Opened 2 years ago

Closed 2 years ago

#882 closed User question (worksforme)

DNS trouble after successful connection to remote server

Reported by: ElCondor1969 Owned by:
Priority: trivial Milestone:
Component: OpenVPN Connect Version: OpenVPN 2.4.0 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: DNS client failure
Cc:

Description

My system:
Windows 10 Home 64-bit
(Version: 1607 build SO: 14393.1066)

I use the configuration in the attached file "client.ovpn" to connect to the remote server and the connection is established successfully.
Also attached is the log file.
The problem is that once the connection is established, it is no longer possible to reach the internet sites by their names, as it seems that there is a problem at the DNS level during the name resolution operations.
At the same time, I can reach the various sites by explicitly specifying their IP addresses.

How can I fix this problem?
Thanks in advance.

Attachments (2)

Client.ovpn (4.9 KB) - added by ElCondor1969 2 years ago.
Client.log (1.9 KB) - added by ElCondor1969 2 years ago.

Download all attachments as: .zip

Change History (11)

Changed 2 years ago by ElCondor1969

Attachment: Client.ovpn added

Changed 2 years ago by ElCondor1969

Attachment: Client.log added

comment:1 Changed 2 years ago by selvanair

Priority: majortrivial
Type: Bug / DefectUser question
Version: 2.2.22.4.0

You use block-outside-dns, set public addresses for DNS servers (8.8.8.8 & 8.8.4.4) but no redirect-gateway. Unless you add a route to those DNS servers through the VPN tunnel, DNS resolution will not work.

To fix this either remove block-outside-dns or use DNS server addresses reachable through the VPN or use redirect-gateway. Most people would use block-outside-dns together with redirect-gateway.

P.S. Please remove secrets like private key and tls-auth key from the config file before posting.

comment:2 Changed 2 years ago by ElCondor1969

Hi selvanair.
Thank you very much for your reply.
I followed your hint and I comment out the follows from my config file:

# dhcp-option DNS 8.8.8.8
# dhcp-option DNS 8.8.4.4
# block-outside-dns

but the result is the same: once connected the DNS don't works.
I tried also uncomment the last config too, but the outcome is the same.

I write below the log file I got:

Tue May 02 18:31:58 2017 OpenVPN 2.4.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 22 2017
Tue May 02 18:31:58 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Tue May 02 18:31:58 2017 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
Enter Management Password:
Tue May 02 18:32:00 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]193.161.193.99:1194
Tue May 02 18:32:00 2017 UDP link local: (not bound)
Tue May 02 18:32:00 2017 UDP link remote: [AF_INET]193.161.193.99:1194
Tue May 02 18:32:07 2017 [193.161.193.99] Peer Connection Initiated with [AF_INET]193.161.193.99:1194
Tue May 02 18:32:09 2017 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Tue May 02 18:32:09 2017 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Tue May 02 18:32:09 2017 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Tue May 02 18:32:09 2017 open_tun
Tue May 02 18:32:09 2017 TAP-WIN32 device [Ethernet 4] opened: \\.\Global\{21420065-D9F9-46E8-8FCD-48EAD076DA24}.tap
Tue May 02 18:32:09 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.66/255.255.255.252 on interface {21420065-D9F9-46E8-8FCD-48EAD076DA24} [DHCP-serv: 10.8.0.65, lease-time: 31536000]
Tue May 02 18:32:09 2017 Successful ARP Flush on interface [5] {21420065-D9F9-46E8-8FCD-48EAD076DA24}
Tue May 02 18:32:09 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue May 02 18:32:10 2017 Blocking outside dns using service succeeded.
Tue May 02 18:32:15 2017 Initialization Sequence Completed
Tue May 02 18:33:22 2017 Unblocking outside dns using service succeeded.
Tue May 02 18:33:22 2017 SIGTERM[hard,] received, process exiting

How can I do for DNS to work?
I have not access to the server and I can't modify the server config file.

Thank you in advance.

comment:3 Changed 2 years ago by selvanair

quoting from your new log

Tue May 02 18:32:09 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue May 02 18:32:10 2017 Blocking outside dns using service succeeded.

It is still blocking outside dns. Did you disconnect and connect again after commenting that line out? Or else the server is pushing you that option in which case it should also push DNS servers and redirect-gateway.

