OpenVPN / openvpn3-linux

OpenVPN 3 Linux client
GNU Affero General Public License v3.0

Fedora 33 needs systemd-resolved; resolv.conf not being restored properly #34

Closed sakalosj closed 3 years ago

sakalosj commented 3 years ago

After disconnecting from VPN, I am unable to connect again, with error:

session-start: ERROR Failed to connect: Connection, Client reconnect

[:/] openvpn3 version
OpenVPN 3/Linux v13_beta (openvpn3)
OpenVPN core 3.git:HEAD:ce0c9963 linux x86_64 64-bit
Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved.

dsommers commented 3 years ago

You're thin on the details here. What exactly do you do? Do you first do an openvpn3 session-manage --disconnect and then an openvpn3 session-start?

Can you please increase logging and provide that? Before starting your session, in a separate terminal run openvpn3 log --log-level 6 --config $CONFIG_FILENAME. Alternatively, as root run openvpn3-admin log-service --log-level 6 and extract log events from the systemd journal using either journalctl SYSLOG_IDENTIFIER=net.openvpn.v3.log, journalctl SYSLOG_IDENTIFIER=openvpn3-service-logger or journalctl -u dbus (what works depends on Linux distro and systemd versions). The log scope can further be reduced by adding --since today or --since 15:00.

sakalosj commented 3 years ago

First I successfully connect using openvpn3 session-start --config

Then disconnect using openvpn3 session-manage --disconnect --config

Then trying to connect again: openvpn3 session-start --config

log:

Waiting for session to start ... Done
Attaching to session /net/openvpn/v3/sessions/a9fc51c6s83b1s4e29s9523sbbd19a7b9067
2021-01-05 15:41:43 >> Connection, Configuration OK: config_path=/net/openvpn/v3/configuration/4a5504edxa5a9x43acx9b0fx7c9906291928
2021-01-05 15:41:43 Client INFO: Starting connection
2021-01-05 15:41:43 Client VERB1: Username/password provided successfully for 'asdf'
2021-01-05 15:41:43 >> Connection, Client connecting
2021-01-05 15:41:43 Client DEBUG: OpenVPN core 3.git:HEAD:ce0c9963 linux x86_64 64-bit OVPN-DCO
2021-01-05 15:41:43 Client DEBUG: Frame=512/2048/512 mssfix-ctrl=1250
2021-01-05 15:41:43 Client DEBUG: UNUSED OPTIONS
     1 [persist-key]
     3 [ncp-ciphers] [AES-256-CBC]
     5 [tls-client]
     7 [resolv-retry] [infinite]
     12 [lport] [0]
     17 [verb] [4]
2021-01-05 15:41:43 Client VERB2: Resolving
2021-01-05 15:41:53 Client DEBUG: Server poll timeout, trying next remote entry...
2021-01-05 15:41:53 Client INFO: Reconnecting
2021-01-05 15:41:53 >> Connection, Client reconnect
2021-01-05 15:41:53 Client VERB2: Resolving
2021-01-05 15:42:03 Client DEBUG: Server poll timeout, trying next remote entry...
2021-01-05 15:42:03 Client INFO: Reconnecting
2021-01-05 15:42:03 >> Connection, Client reconnect
2021-01-05 15:42:03 Client VERB2: Resolving
2021-01-05 15:42:13 Client DEBUG: Server poll timeout, trying next remote entry...
2021-01-05 15:42:13 Client INFO: Reconnecting
2021-01-05 15:42:13 >> Connection, Client reconnect
2021-01-05 15:42:13 Client VERB2: Resolving
Session closed

VPN server is using MFA. After restarting computer I am able to log in to VPN again.
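In the log above every attempt stops at `Resolving` and ends in `Server poll timeout` ten seconds later, which is consistent with the name-lookup failure identified later in the thread. The following is an added example (not from the thread or from the OpenVPN project) that flags this pattern in saved `openvpn3 log` output; the `diagnose` function, its threshold of two stalled attempts and the trimmed sample log are assumptions constructed here.

```python
import re

# Constructed sample: a trimmed excerpt in the same format as the log in this thread.
SAMPLE_LOG = """\
2021-01-05 15:41:43 Client INFO: Starting connection
2021-01-05 15:41:43 >> Connection, Client connecting
2021-01-05 15:41:43 Client VERB2: Resolving
2021-01-05 15:41:53 Client DEBUG: Server poll timeout, trying next remote entry...
2021-01-05 15:41:53 Client INFO: Reconnecting
2021-01-05 15:41:53 >> Connection, Client reconnect
2021-01-05 15:41:53 Client VERB2: Resolving
2021-01-05 15:42:03 Client DEBUG: Server poll timeout, trying next remote entry...
Session closed
"""

# "<date> <time> Client <LEVEL>: <message>"; status lines (">> ...") do not match.
CLIENT_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} Client (\w+): (.*)$")


def diagnose(log_text):
    """Classify each 'Resolving' event by the client message that follows it.

    Heuristic only (hypothetical helper, not an OpenVPN API): a resolve that is
    followed directly by a server poll timeout never produced an address.
    """
    messages = [m.group(2).strip() for line in log_text.splitlines()
                if (m := CLIENT_LINE.match(line.strip()))]
    attempts = stalled = progressed = 0
    for i, msg in enumerate(messages):
        if msg != "Resolving":
            continue
        attempts += 1
        nxt = messages[i + 1] if i + 1 < len(messages) else None
        if nxt is None:
            continue  # log ends here, outcome unknown
        if nxt.startswith("Server poll timeout"):
            stalled += 1
        else:
            progressed += 1
    # Suspect DNS when at least two lookups stalled and none ever got further.
    suspect = stalled >= 2 and progressed == 0
    return {"attempts": attempts, "stalled": stalled,
            "progressed": progressed, "dns_suspect": suspect}


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```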

dsommers commented 3 years ago

Okay, which Linux distribution do you use? You might want to double check that /etc/resolv.conf has been properly restored when disconnecting. Alternatively, if you have a distro with systemd v243 or newer and use systemd-resolved, you might want to consider using the systemd-resolved integration instead. More details here: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20607.html

sakalosj commented 3 years ago

distro: Fedora 33

openvpn was installed from copr: dnf copr enable dsommers/openvpn3

/etc/resolv.conf was restored correctly, I have tried systemd-resolved integration, and still failing.

sakalosj commented 3 years ago

When I configure IP instead of FQDN it works.

nslookup _vpn_server_fqdn_ doesn't work after disconnecting

dsommers commented 3 years ago

Using IP instead of hostname will not require the name lookup, so that is a workaround.

I will spin up a fresh Fedora 33 and try to reproduce it myself.

sakalosj commented 3 years ago

I was pretty sure I rebooted the OS, but now when I was digging into it I found out that it is working, so switching to systemd-resolved (openvpn3-admin netcfg-service --config-set systemd-resolved 1) helped.

For me it is working OK.

many thanks for your help and ultra quick response :)

dsommers commented 3 years ago

Great! I'll do some testing on Fedora 33 and plan for the Fedora 33+ builds to have systemd-resolved enabled by default.

dsommers commented 3 years ago

As of the coming v14_beta release, systemd-resolved will now be enabled by default on Fedora 33 and newer.

dsommers commented 3 years ago

The v14_beta release is happening today. systemd-resolved will be enabled by default on Fedora 33 and newer, as well as Ubuntu 20.04 and newer.