alfredopalhares / openvpn-update-resolv-conf

Script that updates DNS settings pushed by the OpenVPN server

Limitations on Fedora 29 #30

Open Thomas-S opened 5 years ago

Thomas-S commented 5 years ago

Hi,

first of all, this script has been working for me very well in the past. Thanks for your effort :)

Yesterday, I upgraded to Fedora 29 and my /etc/resolv.conf does not get updated anymore.

My versions:

```
OpenVPN 2.4.6 x86_64-redhat-linux-gnu
Fedora release 29 (Twenty Nine)
```

Maybe this log message helps as well:

```
Wed Nov 28 09:05:54 2018 /etc/openvpn/update-resolv-conf.sh tun0 1500 1604 10.242.2.21 255.255.255.0 init
Unknown interface 'tun0': No such device
Wed Nov 28 09:05:54 2018 SIGINT[hard,] received, process exiting
```

Regards, Thomas

LeTink commented 5 years ago

Ummm ... if there's no tun0 interface anymore, what is it called in the new version of Fedora?

alfredopalhares commented 5 years ago

Hello @Thomas-S,

First of all thank you and sorry for the delay on the response.

Strange that the interface is not tun0. Can you paste a more full log, with verbose 7 on your config? Please mask the sensitive parts like IPs. If you are not sure, email me the log.

Thomas-S commented 5 years ago

Hi thanks for the response :)

> Ummm ... if there's no tun0 interface anymore, what is it called in the new version of Fedora?

If I run ifconfig the interface tun0 is still there (amongst many others).

> Hello @Thomas-S,
>
> First of all thank you and sorry for the delay on the response.
>
> Strange that the interface is not tun0. Can you paste a more full log, with verbose 7 on your config? Please mask the sensitive parts like IPs. If you are not sure, email me the log.

I don't know what you mean by verbose 7

alfredopalhares commented 5 years ago

> I don't know what you mean by verbose 7

This is an option that you can set on your openvpn client config file: `verb 7`

Thomas-S commented 5 years ago

Ah thanks. This is what comes up, verb 7 does not seem to give me more log info:

```
Mon Dec  3 09:54:25 2018 library versions: OpenSSL 1.1.1 FIPS  11 Sep 2018, LZO 2.08
Enter Auth Username: *******
Enter Auth Password: ****************
Mon Dec  3 09:54:38 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Dec  3 09:54:43 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]*******
Mon Dec  3 09:54:43 2018 Socket Buffers: R=[87380->87380] S=[16384->16384]
Mon Dec  3 09:54:43 2018 Attempting to establish TCP connection with [AF_INET]******* [nonblock]
Mon Dec  3 09:54:44 2018 TCP connection established with [AF_INET]*******
Mon Dec  3 09:54:44 2018 TCP_CLIENT link local: (not bound)
Mon Dec  3 09:54:44 2018 TCP_CLIENT link remote: [AF_INET]*******
Mon Dec  3 09:54:44 2018 TLS: Initial packet from [AF_INET]*******, sid=*******
Mon Dec  3 09:54:44 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Dec  3 09:54:45 2018 VERIFY OK: *******
Mon Dec  3 09:54:45 2018 VERIFY X509NAME OK: *******
Mon Dec  3 09:54:45 2018 VERIFY OK: *******
Mon Dec  3 09:54:45 2018 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Dec  3 09:54:45 2018 [*******] Peer Connection Initiated with [AF_INET]*******
Mon Dec  3 09:54:46 2018 SENT CONTROL [*******]: 'PUSH_REQUEST' (status=1)
Mon Dec  3 09:54:52 2018 SENT CONTROL [*******]: 'PUSH_REQUEST' (status=1)
Mon Dec  3 09:54:52 2018 PUSH: Received control message: 'PUSH_REPLY,route-gateway *******,route-gateway *******,topology subnet,ping 10,ping-restart 120,route *******,route *******,route *******,route *******,route *******,route *******,route *******,dhcp-option DNS ****DNS_HERE***,dhcp-option DOMAIN *******,ifconfig *******'
Mon Dec  3 09:54:52 2018 OPTIONS IMPORT: timers and/or timeouts modified
Mon Dec  3 09:54:52 2018 OPTIONS IMPORT: --ifconfig/up options modified
Mon Dec  3 09:54:52 2018 OPTIONS IMPORT: route options modified
Mon Dec  3 09:54:52 2018 OPTIONS IMPORT: route-related options modified
Mon Dec  3 09:54:52 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Dec  3 09:54:52 2018 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Dec  3 09:54:52 2018 Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Dec  3 09:54:52 2018 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Dec  3 09:54:52 2018 Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Dec  3 09:54:52 2018 ROUTE_GATEWAY *******/******* IFACE=eno1 HWADDR=*******
Mon Dec  3 09:54:52 2018 TUN/TAP device tun0 opened
Mon Dec  3 09:54:52 2018 TUN/TAP TX queue length set to 100
Mon Dec  3 09:54:52 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Dec  3 09:54:52 2018 /sbin/ip link set dev tun0 up mtu 1500
Mon Dec  3 09:54:52 2018 /sbin/ip addr add dev tun0 *******/24 broadcast *******
Mon Dec  3 09:54:52 2018 /etc/openvpn/update-resolv-conf.sh tun0 1500 1604 ******* init
dhcp-option DOMAIN-SEARCH *******
dhcp-option DOMAIN-SEARCH *******
dhcp-option DNS *******
dhcp-option DOMAIN *******
Mon Dec  3 09:54:56 2018 /sbin/ip route add *******/32 via *******
[...]
Mon Dec  3 09:54:56 2018 /sbin/ip route add *******/16 via *******
Mon Dec  3 09:54:56 2018 Initialization Sequence Completed

# When I press Ctrl+C ...

^CMon Dec  3 09:55:30 2018 event_wait : Interrupted system call (code=4)
Mon Dec  3 09:55:30 2018 /sbin/ip route del *******/32
Mon Dec  3 09:55:30 2018 /sbin/ip route del *******/16
Mon Dec  3 09:55:30 2018 Closing TUN/TAP interface
Mon Dec  3 09:55:30 2018 /sbin/ip addr del dev tun0 *******/24
Mon Dec  3 09:55:30 2018 /etc/openvpn/update-resolv-conf.sh tun0 1500 1604 ******* init
Unknown interface 'tun0': No such device
Mon Dec  3 09:55:30 2018 SIGINT[hard,] received, process exiting
```

alfredopalhares commented 5 years ago

So, the problem here is that the interface is taken down before the down script is executed, so the tun interface.

Can you post your openvpn version and config? Please mask the sensitive information.

Thomas-S commented 5 years ago

I already posted the version in my initial message.

The config is as follows:

```
verb 7
client
dev tun
proto tcp
remote **** 8877
verify-x509-name "C=de, L=Frankfurt, O=****, CN=****, emailAddress=****"
route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
ca ****.ca.crt
cert ****.user.crt
key ****.user.key
auth-user-pass
cipher AES-256-CBC
auth SHA512
comp-lzo
route-delay 4
verb 3
reneg-sec 0

# Tom
# This updates the resolvconf with dns settings
dhcp-option DOMAIN-SEARCH ****
dhcp-option DOMAIN-SEARCH ******
script-security 2
up /etc/openvpn/update-resolv-conf.sh
down /etc/openvpn/update-resolv-conf.sh
```
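
The ordering described in the thread (device closed first, down script called afterwards) can be checked mechanically. The following is an added example, not part of the original thread or of the project's script: it reads an OpenVPN client log to see whether the down-phase call of the script came after `Closing TUN/TAP interface`, and reads a config to see whether it sets OpenVPN's `down-pre` option, which runs the `down` script before the TUN/TAP device is closed. The function names, the sample log and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: sample log and configs are constructed; function names are hypothetical.

# Where did the down-phase call of the script land relative to device close?
# Prints after-close, before-close, or none.
down_script_order() {  # $1 = log file, $2 = script path
    awk -v script="$2" '
        /Initialization Sequence Completed/ { up_done = 1 }
        /Closing TUN\/TAP interface/        { closed = 1 }
        up_done && index($0, script " ") {
            print (closed ? "after-close" : "before-close"); found = 1; exit
        }
        END { if (!found) print "none" }' "$1"
}

# Does the config ask OpenVPN to run the down script before closing the device?
# Prints no-down, down-post (the default order), or down-pre.
down_hook_mode() {  # $1 = config file
    awk '{ sub(/[#;].*/, "") }             # drop config comments
         $1 == "down"     { down = 1 }
         $1 == "down-pre" { pre = 1 }
         END { print (!down ? "no-down" : pre ? "down-pre" : "down-post") }' "$1"
}

# Constructed sample data, shaped like the log and config posted in this thread.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/client.log" <<'EOF'
Mon Dec  3 09:54:52 2018 TUN/TAP device tun0 opened
Mon Dec  3 09:54:52 2018 /etc/openvpn/update-resolv-conf.sh tun0 1500 1604 192.0.2.10 255.255.255.0 init
Mon Dec  3 09:54:56 2018 Initialization Sequence Completed
Mon Dec  3 09:55:30 2018 Closing TUN/TAP interface
Mon Dec  3 09:55:30 2018 /etc/openvpn/update-resolv-conf.sh tun0 1500 1604 192.0.2.10 255.255.255.0 init
Unknown interface 'tun0': No such device
EOF
printf '%s\n' 'dev tun' 'persist-tun' 'script-security 2' \
    'up /etc/openvpn/update-resolv-conf.sh' \
    'down /etc/openvpn/update-resolv-conf.sh' > "$tmp/before.conf"
{ cat "$tmp/before.conf"; echo 'down-pre'; } > "$tmp/after.conf"

echo "log:         $(down_script_order "$tmp/client.log" /etc/openvpn/update-resolv-conf.sh)"
echo "before.conf: $(down_hook_mode "$tmp/before.conf")"
echo "after.conf:  $(down_hook_mode "$tmp/after.conf")"
```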