Post the part of the log showing PUSH options received from the server. (Generate log using verb 4)

Last edited 2 years ago by selvanair (previous) (diff)

comment:4 Changed 2 years ago by ElCondor1969

Hi Selvanair.

I tried with a verb 4 option for the log, that is:

Thu May 04 08:59:23 2017 us=762610 Current Parameter Settings:
Thu May 04 08:59:23 2017 us=764565   config = 'ElCondor1969.ovpn'
Thu May 04 08:59:23 2017 us=764565   mode = 0
Thu May 04 08:59:23 2017 us=764565   show_ciphers = DISABLED
Thu May 04 08:59:23 2017 us=764565   show_digests = DISABLED
Thu May 04 08:59:23 2017 us=764565   show_engines = DISABLED
Thu May 04 08:59:23 2017 us=764565   genkey = DISABLED
Thu May 04 08:59:23 2017 us=764565   key_pass_file = '[UNDEF]'
Thu May 04 08:59:23 2017 us=764565   show_tls_ciphers = DISABLED
Thu May 04 08:59:23 2017 us=764565   connect_retry_max = 0
Thu May 04 08:59:23 2017 us=764565 Connection profiles [0]:
Thu May 04 08:59:23 2017 us=764565   proto = udp
Thu May 04 08:59:23 2017 us=764565   local = '[UNDEF]'
Thu May 04 08:59:23 2017 us=764565   local_port = '[UNDEF]'
Thu May 04 08:59:23 2017 us=764565   remote = '193.161.193.99'
Thu May 04 08:59:23 2017 us=764565   remote_port = '1194'
Thu May 04 08:59:23 2017 us=764565   remote_float = DISABLED
Thu May 04 08:59:23 2017 us=764565   bind_defined = DISABLED
Thu May 04 08:59:23 2017 us=764565   bind_local = DISABLED
Thu May 04 08:59:23 2017 us=764565   bind_ipv6_only = DISABLED
Thu May 04 08:59:23 2017 us=764565   connect_retry_seconds = 5
Thu May 04 08:59:23 2017 us=764565   connect_timeout = 120
Thu May 04 08:59:23 2017 us=764565   socks_proxy_server = '[UNDEF]'
Thu May 04 08:59:23 2017 us=764565   socks_proxy_port = '[UNDEF]'
Thu May 04 08:59:23 2017 us=764565   tun_mtu = 1500
Thu May 04 08:59:23 2017 us=764565   tun_mtu_defined = ENABLED
Thu May 04 08:59:23 2017 us=764565   link_mtu = 1500
Thu May 04 08:59:23 2017 us=764565   link_mtu_defined = DISABLED
Thu May 04 08:59:23 2017 us=764565   tun_mtu_extra = 0
Thu May 04 08:59:23 2017 us=764565   tun_mtu_extra_defined = DISABLED
Thu May 04 08:59:23 2017 us=764565   mtu_discover_type = -1
Thu May 04 08:59:23 2017 us=764565   fragment = 0
Thu May 04 08:59:23 2017 us=764565   mssfix = 1450
Thu May 04 08:59:23 2017 us=764565   explicit_exit_notification = 0
Thu May 04 08:59:23 2017 us=764565 Connection profiles END
Thu May 04 08:59:23 2017 us=764565   remote_random = DISABLED
Thu May 04 08:59:23 2017 us=764565   ipchange = '[UNDEF]'
Thu May 04 08:59:23 2017 us=764565   dev = 'tun'
Thu May 04 08:59:23 2017 us=764565   dev_type = '[UNDEF]'
Thu May 04 08:59:23 2017 us=764565   dev_node = '[UNDEF]'
Thu May 04 08:59:23 2017 us=764565   lladdr = '[UNDEF]'
Thu May 04 08:59:23 2017 us=764565   topology = 1
Thu May 04 08:59:23 2017 us=764565   ifconfig_local = '[UNDEF]'
Thu May 04 08:59:23 2017 us=764565   ifconfig_remote_netmask = '[UNDEF]'
Thu May 04 08:59:23 2017 us=764565   ifconfig_noexec = DISABLED
Thu May 04 08:59:23 2017 us=764565   ifconfig_nowarn = DISABLED
Thu May 04 08:59:23 2017 us=765542   ifconfig_ipv6_local = '[UNDEF]'
Thu May 04 08:59:23 2017 us=765542   ifconfig_ipv6_netbits = 0
Thu May 04 08:59:23 2017 us=765542   ifconfig_ipv6_remote = '[UNDEF]'
Thu May 04 08:59:23 2017 us=765542   shaper = 0
Thu May 04 08:59:23 2017 us=765542   mtu_test = 0
Thu May 04 08:59:23 2017 us=765542   mlock = DISABLED
Thu May 04 08:59:23 2017 us=765542   keepalive_ping = 0
Thu May 04 08:59:23 2017 us=765542   keepalive_timeout = 0
Thu May 04 08:59:23 2017 us=765542   inactivity_timeout = 0
Thu May 04 08:59:23 2017 us=765542   ping_send_timeout = 0
Thu May 04 08:59:23 2017 us=765542   ping_rec_timeout = 0
