP/UDP: Preserving recently used remote address: [AF_INET]{{remote ip here}}
- UDP link local: (not bound)
- UDP link remote: [AF_INET]{{remote ip here}}
- [{{name_of_cert_here}}] Peer Connection Initiated with [AF_INET]{{remote ip here}}
- Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:1: block-outside-dns (2.4.2)
- TUN/TAP device tun0 opened
- do_ifconfig, tt->did_ifconfig_ipv6_setup=0
- /usr/bin/ip link set dev tun0 up mtu 1500
- /usr/bin/ip addr add dev tun0 {{another_ip_here}}/24 broadcast {{another_ip}}
- /etc/openvpn/vpnfailsafe.sh tun0 1500 1552 {{another_ip}} 255.255.255.0 init
- Initialization Sequence Completed

I don't see any obvious issues with the config, but the line verb 1 reduces output verbosity to the point where it's not very useful. In particular, the PUSH_REPLY is not visible in the OpenVPN log because of it. Please change that value to 3 or 4 and paste a new OpenVPN log. Also, what's the resolvconf -l output (and the contents of /etc/resolv.conf) after the VPN connection is established? Feel free to modify IPs/hosts, as long as the same values remain the same after the changes.

Hello, sorry for taking so long to reply.

I think I've found where the issue is, but I have no idea how to fix it.

When I connect now with more details being printed, I can see this (I've replaced the server name with {servername}, the proper gateway IP with {proper-gateway-ip}, and another IP, which seems to be in the same range as the gateway but I don't know what it is, with {another-ip}).

Apparently it is receiving some instructions from the server but has no script to execute.

This is part of what shows up when connecting:

SENT CONTROL [{servername}]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,block-outside-dns,redirect-gateway def1,dhcp-option DNS {proper-gateway-ip},persist-tun,persist-key,route-gateway {proper-gateway-ip},topology subnet,ping 10,ping-restart 60,ifconfig {another-ip} 255.255.255.0,peer-id 3,cipher AES-256-GCM'
Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:1: block-outside-dns (2.4.2)

Hi @fecegogiw

Please update to the latest version. It should resolve the problem. That was totally my bad - didn't use the -x switch to resolvconf. Sorry for taking so long to realize that. Let me know if I can close the issue.

Cheers.

PS. The error you pasted, about unrecognized options - you can safely ignore it. It's just the server pushing a Windows-only option.
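Added example, not vpnfailsafe's own code, covering both the check suggested earlier in the thread (what DNS did the server push, versus what resolvconf holds) and the fix described above (installing that DNS with resolvconf's -x switch). It relies on one documented OpenVPN behaviour: every pushed dhcp-option is handed to the --up script as environment variables foreign_option_1, foreign_option_2, and so on. The resolvconf -h check for -x support is a heuristic of my own, and the sample log line in the test is constructed from the PUSH_REPLY shown in the thread with placeholder addresses.

```shell
#!/bin/sh
# Added example: from pushed DNS options to an exclusive resolv.conf.

# pushed_dns_from_log -- read OpenVPN log on stdin (journalctl -b _COMM=openvpn,
# or the foreground output at verb 3 or higher), split the PUSH_REPLY line
# on commas and print the DNS servers the server pushed, one per line.
# Compare the result with `resolvconf -l`.
pushed_dns_from_log() {
    grep -o "PUSH_REPLY,[^']*" \
        | tr ',' '\n' \
        | awk '$1 == "dhcp-option" && $2 == "DNS" { print $3 }'
}

# build_resolv_conf -- print "search ..." and "nameserver ..." lines from the
# foreign_option_N variables OpenVPN exports to the --up script.
build_resolv_conf() {
    i=1 ns='' domains=''
    while eval "opt=\${foreign_option_$i:-}"; [ -n "$opt" ]; do
        case $opt in
            'dhcp-option DNS '*)    ns="$ns ${opt#dhcp-option DNS }" ;;
            'dhcp-option DOMAIN '*) domains="$domains ${opt#dhcp-option DOMAIN }" ;;
        esac
        i=$((i + 1))
    done
    [ -n "$domains" ] && printf 'search%s\n' "$domains"
    for n in $ns; do
        printf 'nameserver %s\n' "$n"
    done
}

# install_resolv_conf DEV -- feed the fragment to openresolv for interface DEV.
# -a adds DEV's config; -x marks it exclusive, so resolv.conf is generated
# from this interface alone instead of the old nameservers being appended
# after it (the behaviour reported in this issue).
install_resolv_conf() {
    dev=$1
    # Heuristic (assumption): an implementation that supports -x mentions it
    # in its usage text. Debian's resolvconf and old openresolv do not.
    if ! resolvconf -h 2>&1 | grep -q -- '-x'; then
        echo "resolvconf without -x support: upgrade openresolv" >&2
        return 1
    fi
    build_resolv_conf | resolvconf -xa "$dev"
}

# From an OpenVPN --up script (script-security 2), $1 is the tun device:
#   install_resolv_conf "$1"
```

The matching teardown for the --down script is resolvconf -d "$dev", which removes the exclusive entry and lets the previous resolv.conf sources come back.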

Hey @wknapik

I've just updated the script and now it is working.

Thank you very much.

One thing though, the AUR script is still not getting the latest version apparently, so I've just downloaded it manually and it worked.

Thanks again.

Glad to hear that @fecegogiw. As for the AUR package - depending on what you use, the update procedure for -git packages may be different than for regular ones. I've certainly seen that with some tools. Anyway - thanks for the report :)

After updating with d951d43 I get this error:

Tue Jul 11 23:54:48 2017 /etc/openvpn/vpnfailsafe.sh tun0 1500 1558 xxx.xxx.xxx.xxx 255.255.255.0 init
resolvconf: Error: Command not recognized
Usage: resolvconf (-d IFACE|-a IFACE|-u|--enable-updates|--disable-updates|--updates-are-enabled)
/etc/openvpn/vpnfailsafe.sh:78: `echo -e "${domains/ /search }\n${ns// /$'\n'nameserver }"|resolvconf -xa "$dev"' returned 99
Tue Jul 11 23:54:49 2017 WARNING: Failed running command (--up/--down): external program exited with error status: 99
Tue Jul 11 23:54:49 2017 Exiting due to fatal error

System: Linux osmc 4.9.29-8-osmc #1 SMP PREEMPT Fri Jun 16 21:37:12 UTC 2017 armv7l GNU/Linux

Hi @triath. It seems you're using an old version of resolvconf. Looks like this commit introduced exclusive interfaces (the -x switch). That was over 2 years ago. Upgrading to a newer version of openresolv should fix the issue. Let me know how it goes!