morpheusthewhite / nordpy

A gui application to connect automatically to the recommended NordVPN server
GNU General Public License v3.0

Failure in name resolution as regular user #41

Closed MountainX closed 4 years ago

MountainX commented 4 years ago

Describe the bug

failure in name resolution as regular user

$ ping: google.com: Temporary failure in name resolution

$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=53 time=55.7 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=53 time=56.7 ms

However, as root user, it works:

# ping google.com
PING google.com (172.217.8.142) 56(84) bytes of data.
64 bytes from mia07s49-in-f14.1e100.net (172.217.8.142): icmp_seq=1 ttl=56 time=56.5 ms
64 bytes from mia07s49-in-f14.1e100.net (172.217.8.142): icmp_seq=2 ttl=56 time=55.9 ms

To Reproduce

Steps to reproduce the behavior:

  1. install on Arch with yay -S nordpy (like any other AUR package)
  2. In KDE Plasma 5, launch NordPy application, leave all default settings, connect to NordVPN. Verify connection is successful.
  3. Try to reach a domain name on the web, either via Firefox or curl or ping.
  4. See error above.
  5. Change to root user and repeat a command such as ping or curl using the same domain name that previously failed. Now it succeeds.

Expected behavior

Expect normal Internet access as normal user.

Desktop (please complete the following information):

Additional context

$ curl icanhazip.com
curl: (6) Could not resolve host: icanhazip.com
$ sudo !!
sudo curl icanhazip.com
[sudo] password for myuser:
196.247.XX.XX (a NordVPN address)

[Click "Disconnect" button in NordPy GUI]


$ curl icanhazip.com
123.43.56.789 (my normal IP address)

More info:

-rwxr-xr-x 1 root root 2115 Apr 12 01:38 /usr/share/NordPy/nordpy.py

$ pacman -Qi nordpy
Name            : nordpy
Version         : 1.3.3-1
Description     : An application with gui to connect automatically to the recommended NordVPN server
Architecture    : any
URL             : https://github.com/morpheusthewhite/NordPy
Licenses        : GPL3
Groups          : None
Provides        : nordpy
Depends On      : python3  openvpn  tk  python-requests  wget  unzip  net-tools
Optional Deps   : networkmanager-openvpn
                  strongswan
Required By     : None
Optional For    : None
Conflicts With  : nordpy
Replaces        : None
Installed Size  : 215.05 KiB
Packager        : Unknown Packager
Build Date      : Sun 12 Apr 2020 01:38:41 AM EDT
Install Date    : Sun 12 Apr 2020 01:38:49 AM EDT
Install Reason  : Explicitly installed
Install Script  : Yes
Validated By    : None

Trying the same steps when started from the command line results in the same error.

$ nordpy --quick-connect
Trying to connect to the last server type
Verifing saved file
File is correct
resulting url: https://nordvpn.com/wp-admin/admin-ajax.php?action=servers_recommendations&filters={%22servers_groups%22:11}
Best server retrieved: us3155.nordvpn.com
Turning on killswitch
Default interface: eth0
IP and port of the VPN server: 196.247.50.107 443
Network address on eth0: 192.168.1.0/24
Launching tcp connection with 196.247.50.107:443 on eth0 (on network 192.168.1.0/24)
[OPENVPN]: Sun Apr 12 02:26:46 2020 OpenVPN 2.4.8 [git:makepkg/3976acda9bf10b5e+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jan  3 2020

[OPENVPN]: Sun Apr 12 02:26:46 2020 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10

[OPENVPN]: Sun Apr 12 02:26:46 2020 WARNING: --ping should normally be used with --ping-restart or --ping-exit

[OPENVPN]: Sun Apr 12 02:26:46 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

[OPENVPN]: Sun Apr 12 02:26:46 2020 NOTE: --fast-io is disabled since we are not using UDP

[OPENVPN]: Sun Apr 12 02:26:46 2020 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication

[OPENVPN]: Sun Apr 12 02:26:46 2020 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication

[OPENVPN]: Sun Apr 12 02:26:46 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]196.247.50.107:443

[OPENVPN]: Sun Apr 12 02:26:46 2020 Socket Buffers: R=[131072->131072] S=[16384->16384]

[OPENVPN]: Sun Apr 12 02:26:46 2020 Attempting to establish TCP connection with [AF_INET]196.247.50.107:443 [nonblock]

[OPENVPN]: Sun Apr 12 02:26:47 2020 TCP connection established with [AF_INET]196.247.50.107:443

[OPENVPN]: Sun Apr 12 02:26:47 2020 TCP_CLIENT link local: (not bound)

[OPENVPN]: Sun Apr 12 02:26:47 2020 TCP_CLIENT link remote: [AF_INET]196.247.50.107:443

[OPENVPN]: Sun Apr 12 02:26:47 2020 TLS: Initial packet from [AF_INET]196.247.50.107:443, sid=b967da6d 7889766f

[OPENVPN]: Sun Apr 12 02:26:47 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

[OPENVPN]: Sun Apr 12 02:26:47 2020 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA

[OPENVPN]: Sun Apr 12 02:26:47 2020 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA4

[OPENVPN]: Sun Apr 12 02:26:47 2020 VERIFY KU OK

[OPENVPN]: Sun Apr 12 02:26:47 2020 Validating certificate extended key usage

[OPENVPN]: Sun Apr 12 02:26:47 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication

[OPENVPN]: Sun Apr 12 02:26:47 2020 VERIFY EKU OK

[OPENVPN]: Sun Apr 12 02:26:47 2020 VERIFY OK: depth=0, CN=us3155.nordvpn.com

[OPENVPN]: Sun Apr 12 02:26:48 2020 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA

[OPENVPN]: Sun Apr 12 02:26:48 2020 [us3155.nordvpn.com] Peer Connection Initiated with [AF_INET]196.247.50.107:443

[OPENVPN]: Sun Apr 12 02:26:49 2020 SENT CONTROL [us3155.nordvpn.com]: 'PUSH_REQUEST' (status=1)

[OPENVPN]: Sun Apr 12 02:26:49 2020 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.7.1.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.1.6 255.255.255.0,peer-id 0,cipher AES-256-GCM'

[OPENVPN]: Sun Apr 12 02:26:49 2020 OPTIONS IMPORT: timers and/or timeouts modified

[OPENVPN]: Sun Apr 12 02:26:49 2020 OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp

[OPENVPN]: Sun Apr 12 02:26:49 2020 OPTIONS IMPORT: compression parms modified

[OPENVPN]: Sun Apr 12 02:26:49 2020 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified

[OPENVPN]: Sun Apr 12 02:26:49 2020 Socket Buffers: R=[131072->425984] S=[46080->425984]

[OPENVPN]: Sun Apr 12 02:26:49 2020 OPTIONS IMPORT: --ifconfig/up options modified

[OPENVPN]: Sun Apr 12 02:26:49 2020 OPTIONS IMPORT: route options modified

[OPENVPN]: Sun Apr 12 02:26:49 2020 OPTIONS IMPORT: route-related options modified

[OPENVPN]: Sun Apr 12 02:26:49 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified

[OPENVPN]: Sun Apr 12 02:26:49 2020 OPTIONS IMPORT: peer-id set

[OPENVPN]: Sun Apr 12 02:26:49 2020 OPTIONS IMPORT: adjusting link_mtu to 1659

[OPENVPN]: Sun Apr 12 02:26:49 2020 OPTIONS IMPORT: data channel crypto options modified

[OPENVPN]: Sun Apr 12 02:26:49 2020 Data Channel: using negotiated cipher 'AES-256-GCM'

[OPENVPN]: Sun Apr 12 02:26:49 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

[OPENVPN]: Sun Apr 12 02:26:49 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

[OPENVPN]: Sun Apr 12 02:26:49 2020 ROUTE_GATEWAY 192.168.5.250/255.255.255.0 IFACE=eth0 HWADDR=38:d5:47:b0:3d:b5