Thu May 04 08:59:23 2017 us=765542   ping_rec_timeout_action = 0
Thu May 04 08:59:23 2017 us=765542   ping_timer_remote = DISABLED
Thu May 04 08:59:23 2017 us=765542   remap_sigusr1 = 0
Thu May 04 08:59:23 2017 us=765542   persist_tun = DISABLED
Thu May 04 08:59:23 2017 us=765542   persist_local_ip = DISABLED
Thu May 04 08:59:23 2017 us=765542   persist_remote_ip = DISABLED
Thu May 04 08:59:23 2017 us=765542   persist_key = DISABLED
Thu May 04 08:59:23 2017 us=765542   passtos = DISABLED
Thu May 04 08:59:23 2017 us=765542   resolve_retry_seconds = 1000000000
Thu May 04 08:59:23 2017 us=765542   resolve_in_advance = DISABLED
Thu May 04 08:59:23 2017 us=765542   username = '[UNDEF]'
Thu May 04 08:59:23 2017 us=765542   groupname = '[UNDEF]'
Thu May 04 08:59:23 2017 us=765542   chroot_dir = '[UNDEF]'
Thu May 04 08:59:23 2017 us=765542   cd_dir = '[UNDEF]'
Thu May 04 08:59:23 2017 us=765542   writepid = '[UNDEF]'
Thu May 04 08:59:23 2017 us=765542   up_script = '[UNDEF]'
Thu May 04 08:59:23 2017 us=765542   down_script = '[UNDEF]'
Thu May 04 08:59:23 2017 us=765542   down_pre = DISABLED
Thu May 04 08:59:23 2017 us=765542   up_restart = DISABLED
Thu May 04 08:59:23 2017 us=765542   up_delay = DISABLED
Thu May 04 08:59:23 2017 us=765542   daemon = DISABLED
Thu May 04 08:59:23 2017 us=765542   inetd = 0
Thu May 04 08:59:23 2017 us=765542   log = ENABLED
Thu May 04 08:59:23 2017 us=765542   suppress_timestamps = DISABLED
Thu May 04 08:59:23 2017 us=765542   machine_readable_output = DISABLED
Thu May 04 08:59:23 2017 us=765542   nice = 0
Thu May 04 08:59:23 2017 us=765542   verbosity = 4
Thu May 04 08:59:23 2017 us=765542   mute = 0
Thu May 04 08:59:23 2017 us=765542   gremlin = 0
Thu May 04 08:59:23 2017 us=765542   status_file = '[UNDEF]'
Thu May 04 08:59:23 2017 us=765542   status_file_version = 1
Thu May 04 08:59:23 2017 us=765542   status_file_update_freq = 60
Thu May 04 08:59:23 2017 us=765542   occ = ENABLED
Thu May 04 08:59:23 2017 us=765542   rcvbuf = 0
Thu May 04 08:59:23 2017 us=765542   sndbuf = 0
Thu May 04 08:59:23 2017 us=765542   sockflags = 0
Thu May 04 08:59:23 2017 us=765542   fast_io = DISABLED
Thu May 04 08:59:23 2017 us=765542   comp.alg = 0
Thu May 04 08:59:23 2017 us=765542   comp.flags = 0
Thu May 04 08:59:23 2017 us=765542   route_script = '[UNDEF]'
Thu May 04 08:59:23 2017 us=765542   route_default_gateway = '[UNDEF]'
Thu May 04 08:59:23 2017 us=765542   route_default_metric = 0
Thu May 04 08:59:23 2017 us=765542   route_noexec = DISABLED
Thu May 04 08:59:23 2017 us=766520   route_delay = 5
Thu May 04 08:59:23 2017 us=766520   route_delay_window = 30
Thu May 04 08:59:23 2017 us=766520   route_delay_defined = ENABLED
Thu May 04 08:59:23 2017 us=766520   route_nopull = DISABLED
Thu May 04 08:59:23 2017 us=766520   route_gateway_via_dhcp = DISABLED
Thu May 04 08:59:23 2017 us=766520   allow_pull_fqdn = DISABLED
Thu May 04 08:59:23 2017 us=766520   management_addr = '127.0.0.1'
Thu May 04 08:59:23 2017 us=766520   management_port = '25340'
Thu May 04 08:59:23 2017 us=766520   management_user_pass = 'stdin'
Thu May 04 08:59:23 2017 us=766520   management_log_history_cache = 250
Thu May 04 08:59:23 2017 us=766520   management_echo_buffer_size = 100
Thu May 04 08:59:23 2017 us=766520   management_write_peer_info_file = '[UNDEF]'
Thu May 04 08:59:23 2017 us=766520   management_client_user = '[UNDEF]'
Thu May 04 08:59:23 2017 us=766520   management_client_group = '[UNDEF]'
Thu May 04 08:59:23 2017 us=766520   management_flags = 4102
Thu May 04 08:59:23 2017 us=766520   shared_secret_file = '[UNDEF]'
Thu May 04 08:59:23 2017 us=766520   key_direction = 2
