Opened 7 years ago

Closed 7 years ago

#882 closed User question (worksforme)

DNS trouble after successful connection to remote server

Reported by: ElCondor1969 Owned by:
Priority: trivial Milestone:
Component: OpenVPN Connect Version: OpenVPN 2.4.0 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: DNS client failure
Cc:

Description

My system:
Windows 10 Home 64-bit
(Version: 1607 build SO: 14393.1066)

I use the configuration in the attached file "client.ovpn" to connect to the remote server and the connection is established successfully.
Also attached is the log file.
The problem is that once the connection is established, it is no longer possible to reach the internet sites by their names, as it seems that there is a problem at the DNS level during the name resolution operations.
At the same time, I can reach the various sites by explicitly specifying their IP addresses.

How can I fix this problem?
Thanks in advance.

Attachments (2)

Client.ovpn (4.9 KB) - added by ElCondor1969 7 years ago.
Client.log (1.9 KB) - added by ElCondor1969 7 years ago.


Change History (11)

Changed 7 years ago by ElCondor1969

Attachment: Client.ovpn added

Changed 7 years ago by ElCondor1969

Attachment: Client.log added

comment:1 Changed 7 years ago by Selva Nair

Priority: major → trivial
Type: Bug / Defect → User question
Version: 2.2.2 → 2.4.0

You use block-outside-dns, set public addresses for DNS servers (8.8.8.8 & 8.8.4.4) but no redirect-gateway. Unless you add a route to those DNS servers through the VPN tunnel, DNS resolution will not work.

To fix this either remove block-outside-dns or use DNS server addresses reachable through the VPN or use redirect-gateway. Most people would use block-outside-dns together with redirect-gateway.

P.S. Please remove secrets like private key and tls-auth key from the config file before posting.

comment:2 Changed 7 years ago by ElCondor1969

Hi selvanair.
Thank you very much for your reply.
I followed your hint and commented out the following lines in my config file:

# dhcp-option DNS 8.8.8.8
# dhcp-option DNS 8.8.4.4
# block-outside-dns

but the result is the same: once connected, DNS doesn't work.
I also tried uncommenting the last option again, but the outcome is the same.

I write below the log file I got:

Tue May 02 18:31:58 2017 OpenVPN 2.4.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 22 2017
Tue May 02 18:31:58 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Tue May 02 18:31:58 2017 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
Enter Management Password:
Tue May 02 18:32:00 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]193.161.193.99:1194
Tue May 02 18:32:00 2017 UDP link local: (not bound)
Tue May 02 18:32:00 2017 UDP link remote: [AF_INET]193.161.193.99:1194
Tue May 02 18:32:07 2017 [193.161.193.99] Peer Connection Initiated with [AF_INET]193.161.193.99:1194
Tue May 02 18:32:09 2017 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Tue May 02 18:32:09 2017 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Tue May 02 18:32:09 2017 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Tue May 02 18:32:09 2017 open_tun
Tue May 02 18:32:09 2017 TAP-WIN32 device [Ethernet 4] opened: \\.\Global\{21420065-D9F9-46E8-8FCD-48EAD076DA24}.tap
Tue May 02 18:32:09 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.66/255.255.255.252 on interface {21420065-D9F9-46E8-8FCD-48EAD076DA24} [DHCP-serv: 10.8.0.65, lease-time: 31536000]
Tue May 02 18:32:09 2017 Successful ARP Flush on interface [5] {21420065-D9F9-46E8-8FCD-48EAD076DA24}
Tue May 02 18:32:09 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue May 02 18:32:10 2017 Blocking outside dns using service succeeded.
Tue May 02 18:32:15 2017 Initialization Sequence Completed
Tue May 02 18:33:22 2017 Unblocking outside dns using service succeeded.
Tue May 02 18:33:22 2017 SIGTERM[hard,] received, process exiting

What can I do to make DNS work?
I don't have access to the server and I can't modify the server config file.

Thank you in advance.

comment:3 Changed 7 years ago by Selva Nair

Quoting from your new log:

Tue May 02 18:32:09 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue May 02 18:32:10 2017 Blocking outside dns using service succeeded.

It is still blocking outside dns. Did you disconnect and connect again after commenting that line out? Or else the server is pushing you that option, in which case it should also push DNS servers and redirect-gateway.

Post the part of the log showing PUSH options received from the server. (Generate log using verb 4)

Last edited 7 years ago by Selva Nair

comment:4 Changed 7 years ago by ElCondor1969

Hi Selvanair.

I tried with the verb 4 option for the log; here it is:

Thu May 04 08:59:23 2017 us=762610 Current Parameter Settings:
Thu May 04 08:59:23 2017 us=764565   config = 'ElCondor1969.ovpn'
Thu May 04 08:59:23 2017 us=764565   mode = 0
Thu May 04 08:59:23 2017 us=764565   show_ciphers = DISABLED
Thu May 04 08:59:23 2017 us=764565   show_digests = DISABLED
Thu May 04 08:59:23 2017 us=764565   show_engines = DISABLED
Thu May 04 08:59:23 2017 us=764565   genkey = DISABLED
Thu May 04 08:59:23 2017 us=764565   key_pass_file = '[UNDEF]'
Thu May 04 08:59:23 2017 us=764565   show_tls_ciphers = DISABLED
Thu May 04 08:59:23 2017 us=764565   connect_retry_max = 0
Thu May 04 08:59:23 2017 us=764565 Connection profiles [0]:
Thu May 04 08:59:23 2017 us=764565   proto = udp
Thu May 04 08:59:23 2017 us=764565   local = '[UNDEF]'
Thu May 04 08:59:23 2017 us=764565   local_port = '[UNDEF]'
Thu May 04 08:59:23 2017 us=764565   remote = '193.161.193.99'
Thu May 04 08:59:23 2017 us=764565   remote_port = '1194'
Thu May 04 08:59:23 2017 us=764565   remote_float = DISABLED
Thu May 04 08:59:23 2017 us=764565   bind_defined = DISABLED
Thu May 04 08:59:23 2017 us=764565   bind_local = DISABLED
Thu May 04 08:59:23 2017 us=764565   bind_ipv6_only = DISABLED
Thu May 04 08:59:23 2017 us=764565   connect_retry_seconds = 5
Thu May 04 08:59:23 2017 us=764565   connect_timeout = 120
Thu May 04 08:59:23 2017 us=764565   socks_proxy_server = '[UNDEF]'
Thu May 04 08:59:23 2017 us=764565   socks_proxy_port = '[UNDEF]'
Thu May 04 08:59:23 2017 us=764565   tun_mtu = 1500
Thu May 04 08:59:23 2017 us=764565   tun_mtu_defined = ENABLED
Thu May 04 08:59:23 2017 us=764565   link_mtu = 1500
Thu May 04 08:59:23 2017 us=764565   link_mtu_defined = DISABLED
Thu May 04 08:59:23 2017 us=764565   tun_mtu_extra = 0
Thu May 04 08:59:23 2017 us=764565   tun_mtu_extra_defined = DISABLED
Thu May 04 08:59:23 2017 us=764565   mtu_discover_type = -1
Thu May 04 08:59:23 2017 us=764565   fragment = 0
Thu May 04 08:59:23 2017 us=764565   mssfix = 1450
Thu May 04 08:59:23 2017 us=764565   explicit_exit_notification = 0
Thu May 04 08:59:23 2017 us=764565 Connection profiles END
Thu May 04 08:59:23 2017 us=764565   remote_random = DISABLED
Thu May 04 08:59:23 2017 us=764565   ipchange = '[UNDEF]'
Thu May 04 08:59:23 2017 us=764565   dev = 'tun'
Thu May 04 08:59:23 2017 us=764565   dev_type = '[UNDEF]'
Thu May 04 08:59:23 2017 us=764565   dev_node = '[UNDEF]'
Thu May 04 08:59:23 2017 us=764565   lladdr = '[UNDEF]'
Thu May 04 08:59:23 2017 us=764565   topology = 1
Thu May 04 08:59:23 2017 us=764565   ifconfig_local = '[UNDEF]'
Thu May 04 08:59:23 2017 us=764565   ifconfig_remote_netmask = '[UNDEF]'
Thu May 04 08:59:23 2017 us=764565   ifconfig_noexec = DISABLED
Thu May 04 08:59:23 2017 us=764565   ifconfig_nowarn = DISABLED
Thu May 04 08:59:23 2017 us=765542   ifconfig_ipv6_local = '[UNDEF]'
Thu May 04 08:59:23 2017 us=765542   ifconfig_ipv6_netbits = 0
Thu May 04 08:59:23 2017 us=765542   ifconfig_ipv6_remote = '[UNDEF]'
Thu May 04 08:59:23 2017 us=765542   shaper = 0
Thu May 04 08:59:23 2017 us=765542   mtu_test = 0
Thu May 04 08:59:23 2017 us=765542   mlock = DISABLED
Thu May 04 08:59:23 2017 us=765542   keepalive_ping = 0
Thu May 04 08:59:23 2017 us=765542   keepalive_timeout = 0
Thu May 04 08:59:23 2017 us=765542   inactivity_timeout = 0
Thu May 04 08:59:23 2017 us=765542   ping_send_timeout = 0
Thu May 04 08:59:23 2017 us=765542   ping_rec_timeout = 0
Thu May 04 08:59:23 2017 us=765542   ping_rec_timeout_action = 0
Thu May 04 08:59:23 2017 us=765542   ping_timer_remote = DISABLED
Thu May 04 08:59:23 2017 us=765542   remap_sigusr1 = 0
Thu May 04 08:59:23 2017 us=765542   persist_tun = DISABLED
Thu May 04 08:59:23 2017 us=765542   persist_local_ip = DISABLED
Thu May 04 08:59:23 2017 us=765542   persist_remote_ip = DISABLED
Thu May 04 08:59:23 2017 us=765542   persist_key = DISABLED
Thu May 04 08:59:23 2017 us=765542   passtos = DISABLED
Thu May 04 08:59:23 2017 us=765542   resolve_retry_seconds = 1000000000
Thu May 04 08:59:23 2017 us=765542   resolve_in_advance = DISABLED
Thu May 04 08:59:23 2017 us=765542   username = '[UNDEF]'
Thu May 04 08:59:23 2017 us=765542   groupname = '[UNDEF]'
Thu May 04 08:59:23 2017 us=765542   chroot_dir = '[UNDEF]'
Thu May 04 08:59:23 2017 us=765542   cd_dir = '[UNDEF]'
Thu May 04 08:59:23 2017 us=765542   writepid = '[UNDEF]'
Thu May 04 08:59:23 2017 us=765542   up_script = '[UNDEF]'
Thu May 04 08:59:23 2017 us=765542   down_script = '[UNDEF]'
Thu May 04 08:59:23 2017 us=765542   down_pre = DISABLED
Thu May 04 08:59:23 2017 us=765542   up_restart = DISABLED
Thu May 04 08:59:23 2017 us=765542   up_delay = DISABLED
Thu May 04 08:59:23 2017 us=765542   daemon = DISABLED
Thu May 04 08:59:23 2017 us=765542   inetd = 0
Thu May 04 08:59:23 2017 us=765542   log = ENABLED
Thu May 04 08:59:23 2017 us=765542   suppress_timestamps = DISABLED
Thu May 04 08:59:23 2017 us=765542   machine_readable_output = DISABLED
Thu May 04 08:59:23 2017 us=765542   nice = 0
Thu May 04 08:59:23 2017 us=765542   verbosity = 4
Thu May 04 08:59:23 2017 us=765542   mute = 0
Thu May 04 08:59:23 2017 us=765542   gremlin = 0
Thu May 04 08:59:23 2017 us=765542   status_file = '[UNDEF]'
Thu May 04 08:59:23 2017 us=765542   status_file_version = 1
Thu May 04 08:59:23 2017 us=765542   status_file_update_freq = 60
Thu May 04 08:59:23 2017 us=765542   occ = ENABLED
Thu May 04 08:59:23 2017 us=765542   rcvbuf = 0
Thu May 04 08:59:23 2017 us=765542   sndbuf = 0
Thu May 04 08:59:23 2017 us=765542   sockflags = 0
Thu May 04 08:59:23 2017 us=765542   fast_io = DISABLED
Thu May 04 08:59:23 2017 us=765542   comp.alg = 0
Thu May 04 08:59:23 2017 us=765542   comp.flags = 0
Thu May 04 08:59:23 2017 us=765542   route_script = '[UNDEF]'
Thu May 04 08:59:23 2017 us=765542   route_default_gateway = '[UNDEF]'
Thu May 04 08:59:23 2017 us=765542   route_default_metric = 0
Thu May 04 08:59:23 2017 us=765542   route_noexec = DISABLED
Thu May 04 08:59:23 2017 us=766520   route_delay = 5
Thu May 04 08:59:23 2017 us=766520   route_delay_window = 30
Thu May 04 08:59:23 2017 us=766520   route_delay_defined = ENABLED
Thu May 04 08:59:23 2017 us=766520   route_nopull = DISABLED
Thu May 04 08:59:23 2017 us=766520   route_gateway_via_dhcp = DISABLED
Thu May 04 08:59:23 2017 us=766520   allow_pull_fqdn = DISABLED
Thu May 04 08:59:23 2017 us=766520   management_addr = '127.0.0.1'
Thu May 04 08:59:23 2017 us=766520   management_port = '25340'
Thu May 04 08:59:23 2017 us=766520   management_user_pass = 'stdin'
Thu May 04 08:59:23 2017 us=766520   management_log_history_cache = 250
Thu May 04 08:59:23 2017 us=766520   management_echo_buffer_size = 100
Thu May 04 08:59:23 2017 us=766520   management_write_peer_info_file = '[UNDEF]'
Thu May 04 08:59:23 2017 us=766520   management_client_user = '[UNDEF]'
Thu May 04 08:59:23 2017 us=766520   management_client_group = '[UNDEF]'
Thu May 04 08:59:23 2017 us=766520   management_flags = 4102
Thu May 04 08:59:23 2017 us=766520   shared_secret_file = '[UNDEF]'
Thu May 04 08:59:23 2017 us=766520   key_direction = 2
Thu May 04 08:59:23 2017 us=766520   ciphername = 'BF-CBC'
Thu May 04 08:59:23 2017 us=766520   ncp_enabled = ENABLED
Thu May 04 08:59:23 2017 us=766520   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Thu May 04 08:59:23 2017 us=766520   authname = 'SHA1'
Thu May 04 08:59:23 2017 us=766520   prng_hash = 'SHA1'
Thu May 04 08:59:23 2017 us=766520   prng_nonce_secret_len = 16
Thu May 04 08:59:23 2017 us=766520   keysize = 0
Thu May 04 08:59:23 2017 us=766520   engine = DISABLED
Thu May 04 08:59:23 2017 us=766520   replay = ENABLED
Thu May 04 08:59:23 2017 us=766520   mute_replay_warnings = DISABLED
Thu May 04 08:59:23 2017 us=766520   replay_window = 64
Thu May 04 08:59:23 2017 us=766520   replay_time = 15
Thu May 04 08:59:23 2017 us=766520   packet_id_file = '[UNDEF]'
Thu May 04 08:59:23 2017 us=766520   use_iv = ENABLED
Thu May 04 08:59:23 2017 us=766520   test_crypto = DISABLED
Thu May 04 08:59:23 2017 us=766520   tls_server = DISABLED
Thu May 04 08:59:23 2017 us=766520   tls_client = ENABLED
Thu May 04 08:59:23 2017 us=766520   key_method = 2
Thu May 04 08:59:23 2017 us=766520   ca_file = '[[INLINE]]'
Thu May 04 08:59:23 2017 us=766520   ca_path = '[UNDEF]'
Thu May 04 08:59:23 2017 us=766520   dh_file = '[UNDEF]'
Thu May 04 08:59:23 2017 us=766520   cert_file = '[[INLINE]]'
Thu May 04 08:59:23 2017 us=766520   extra_certs_file = '[UNDEF]'
Thu May 04 08:59:23 2017 us=766520   priv_key_file = '[[INLINE]]'
Thu May 04 08:59:23 2017 us=766520   pkcs12_file = '[UNDEF]'
Thu May 04 08:59:23 2017 us=766520   cryptoapi_cert = '[UNDEF]'
Thu May 04 08:59:23 2017 us=766520   cipher_list = '[UNDEF]'
Thu May 04 08:59:23 2017 us=766520   tls_verify = '[UNDEF]'
Thu May 04 08:59:23 2017 us=766520   tls_export_cert = '[UNDEF]'
Thu May 04 08:59:23 2017 us=766520   verify_x509_type = 0
Thu May 04 08:59:23 2017 us=766520   verify_x509_name = '[UNDEF]'
Thu May 04 08:59:23 2017 us=766520   crl_file = '[UNDEF]'
Thu May 04 08:59:23 2017 us=766520   ns_cert_type = 0
Thu May 04 08:59:23 2017 us=766520   remote_cert_ku[i] = 65535
Thu May 04 08:59:23 2017 us=767497   remote_cert_ku[i] = 0
Thu May 04 08:59:23 2017 us=767497   remote_cert_ku[i] = 0
Thu May 04 08:59:23 2017 us=767497   remote_cert_ku[i] = 0
Thu May 04 08:59:23 2017 us=767497   remote_cert_ku[i] = 0
Thu May 04 08:59:23 2017 us=767497   remote_cert_ku[i] = 0
Thu May 04 08:59:23 2017 us=767497   remote_cert_ku[i] = 0
Thu May 04 08:59:23 2017 us=767497   remote_cert_ku[i] = 0
Thu May 04 08:59:23 2017 us=767497   remote_cert_ku[i] = 0
Thu May 04 08:59:23 2017 us=767497   remote_cert_ku[i] = 0
Thu May 04 08:59:23 2017 us=767497   remote_cert_ku[i] = 0
Thu May 04 08:59:23 2017 us=767497   remote_cert_ku[i] = 0
Thu May 04 08:59:23 2017 us=767497   remote_cert_ku[i] = 0
Thu May 04 08:59:23 2017 us=767497   remote_cert_ku[i] = 0
Thu May 04 08:59:23 2017 us=767497   remote_cert_ku[i] = 0
Thu May 04 08:59:23 2017 us=767497   remote_cert_ku[i] = 0
Thu May 04 08:59:23 2017 us=767497   remote_cert_eku = 'TLS Web Server Authentication'
Thu May 04 08:59:23 2017 us=767497   ssl_flags = 0
Thu May 04 08:59:23 2017 us=767497   tls_timeout = 2
Thu May 04 08:59:23 2017 us=767497   renegotiate_bytes = -1
Thu May 04 08:59:23 2017 us=767497   renegotiate_packets = 0
Thu May 04 08:59:23 2017 us=767497   renegotiate_seconds = 3600
Thu May 04 08:59:23 2017 us=767497   handshake_window = 60
Thu May 04 08:59:23 2017 us=767497   transition_window = 3600
Thu May 04 08:59:23 2017 us=767497   single_session = DISABLED
Thu May 04 08:59:23 2017 us=767497   push_peer_info = DISABLED
Thu May 04 08:59:23 2017 us=767497   tls_exit = DISABLED
Thu May 04 08:59:23 2017 us=767497   tls_auth_file = '[[INLINE]]'
Thu May 04 08:59:23 2017 us=767497   tls_crypt_file = '[UNDEF]'
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_protected_authentication = DISABLED
Thu May 04 08:59:23 2017 us=767497   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=767497   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=767497   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=767497   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=767497   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=767497   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=767497   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=767497   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=767497   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=767497   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=767497   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=768474   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=768474   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=768474   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=768474   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=768474   pkcs11_private_mode = 00000000
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_cert_private = DISABLED
Thu May 04 08:59:23 2017 us=768474   pkcs11_pin_cache_period = -1
Thu May 04 08:59:23 2017 us=768474   pkcs11_id = '[UNDEF]'
Thu May 04 08:59:23 2017 us=768474   pkcs11_id_management = DISABLED
Thu May 04 08:59:23 2017 us=768474   server_network = 0.0.0.0
Thu May 04 08:59:23 2017 us=768474   server_netmask = 0.0.0.0
Thu May 04 08:59:23 2017 us=768474   server_network_ipv6 = ::
Thu May 04 08:59:23 2017 us=768474   server_netbits_ipv6 = 0
Thu May 04 08:59:23 2017 us=768474   server_bridge_ip = 0.0.0.0
Thu May 04 08:59:23 2017 us=768474   server_bridge_netmask = 0.0.0.0
Thu May 04 08:59:23 2017 us=768474   server_bridge_pool_start = 0.0.0.0
Thu May 04 08:59:23 2017 us=768474   server_bridge_pool_end = 0.0.0.0
Thu May 04 08:59:23 2017 us=768474   ifconfig_pool_defined = DISABLED
Thu May 04 08:59:23 2017 us=768474   ifconfig_pool_start = 0.0.0.0
Thu May 04 08:59:23 2017 us=768474   ifconfig_pool_end = 0.0.0.0
Thu May 04 08:59:23 2017 us=768474   ifconfig_pool_netmask = 0.0.0.0
Thu May 04 08:59:23 2017 us=768474   ifconfig_pool_persist_filename = '[UNDEF]'
Thu May 04 08:59:23 2017 us=768474   ifconfig_pool_persist_refresh_freq = 600
Thu May 04 08:59:23 2017 us=768474   ifconfig_ipv6_pool_defined = DISABLED
Thu May 04 08:59:23 2017 us=768474   ifconfig_ipv6_pool_base = ::
Thu May 04 08:59:23 2017 us=768474   ifconfig_ipv6_pool_netbits = 0
Thu May 04 08:59:23 2017 us=768474   n_bcast_buf = 256
Thu May 04 08:59:23 2017 us=768474   tcp_queue_limit = 64
Thu May 04 08:59:23 2017 us=768474   real_hash_size = 256
Thu May 04 08:59:23 2017 us=768474   virtual_hash_size = 256
Thu May 04 08:59:23 2017 us=768474   client_connect_script = '[UNDEF]'
Thu May 04 08:59:23 2017 us=768474   learn_address_script = '[UNDEF]'
Thu May 04 08:59:23 2017 us=768474   client_disconnect_script = '[UNDEF]'
Thu May 04 08:59:23 2017 us=768474   client_config_dir = '[UNDEF]'
Thu May 04 08:59:23 2017 us=769452   ccd_exclusive = DISABLED
Thu May 04 08:59:23 2017 us=769452   tmp_dir = 'C:\Users\Sergio\AppData\Local\Temp\'
Thu May 04 08:59:23 2017 us=769452   push_ifconfig_defined = DISABLED
Thu May 04 08:59:23 2017 us=769452   push_ifconfig_local = 0.0.0.0
Thu May 04 08:59:23 2017 us=769452   push_ifconfig_remote_netmask = 0.0.0.0
Thu May 04 08:59:23 2017 us=769452   push_ifconfig_ipv6_defined = DISABLED
Thu May 04 08:59:23 2017 us=769452   push_ifconfig_ipv6_local = ::/0
Thu May 04 08:59:23 2017 us=769452   push_ifconfig_ipv6_remote = ::
Thu May 04 08:59:23 2017 us=769452   enable_c2c = DISABLED
Thu May 04 08:59:23 2017 us=769452   duplicate_cn = DISABLED
Thu May 04 08:59:23 2017 us=769452   cf_max = 0
Thu May 04 08:59:23 2017 us=769452   cf_per = 0
Thu May 04 08:59:23 2017 us=769452   max_clients = 1024
Thu May 04 08:59:23 2017 us=769452   max_routes_per_client = 256
Thu May 04 08:59:23 2017 us=769452   auth_user_pass_verify_script = '[UNDEF]'
Thu May 04 08:59:23 2017 us=769452   auth_user_pass_verify_script_via_file = DISABLED
Thu May 04 08:59:23 2017 us=769452   auth_token_generate = DISABLED
Thu May 04 08:59:23 2017 us=769452   auth_token_lifetime = 0
Thu May 04 08:59:23 2017 us=769452   client = ENABLED
Thu May 04 08:59:23 2017 us=769452   pull = ENABLED
Thu May 04 08:59:23 2017 us=769452   auth_user_pass_file = '[UNDEF]'
Thu May 04 08:59:23 2017 us=769452   show_net_up = DISABLED
Thu May 04 08:59:23 2017 us=769452   route_method = 3
Thu May 04 08:59:23 2017 us=769452   block_outside_dns = DISABLED
Thu May 04 08:59:23 2017 us=769452   ip_win32_defined = DISABLED
Thu May 04 08:59:23 2017 us=769452   ip_win32_type = 3
Thu May 04 08:59:23 2017 us=769452   dhcp_masq_offset = 0
Thu May 04 08:59:23 2017 us=769452   dhcp_lease_time = 31536000
Thu May 04 08:59:23 2017 us=769452   tap_sleep = 0
Thu May 04 08:59:23 2017 us=769452   dhcp_options = DISABLED
Thu May 04 08:59:23 2017 us=769452   dhcp_renew = DISABLED
Thu May 04 08:59:23 2017 us=769452   dhcp_pre_release = DISABLED
Thu May 04 08:59:23 2017 us=769452   domain = '[UNDEF]'
Thu May 04 08:59:23 2017 us=769452   netbios_scope = '[UNDEF]'
Thu May 04 08:59:23 2017 us=769452   netbios_node_type = 0
Thu May 04 08:59:23 2017 us=769452   disable_nbt = DISABLED
Thu May 04 08:59:23 2017 us=769452 OpenVPN 2.4.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 22 2017
Thu May 04 08:59:23 2017 us=769452 Windows version 6.2 (Windows 8 or greater) 64bit
Thu May 04 08:59:23 2017 us=769452 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
Enter Management Password:
Thu May 04 08:59:23 2017 us=771408 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Thu May 04 08:59:23 2017 us=771408 Need hold release from management interface, waiting...
Thu May 04 08:59:24 2017 us=225781 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Thu May 04 08:59:24 2017 us=326917 MANAGEMENT: CMD 'state on'
Thu May 04 08:59:24 2017 us=327418 MANAGEMENT: CMD 'log all on'
Thu May 04 08:59:24 2017 us=512009 MANAGEMENT: CMD 'echo all on'
Thu May 04 08:59:24 2017 us=512987 MANAGEMENT: CMD 'hold off'
Thu May 04 08:59:24 2017 us=513965 MANAGEMENT: CMD 'hold release'
Thu May 04 08:59:24 2017 us=627276 MANAGEMENT: CMD 'proxy NONE  '
Thu May 04 08:59:25 2017 us=755663 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 04 08:59:25 2017 us=755663 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 04 08:59:25 2017 us=755663 Control Channel MTU parms [ L:1621 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Thu May 04 08:59:25 2017 us=755663 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Thu May 04 08:59:25 2017 us=756163 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Thu May 04 08:59:25 2017 us=756163 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Thu May 04 08:59:25 2017 us=756163 TCP/UDP: Preserving recently used remote address: [AF_INET]193.161.193.99:1194
Thu May 04 08:59:25 2017 us=756163 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu May 04 08:59:25 2017 us=756163 UDP link local: (not bound)
Thu May 04 08:59:25 2017 us=756163 UDP link remote: [AF_INET]193.161.193.99:1194
Thu May 04 08:59:25 2017 us=756163 MANAGEMENT: >STATE:1493881165,WAIT,,,,,,
Thu May 04 08:59:25 2017 us=976038 MANAGEMENT: >STATE:1493881165,AUTH,,,,,,
Thu May 04 08:59:25 2017 us=976038 TLS: Initial packet from [AF_INET]193.161.193.99:1194, sid=66d1dc07 82fc552d
Thu May 04 08:59:26 2017 us=827960 VERIFY OK: depth=1, CN=portmap.io
Thu May 04 08:59:27 2017 us=76559 VERIFY KU OK
Thu May 04 08:59:27 2017 us=76559 Validating certificate extended key usage
Thu May 04 08:59:27 2017 us=76559 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu May 04 08:59:27 2017 us=76559 VERIFY EKU OK
Thu May 04 08:59:27 2017 us=76559 VERIFY OK: depth=0, CN=193.161.193.99
Thu May 04 08:59:27 2017 us=754148 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu May 04 08:59:27 2017 us=754651 [193.161.193.99] Peer Connection Initiated with [AF_INET]193.161.193.99:1194
Thu May 04 08:59:28 2017 us=860744 MANAGEMENT: >STATE:1493881168,GET_CONFIG,,,,,,
Thu May 04 08:59:28 2017 us=861241 SENT CONTROL [193.161.193.99]: 'PUSH_REQUEST' (status=1)
Thu May 04 08:59:28 2017 us=957627 PUSH: Received control message: 'PUSH_REPLY,block-outside-dns,route 10.8.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.8.0.66 10.8.0.65'
Thu May 04 08:59:28 2017 us=957627 OPTIONS IMPORT: timers and/or timeouts modified
Thu May 04 08:59:28 2017 us=958127 OPTIONS IMPORT: --ifconfig/up options modified
Thu May 04 08:59:28 2017 us=958127 OPTIONS IMPORT: route options modified
Thu May 04 08:59:28 2017 us=958127 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu May 04 08:59:28 2017 us=958127 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:406 ET:0 EL:3 ]
Thu May 04 08:59:29 2017 us=173803 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu May 04 08:59:29 2017 us=173803 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Thu May 04 08:59:29 2017 us=173803 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 04 08:59:29 2017 us=173803 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu May 04 08:59:29 2017 us=173803 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Thu May 04 08:59:29 2017 us=173803 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 04 08:59:29 2017 us=173803 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Thu May 04 08:59:29 2017 us=174781 interactive service msg_channel=632
Thu May 04 08:59:29 2017 us=340439 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 I=17 HWADDR=50:b7:c3:b1:87:af
Thu May 04 08:59:29 2017 us=341417 open_tun
Thu May 04 08:59:29 2017 us=552991 TAP-WIN32 device [Ethernet 4] opened: \\.\Global\{21420065-D9F9-46E8-8FCD-48EAD076DA24}.tap
Thu May 04 08:59:29 2017 us=553492 TAP-Windows Driver Version 9.21 
Thu May 04 08:59:29 2017 us=553992 TAP-Windows MTU=1500
Thu May 04 08:59:29 2017 us=558495 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.66/255.255.255.252 on interface {21420065-D9F9-46E8-8FCD-48EAD076DA24} [DHCP-serv: 10.8.0.65, lease-time: 31536000]
Thu May 04 08:59:29 2017 us=559496 Successful ARP Flush on interface [5] {21420065-D9F9-46E8-8FCD-48EAD076DA24}
Thu May 04 08:59:29 2017 us=564499 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu May 04 08:59:29 2017 us=564499 MANAGEMENT: >STATE:1493881169,ASSIGN_IP,,10.8.0.66,,,,
Thu May 04 08:59:29 2017 us=564499 Blocking outside DNS
Thu May 04 08:59:29 2017 us=564499 Using service to add block dns filters
Thu May 04 08:59:31 2017 us=465296 Blocking outside dns using service succeeded.
Thu May 04 08:59:36 2017 us=742925 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Thu May 04 08:59:36 2017 us=743425 MANAGEMENT: >STATE:1493881176,ADD_ROUTES,,,,,,
Thu May 04 08:59:36 2017 us=743425 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.65
Thu May 04 08:59:36 2017 us=748340 Route addition via service succeeded
Thu May 04 08:59:36 2017 us=748340 Initialization Sequence Completed
Thu May 04 08:59:36 2017 us=748340 MANAGEMENT: >STATE:1493881176,CONNECTED,SUCCESS,10.8.0.66,193.161.193.99,1194,,

I hope this can give you some clues.

comment:5 Changed 7 years ago by Selva Nair

Thu May 04 08:59:28 2017 us=957627 PUSH: Received control message: 'PUSH_REPLY,block-outside-dns,route 10.8.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.8.0.66 10.8.0.65'

The server is pushing block-outside-dns, which will block dns traffic through all adapters except through the VPN. In that case you need to assign DNS server(s) to the TAP adapter, and those servers should be reachable through the VPN connection.

Your options depend on the purpose of the VPN and whether the server is managed by you:

(i) If the server is not run by you ask the server administrator for a proper config file -- especially DNS servers and appropriate routes and/or redirect-gateway are needed. Or the server should push those.

(ii) If the server is run by you, ask in the users mailing list or forum about how to properly use block-outside-dns and DNS server settings. In short: (a) if the VPN is only to access services on a server-side private network, push a DNS server in that network and make sure there is a route to it through the VPN; (b) if all external traffic is required to flow through the VPN, push private or public DNS server(s) and redirect-gateway. Instead of pushing, these settings could be added to the local config as well.
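The two rules Selva gives in comment:1 and comment:5 (with block-outside-dns active, every DNS server assigned to the TAP adapter must be covered by a route through the tunnel or by redirect-gateway, and a pushed block-outside-dns with no DNS server at all leaves the client with nothing to resolve against) can be checked mechanically before connecting. The script below is an added example written for this ticket, not OpenVPN project code: it merges a local .ovpn file with the PUSH_REPLY line from a verb 4 log and reports the mismatch. The sample config is constructed to mirror the one discussed here with the certificates and keys left out; the PUSH_REPLY line is the one quoted from the log above.

```python
import ipaddress
import re

# Constructed sample client config modelled on the one discussed in this ticket
# (certificates and keys omitted). Not the reporter's actual file.
CLIENT_OVPN = """\
client
dev tun
proto udp
remote 193.161.193.99 1194
# DNS servers assigned to the TAP adapter while connected
dhcp-option DNS 8.8.8.8
dhcp-option DNS 8.8.4.4
block-outside-dns
"""

# The PUSH_REPLY line as it appears in the verb 4 log in comment:4.
PUSH_LOG_LINE = (
    "Thu May 04 08:59:28 2017 us=957627 PUSH: Received control message: "
    "'PUSH_REPLY,block-outside-dns,route 10.8.0.1,topology net30,ping 10,"
    "ping-restart 60,ifconfig 10.8.0.66 10.8.0.65'"
)


def parse_config(text):
    """Split an .ovpn file into option token lists, skipping comments and <ca>/<cert>/<key> blocks."""
    opts = []
    in_inline = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_inline:
            if line.startswith("</"):
                in_inline = False
            continue
        if line.startswith("<") and line.endswith(">"):
            in_inline = True
            continue
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        if line:
            opts.append(line.lstrip("-").split())   # '--option' and 'option' are equivalent
    return opts


def parse_push_reply(log_line):
    """Extract the comma-separated option list from a 'PUSH: Received control message' log line."""
    m = re.search(r"'PUSH_REPLY,([^']*)'", log_line)
    if not m:
        return []
    return [item.split() for item in m.group(1).split(",") if item.strip()]


def dns_servers(opts):
    """DNS servers that will be set on the TAP adapter (local or pushed dhcp-option DNS)."""
    return [o[2] for o in opts
            if len(o) >= 3 and o[0] == "dhcp-option" and o[1].upper() == "DNS"]


def tunnel_routes(opts):
    """Networks routed into the tunnel: explicit 'route' options, or everything under redirect-gateway."""
    nets = []
    for o in opts:
        if o[0] == "redirect-gateway":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif o[0] == "route" and len(o) >= 2:
            mask = o[2] if len(o) >= 3 else "255.255.255.255"   # OpenVPN's default host mask
            try:
                nets.append(ipaddress.ip_network(f"{o[1]}/{mask}", strict=False))
            except ValueError:   # e.g. 'route remote_host' or a keyword this checker does not model
                continue
    return nets


def check_dns_reachability(local_text, push_log_line):
    """Return a list of findings; empty means DNS should be reachable with these options."""
    opts = parse_config(local_text) + parse_push_reply(push_log_line)
    blocked = any(o[0] == "block-outside-dns" for o in opts)
    findings = []
    if not blocked:
        return findings          # outside DNS still allowed; the LAN resolver keeps working
    servers = dns_servers(opts)
    routes = tunnel_routes(opts)
    if not servers:
        findings.append("block-outside-dns is active but no DNS server is assigned to the TAP adapter")
    for s in servers:
        if not any(ipaddress.ip_address(s) in n for n in routes):
            findings.append(f"DNS server {s} is not reachable through the tunnel "
                            f"(no route or redirect-gateway covers it)")
    return findings


if __name__ == "__main__":
    for f in check_dns_reachability(CLIENT_OVPN, PUSH_LOG_LINE):
        print("FINDING:", f)
    fixed = CLIENT_OVPN + "redirect-gateway def1\n"
    print("after adding redirect-gateway:",
          check_dns_reachability(fixed, PUSH_LOG_LINE) or "no findings")
```

Run against the constructed config it reports both public resolvers as unreachable, which is the situation in comment:1; with the dhcp-option and block-outside-dns lines commented out as in comment:2 it reports that the server's pushed block-outside-dns leaves no DNS server at all; and with either redirect-gateway or a DNS server inside the pushed route 10.8.0.1 it reports nothing, matching cases (a) and (b) of comment:5.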

comment:6 Changed 7 years ago by ElCondor1969

Hi Selvanair.

The case is the first: the server is not run by me and I don't have access to it.
The client config file was delivered to me by the administrators of the remote server and it wasn't written by me.

Is there a way to force the client to ignore the "block-outside-dns" config pushed by server?
If not, I will follow your advice and I will write administrators about DNS servers and appropriate routes and/or redirect-gateway that I should use in my client config file.

Thank you very much.

comment:7 Changed 7 years ago by Selva Nair

Is there a way to force the client to ignore the "block-outside-dns" config pushed by server?

Yes there is. But I would not suggest that, as the purpose of this VPN is unclear to me. The pushed block-outside-dns is inconsistent with your config file, and if it's supplied by the VPN provider, contact them. If this VPN is for redirecting all external traffic, the correct fix would be redirect-gateway in some form.

Further questions on this are better handled in the openvpn-users mailing list.

comment:8 Changed 7 years ago by ElCondor1969

Thank you very much, Selvanair, for your precious help.
Bye.

comment:9 Changed 7 years ago by Selva Nair

Resolution: worksforme
Status: new → closed