amnezia-vpn / amnezia-client

Amnezia VPN Client (Desktop+Mobile)
https://amnezia.org
GNU General Public License v3.0

DNS blocked on the fresh installations #1224

Open shurrman opened 3 weeks ago

shurrman commented 3 weeks ago

**Describe the bug**
Fresh self-hosted installations (tried on CentOS 7 and Ubuntu 24 on different hostings) block DNS requests, while other network connectivity seems to be OK.

**To Reproduce**
Steps to reproduce the behavior:

  1. Get a freshly installed Ubuntu 24 on AWS; the security group allows ports 22, 80, 443 worldwide.
  2. Create a new server in the client, select "OpenVPN over Cloak", and in the OpenVPN settings check "Блокировать DNS запросы за пределами VPN" ("Block DNS requests outside the VPN"; it seems not to make any difference, actually). It installs OK.
  3. Before connecting, do some checks:

     ```
     % nslookup google.com
     Server:         192.168.128.5
     Address:        192.168.128.5#53

     Non-authoritative answer:
     Name:   google.com
     Address: 142.250.74.142

     % curl -I 142.250.74.142
     HTTP/1.1 301 Moved Permanently
     Location: http://www.google.com/
     Content-Type: text/html; charset=UTF-8
     Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-HqwKqmVc-pX13cr7phpw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
     Date: Fri, 01 Nov 2024 13:28:17 GMT
     Expires: Sun, 01 Dec 2024 13:28:17 GMT
     Cache-Control: public, max-age=2592000
     Server: gws
     Content-Length: 219
     X-XSS-Protection: 0
     X-Frame-Options: SAMEORIGIN

     % ping -c 1 8.8.4.4
     PING 8.8.4.4 (8.8.4.4): 56 data bytes
     64 bytes from 8.8.4.4: icmp_seq=0 ttl=57 time=69.493 ms

     --- 8.8.4.4 ping statistics ---
     1 packets transmitted, 1 packets received, 0.0% packet loss
     round-trip min/avg/max/stddev = 69.493/69.493/69.493/0.000 ms
     ```

     Things are working.
  4. Now, connect it and do the same tests again:

     ```
     % ping -c 1 8.8.4.4
     PING 8.8.4.4 (8.8.4.4): 56 data bytes
     64 bytes from 8.8.4.4: icmp_seq=0 ttl=56 time=170.681 ms

     --- 8.8.4.4 ping statistics ---
     1 packets transmitted, 1 packets received, 0.0% packet loss
     round-trip min/avg/max/stddev = 170.681/170.681/170.681/nan ms

     % curl -I 142.250.74.142
     HTTP/1.1 301 Moved Permanently
     Location: http://www.google.com/
     Content-Type: text/html; charset=UTF-8
     Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-op7W5MF396OiHUKorFe2Ww' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
     Date: Fri, 01 Nov 2024 13:29:03 GMT
     Expires: Sun, 01 Dec 2024 13:29:03 GMT
     Cache-Control: public, max-age=2592000
     Server: gws
     Content-Length: 219
     X-XSS-Protection: 0
     X-Frame-Options: SAMEORIGIN

     % nslookup google.com
     ;; connection timed out; no servers could be reached
     ```

So we see that connectivity is OK, but DNS is blocked. Tested other DNS servers; same thing.

**Desktop (please complete the following information):**
 - OS: macOS Sequoia 15.1
 - Version 4.5.2.0

**Server (please complete the following information):**
 - OS: Ubuntu 24

**Additional context**
Tried on CentOS 7 fresh hosting too - same result.
I set up a server in April; it works OK (no issues with DNS, etc.).

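
The report shows ICMP and HTTP working while `nslookup` times out, which leaves open whether port 53 is unreachable over UDP only, over TCP too, or whether the resolver answers but the reply is lost. The script below is an added diagnostic (my own example, not code from the amnezia-client project): it hand-builds one A query, sends it to each resolver over UDP/53 and over TCP/53, and reports the parsed answers or "None" for no reply. 8.8.4.4 and google.com come from the report; 1.1.1.1 as a second resolver, the fixed transaction id and the 3 s timeout are assumptions.

```python
import socket
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    # Minimal A-record query with RD set; the fixed txid keeps results reproducible.
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(msg: bytes, pos: int) -> int:
    # Skip a possibly compressed name (RFC 1035 4.1.4) and return the offset after it.
    while msg[pos] and not msg[pos] & 0xC0:
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] else 1)  # compression pointer is 2 bytes, root label 1

def parse_answers(msg: bytes) -> list[str]:
    # IPv4 addresses in the answer section; an error reply has ANCOUNT 0 and yields [].
    _, _, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, pos)  # TYPE CLASS TTL RDLENGTH
        rdata, pos = msg[pos + 10:pos + 10 + rdlen], pos + 10 + rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs

def probe(server: str, name: str, tcp: bool, timeout: float = 3.0):
    # One query over UDP/53 or TCP/53; None means no reply (timeout, refused, unreachable).
    q = build_query(name)
    try:
        if tcp:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(q)) + q)
                data = s.recv(4096)[2:]  # drop the 2-byte length prefix
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(q, (server, 53))
                data = s.recvfrom(4096)[0]
    except OSError:
        return None
    return parse_answers(data)

if __name__ == "__main__":  # run once before and once after connecting the VPN, then compare
    for server in ("8.8.4.4", "1.1.1.1"):  # 8.8.4.4 is from the report; 1.1.1.1 is an assumed second resolver
        for tcp in (False, True):
            print(server, "tcp" if tcp else "udp", probe(server, "google.com", tcp))
```

A row that is None over UDP but answers over TCP points at UDP/53 handling in the tunnel or the server's NAT rules, while None on both narrows it to port 53 itself rather than general connectivity.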
shurrman commented 2 weeks ago

Inside the container... no DNS?

```
bash-5.1# cat /etc/resolv.conf
search ec2.internal
nameserver 127.0.0.11
options ndots:0
bash-5.1# ss -nlup
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port   Process
UNCONN  0       0       127.0.0.11:44457     0.0.0.0:*
bash-5.1# ss -nltp
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port   Process
LISTEN  0       4096    127.0.0.11:32819     0.0.0.0:*
LISTEN  0       32      0.0.0.0:1194         0.0.0.0:*           users:(("openvpn",pid=999,fd=7))
LISTEN  0       1024    0.0.0.0:6789         0.0.0.0:*           users:(("ssserver",pid=1001,fd=9))
LISTEN  0       4096    *:443                *:*                 users:(("ck-server",pid=1003,fd=7))
```

shurrman commented 2 weeks ago

Mmm...

```
bash-5.1# nslookup ya.ru
Server:         127.0.0.11
Address:        127.0.0.11:53

Non-authoritative answer:
Name:   ya.ru
Address: 77.88.55.242
Name:   ya.ru
Address: 77.88.44.242
Name:   ya.ru
Address: 5.255.255.242

Non-authoritative answer:
Name:   ya.ru
Address: 2a02:6b8::2:242
```