Thu May 04 08:59:23 2017 us=766520   ciphername = 'BF-CBC'
Thu May 04 08:59:23 2017 us=766520   ncp_enabled = ENABLED
Thu May 04 08:59:23 2017 us=766520   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Thu May 04 08:59:23 2017 us=766520   authname = 'SHA1'
Thu May 04 08:59:23 2017 us=766520   prng_hash = 'SHA1'
Thu May 04 08:59:23 2017 us=766520   prng_nonce_secret_len = 16
Thu May 04 08:59:23 2017 us=766520   keysize = 0
Thu May 04 08:59:23 2017 us=766520   engine = DISABLED
Thu May 04 08:59:23 2017 us=766520   replay = ENABLED
Thu May 04 08:59:23 2017 us=766520   mute_replay_warnings = DISABLED
Thu May 04 08:59:23 2017 us=766520   replay_window = 64
Thu May 04 08:59:23 2017 us=766520   replay_time = 15
Thu May 04 08:59:23 2017 us=766520   packet_id_file = '[UNDEF]'
Thu May 04 08:59:23 2017 us=766520   use_iv = ENABLED
Thu May 04 08:59:23 2017 us=766520   test_crypto = DISABLED
Thu May 04 08:59:23 2017 us=766520   tls_server = DISABLED
Thu May 04 08:59:23 2017 us=766520   tls_client = ENABLED
Thu May 04 08:59:23 2017 us=766520   key_method = 2
Thu May 04 08:59:23 2017 us=766520   ca_file = '[[INLINE]]'
Thu May 04 08:59:23 2017 us=766520   ca_path = '[UNDEF]'
Thu May 04 08:59:23 2017 us=766520   dh_file = '[UNDEF]'
Thu May 04 08:59:23 2017 us=766520   cert_file = '[[INLINE]]'
Thu May 04 08:59:23 2017 us=766520   extra_certs_file = '[UNDEF]'
Thu May 04 08:59:23 2017 us=766520   priv_key_file = '[[INLINE]]'
Thu May 04 08:59:23 2017 us=766520   pkcs12_file = '[UNDEF]'
Thu May 04 08:59:23 2017 us=766520   cryptoapi_cert = '[UNDEF]'
Thu May 04 08:59:23 2017 us=766520   cipher_list = '[UNDEF]'
Thu May 04 08:59:23 2017 us=766520   tls_verify = '[UNDEF]'
Thu May 04 08:59:23 2017 us=766520   tls_export_cert = '[UNDEF]'
Thu May 04 08:59:23 2017 us=766520   verify_x509_type = 0
Thu May 04 08:59:23 2017 us=766520   verify_x509_name = '[UNDEF]'
Thu May 04 08:59:23 2017 us=766520   crl_file = '[UNDEF]'
Thu May 04 08:59:23 2017 us=766520   ns_cert_type = 0
Thu May 04 08:59:23 2017 us=766520   remote_cert_ku[i] = 65535
Thu May 04 08:59:23 2017 us=767497   remote_cert_ku[i] = 0
Thu May 04 08:59:23 2017 us=767497   remote_cert_ku[i] = 0
Thu May 04 08:59:23 2017 us=767497   remote_cert_ku[i] = 0
Thu May 04 08:59:23 2017 us=767497   remote_cert_ku[i] = 0
Thu May 04 08:59:23 2017 us=767497   remote_cert_ku[i] = 0
Thu May 04 08:59:23 2017 us=767497   remote_cert_ku[i] = 0
Thu May 04 08:59:23 2017 us=767497   remote_cert_ku[i] = 0
Thu May 04 08:59:23 2017 us=767497   remote_cert_ku[i] = 0
Thu May 04 08:59:23 2017 us=767497   remote_cert_ku[i] = 0
Thu May 04 08:59:23 2017 us=767497   remote_cert_ku[i] = 0
Thu May 04 08:59:23 2017 us=767497   remote_cert_ku[i] = 0
Thu May 04 08:59:23 2017 us=767497   remote_cert_ku[i] = 0
Thu May 04 08:59:23 2017 us=767497   remote_cert_ku[i] = 0
Thu May 04 08:59:23 2017 us=767497   remote_cert_ku[i] = 0
Thu May 04 08:59:23 2017 us=767497   remote_cert_ku[i] = 0
Thu May 04 08:59:23 2017 us=767497   remote_cert_eku = 'TLS Web Server Authentication'
Thu May 04 08:59:23 2017 us=767497   ssl_flags = 0
Thu May 04 08:59:23 2017 us=767497   tls_timeout = 2
Thu May 04 08:59:23 2017 us=767497   renegotiate_bytes = -1
Thu May 04 08:59:23 2017 us=767497   renegotiate_packets = 0
Thu May 04 08:59:23 2017 us=767497   renegotiate_seconds = 3600
Thu May 04 08:59:23 2017 us=767497   handshake_window = 60
Thu May 04 08:59:23 2017 us=767497   transition_window = 3600
Thu May 04 08:59:23 2017 us=767497   single_session = DISABLED
Thu May 04 08:59:23 2017 us=767497   push_peer_info = DISABLED
Thu May 04 08:59:23 2017 us=767497   tls_exit = DISABLED
Thu May 04 08:59:23 2017 us=767497   tls_auth_file = '[[INLINE]]'
