
domain name system - NetworkManager is not changing /etc/resolv.conf after openvpn dns push


I've got a problem which is "NetworkManager is not updating /etc/resolv.conf after openvpn connection with dns push configured".

Here's my openvpn server config: (I've changed the domain name to ABC.COM for security reasons ;) )



########################################
# Sample OpenVPN config file for
# 2.0-style multi-client udp server
#
# Adapted from http://openvpn.sourceforge.net/20notes.html
#
# tun-style tunnel

port 1194
dev tun

# Use "local" to set the source address on multi-homed hosts
#local [IP address]

# TLS parms
tls-server
ca keys/ca.crt
cert keys/static.crt
key keys/static.key
dh keys/dh1024.pem
proto tcp-server

# Tell OpenVPN to be a multi-client udp server
mode server

# The server's virtual endpoints
ifconfig 10.8.0.1 10.8.0.2

# Pool of /30 subnets to be allocated to clients.
# When a client connects, an --ifconfig command
# will be automatically generated and pushed back to
# the client.
ifconfig-pool 10.8.0.4 10.8.0.255

# Push route to client to bind it to our local
# virtual endpoint.
push "route 10.8.0.1 255.255.255.255"

push "dhcp-option DNS 10.8.0.1"

# Push any routes the client needs to get in
# to the local network.
#push "route 192.168.0.0 255.255.255.0"

# Push DHCP options to Windows clients.
push "dhcp-option DOMAIN ABC.COM"
#push "dhcp-option DNS 192.168.0.1"
#push "dhcp-option WINS 192.168.0.1"

# Client should attempt reconnection on link
# failure.
keepalive 10 60

# Delete client instances after some period
# of inactivity.
inactive 600

# Route the --ifconfig pool range into the
# OpenVPN server.
route 10.8.0.0 255.255.255.0

# The server doesn't need privileges
user openvpn
group openvpn

# Keep TUN devices and keys open across restarts.
persist-tun
persist-key

verb 4



As you can see it's basically the sample config with a little tuning.

Now..

On my machine (openvpn client), I can see that dns is ok:



{17:12}/etc/NetworkManager ➭ nslookup git.ABC.COM 10.8.0.1
Server:    10.8.0.1
Address:   10.8.0.1#53

Name:      git.ABC.COM
Address:   10.8.0.1

{17:18}/etc/NetworkManager ➭ nslookup ABC.COM 10.8.0.1
Server:    10.8.0.1
Address:   10.8.0.1#53

Name:      ABC.COM
Address:   18X.XX.XX.71



The openvpn logs on the server side say (if I understand correctly) that DNS has been pushed:



openvpn[13257]: TCPv4_SERVER link remote: [AF_INET]83.30.135.214:37658
openvpn[13257]: 83.30.135.214:37658 TLS: Initial packet from [AF_INET]83.30.135.214:37658, sid=3251df51 915772f3
openvpn[13257]: 83.30.135.214:37658 VERIFY OK: depth=1, C=XX, ST=XX, L=XXX, O=XXX, OU=XXX, CN=XXX, name=XXX, emailAddress=mail@ABC.COM
openvpn[13257]: 83.30.135.214:37658 VERIFY OK: depth=0, C=XX, ST=XX, L=XXX, O=XXX, OU=XXX, CN=XXX, name=XXX, emailAddress=mail@ABC.COM
openvpn[13257]: 83.30.135.214:37658 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
openvpn[13257]: 83.30.135.214:37658 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
openvpn[13257]: 83.30.135.214:37658 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
openvpn[13257]: 83.30.135.214:37658 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
openvpn[13257]: 83.30.135.214:37658 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
openvpn[13257]: 83.30.135.214:37658 [jacek] Peer Connection Initiated with [AF_INET]83.30.135.214:37658
openvpn[13257]: jacek/83.30.135.214:37658 MULTI_sva: pool returned IPv4=10.8.0.10, IPv6=(Not enabled)
openvpn[13257]: jacek/83.30.135.214:37658 MULTI: Learn: 10.8.0.10 -> jacek/83.30.135.214:37658
openvpn[13257]: jacek/83.30.135.214:37658 MULTI: primary virtual IP for jacek/83.30.135.214:37658: 10.8.0.10
openvpn[13257]: jacek/83.30.135.214:37658 PUSH: Received control message: 'PUSH_REQUEST'
openvpn[13257]: jacek/83.30.135.214:37658 send_push_reply(): safe_cap=940
openvpn[13257]: jacek/83.30.135.214:37658 SENT CONTROL [jacek]: 'PUSH_REPLY,route 10.8.0.1 255.255.255.255,dhcp-option DNS 10.8.0.1,dhcp-option DOMAIN ABC.COM,ping 10,ping-restart 60,ifconfig 10.8.0.10 10.8.0.9' (status=1)



openvpn logs on my side:



Aug 05 17:13:55 localhost.localdomain openvpn[1198]: TCPv4_CLIENT link remote: [AF_INET]XXX.XX.37.71:1194
Aug 05 17:13:55 localhost.localdomain openvpn[1198]: TLS: Initial packet from [AF_INET]XXX.XX.37.71:1194, sid=89cc981c d57dd826
Aug 05 17:13:56 localhost.localdomain openvpn[1198]: VERIFY OK: depth=1, C=XX, ST=XX, L=XXX, O=XXX, OU=XXX, CN=XXX, name=XXX, emailAddress=mail@ABC.COM
Aug 05 17:13:56 localhost.localdomain openvpn[1198]: VERIFY OK: depth=0, C=XX, ST=XX, L=XXX, O=XXX, OU=XXX, CN=XXX, name=XXX, emailAddress=mail@ABC.COM
Aug 05 17:13:58 localhost.localdomain openvpn[1198]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Aug 05 17:13:58 localhost.localdomain openvpn[1198]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 05 17:13:58 localhost.localdomain openvpn[1198]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Aug 05 17:13:58 localhost.localdomain openvpn[1198]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 05 17:13:58 localhost.localdomain openvpn[1198]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Aug 05 17:13:58 localhost.localdomain openvpn[1198]: [static] Peer Connection Initiated with [AF_INET]XXX.XX.37.71:1194
Aug 05 17:14:00 localhost.localdomain openvpn[1198]: SENT CONTROL [static]: 'PUSH_REQUEST' (status=1)
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1 255.255.255.255,dhcp-option DNS 10.8.0.1,dhcp-option DOMAIN ABC.COM,ping 10,ping-restart 60,ifconfig 10.8.0.10 10.8.0.9'
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: OPTIONS IMPORT: timers and/or timeouts modified
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: OPTIONS IMPORT: --ifconfig/up options modified
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: OPTIONS IMPORT: route options modified
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: ROUTE_GATEWAY 10.123.123.1/255.255.255.0 IFACE=wlan0 HWADDR=44:6d:57:32:81:2e
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: TUN/TAP device tun0 opened
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: TUN/TAP TX queue length set to 100
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: /usr/sbin/ip link set dev tun0 up mtu 1500
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: /usr/sbin/ip addr add dev tun0 local 10.8.0.10 peer 10.8.0.9
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: /usr/sbin/ip route add 10.8.0.1/32 via 10.8.0.9
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: Initialization Sequence Completed



It looks like everything's fine.

But. I checked /var/log/messages also... and I found that line:



Aug 5 17:14:01 localhost NetworkManager[761]: /sys/devices/virtual/net/tun0: couldn't determine device driver; ignoring...


ip a returns:



5: tun0: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.8.0.10 peer 10.8.0.9/32 scope global tun0
       valid_lft forever preferred_lft forever


route -n returns:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.123.123.1    0.0.0.0         UG    0      0        0 wlan0
10.8.0.1        10.8.0.9        255.255.255.255 UGH   0      0        0 tun0
10.8.0.9        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.123.123.0    0.0.0.0         255.255.255.0   U     0      0        0 wlan0


So basically everything works, except the DNS being pushed... Oh! Right, and my /etc/resolv.conf:



# Generated by NetworkManager
domain home
search home
nameserver 10.123.123.1


Where's the issue?



(I have a response from a Windows user with the openvpn client that on his side DNS works fine, so it's an issue on my side.

Ok, now I have another response (after I restarted the openvpn service on the server side) - it's not working.

I must say that it worked yesterday on my machine too.. so have I screwed up something on the server? What could it be?)



Edit: Okay, I've got another Windows user response (the same user as before) - it's working now. So.. I guess it was caused by the openvpn restart and some delays with it. I haven't done anything since then. So we're back to my machine.

I also traced that that weird tun0 message appeared yesterday as well, and yesterday it worked. Or maybe I added the entry to resolv.conf myself? I don't remember.. (damn it)


Answer



This works for me: http://www.softwarepassion.com/solving-dns-problems-with-openvpn-on-ubuntu-box/



The important step is adding the following two lines of configuration into your client openvpn config file:




up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf


Also ensure the resolvconf package is installed on the client, because that update-resolv-conf script depends on it.



It works whether openvpn is started as the client service or manually from the command line.



However, the Ubuntu Network Manager doesn't do this. It's an open issue so far: https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1211110
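As an added example (not the page's own code, and not the update-resolv-conf script the answer refers to), here is a minimal POSIX sh --up/--down script that does the same job for the options this server pushes: it reads the foreign_option_N environment variables OpenVPN sets for each pushed dhcp-option and feeds the resulting nameserver/search lines to resolvconf(8). It assumes the client config also contains script-security 2, which OpenVPN requires before running external scripts, and that the Debian/Ubuntu resolvconf binary lives at /sbin/resolvconf.

```shell
#!/bin/sh
# Added example, not the page's script and not the real update-resolv-conf.
# OpenVPN hands every pushed "dhcp-option" to an --up/--down script as the
# environment variables foreign_option_1, foreign_option_2, ... (for this
# page's server: "dhcp-option DNS 10.8.0.1" and "dhcp-option DOMAIN ABC.COM"),
# sets script_type to "up" or "down", and sets dev to the tunnel interface.

# Turn the foreign_option_N variables into resolv.conf lines:
# one "nameserver" line per pushed DNS, one "search" line for all DOMAINs.
build_resolvconf() {
    i=1
    domains=""
    while true; do
        eval "opt=\${foreign_option_$i}"
        [ -n "$opt" ] || break
        set -- $opt          # split "dhcp-option DNS 10.8.0.1" into words
        if [ "$1" = "dhcp-option" ]; then
            case "$2" in
                DNS)    echo "nameserver $3" ;;
                DOMAIN) domains="$domains${domains:+ }$3" ;;
            esac
        fi
        i=$((i + 1))
    done
    [ -n "$domains" ] && echo "search $domains"
    return 0
}

# Hand the lines to resolvconf(8), which regenerates /etc/resolv.conf from
# the records of all interfaces; "-d" on the way down restores the old resolver.
apply_resolvconf() {
    iface="${dev:-tun0}.openvpn"
    case "$script_type" in
        up)   build_resolvconf | /sbin/resolvconf -a "$iface" ;;
        down) /sbin/resolvconf -d "$iface" ;;
    esac
}

# Only act when OpenVPN invoked us (script_type set); otherwise just define.
if [ -n "$script_type" ]; then
    apply_resolvconf
fi
```

With the server config above, the "up" run writes "nameserver 10.8.0.1" and "search ABC.COM" into the tun0 record, and the "down" run removes it again so the NetworkManager-generated resolver returns.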



