dperson / openvpn-client

GNU Affero General Public License v3.0

DNS issues #69

Closed jaymart1983 closed 7 years ago

jaymart1983 commented 7 years ago

I cannot get DNS to work through my StrongVPN connection. I have a UsenetServer VPN that works fine, but there are no inbound unsolicited connections; that is why I have StrongVPN. I have added the --dns and -d flags but nothing is working. I am using a .conf file. When I exec -it /bin/bash into the container and ping google.com I get nothing; however, I am able to ping 8.8.8.8 (or any other IP) and get a response. Below is my docker run command (I have changed the path):

docker run -it --name vpn --cap-add=NET_ADMIN --device /dev/net/tun \
    --dns 8.8.8.8 -v /path/to/config:/vpn \
    -d dperson/openvpn-client -d

What in this config is causing DNS to fail? This is my UsenetServer VPN conf file (some stuff changed for anonymity):

remote xx.xx.xx.xx 4672 udp
remote xx.xx.xx.xx 123 udp
remote xx.xx.xx.xx 53 udp
key-direction 1
cipher AES-128-CBC
client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
verb 4
reneg-sec 86400
echo vpn-server name
tun-mtu 1500
route-method exe
route-delay 2
redirect-gateway def1
comp-lzo no
explicit-exit-notify 2
fragment 1390
mssfix 1390
hand-window 30

-----BEGIN CERTIFICATE-----
removed
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
removed
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
removed
-----END CERTIFICATE-----
-----BEGIN OpenVPN Static key V1-----
removed
-----END OpenVPN Static key V1-----

# This updates the resolvconf with dns settings
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
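
The up/down lines in the conf above hand DNS handling to /etc/openvpn/update-resolv-conf, and that path has to exist inside the container (not just on the host) for script-security 2 to achieve anything. As an added example, written for this page and not the Debian script nor anything shipped in dperson/openvpn-client, here is a minimal hook that does the same job: OpenVPN exposes the options a server pushes as environment variables foreign_option_1, foreign_option_2, ... and sets script_type to up or down; the hook turns dhcp-option DNS/DOMAIN values into a resolv.conf and restores the original on the way down. RESOLV_FILE, the function names and the input validation are my own choices.

```shell
#!/bin/sh
# Added example (not the Debian/OpenVPN update-resolv-conf script and not part
# of dperson/openvpn-client): a minimal --up/--down hook that turns the
# "dhcp-option DNS ..." and "dhcp-option DOMAIN ..." values a server pushes
# into a resolv.conf. OpenVPN hands pushed options to --up scripts as
# environment variables foreign_option_1, foreign_option_2, ... and sets
# script_type to "up" or "down"; "script-security 2" must be in the config
# for OpenVPN to execute an external script at all.
#
# RESOLV_FILE defaults to /etc/resolv.conf; override it when testing.
RESOLV_FILE="${RESOLV_FILE:-/etc/resolv.conf}"
BACKUP_FILE="${BACKUP_FILE:-$RESOLV_FILE.openvpn-backup}"

# render_resolv_conf: print resolv.conf lines derived from foreign_option_N.
# Pushed values are server-controlled input, so only plausible addresses and
# domain names are accepted; anything else is dropped rather than written
# into a file the resolver library parses.
render_resolv_conf() {
    i=1
    while true; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        set -f                      # no globbing while splitting the option
        set -- $opt
        set +f
        if [ "$1" = "dhcp-option" ]; then
            case "$2" in
                DNS)
                    case "$3" in
                        *[!0-9a-fA-F.:]*|"") ;;   # rejects "8.8.8.8;" and the like
                        *) echo "nameserver $3" ;;
                    esac ;;
                DOMAIN|DOMAIN-SEARCH)
                    case "$3" in
                        *[!A-Za-z0-9.-]*|"") ;;
                        *) echo "search $3" ;;
                    esac ;;
            esac
        fi
        i=$((i + 1))
    done
}

# vpn_up: back up the current resolv.conf once, then replace it.
vpn_up() {
    content=$(render_resolv_conf)
    if [ -z "$content" ]; then
        echo "no DNS pushed by server; leaving $RESOLV_FILE untouched" >&2
        return 0
    fi
    [ -f "$BACKUP_FILE" ] || cp "$RESOLV_FILE" "$BACKUP_FILE"
    printf '# written by openvpn up hook\n%s\n' "$content" > "$RESOLV_FILE"
}

# vpn_down: restore the backup so the container resolves normally again.
vpn_down() {
    [ -f "$BACKUP_FILE" ] && mv "$BACKUP_FILE" "$RESOLV_FILE"
    return 0
}

# Dispatch on what OpenVPN asked for; does nothing when sourced for testing.
case "${script_type:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

Point "up" and "down" in the config at wherever this file lives in the container image (the same path for both, as in the conf above). If the server pushes nothing, the hook leaves resolv.conf alone, which is the case where the --dns flag on docker run still decides which resolver is used.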

dperson commented 7 years ago

I doubt that you need to run both --dns and -d options at the same time... Can you provide the log messages from: sudo docker logs <vpn_container_name> (replacing with the actual container name)?

krispharper commented 7 years ago

I'm not 100% sure if this is the same issue, but I am also having name resolution issues. My logs are

Sat Jun 17 14:31:27 2017 OpenVPN 2.4.0 [git:master/d73f7253d939e293+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 22 2017
Sat Jun 17 14:31:27 2017 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
Sat Jun 17 14:31:27 2017 RESOLVE: Cannot resolve host address: nl.privateinteraccess.com:1194 (Name or service not known)
Sat Jun 17 14:31:27 2017 RESOLVE: Cannot resolve host address: nl.privateinteraccess.com:1194 (Name or service not known)
Sat Jun 17 14:31:27 2017 Could not determine IPv4/IPv6 protocol
Sat Jun 17 14:31:27 2017 SIGUSR1[soft,init_instance] received, process restarting
Sat Jun 17 14:31:32 2017 RESOLVE: Cannot resolve host address: nl.privateinteraccess.com:1194 (Name or service not known)
Sat Jun 17 14:31:32 2017 RESOLVE: Cannot resolve host address: nl.privateinteraccess.com:1194 (Name or service not known)
Sat Jun 17 14:31:32 2017 Could not determine IPv4/IPv6 protocol
Sat Jun 17 14:31:32 2017 SIGUSR1[soft,init_instance] received, process restarting
Sat Jun 17 14:31:37 2017 RESOLVE: Cannot resolve host address: nl.privateinteraccess.com:1194 (Name or service not known)
Sat Jun 17 14:31:37 2017 RESOLVE: Cannot resolve host address: nl.privateinteraccess.com:1194 (Name or service not known)
Sat Jun 17 14:31:37 2017 Could not determine IPv4/IPv6 protocol
Sat Jun 17 14:31:37 2017 SIGUSR1[soft,init_instance] received, process restarting
Sat Jun 17 14:31:42 2017 RESOLVE: Cannot resolve host address: nl.privateinteraccess.com:1194 (Name or service not known)
Sat Jun 17 14:31:42 2017 RESOLVE: Cannot resolve host address: nl.privateinteraccess.com:1194 (Name or service not known)
Sat Jun 17 14:31:42 2017 Could not determine IPv4/IPv6 protocol
Sat Jun 17 14:31:42 2017 SIGUSR1[soft,init_instance] received, process restarting
Sat Jun 17 14:31:47 2017 RESOLVE: Cannot resolve host address: nl.privateinteraccess.com:1194 (Name or service not known)

This only started happening recently, so my guess was that it was a recent change to the image, but I can't quite figure out what the issue is.

My run command looks like

docker run --name vpn --rm --cap-add=NET_ADMIN --dns 8.8.8.8 --device /dev/net/tun -e VPN_USERNAME=$VPN_USERNAME -e VPN_PASSWORD=$VPN_PASSWORD -v /etc/ssl/certs/pia.crt:/vpn/vpn-ca.crt dperson/openvpn-client -v "nl.privateinteraccess.com;$VPN_USERNAME;$VPN_PASSWORD;1194"

dperson commented 7 years ago

@krispharper for testing, please run:

docker run -it --name vpn --rm --cap-add=NET_ADMIN --dns 8.8.8.8 --device /dev/net/tun -e VPN_USERNAME=$VPN_USERNAME -e VPN_PASSWORD=$VPN_PASSWORD -v /etc/ssl/certs/pia.crt:/vpn/vpn-ca.crt dperson/openvpn-client -v "nl.privateinteraccess.com;$VPN_USERNAME;$VPN_PASSWORD;1194" bash

In the container that will be created run cat /vpn/vpn.conf and ping -c3 google.com. Thanks.

krispharper commented 7 years ago

Yeah, I tried ping earlier. The DNS part seems to work (in that it picks out the IP address for google.com). So I'm not sure why openvpn complains about resolution.

root@740b6695cda2:/# cat /vpn/vpn.conf
client
dev tun
proto udp
remote nl.privateinteraccess.com 1194
resolv-retry infinite
keepalive 10 30
nobind
persist-key
cipher aes-256-cbc
auth sha256
tls-client
remote-cert-tls server
auth-user-pass /vpn/vpn.cert_auth
comp-lzo
verb 1
reneg-sec 0
ca /vpn/vpn-ca.crt
redirect-gateway def1
root@740b6695cda2:/# ping -c3 google.com
PING google.com (172.217.3.110): 56 data bytes
ping: sending packet: Operation not permitted

dperson commented 7 years ago

You're getting errors in trying to ping... which works fine on my system. I'd suggest pinging the VPN servers and/or the Google 8.8.8.8 DNS server... both of which also work for me.

krispharper commented 7 years ago

Does your system successfully connect to the VPN though? My understanding was that openvpn.sh added iptables rules to drop traffic that's not over the VPN connection, which would mean if I can't successfully start openvpn, ping traffic would be blocked.

As a crude test, I tried ping while taking out the --cap-add=NET_ADMIN parameter so the iptables calls failed, and I was able to ping successfully.

kris@artemis:~$ docker run -it --name vpn --rm --cap-add=NET_ADMIN --dns 8.8.8.8 --device /dev/net/tun -e VPN_USERNAME=$VPN_USERNAME -e VPN_PASSWORD=$VPN_PASSWORD -v /etc/ssl/certs/pia.crt:/vpn/vpn-ca.crt dperson/openvpn-client -v "nl.privateinteraccess.com;$VPN_USERNAME;$VPN_PASSWORD;1194" ping -c3 google.com
ls: cannot access '/vpn/*.pem': No such file or directory
PING google.com (172.217.11.14): 56 data bytes
ping: sending packet: Operation not permitted
kris@artemis:~$ docker run -it --name vpn --rm --dns 8.8.8.8 --device /dev/net/tun -e VPN_USERNAME=$VPN_USERNAME -e VPN_PASSWORD=$VPN_PASSWORD -v /etc/ssl/certs/pia.crt:/vpn/vpn-ca.crt dperson/openvpn-client -v "nl.privateinteraccess.com;$VPN_USERNAME;$VPN_PASSWORD;1194" ping -c3 google.com
ls: cannot access '/vpn/*.pem': No such file or directory
iptables v1.6.0: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.6.0: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
getsockopt failed strangely: Operation not permitted
iptables v1.6.0: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.6.0: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.6.0: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.6.0: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.6.0: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.6.0: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.6.0: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
PING google.com (172.217.11.14): 56 data bytes
64 bytes from 172.217.11.14: icmp_seq=0 ttl=53 time=11.224 ms
64 bytes from 172.217.11.14: icmp_seq=1 ttl=53 time=12.106 ms
64 bytes from 172.217.11.14: icmp_seq=2 ttl=53 time=11.576 ms
--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 11.224/11.635/12.106/0.363 ms

dperson commented 7 years ago

It will set up a firewall, but not by default. You have to add the -f "" option, or set the FIREWALL environment variable. I didn't see either of those in your command line.

dperson commented 7 years ago

Hmm, I'd forgotten that I'd had it add a /vpn/.firewall file once you'd started it, to make sure you were running it from then on. But you're also not keeping a persistent /vpn volume, so I'm not sure why the firewall is starting on your system.

krispharper commented 7 years ago

It looks like if you pass in the port argument to -v, it triggers the firewall. I originally hadn't needed the port argument, but I think there might have been a bug a little while ago which required it. Looks like either I was wrong or that bug is fixed, because now I don't need to include the port.

All that being said, this is the output of your original ask after I took out 1194 from the end of the argument passed to -v.

kris@artemis:~$ docker run -it --name vpn --rm --cap-add=NET_ADMIN --dns 8.8.8.8 --device /dev/net/tun -e VPN_USERNAME=$VPN_USERNAME -e VPN_PASSWORD=$VPN_PASSWORD -v /etc/ssl/certs/pia.crt:/vpn/vpn-ca.crt krispharper/openvpn-client -v "nl.privateinteraccess.com;$VPN_USERNAME;$VPN_PASSWORD" bash
ls: cannot access '/vpn/*.pem': No such file or directory
root@89bcae8c3e62:/# cat /vpn/vpn.conf
client
dev tun
proto udp
remote nl.privateinteraccess.com 1194
resolv-retry infinite
keepalive 10 30
nobind
persist-key
cipher aes-256-cbc
auth sha256
tls-client
remote-cert-tls server
auth-user-pass /vpn/vpn.cert_auth
comp-lzo
verb 1
reneg-sec 0
ca /vpn/vpn-ca.crt
redirect-gateway def1
root@89bcae8c3e62:/# ping -c3 google.com
PING google.com (172.217.10.238): 56 data bytes
64 bytes from 172.217.10.238: icmp_seq=0 ttl=53 time=14.263 ms
64 bytes from 172.217.10.238: icmp_seq=1 ttl=53 time=11.811 ms
64 bytes from 172.217.10.238: icmp_seq=2 ttl=53 time=14.167 ms
--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 11.811/13.414/14.263/1.134 ms

This time ping is working.

dperson commented 7 years ago

Okay, very good. Also thanks for spotting that bug; it was just there to make sure the firewall was letting through the right port, but it was always enabling the firewall. I'll fix that as well.

krispharper commented 7 years ago

To be clear, the exact same command still gives an error with resolving the host. Even though I can ping correctly, openvpn still throws a resolve host error.

kris@artemis:~$ docker run -it --name vpn --rm --cap-add=NET_ADMIN --dns 8.8.8.8 --device /dev/net/tun -e VPN_USERNAME=$VPN_USERNAME -e VPN_PASSWORD=$VPN_PASSWORD -v /etc/ssl/certs/pia.crt:/vpn/vpn-ca.crt krispharper/openvpn-client -v "nl.privateinteraccess.com;$VPN_USERNAME;$VPN_PASSWORD"
ls: cannot access '/vpn/*.pem': No such file or directory
Tue Jun 20 21:50:13 2017 OpenVPN 2.4.0 [git:master/d73f7253d939e293+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 22 2017
Tue Jun 20 21:50:13 2017 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
Tue Jun 20 21:50:13 2017 RESOLVE: Cannot resolve host address: nl.privateinteraccess.com:1194 (Name or service not known)
Tue Jun 20 21:50:13 2017 RESOLVE: Cannot resolve host address: nl.privateinteraccess.com:1194 (Name or service not known)
Tue Jun 20 21:50:13 2017 Could not determine IPv4/IPv6 protocol
Tue Jun 20 21:50:13 2017 SIGUSR1[soft,init_instance] received, process restarting
Tue Jun 20 21:50:18 2017 RESOLVE: Cannot resolve host address: nl.privateinteraccess.com:1194 (Name or service not known)
Tue Jun 20 21:50:18 2017 RESOLVE: Cannot resolve host address: nl.privateinteraccess.com:1194 (Name or service not known)
Tue Jun 20 21:50:18 2017 Could not determine IPv4/IPv6 protocol
Tue Jun 20 21:50:18 2017 SIGUSR1[soft,init_instance] received, process restarting

Also, pinging that specific host does work, so I don't think that's the problem either.

kris@artemis:~$ docker run -it --name vpn --rm --cap-add=NET_ADMIN --dns 8.8.8.8 --device /dev/net/tun -e VPN_USERNAME=$VPN_USERNAME -e VPN_PASSWORD=$VPN_PASSWORD -v /etc/ssl/certs/pia.crt:/vpn/vpn-ca.crt krispharper/openvpn-client -v "nl.privateinteraccess.com;$VPN_USERNAME;$VPN_PASSWORD" ping -c3 nl.privateinternetaccess.com
ls: cannot access '/vpn/*.pem': No such file or directory
PING nl.privateinternetaccess.com (46.166.138.131): 56 data bytes
64 bytes from 46.166.138.131: icmp_seq=0 ttl=50 time=88.901 ms
64 bytes from 46.166.138.131: icmp_seq=1 ttl=48 time=94.555 ms
64 bytes from 46.166.138.131: icmp_seq=2 ttl=48 time=91.616 ms
--- nl.privateinternetaccess.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 88.901/91.691/94.555/2.309 ms
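
One thing the two outputs above make visible is that the name in the RESOLVE errors, nl.privateinteraccess.com, is not the same string as the nl.privateinternetaccess.com that was pinged successfully. A pre-flight check over the generated vpn.conf surfaces that class of problem once, before openvpn starts restarting itself every five seconds. The script below is an added example written for this page, not part of dperson/openvpn-client; resolve_host is kept separate so a stub can replace it offline, the real one assumes getent is installed in the container, and the function names and output format are mine.

```shell
#!/bin/sh
# Added example for this thread, not part of dperson/openvpn-client: check
# every "remote" line of an OpenVPN client config before starting openvpn, so
# a hostname that does not resolve is reported once and clearly instead of as
# the RESOLVE / "Could not determine IPv4/IPv6 protocol" / SIGUSR1 restart
# loop seen in the logs. resolve_host is a separate function so a stub can
# replace it for offline tests; the real one assumes getent is installed.

# resolve_host NAME: print the addresses NAME resolves to; non-zero if none.
# getent goes through the same resolv.conf/nsswitch path openvpn itself uses.
resolve_host() {
    getent hosts "$1" | awk '{print $1}' | grep .
}

# remotes_in CONF: print "host port proto" for every remote directive,
# filling in the config's global "port"/"proto" lines, or OpenVPN's defaults
# of 1194/udp, when a remote line leaves them out.
remotes_in() {
    conf="$1"
    def_port=$(awk '$1=="port"{p=$2} END{print (p ? p : 1194)}' "$conf")
    def_proto=$(awk '$1=="proto"{p=$2} END{print (p ? p : "udp")}' "$conf")
    awk -v dp="$def_port" -v dpr="$def_proto" \
        '$1=="remote" && $2!="" {print $2, ($3 ? $3 : dp), ($4 ? $4 : dpr)}' "$conf"
}

# check_remotes CONF: 0 if every remote is a literal IPv4 address or resolves,
# 1 otherwise. One line per remote is printed either way.
check_remotes() {
    rc=0
    list=$(remotes_in "$1")
    while read -r host port proto; do
        [ -n "$host" ] || continue
        case "$host" in
            *[!0-9.]*) ;;   # contains letters: needs resolution
            *) echo "ok   $host $port/$proto (literal address)"; continue ;;
        esac
        if addrs=$(resolve_host "$host"); then
            echo "ok   $host $port/$proto -> $(echo "$addrs" | head -n 1)"
        else
            echo "FAIL $host $port/$proto does not resolve" >&2
            rc=1
        fi
    done <<EOF
$list
EOF
    return $rc
}

# Usage: sh check-remotes.sh /vpn/vpn.conf
if [ $# -ge 1 ]; then
    check_remotes "$1"
fi
```

Run it inside the container (the same place openvpn runs, so it sees the same --dns resolver and the same firewall rules) before launching openvpn; a non-zero exit means at least one remote cannot be reached by name from there.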

dperson commented 7 years ago

The firewall rules specifically allow outbound UDP traffic on port 53 (DNS), so it shouldn't be blocked. As a test, pick one of the round-robin IPs that nl.privateinternetaccess.com resolves to and use it.

I.e.: sudo docker run -it --name vpn --rm --cap-add=NET_ADMIN --device /dev/net/tun -v /etc/ssl/certs/pia.crt:/vpn/vpn-ca.crt dperson/openvpn-client -v "109.201.154.155;$VPN_USERNAME;$VPN_PASSWORD"

NOTE: I use PIA too, and they now have 3 sets of certs for connection, each of which has its own port. Depending on which cert you're using you'll have to use the matching port (the OpenVPN server doesn't support multiple certs, so they're running different instances).

dperson@tundro$ host nl.privateinternetaccess.com
nl.privateinternetaccess.com has address 109.201.154.155
nl.privateinternetaccess.com has address 46.166.138.165
nl.privateinternetaccess.com has address 109.201.154.205
nl.privateinternetaccess.com has address 46.166.188.225
nl.privateinternetaccess.com has address 46.166.188.199
nl.privateinternetaccess.com has address 46.166.190.186
nl.privateinternetaccess.com has address 109.201.154.147
nl.privateinternetaccess.com has address 109.201.152.13
nl.privateinternetaccess.com has address 46.166.138.140
nl.privateinternetaccess.com has address 46.166.190.215
nl.privateinternetaccess.com has address 46.166.188.216
nl.privateinternetaccess.com has address 46.166.188.218
nl.privateinternetaccess.com has address 46.166.188.230
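
The firewall behaviour discussed from krispharper's iptables guess onward (enabled with -f "" or FIREWALL, outbound UDP 53 allowed) is the kind of ruleset below. It is an added example written for this page, not the actual rules in the image's openvpn.sh; the function names, the tun0 default and the input validation are mine. It takes the server as a literal IPv4 address, in line with the suggestion just above to pick one of the round-robin addresses, and prints the commands so they can be reviewed before apply_killswitch runs them.

```shell
#!/bin/sh
# Added example written for this thread; it is not the firewall code in
# dperson/openvpn-client's openvpn.sh. It builds a VPN "kill switch" ruleset:
# once applied, only loopback, the tunnel interface, the VPN server itself
# (exact protocol/address/port) and DNS can be reached, and everything else
# leaving the container is dropped. That policy is what makes a plain
# "ping google.com" fail with "sending packet: Operation not permitted" while
# the tunnel is not up. build_killswitch_rules prints the commands so they can
# be reviewed; apply_killswitch executes them and needs CAP_NET_ADMIN (hence
# --cap-add=NET_ADMIN on the docker run line).

# build_killswitch_rules SERVER_IPV4 PORT PROTO [TUN_IF] [DNS_PORT]
build_killswitch_rules() {
    server="$1"; port="$2"; proto="$3"
    tun="${4:-tun0}"
    dns_port="${5:-53}"

    # These values come from the VPN config or a "host;user;pass;port" string
    # and are interpolated into commands, so reject anything that is not a
    # dotted-quad address, a port number, a known protocol or an interface
    # name before building the rules.
    case "$server" in
        *[!0-9.]*|"") echo "bad server address (IPv4 literal expected): $server" >&2; return 1 ;;
    esac
    case "$port" in
        *[!0-9]*|"") echo "bad port: $port" >&2; return 1 ;;
    esac
    case "$dns_port" in
        *[!0-9]*|"") echo "bad DNS port: $dns_port" >&2; return 1 ;;
    esac
    case "$proto" in
        udp|tcp) ;;
        *) echo "bad proto: $proto" >&2; return 1 ;;
    esac
    case "$tun" in
        *[!A-Za-z0-9]*|"") echo "bad interface: $tun" >&2; return 1 ;;
    esac

    cat <<EOF
iptables -F OUTPUT
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $tun -j ACCEPT
iptables -A OUTPUT -p $proto -d $server --dport $port -j ACCEPT
iptables -A OUTPUT -p udp --dport $dns_port -j ACCEPT
iptables -A OUTPUT -p tcp --dport $dns_port -j ACCEPT
EOF
}

# apply_killswitch: same arguments; runs the generated rules, stopping at the
# first one that fails.
apply_killswitch() {
    rules=$(build_killswitch_rules "$@") || return 1
    printf '%s\n' "$rules" | sh -e
}
```

Two things worth keeping in mind when reading the output of ping against these rules. With the OUTPUT policy at DROP, the send on ping's raw socket fails with EPERM, which is the "sending packet: Operation not permitted" line above; it says nothing about name resolution, and the resolved address is printed on the PING line regardless. And the two port-53 rules let a query reach any resolver, including the one given with --dns, before the tunnel exists, so the VPN server's own hostname is looked up in the clear; after openvpn connects, redirect-gateway def1 routes later queries through tun0. Using a literal address for remote, as suggested above, makes those two rules unnecessary.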

krispharper commented 7 years ago

Hmm. Okay, so, I have it working using nl.privateinternetaccess.com, port 1198, and this cert

https://www.privateinternetaccess.com/openvpn/ca.rsa.2048.crt

which is different than the one I was using previously.

However, I had to make a couple changes. Without changing both the auth and cipher directives, I would get AUTH_FAILED.

I wonder if there's a clean way to make openvpn.sh generic based on the cert that's being used.

dperson commented 7 years ago

Hmm, I'll make the default be to just use the defaults from the server, unless there is an override. Sorry for the SNAFU. The new version should be available now.
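
The direction the last two comments settle on (use the server's defaults unless the user overrides them) looks like this in a config generator. It is an added example written for this page, not the code of the image's openvpn.sh: it takes the "host;user;pass[;port]" string this image's -v option uses, writes the credentials to a 0600 file instead of into the config, and emits cipher/auth lines only when VPN_CIPHER / VPN_AUTH are set. The directive list is the vpn.conf printed earlier in this thread minus those two lines; the function name, the environment variable names and the validation are my own.

```shell
#!/bin/sh
# Added example, not the code of dperson/openvpn-client's openvpn.sh: build a
# client config from a "host;user;pass[;port]" string, the shape of this
# image's -v argument. Credentials go into a separate 0600 file (the
# auth-user-pass path the thread's vpn.conf already uses), and "cipher"/"auth"
# are written only when the caller sets VPN_CIPHER / VPN_AUTH. Without those
# lines OpenVPN uses its own defaults (and, in 2.4, negotiates the
# data-channel cipher with the server where both sides support it), so one
# config works across a provider's cert/port variants instead of failing with
# AUTH_FAILED because of a hard-coded cipher or digest.

# make_vpn_conf "host;user;pass[;port]" CA_FILE OUT_DIR -> prints config path
make_vpn_conf() {
    spec="$1"; ca="$2"; dir="$3"
    oldifs=$IFS
    IFS=';'; set -f; set -- $spec; set +f; IFS=$oldifs
    host="${1:-}"; user="${2:-}"; pass="${3:-}"; port="${4:-1194}"

    if [ -z "$host" ] || [ -z "$user" ] || [ -z "$pass" ]; then
        echo "usage: make_vpn_conf 'host;user;pass[;port]' ca_file out_dir" >&2
        return 1
    fi
    case "$host" in *[!A-Za-z0-9.-]*) echo "bad host: $host" >&2; return 1 ;; esac
    case "$port" in *[!0-9]*|"")       echo "bad port: $port" >&2; return 1 ;; esac
    case "${VPN_CIPHER:-}${VPN_AUTH:-}" in
        *[!A-Za-z0-9-]*) echo "bad VPN_CIPHER/VPN_AUTH value" >&2; return 1 ;;
    esac

    # Credentials file: created under umask 077 in a subshell so the caller's
    # umask is untouched; chmod covers the case where the file already existed.
    ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$dir/vpn.cert_auth" )
    chmod 600 "$dir/vpn.cert_auth"

    {
        echo "client"
        echo "dev tun"
        echo "proto udp"
        echo "remote $host $port"
        echo "resolv-retry infinite"
        echo "keepalive 10 30"
        echo "nobind"
        echo "persist-key"
        echo "tls-client"
        echo "remote-cert-tls server"
        echo "auth-user-pass $dir/vpn.cert_auth"
        echo "comp-lzo"
        echo "verb 1"
        echo "reneg-sec 0"
        echo "ca $ca"
        echo "redirect-gateway def1"
        # Overrides only; when absent, OpenVPN's/the server's defaults apply.
        [ -z "${VPN_CIPHER:-}" ] || echo "cipher $VPN_CIPHER"
        [ -z "${VPN_AUTH:-}" ]   || echo "auth $VPN_AUTH"
    } > "$dir/vpn.conf"
    echo "$dir/vpn.conf"
}
```

The "host;user;pass" form puts the password on the container's command line, where docker inspect and ps inside the container show it; a credentials file with mode 0600 mounted into /vpn avoids that, and the -e VPN_USERNAME/VPN_PASSWORD form used earlier in the thread still exposes the values through docker inspect. A password containing ";" cannot be expressed in this format at all, which is another reason to prefer the file.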