Thu May 04 08:59:23 2017 us=767497   tls_crypt_file = '[UNDEF]'
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=767497   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=767497   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=767497   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=767497   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=767497   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=767497   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=767497   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=767497   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=767497   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=767497   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=768474   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=768474   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=768474   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=768474   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=768474   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_pin_cache_period = -1
Thu May 04 08:59:23 2017 us=768474   pkcs11_id = '[UNDEF]'
Thu May 04 08:59:23 2017 us=768474   pkcs11_id_management = DISABLED
Thu May 04 08:59:23 2017 us=768474   server_network = 0.0.0.0
Thu May 04 08:59:23 2017 us=768474   server_netmask = 0.0.0.0
Thu May 04 08:59:23 2017 us=768474   server_network_ipv6 = ::
Thu May 04 08:59:23 2017 us=768474   server_netbits_ipv6 = 0
Thu May 04 08:59:23 2017 us=768474   server_bridge_ip = 0.0.0.0
Thu May 04 08:59:23 2017 us=768474   server_bridge_netmask = 0.0.0.0
Thu May 04 08:59:23 2017 us=768474   server_bridge_pool_start = 0.0.0.0
Thu May 04 08:59:23 2017 us=768474   server_bridge_pool_end = 0.0.0.0
Thu May 04 08:59:23 2017 us=768474   ifconfig_pool_defined = DISABLED
Thu May 04 08:59:23 2017 us=768474   ifconfig_pool_start = 0.0.0.0
Thu May 04 08:59:23 2017 us=768474   ifconfig_pool_end = 0.0.0.0
Thu May 04 08:59:23 2017 us=768474   ifconfig_pool_netmask = 0.0.0.0
Thu May 04 08:59:23 2017 us=768474   ifconfig_pool_persist_filename = '[UNDEF]'
Thu May 04 08:59:23 2017 us=768474   ifconfig_pool_persist_refresh_freq = 600
Thu May 04 08:59:23 2017 us=768474   ifconfig_ipv6_pool_defined = DISABLED
Thu May 04 08:59:23 2017 us=768474   ifconfig_ipv6_pool_base = ::
Thu May 04 08:59:23 2017 us=768474   ifconfig_ipv6_pool_netbits = 0
Thu May 04 08:59:23 2017 us=768474   n_bcast_buf = 256
Thu May 04 08:59:23 2017 us=768474   tcp_queue_limit = 64
Thu May 04 08:59:23 2017 us=768474   real_hash_size = 256
Thu May 04 08:59:23 2017 us=768474   virtual_hash_size = 256
Thu May 04 08:59:23 2017 us=768474   client_connect_script = '[UNDEF]'
Thu May 04 08:59:23 2017 us=768474   learn_address_script = '[UNDEF]'
Thu May 04 08:59:23 2017 us=768474   client_disconnect_script = '[UNDEF]'
Thu May 04 08:59:23 2017 us=768474   client_config_dir = '[UNDEF]'
Thu May 04 08:59:23 2017 us=769452   ccd_exclusive = DISABLED
Thu May 04 08:59:23 2017 us=769452   tmp_dir = 'C:\Users\Sergio\AppData\Local\Temp\'
Thu May 04 08:59:23 2017 us=769452   push_ifconfig_defined = DISABLED
Thu May 04 08:59:23 2017 us=769452   push_ifconfig_local = 0.0.0.0
Thu May 04 08:59:23 2017 us=769452   push_ifconfig_remote_netmask = 0.0.0.0
Thu May 04 08:59:23 2017 us=769452   push_ifconfig_ipv6_defined = DISABLED
Thu May 04 08:59:23 2017 us=769452   push_ifconfig_ipv6_local = ::/0
Thu May 04 08:59:23 2017 us=769452   push_ifconfig_ipv6_remote = ::
Thu May 04 08:59:23 2017 us=769452   enable_c2c = DISABLED
Thu May 04 08:59:23 2017 us=769452   duplicate_cn = DISABLED
Thu May 04 08:59:23 2017 us=769452   cf_max = 0
Thu May 04 08:59:23 2017 us=769452   cf_per = 0