[OPENVPN]: Sun Apr 12 02:26:49 2020 TUN/TAP device tun0 opened

[OPENVPN]: Sun Apr 12 02:26:49 2020 TUN/TAP TX queue length set to 100

[OPENVPN]: Sun Apr 12 02:26:49 2020 /usr/bin/ip link set dev tun0 up mtu 1500

[OPENVPN]: Sun Apr 12 02:26:49 2020 /usr/bin/ip addr add dev tun0 10.7.1.6/24 broadcast 10.7.1.255

[OPENVPN]: Sun Apr 12 02:26:49 2020 /usr/share/NordPy/scripts/nordpy_up.sh tun0 1500 1587 10.7.1.6 255.255.255.0 init

[OPENVPN]: Sun Apr 12 02:26:49 2020 /usr/bin/ip route add 196.247.50.107/32 via 192.168.5.250

[OPENVPN]: Sun Apr 12 02:26:49 2020 /usr/bin/ip route add 0.0.0.0/1 via 10.7.1.1

[OPENVPN]: Sun Apr 12 02:26:49 2020 /usr/bin/ip route add 128.0.0.0/1 via 10.7.1.1

[OPENVPN]: Sun Apr 12 02:26:49 2020 Initialization Sequence Completed

$ curl icanhazip.com
curl: (6) Could not resolve host: icanhazip.com

MountainX commented 4 years ago

Here is /etc/resolv.conf while connected.

# Appended by NordPy
nameserver 103.86.96.100
nameserver 103.86.99.100
# Generated by NetworkManager
search localdomain

MountainX commented 4 years ago

I see you asked for this info in another issue, so preemptively providing it:

When NOT connected to NordVPN

$ nordpy --status
captured grep
Disabled

$ sudo cat /etc/resolv.conf
# Generated by NetworkManager
search localdomain
nameserver 192.168.1.1

$ sudo iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

$ ping github.com
PING github.com (140.82.112.3) 56(84) bytes of data.
64 bytes from lb-140-82-112-3-iad.github.com (140.82.112.3): icmp_seq=1 ttl=54 time=55.5 ms
64 bytes from lb-140-82-112-3-iad.github.com (140.82.112.3): icmp_seq=2 ttl=54 time=58.4 ms

--- github.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 55.493/56.932/58.371/1.439 ms

When connected to NordVPN

$ nordpy --status
captured grep  14649 pts/2    S      0:00 sudo openvpn --config /usr/share/NordPy/ovpn_tcp/us3155.nordvpn.com.tcp.ovpn --auth-user-pass /usr/share/NordPy/credentials --script-security 2 --up /usr/share/NordPy/scripts/nordpy_up.sh --down /usr/share/NordPy/scripts/nordpy_down.sh
  14650 pts/2    S      0:00 openvpn --config /usr/share/NordPy/ovpn_tcp/us3155.nordvpn.com.tcp.ovpn --auth-user-pass /usr/share/NordPy/credentials --script-security 2 --up /usr/share/NordPy/scripts/nordpy_up.sh --down /usr/share/NordPy/scripts/nordpy_down.sh

Enabled

$ sudo cat /etc/resolv.conf
# Appended by NordPy
nameserver 103.86.96.100
nameserver 103.86.99.100
# Generated by NetworkManager
search localdomain

$ sudo iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     tcp  --  undefined.hostname.localhost  anywhere             tcp spt:https
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             192.168.1.0/24
ACCEPT     tcp  --  anywhere             undefined.hostname.localhost  tcp dpt:https
ACCEPT     all  --  anywhere             anywhere

Firefox error: **"Hmm. We're having trouble finding that site."**

$ ping github.com
ping: github.com: **Temporary failure in name resolution**

$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=53 time=59.3 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=53 time=57.7 ms

--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 57.660/58.460/59.261/0.800 ms

MountainX commented 4 years ago

$ drill google.com
Warning: Could not create a resolver structure: Could not open the files ((null))

morpheusthewhite commented 4 years ago

Can you try to run drill -V 5 github.com?