jonathanio / update-systemd-resolved

Helper script for OpenVPN to directly update the DNS settings of a link through systemd-resolved via DBus.

Error: Call failed: Invalid DNS server address and 'busctl' exited with status 1 #83

Closed alievrouw closed 4 years ago

alievrouw commented 4 years ago

I have two OpenVPN servers. One for my dev environment and one for prod. I have downloaded, accordingly modified and imported both servers' client profiles into my client app (Pritunl). Prod connects correctly, with working DNS. Dev, however, fails to connect with the following log (private info redacted with <<>>):

Tue Oct  6 11:06:42 2020 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep  5 2019
Tue Oct  6 11:06:42 2020 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Tue Oct  6 11:06:42 2020 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Tue Oct  6 11:06:42 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Oct  6 11:06:42 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct  6 11:06:42 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct  6 11:06:42 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]<<MY-OPENVPN-SERVER-IP>>:1194
Tue Oct  6 11:06:42 2020 UDP link local: (not bound)
Tue Oct  6 11:06:42 2020 UDP link remote: [AF_INET]<<MY-OPENVPN-SERVER-IP>>:1194
Tue Oct  6 11:06:42 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Oct  6 11:06:42 2020 VERIFY SCRIPT OK: depth=1, CN=OpenVPN CA
Tue Oct  6 11:06:42 2020 VERIFY OK: depth=1, CN=OpenVPN CA
Tue Oct  6 11:06:42 2020 VERIFY OK: nsCertType=SERVER
Tue Oct  6 11:06:42 2020 VERIFY SCRIPT OK: depth=0, CN=OpenVPN Server
Tue Oct  6 11:06:42 2020 VERIFY OK: depth=0, CN=OpenVPN Server
Tue Oct  6 11:06:44 2020 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Oct  6 11:06:44 2020 [OpenVPN Server] Peer Connection Initiated with [AF_INET]<<MY-OPENVPN-SERVER-IP>>:1194
Tue Oct  6 11:06:50 2020 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.4.7)
Tue Oct  6 11:06:50 2020 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.4.7)
Tue Oct  6 11:06:50 2020 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.4.7)
Tue Oct  6 11:06:50 2020 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:20: register-dns (2.4.7)
Tue Oct  6 11:06:50 2020 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:21: block-ipv6 (2.4.7)
Tue Oct  6 11:06:50 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Oct  6 11:06:50 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct  6 11:06:50 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct  6 11:06:50 2020 TUN/TAP device tun0 opened
Tue Oct  6 11:06:50 2020 /sbin/ip link set dev tun0 up mtu 1500
Tue Oct  6 11:06:50 2020 /sbin/ip addr add dev tun0 172.27.232.127/22 broadcast 172.27.235.255
Tue Oct  6 11:06:50 2020 /tmp/pritunl/109d2b2ef9feabf6add0e0e4d9864095-up.sh tun0 1500 1553 172.27.232.127 255.255.252.0 init
<14>Oct  6 11:06:50 109d2b2ef9feabf6add0e0e4d9864095-up.sh: Link 'tun0' coming up
<14>Oct  6 11:06:50 109d2b2ef9feabf6add0e0e4d9864095-up.sh: Adding IPv4 DNS Server 10.200.0.2
<14>Oct  6 11:06:50 109d2b2ef9feabf6add0e0e4d9864095-up.sh: Adding DNS Domain <<MY-PRIVATE-DOMAIN>>
<14>Oct  6 11:06:50 109d2b2ef9feabf6add0e0e4d9864095-up.sh: Adding IPv4 DNS Server 127.0.0.53
<14>Oct  6 11:06:50 109d2b2ef9feabf6add0e0e4d9864095-up.sh: SetLinkDNS(18 2 2 4 10 200 0 2 2 4 127 0 0 53)
Call failed: Invalid DNS server address
<8>Oct  6 11:06:50 109d2b2ef9feabf6add0e0e4d9864095-up.sh: 'busctl' exited with status 1
Tue Oct  6 11:06:50 2020 WARNING: Failed running command (--up/--down): external program exited with error status: 1
Tue Oct  6 11:06:50 2020 Exiting due to fatal error

Both profiles have been edited in the same way to look as follows, with the only exception being the DNS server (200 vs 199):

dhcp-option DNS 10.199.0.2
dhcp-option DOMAIN <<MY-PRIVATE-DOMAIN>>
script-security 2
up /etc/openvpn/scripts/update-systemd-resolved
up-restart
down /etc/openvpn/scripts/update-systemd-resolved
down-pre

I'm not sure why the dev profile is trying to add a secondary IPv4 DNS Server, or if this is even the problem, or if the content of the SetLinkDNS line is formatted incorrectly (to be fair I don't know what correct looks like here). I reviewed the update-systemd-resolved script to try and understand where this second server is coming from, but it's unclear. Any help would be great! Thanks!
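The SetLinkDNS line in the log is the argument vector the script passes to busctl for the D-Bus signature 'ia(iay)': the link index, the number of servers, then for each server its address family, byte count and raw address bytes. The following is an added example, not code from update-systemd-resolved: it decodes that vector (IPv4 and IPv6) and flags the entries systemd-resolved refuses with "Invalid DNS server address", namely the unspecified address and its own stub listener 127.0.0.53, which is the second server in the log above. The input strings are constructed from the issue's log line.

```shell
# Added example (not part of update-systemd-resolved). Vector layout:
# <ifindex> <count> then per server <family> <byte-count> <bytes...>
# (family 2 = AF_INET, 4 bytes; family 10 = AF_INET6, 16 bytes).

# Print one textual address per line for the argument vector in $1.
decode_setlinkdns() {
    set -- $1                      # split "18 2 2 4 10 200 0 2 ..." into words
    ifindex=$1; count=$2; shift 2  # link index; tun0 was 18 in the issue's log
    while [ "$count" -gt 0 ]; do
        family=$1; len=$2; shift 2
        case "$family" in
            2)
                [ "$len" -eq 4 ] || return 2
                printf '%s.%s.%s.%s\n' "$1" "$2" "$3" "$4"
                shift 4 ;;
            10)
                [ "$len" -eq 16 ] || return 2
                hex=""; n=0
                while [ "$n" -lt 16 ]; do
                    hex="$hex$(printf '%02x%02x' "$1" "$2")"
                    if [ "$n" -lt 14 ]; then hex="$hex:"; fi
                    shift 2; n=$((n + 2))
                done
                printf '%s\n' "$hex" ;;
            *)
                printf 'unknown address family %s\n' "$family" >&2
                return 2 ;;
        esac
        count=$((count - 1))
    done
}

# Return 0 when every server is acceptable, 1 otherwise. resolved rejects
# the unspecified address and its own stub listener 127.0.0.53, which is
# what a server that pushes its *own* resolver address ends up sending.
check_setlinkdns() {
    bad=0
    for addr in $(decode_setlinkdns "$1"); do
        case "$addr" in
            127.0.0.53|0.0.0.0|0000:0000:0000:0000:0000:0000:0000:0000)
                printf 'unusable DNS server for SetLinkDNS: %s\n' "$addr" >&2
                bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed input copied from the issue's SetLinkDNS line.
check_setlinkdns "18 2 2 4 10 200 0 2 2 4 127 0 0 53" || echo "busctl would fail here"
```

Running the check before the busctl call would have named 127.0.0.53 as the offending entry instead of leaving only the opaque "Call failed" message.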

TinCanTech commented 4 years ago

Set --verb 4 in your client config file and verify what the server pushes.

alievrouw commented 4 years ago

Set --verb 4 in your client config file and verify what the server pushes.

I added that but don't see anything additional in the logs. Is there some other way I should be leveraging that config change?

TinCanTech commented 4 years ago

You do need to restart the client to load the new setting.

alievrouw commented 4 years ago

I was mistaken about the access server config. There was a setting to configure the clients to use the same DNS servers as the access server. I disabled that and the DNS information configured in the client config started working. Thanks for pointing me in the right direction!