Linux - Connection hangs after connection - DNS issue?

Hi guys,

Having an issue connecting to PIA via command line on a Linux environment.

Works perfectly well on iOS, Mac and PC via your official app so I know my credentials and network are solid.

Tried about 10 different ovpn files and a variety of commands, they all hang after receiving the response: "Initialization Sequence Completed"

Logs:

ip route:
0.0.0.0/1 via 10.44.10.5 dev tun0 
default via 192.168.0.1 dev eth0 src 192.168.0.41 metric 202 
10.44.10.1 via 10.44.10.5 dev tun0 
10.44.10.5 dev tun0 proto kernel scope link src 10.44.10.6 
128.0.0.0/1 via 10.44.10.5 dev tun0 
177.234.153.145 via 192.168.0.1 dev eth0 
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.41 metric 202

ip addr:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b8:27:eb:fe:1d:f6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.41/24 brd 192.168.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a985:4955:2800:1f3b/64 scope link 
       valid_lft forever preferred_lft forever
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether b8:27:eb:ab:48:a3 brd ff:ff:ff:ff:ff:ff
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 10.44.10.6 peer 10.44.10.5/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::7434:8280:f352:71a0/64 scope link flags 800 
       valid_lft forever preferred_lft forever

Comments

  • there's no OpenVPN log contents in your post. provide in next post?
  • How do I extract OpenVPN Log from command line sorry?
  • "issue connecting to PIA via command line" -- presumably you're using a command of the form openvpn config-file.ovpn --verb 3, yes? all that stuff that's printed on your console afterwards is the OpenVPN log
  • Doh! of course:

    command: sudo openvpn --config Brazil.ovpn

    Sat May 12 13:04:49 2018 OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
    Sat May 12 13:04:49 2018 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
    Enter Auth Username:**********
    Enter Auth Password: **********
    Sat May 12 13:04:59 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]177.234.153.145:1198
    Sat May 12 13:04:59 2018 UDP link local: (not bound)
    Sat May 12 13:04:59 2018 UDP link remote: [AF_INET]177.234.153.145:1198
    Sat May 12 13:04:59 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Sat May 12 13:05:00 2018 [c639445f751951f6ef990700bf590a8a] Peer Connection Initiated with [AF_INET]177.234.153.145:1198
    Sat May 12 13:05:02 2018 TUN/TAP device tun0 opened
    Sat May 12 13:05:02 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Sat May 12 13:05:02 2018 /sbin/ip link set dev tun0 up mtu 1500
    Sat May 12 13:05:02 2018 /sbin/ip addr add dev tun0 local 10.44.10.6 peer 10.44.10.5
    Sat May 12 13:05:02 2018 Initialization Sequence Completed
    ^CSat May 12 13:17:22 2018 event_wait : Interrupted system call (code=4)
    Sat May 12 13:17:22 2018 /sbin/ip addr del dev tun0 local 10.44.10.6 peer 10.44.10.5
    Sat May 12 13:17:22 2018 SIGINT[hard,] received, process exiting


  • okay. the VPN was up for 12 minutes and 20 seconds before you shut it back down again. adding "--verb 3" or putting "verb 3" in the ovpn file will make the log output more useful without making it too chatty.
  • Ok, agreed that it connects. But it doesn’t really. It hangs and does not return me to the command line.

    If I open another terminal window and try and ping anything or retrieve my external IP, I get no results.

    I’ll post a log of the same with Verb 3 in just a moment.

    Thank you so much for your help and prompt responses
  • Amended Verb 1 to Verb 3 and the log is shown below.

    Command: sudo openvpn --config Brazil.ovpn

    Sun May 13 13:04:13 2018 OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
    Sun May 13 13:04:13 2018 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
    Enter Auth Username: *********
    Enter Auth Password: **********
    Sun May 13 13:05:26 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]177.234.153.150:1198
    Sun May 13 13:05:26 2018 Socket Buffers: R=[163840->163840] S=[163840->163840]
    Sun May 13 13:05:26 2018 UDP link local: (not bound)
    Sun May 13 13:05:26 2018 UDP link remote: [AF_INET]177.234.153.150:1198
    Sun May 13 13:05:27 2018 TLS: Initial packet from [AF_INET]177.234.153.150:1198, sid=80babac7 675ae059
    Sun May 13 13:05:27 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Sun May 13 13:05:27 2018 VERIFY OK: depth=1, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, [email protected]
    Sun May 13 13:05:27 2018 Validating certificate key usage
    Sun May 13 13:05:27 2018 ++ Certificate has key usage  00a0, expects 00a0
    Sun May 13 13:05:27 2018 VERIFY KU OK
    Sun May 13 13:05:27 2018 Validating certificate extended key usage
    Sun May 13 13:05:27 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    Sun May 13 13:05:27 2018 VERIFY EKU OK
    Sun May 13 13:05:27 2018 VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=31f6b00ee3a32ee9d07d30342007e765, name=31f6b00ee3a32ee9d07d30342007e765
    Sun May 13 13:05:28 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Sun May 13 13:05:28 2018 [31f6b00ee3a32ee9d07d30342007e765] Peer Connection Initiated with [AF_INET]177.234.153.150:1198
    Sun May 13 13:05:29 2018 SENT CONTROL [31f6b00ee3a32ee9d07d30342007e765]: 'PUSH_REQUEST' (status=1)
    Sun May 13 13:05:29 2018 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.49.11.1,topology net30,ifconfig 10.49.11.6 10.49.11.5,auth-token'
    Sun May 13 13:05:29 2018 OPTIONS IMPORT: timers and/or timeouts modified
    Sun May 13 13:05:29 2018 OPTIONS IMPORT: compression parms modified
    Sun May 13 13:05:29 2018 OPTIONS IMPORT: --ifconfig/up options modified
    Sun May 13 13:05:29 2018 OPTIONS IMPORT: route options modified
    Sun May 13 13:05:29 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Sun May 13 13:05:29 2018 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Sun May 13 13:05:29 2018 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sun May 13 13:05:29 2018 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Sun May 13 13:05:29 2018 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sun May 13 13:05:29 2018 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=eth0 HWADDR=b8:27:eb:fe:1d:f6
    Sun May 13 13:05:29 2018 TUN/TAP device tun0 opened
    Sun May 13 13:05:29 2018 TUN/TAP TX queue length set to 100
    Sun May 13 13:05:29 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Sun May 13 13:05:29 2018 /sbin/ip link set dev tun0 up mtu 1500
    Sun May 13 13:05:29 2018 /sbin/ip addr add dev tun0 local 10.49.11.6 peer 10.49.11.5
    Sun May 13 13:05:29 2018 /sbin/ip route add 177.234.153.150/32 via 192.168.0.1
    Sun May 13 13:05:29 2018 /sbin/ip route add 0.0.0.0/1 via 10.49.11.5
    Sun May 13 13:05:29 2018 /sbin/ip route add 128.0.0.0/1 via 10.49.11.5
    Sun May 13 13:05:29 2018 /sbin/ip route add 10.49.11.1/32 via 10.49.11.5
    Sun May 13 13:05:29 2018 Initialization Sequence Completed


    Opened a new terminal window and trying to ping.

    Can ping 1.1.1.1 & 8.8.8.8 no problem.

    Cannot ping bbc.co.uk or google.co.uk

    Looks to be a DNS issue but no idea how to fix it :(

  • edited May 2018
    good. you've narrowed it down to DNS. plus points. what does your /etc/resolv.conf file look like: (1) with VPN down (2) with VPN up ?
    the openvpn process is supposed to keep running and doing the "VPN stuff" (you called it 'hanging')

  • So the contents of resolv.conf remain unchanged after the VPN connection and always show my ISP's DNS servers.

    Think we are getting to the root of the problem!! thank you buddy!

    Is there an amendment I can make to the ovpn file to force a DNS update?

  • OK, so did some digging and found this post: https://aaronhorler.com/articles/openvpn-17.10-dns-leak.html

    Followed it to the letter and still nothing.

    I know I did it right as the OpenVPN log is now different at the end:

    <14>May 13 20:25:43 update-systemd-resolved: Adding IPv4 DNS Server 209.222.18.222

    <14>May 13 20:25:43 update-systemd-resolved: Adding IPv4 DNS Server 209.222.18.218

    but still, no DNS :(
  • if your /etc/resolv.conf is a link and not just a regular file (check with ls -l /etc/resolv.conf ) or if your distro (not yet specified by you) has a systemd service for managing resolv.conf (check with systemctl status systemd-resolved ) then you're going to need additional openvpn command params: --script-security 2 --up /etc/openvpn/update-resolv-conf --down /etc/openvpn/update-resolv-conf
    (can also add equivalent lines in your ovpn file)(aaron horler's instructions are applicable only if your distro doesn't already provide the systemd-resolved service)(i can't say now what your system is going to do after adding horler's stuff on top of an already existing systemd-resolved service)
  • you sir, are a genius! This worked!

    Couple of tidyup questions if you would be so kind:

    1. ls -l /etc/resolv.conf returned:

    -rw-r--r-- 1 root root 76 May 14 06:38 /etc/resolv.conf

    I guess that means that its a regular file. Can you confirm?

    2. Using the arguments --script-security 2 --up /etc/openvpn/update-resolv-conf --down /etc/openvpn/update-resolv-conf from the command line successfully connected to the VPN. However, the resolv.conf now reads:

    # Generated by resolvconf
    nameserver 209.222.18.222
    nameserver 209.222.18.218
    nameserver XXX.XXX.XXX.XXX (ISP DNS)
    nameserver XXX.XXX.XXX.XXX (ISP DNS)

    Is that OK? Would I not prefer the ISP DNS servers to be removed? Is this possible with another argument?

    3. Is there any way to get this to work by editing the ovpn file and using the standard "sudo openvpn VPNname.ovpn" command? I tried disabling the aaron horler service and re-adding them to the ovpn file but got the same results when testing.

    Again, thank you massively for your help!
  • so i guess then your distro already has resolver management and the update-resolv-conf script, didn't need the Horler stuff, and it's the resolver config that's messed up and needs to be sorted. this would be easier if you would share which distro baseline you started from...

    1. yep, that's a regular file. the permission bits start with "-rw" (not "lrw") and the link count is 1.

    3. the config (ovpn) file entries look pretty much the same as the command line parameters
    verb 3
    script-security 2
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf
    2. (yes, out-of-order) it seems to me the correct content for resolv.conf is the ISP DNS entries (you don't have a local DNS cache in your router/ap ?) when the VPN is down. just that. nothing else. then, the update-resolv-conf script will substitute the PIA DNS servers as the VPN is brought up and then put the ISP servers back as the VPN is taken down.
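    To make concrete what the up/down script hook in the two posts above is working with, here is an added POSIX sh example (not code from PIA, from the thread, or from the update-resolv-conf script). OpenVPN exports each pushed "dhcp-option" to its --up and --down scripts as environment variables foreign_option_1, foreign_option_2, and so on; the functions below derive the nameserver list from those variables, render the resolv.conf that should be in place while the tunnel is up, classify a resolv.conf path the way the ls -l check does, and flag any nameserver left in the file that the VPN did not push (the appended ISP entries from question 2). The file paths, the 192.0.2.53 "ISP" address and the demo values are constructed; the 209.222.18.x servers are the ones from the PUSH_REPLY in the thread.

```shell
#!/bin/sh
# Added example, not PIA's code and not the update-resolv-conf script itself.
# OpenVPN passes pushed options to --up/--down scripts as foreign_option_N
# environment variables (a real OpenVPN convention); everything else here
# (demo file, 192.0.2.53 "ISP" resolver) is constructed for illustration.

# Print, one per line, the DNS servers the VPN pushed via "dhcp-option DNS".
pushed_dns_servers() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*) printf '%s\n' "${opt##* }" ;;
        esac
        i=$((i + 1))
    done
}

# Render the resolv.conf an up script should install: pushed servers only,
# so no query can fall through to the ISP resolver while the tunnel is up.
render_resolv_conf() {
    echo "# Generated from OpenVPN foreign_option_* (constructed example)"
    for s in $(pushed_dns_servers); do
        echo "nameserver $s"
    done
}

# Classify a resolv.conf path the way the thread's "ls -l" check does:
# a symlink means some resolver manager (systemd-resolved, resolvconf) owns it.
resolv_conf_kind() {
    if [ -L "$1" ]; then echo symlink
    elif [ -f "$1" ]; then echo regular
    else echo missing
    fi
}

# List nameservers in the file "$1" that the VPN did not push. Prints "ok"
# when only pushed servers remain, otherwise "leak:" followed by the extras.
leaked_nameservers() {
    extras=""
    pushed=$(pushed_dns_servers)
    while read -r key val _; do
        [ "$key" = nameserver ] || continue
        hit=0
        for p in $pushed; do
            [ "$p" = "$val" ] && hit=1
        done
        [ "$hit" -eq 1 ] || extras="$extras $val"
    done < "$1"
    if [ -z "$extras" ]; then echo ok; else echo "leak:$extras"; fi
}

# Demo with constructed values mirroring the PUSH_REPLY seen in the thread.
foreign_option_1='dhcp-option DNS 209.222.18.222'
foreign_option_2='dhcp-option DNS 209.222.18.218'
export foreign_option_1 foreign_option_2

demo=$(mktemp)
render_resolv_conf > "$demo"
echo 'nameserver 192.0.2.53' >> "$demo"   # constructed ISP entry, as if appended
echo "resolv.conf is a $(resolv_conf_kind "$demo") file"
leaked_nameservers "$demo"                 # -> leak: 192.0.2.53
rm -f "$demo"
```

    Run it as a plain script to see the demo, or source it and call leaked_nameservers /etc/resolv.conf from inside an --up script (with the foreign_option_* variables OpenVPN provides) to confirm that only the pushed servers are in effect. A resolver manager that merges interfaces, as resolvconf does, is exactly what produces the "pushed servers first, ISP servers after" file from question 2; the check makes that visible instead of leaving it to a manual read of the file.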
  • You sir have only gone and done it again!

    Sorry, I thought I mentioned it in the first post. This is a Raspbian distro running on a Raspberry Pi 3.

    I don't think I have a local DNS, I never set one up anyway.

    I just thought the update-resolv-conf script would REPLACE the ISP's DNS with the VPN's, not APPEND to it.

    Anyway it's not a major issue.

    Thank you so much, how can I ever repay you?

  • edited May 2018
    keep an eye on postings here. when the next Raspbian question comes along..

    ps: often your local router advertises itself via DHCP as the place to send DNS queries. that way it caches the requests for your whole home LAN
  • raspbian being debian in origin: i think you'll find it useful to see what's going on with your resolver configuration as you do things like add additional network interfaces (VPN, ethernet, etc) by installing the resolvconf package and using the /usr/share/resolvconf/dump-debug-info script