Thu May 04 08:59:23 2017 us=769452   max_clients = 1024
Thu May 04 08:59:23 2017 us=769452   max_routes_per_client = 256
Thu May 04 08:59:23 2017 us=769452   auth_user_pass_verify_script = '[UNDEF]'
Thu May 04 08:59:23 2017 us=769452   auth_user_pass_verify_script_via_file = DISABLED
Thu May 04 08:59:23 2017 us=769452   auth_token_generate = DISABLED
Thu May 04 08:59:23 2017 us=769452   auth_token_lifetime = 0
Thu May 04 08:59:23 2017 us=769452   client = ENABLED
Thu May 04 08:59:23 2017 us=769452   pull = ENABLED
Thu May 04 08:59:23 2017 us=769452   auth_user_pass_file = '[UNDEF]'
Thu May 04 08:59:23 2017 us=769452   show_net_up = DISABLED
Thu May 04 08:59:23 2017 us=769452   route_method = 3
Thu May 04 08:59:23 2017 us=769452   block_outside_dns = DISABLED
Thu May 04 08:59:23 2017 us=769452   ip_win32_defined = DISABLED
Thu May 04 08:59:23 2017 us=769452   ip_win32_type = 3
Thu May 04 08:59:23 2017 us=769452   dhcp_masq_offset = 0
Thu May 04 08:59:23 2017 us=769452   dhcp_lease_time = 31536000
Thu May 04 08:59:23 2017 us=769452   tap_sleep = 0
Thu May 04 08:59:23 2017 us=769452   dhcp_options = DISABLED
Thu May 04 08:59:23 2017 us=769452   dhcp_renew = DISABLED
Thu May 04 08:59:23 2017 us=769452   dhcp_pre_release = DISABLED
Thu May 04 08:59:23 2017 us=769452   domain = '[UNDEF]'
Thu May 04 08:59:23 2017 us=769452   netbios_scope = '[UNDEF]'
Thu May 04 08:59:23 2017 us=769452   netbios_node_type = 0
Thu May 04 08:59:23 2017 us=769452   disable_nbt = DISABLED
Thu May 04 08:59:23 2017 us=769452 OpenVPN 2.4.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 22 2017
Thu May 04 08:59:23 2017 us=769452 Windows version 6.2 (Windows 8 or greater) 64bit
Thu May 04 08:59:23 2017 us=769452 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
Enter Management Password:
Thu May 04 08:59:23 2017 us=771408 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Thu May 04 08:59:23 2017 us=771408 Need hold release from management interface, waiting...
Thu May 04 08:59:24 2017 us=225781 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Thu May 04 08:59:24 2017 us=326917 MANAGEMENT: CMD 'state on'
Thu May 04 08:59:24 2017 us=327418 MANAGEMENT: CMD 'log all on'
Thu May 04 08:59:24 2017 us=512009 MANAGEMENT: CMD 'echo all on'
Thu May 04 08:59:24 2017 us=512987 MANAGEMENT: CMD 'hold off'
Thu May 04 08:59:24 2017 us=513965 MANAGEMENT: CMD 'hold release'
Thu May 04 08:59:24 2017 us=627276 MANAGEMENT: CMD 'proxy NONE  '
Thu May 04 08:59:25 2017 us=755663 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 04 08:59:25 2017 us=755663 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 04 08:59:25 2017 us=755663 Control Channel MTU parms [ L:1621 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Thu May 04 08:59:25 2017 us=755663 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Thu May 04 08:59:25 2017 us=756163 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Thu May 04 08:59:25 2017 us=756163 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Thu May 04 08:59:25 2017 us=756163 TCP/UDP: Preserving recently used remote address: [AF_INET]193.161.193.99:1194
Thu May 04 08:59:25 2017 us=756163 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu May 04 08:59:25 2017 us=756163 UDP link local: (not bound)
Thu May 04 08:59:25 2017 us=756163 UDP link remote: [AF_INET]193.161.193.99:1194
Thu May 04 08:59:25 2017 us=756163 MANAGEMENT: >STATE:1493881165,WAIT,,,,,,
Thu May 04 08:59:25 2017 us=976038 MANAGEMENT: >STATE:1493881165,AUTH,,,,,,
Thu May 04 08:59:25 2017 us=976038 TLS: Initial packet from [AF_INET]193.161.193.99:1194, sid=66d1dc07 82fc552d
