Can connect to OpenVPN server but no DNS resolution
1,926 views
Skip to first unread message
nicolasd...@gmail.com
Feb 6, 2017, 5:55:18 PM2/6/17
to tunnelblick-discuss
Hi !
XXX.XXX.XXX.XXX is my server IP masked ;)
I'm not really familiar with network science, just the basis.
Do you want me to copy/paste the diagnostic infos too ?
I've seen plenty of messages like this one and test every solution but since I can connect to my OpenVPN server with tunnelbrick, the DNS resolution fails and I've no error message anywhere in logs.
Only the message : "Tunnelblick: After 30.0 seconds, gave up trying to fetch IP address information using the ipInfo host's name after connecting".
I'm using OSX Sierra and no DNS are set manually.
My Openserver configuration is :
port 1194proto udpdev tunuser nobodygroup nogrouppersist-keypersist-tunkeepalive 10 120topology subnetserver 10.8.0.0 255.255.255.0ifconfig-pool-persist ipp.txtpush "dhcp-option DNS 62.210.16.6"push "dhcp-option DNS 62.210.16.7"push "redirect-gateway def1 bypass-dhcp"crl-verify crl.pemca ca.crtcert server.crtkey server.keytls-auth tls-auth.key 0dh dh.pemauth SHA256cipher AES-128-CBCtls-servertls-version-min 1.2tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256status openvpn.logverb 3Note that the DNS IPs here are the one set on the Server in /etc/resolv.conf and nothing is different if I use OpenDNS IPs or google ones.
Iptables rules are default ones on the server.
My ovpn file begin with :
clientproto udpremote XXX.XXX.XXX.XXX 1194dev tunresolv-retry infinitenobindpersist-keypersist-tunremote-cert-tls serverauth SHA256cipher AES-128-CBCtls-clienttls-version-min 1.2tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256setenv opt block-outside-dnsverb 3XXX.XXX.XXX.XXX is my server IP masked ;)
Note that I've used this script to install and configure OpenVPN on the server :
When I launch the connection in TunnelBlick, everything looks fine, and I can connect via SSH to the 10.8.0.1 IP (the server). From there ping google.com works perfectly.
But from local terminal (10.8.0.2), ping does not return anything.
And IPs are not found too.... ping 208.67.222.123 are all timeout.
My /etc/resolv.conf is well changed to :
search openvpnnameserver 62.210.16.6nameserver 62.210.16.7I'm not really familiar with network science, just the basis.
Is there a tool I can use to look for a problem somewhere ?
Here is the tunnelBrick log messages :
*Tunnelblick: OS X 10.12.3; Tunnelblick 3.7.1beta01 (build 4800); prior version 3.7.0 (build 4790)2017-02-06 23:24:28 *Tunnelblick: Attempting connection with testuser using shadow copy; Set nameserver = 769; monitoring connection2017-02-06 23:24:28 *Tunnelblick: openvpnstart start testuser.tblk 1337 769 0 1 0 1066800 -ptADGNWradsgnw 2.3.14-openssl-1.0.2k2017-02-06 23:24:28 *Tunnelblick: openvpnstart log: OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line): /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.14-openssl-1.0.2k/openvpn --daemon --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Snicolasderambure-SLibrary-SApplication Support-STunnelblick-SConfigurations-Stestuser.tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_1066800.1337.openvpn.log --cd /Library/Application Support/Tunnelblick/Users/nicolasderambure/testuser.tblk/Contents/Resources --verb 3 --config /Library/Application Support/Tunnelblick/Users/nicolasderambure/testuser.tblk/Contents/Resources/config.ovpn --verb 3 --cd /Library/Application Support/Tunnelblick/Users/nicolasderambure/testuser.tblk/Contents/Resources --management 127.0.0.1 1337 --management-query-passwords --management-hold --redirect-gateway def1 --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -r -w -ptADGNWradsgnw --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -r -w -ptADGNWradsgnw
2017-02-06 23:24:28 Unrecognized option or missing parameter(s) in /Library/Application Support/Tunnelblick/Users/nicolasderambure/testuser.tblk/Contents/Resources/config.ovpn:15: block-outside-dns (2.3.14)2017-02-06 23:24:28 OpenVPN 2.3.14 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Jan 30 20172017-02-06 23:24:28 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.092017-02-06 23:24:28 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:13372017-02-06 23:24:28 Need hold release from management interface, waiting...2017-02-06 23:24:28 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:13372017-02-06 23:24:28 *Tunnelblick: openvpnstart starting OpenVPN2017-02-06 23:24:28 *Tunnelblick: Established communication with OpenVPN2017-02-06 23:24:28 MANAGEMENT: CMD 'pid'2017-02-06 23:24:28 MANAGEMENT: CMD 'state on'2017-02-06 23:24:28 MANAGEMENT: CMD 'state'2017-02-06 23:24:28 MANAGEMENT: CMD 'bytecount 1'2017-02-06 23:24:28 MANAGEMENT: CMD 'hold release'2017-02-06 23:24:28 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts2017-02-06 23:24:28 Control Channel Authentication: tls-auth using INLINE static key file2017-02-06 23:24:28 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication2017-02-06 23:24:28 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication2017-02-06 23:24:28 Socket Buffers: R=[196724->196724] S=[9216->9216]2017-02-06 23:24:28 UDPv4 link local: [undef]2017-02-06 23:24:28 UDPv4 link remote: [AF_INET]XXX.XXX.XXX.XXX:11942017-02-06 23:24:28 MANAGEMENT: >STATE:1486419868,WAIT,,,2017-02-06 23:24:28 MANAGEMENT: >STATE:1486419868,AUTH,,,2017-02-06 23:24:28 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:1194, sid=70847e22 7cb78db32017-02-06 23:24:28 VERIFY OK: depth=1, CN=ChangeMe2017-02-06 23:24:28 Validating certificate key usage2017-02-06 23:24:28 ++ Certificate has key usage 00a0, expects 00a02017-02-06 23:24:28 VERIFY KU OK2017-02-06 23:24:28 Validating certificate extended key usage2017-02-06 23:24:28 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication2017-02-06 23:24:28 VERIFY EKU OK2017-02-06 23:24:28 VERIFY OK: depth=0, CN=server2017-02-06 23:24:29 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key2017-02-06 23:24:29 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication2017-02-06 23:24:29 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key2017-02-06 23:24:29 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication2017-02-06 23:24:29 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES128-GCM-SHA256, 3072 bit RSA2017-02-06 23:24:29 [server] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:11942017-02-06 23:24:30 MANAGEMENT: >STATE:1486419870,GET_CONFIG,,,2017-02-06 23:24:31 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)2017-02-06 23:24:31 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 62.210.16.6,dhcp-option DNS 62.210.16.7,redirect-gateway def1 bypass-dhcp,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0'2017-02-06 23:24:31 OPTIONS IMPORT: timers and/or timeouts modified2017-02-06 23:24:31 OPTIONS IMPORT: --ifconfig/up options modified2017-02-06 23:24:31 OPTIONS IMPORT: route options modified2017-02-06 23:24:31 OPTIONS IMPORT: route-related options modified2017-02-06 23:24:31 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified2017-02-06 23:24:31 Opening utun (connect(AF_SYS_CONTROL)): Resource busy2017-02-06 23:24:31 Opened utun device utun12017-02-06 23:24:31 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=02017-02-06 23:24:31 MANAGEMENT: >STATE:1486419871,ASSIGN_IP,,10.8.0.2,2017-02-06 23:24:31 /sbin/ifconfig utun1 delete ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address2017-02-06 23:24:31 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure2017-02-06 23:24:31 /sbin/ifconfig utun1 10.8.0.2 10.8.0.2 netmask 255.255.255.0 mtu 1500 up2017-02-06 23:24:31 /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0 add net 10.8.0.0: gateway 10.8.0.22017-02-06 23:24:31 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -r -w -ptADGNWradsgnw utun1 1500 1569 10.8.0.2 255.255.255.0 init ********************************************** Start of output from client.up.tunnelblick.sh Disabled IPv6 for 'Ethernet' Disabled IPv6 for 'Wi-Fi' Disabled IPv6 for 'Bluetooth PAN' Disabled IPv6 for 'Thunderbolt Bridge' Disabled IPv6 for 'iPhone' Retrieved from OpenVPN: name server(s) [ 62.210.16.6 62.210.16.7 ], search domain(s) [ ] and SMB server(s) [ ] and using default domain name [ openvpn ] Not aggregating ServerAddresses because running on OS X 10.6 or higher Setting search domains to 'openvpn' because running under OS X 10.6 or higher and the search domains were not set manually and 'Prepend domain name to search domains' was not selected Saved the DNS and SMB configurations so they can be restored Changed DNS ServerAddresses setting from '192.168.0.254' to '62.210.16.6 62.210.16.7' Changed DNS SearchDomains setting from '' to 'openvpn' Changed DNS DomainName setting from '' to 'openvpn' Did not change SMB NetBIOSName setting of '' Did not change SMB Workgroup setting of '' Did not change SMB WINSAddresses setting of '' DNS servers '62.210.16.6 62.210.16.7' will be used for DNS queries when the VPN is active NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems. Flushed the DNS cache via dscacheutil /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil Notified mDNSResponder that the DNS cache was flushed Setting up to monitor system configuration with process-network-changes End of output from client.up.tunnelblick.sh **********************************************2017-02-06 23:24:35 *Tunnelblick: No 'connected.sh' script to execute2017-02-06 23:24:35 /sbin/route add -net XXX.XXX.XXX.XXX 192.168.0.254 255.255.255.255 add net XXX.XXX.XXX.XXX: gateway 192.168.0.2542017-02-06 23:24:35 /sbin/route add -net 0.0.0.0 10.8.0.1 128.0.0.0 add net 0.0.0.0: gateway 10.8.0.12017-02-06 23:24:35 /sbin/route add -net 128.0.0.0 10.8.0.1 128.0.0.0 add net 128.0.0.0: gateway 10.8.0.12017-02-06 23:24:35 Initialization Sequence Completed2017-02-06 23:24:35 MANAGEMENT: >STATE:1486419875,CONNECTED,SUCCESS,10.8.0.2,XXX.XXX.XXX.XXX2017-02-06 23:25:16 *Tunnelblick: After 30.0 seconds, gave up trying to fetch IP address information using the ipInfo host's name after connecting.2017-02-06 23:25:51 *Tunnelblick: After 30.0 seconds, gave up trying to fetch IP address information using the ipInfo host's IP address after connecting.
Do you want me to copy/paste the diagnostic infos too ?
Thank you for your help !
winli...@gmail.com
Mar 4, 2020, 10:09:40 PM3/4/20
to tunnelblick-discuss
remove this
setenv opt block-outside-dns
on your client conf
Reply all
Reply to author
Forward
0 new messages