Thu May 04 08:59:26 2017 us=827960 VERIFY OK: depth=1, CN=portmap.io
Thu May 04 08:59:27 2017 us=76559 VERIFY KU OK
Thu May 04 08:59:27 2017 us=76559 Validating certificate extended key usage
Thu May 04 08:59:27 2017 us=76559 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu May 04 08:59:27 2017 us=76559 VERIFY EKU OK
Thu May 04 08:59:27 2017 us=76559 VERIFY OK: depth=0, CN=193.161.193.99
Thu May 04 08:59:27 2017 us=754148 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu May 04 08:59:27 2017 us=754651 [193.161.193.99] Peer Connection Initiated with [AF_INET]193.161.193.99:1194
Thu May 04 08:59:28 2017 us=860744 MANAGEMENT: >STATE:1493881168,GET_CONFIG,,,,,,
Thu May 04 08:59:28 2017 us=861241 SENT CONTROL [193.161.193.99]: 'PUSH_REQUEST' (status=1)
Thu May 04 08:59:28 2017 us=957627 PUSH: Received control message: 'PUSH_REPLY,block-outside-dns,route 10.8.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.8.0.66 10.8.0.65'
Thu May 04 08:59:28 2017 us=957627 OPTIONS IMPORT: timers and/or timeouts modified
Thu May 04 08:59:28 2017 us=958127 OPTIONS IMPORT: --ifconfig/up options modified
Thu May 04 08:59:28 2017 us=958127 OPTIONS IMPORT: route options modified
Thu May 04 08:59:28 2017 us=958127 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu May 04 08:59:28 2017 us=958127 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:406 ET:0 EL:3 ]
Thu May 04 08:59:29 2017 us=173803 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu May 04 08:59:29 2017 us=173803 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Thu May 04 08:59:29 2017 us=173803 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 04 08:59:29 2017 us=173803 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu May 04 08:59:29 2017 us=173803 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Thu May 04 08:59:29 2017 us=173803 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 04 08:59:29 2017 us=173803 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Thu May 04 08:59:29 2017 us=174781 interactive service msg_channel=632
Thu May 04 08:59:29 2017 us=340439 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 I=17 HWADDR=50:b7:c3:b1:87:af
Thu May 04 08:59:29 2017 us=341417 open_tun
Thu May 04 08:59:29 2017 us=552991 TAP-WIN32 device [Ethernet 4] opened: \\.\Global\{21420065-D9F9-46E8-8FCD-48EAD076DA24}.tap
Thu May 04 08:59:29 2017 us=553492 TAP-Windows Driver Version 9.21 
Thu May 04 08:59:29 2017 us=553992 TAP-Windows MTU=1500
Thu May 04 08:59:29 2017 us=558495 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.66/255.255.255.252 on interface {21420065-D9F9-46E8-8FCD-48EAD076DA24} [DHCP-serv: 10.8.0.65, lease-time: 31536000]
Thu May 04 08:59:29 2017 us=559496 Successful ARP Flush on interface [5] {21420065-D9F9-46E8-8FCD-48EAD076DA24}
Thu May 04 08:59:29 2017 us=564499 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu May 04 08:59:29 2017 us=564499 MANAGEMENT: >STATE:1493881169,ASSIGN_IP,,10.8.0.66,,,,
Thu May 04 08:59:29 2017 us=564499 Blocking outside DNS
Thu May 04 08:59:29 2017 us=564499 Using service to add block dns filters
Thu May 04 08:59:31 2017 us=465296 Blocking outside dns using service succeeded.
Thu May 04 08:59:36 2017 us=742925 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Thu May 04 08:59:36 2017 us=743425 MANAGEMENT: >STATE:1493881176,ADD_ROUTES,,,,,,
Thu May 04 08:59:36 2017 us=743425 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.65
Thu May 04 08:59:36 2017 us=748340 Route addition via service succeeded
Thu May 04 08:59:36 2017 us=748340 Initialization Sequence Completed
Thu May 04 08:59:36 2017 us=748340 MANAGEMENT: >STATE:1493881176,CONNECTED,SUCCESS,10.8.0.66,193.161.193.99,1194,,

I hope this can give you some clues.

comment:5 Changed 2 years ago by selvanair

Thu May 04 08:59:28 2017 us=957627 PUSH: Received control message: 'PUSH_REPLY,block-outside-dns,route 10.8.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.8.0.66 10.8.0.65'

The server is pushing block-outside-dns which will block dns traffic through all adapters except through the VPN. In that case you need to assign DNS server(s) to the TAP adapter and those servers should be reachable through VPN connection.

Your options depend on the purpose of the VPN and whether the server is managed by you:

(i) If the server is not run by you ask the server administrator for a proper config file -- especially DNS servers and appropriate routes and/or redirect-gateway are needed. Or the server should push those.

(ii) If the server is run by you, ask in the users mailing list or forum about how to properly use block-outside-dns and DNS server settings. In short, (a) if the VPN is only to access services on a server-side private network, push a DNS server in that network and make sure there is a route to it through the VPN (b) if all external traffic is required to flow through the VPN push private or public DNS server(s) and redirect-gateway. Instead of pushing, these settings could be added to the local config as well.

comment:6 Changed 2 years ago by ElCondor1969

Hi Selvanair.

The case is the first: the server is not run by me and I not have access to it.
The client config file was delivered to me by administrators of the remote server and it wasn't write by me.

Is there a way to force the client to ignore the "block-outside-dns" config pushed by server?
If not, I will follow your advice and I will write administrators about DNS servers and appropriate routes and/or redirect-gateway that I should use in my client config file.

Thank you very much.

comment:7 Changed 2 years ago by selvanair

Is there a way to force the client to ignore the "block-outside-dns" config pushed by server?

Yes there is. But I would not suggest that as the purpose of this VPN is unclear to me. The pushed block-outside-dns is inconsistent with your config file and if its supplied by the VPN provider, contact them. If this VPN is for redirecting all external traffic, the correct fix would be redirect-gateway in some form.

Further questions on this is better handled in the openvpn-users mailing list.

comment:8 Changed 2 years ago by ElCondor1969

Thank you very much Selvanair for your precious help.
Bye.

comment:9 Changed 2 years ago by selvanair

Resolution: worksforme
Status: newclosed
Note: See TracTickets for help on using tickets.