[Solved] block-outside-dns and cannot resolve host address issue

Posted: Thu May 26, 2016 2:28 pm
by SGWW
Hi guys

I've noticed an unpleasant issue which is caused by block-outside-dns and really need advice on how to overcome it.

The issue occurs on the latest 2.3.11 daemon on Windows when block-outside-dns is used in the server config
and a remote DNS name (not an IP address) is used in the client config.

As it is written in the documentation, --block-outside-dns prevents Windows from accessing TCP or UDP port 53 except the one inside the tunnel. However, when a reconnection occurs (because of a bad link or --resolv-retry 3600) the Windows client software fails to resolve the hostname of the VPN server, obviously because of --block-outside-dns.

I cannot disable --block-outside-dns because I want to have protection against DNS leaks.
The only "solution" I found is --resolv-retry 0, which unfortunately forces the user to initiate the connection from scratch and to provide their credentials again.

Maybe someone can give a good recommendation on how to fix this behaviour?

Thanks in advance

Re: block-outside-dns and cannot resolve host address issue

Posted: Thu May 26, 2016 7:41 pm
by Traffic
If the host has a static IP then you can use that instead ..

Re: block-outside-dns and cannot resolve host address issue

Posted: Fri May 27, 2016 9:04 am
by SGWW
Hi Traffic!

Thank you for the reply.

Sure, a static IP is a fix; however, we need DNS round-robin and the ability to change the servers' IPs (we don't want to resend the clients' configs every time this happens).

Other suggestions?

PS I am not a professional developer, but this issue looks like a software feature or bug. The simple solution is just to keep the remote IP (after the first successful DNS query) in some variable and then use it when it needs to reconnect. Is it worth creating a bug/feature request?

Re: block-outside-dns and cannot resolve host address issue

Posted: Fri May 27, 2016 5:54 pm
by Traffic
The filters that block external dns are removed at reconnect, so this
should not happen --- provided the client detects the connection drop and
restarts (by say ping-restart).

Need to look at the logs to see what the real issue is.

Selva
I suggest you post your server and client configs and logs. (--verb 4)

Re: block-outside-dns and cannot resolve host address issue

Posted: Sun May 29, 2016 9:13 am
by SGWW
OpenVPN server version is

root@debian:/# openvpn --version
OpenVPN 2.3.11 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on May 26 2016
library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=no enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no
The server config is
local *.*.*.*
port 443
proto tcp
dev tun0
ca ca.crt
cert server1.crt
key server1.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# keepalive 10 120
tcp-queue-limit 256
tun-mtu 1400
ping 10
ping-exit 60
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
log /etc/openvpn/openvpn.log
verb 4
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
push "block-outside-dns"
OpenVPN client version is

C:\>openvpn --version
OpenVPN 2.3.11 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on May 10 2016
library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.09
Windows version 6.2 (Windows 8 or greater) 64bit
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_http_proxy=yes enable_iproute2=no enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=no enable_plugin_down_root=no enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=yes enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_special_build= with_sysroot=no
OpenVPN client config
client
dev tun
proto tcp
remote server1.ourvpn.domain 443
nobind
persist-key
persist-tun
auth-user-pass
comp-lzo
reneg-sec 0
tun-mtu 1400
verb 4
<ca>
-----BEGIN CERTIFICATE-----
IBAgIJAJadsasadaImy+
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
+ghkStPQ3fsd343Rv7EA
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MBbdGOsV2g==
-----END PRIVATE KEY-----
</key>
I connect to the VPN, then restart Wi-Fi, and when the OpenVPN client tries to reconnect the error "Cannot resolve host address" occurs.
The client connection log
Sun May 29 12:02:50 2016 us=329970 Current Parameter Settings:
Sun May 29 12:02:50 2016 us=329970 config = 'server1.ourvpn.domain.ovpn'
Sun May 29 12:02:50 2016 us=329970 mode = 0
Sun May 29 12:02:50 2016 us=329970 show_ciphers = DISABLED
Sun May 29 12:02:50 2016 us=329970 show_digests = DISABLED
Sun May 29 12:02:50 2016 us=329970 show_engines = DISABLED
Sun May 29 12:02:50 2016 us=329970 genkey = DISABLED
Sun May 29 12:02:50 2016 us=329970 key_pass_file = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 show_tls_ciphers = DISABLED
Sun May 29 12:02:50 2016 us=329970 Connection profiles [default]:
Sun May 29 12:02:50 2016 us=329970 proto = tcp-client
Sun May 29 12:02:50 2016 us=329970 local = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 local_port = 0
Sun May 29 12:02:50 2016 us=329970 remote = 'server1.ourvpn.domain'
Sun May 29 12:02:50 2016 us=329970 remote_port = 443
Sun May 29 12:02:50 2016 us=329970 remote_float = DISABLED
Sun May 29 12:02:50 2016 us=329970 bind_defined = DISABLED
Sun May 29 12:02:50 2016 us=329970 bind_local = DISABLED
Sun May 29 12:02:50 2016 us=329970 connect_retry_seconds = 5
Sun May 29 12:02:50 2016 us=329970 connect_timeout = 10
Sun May 29 12:02:50 2016 us=329970 connect_retry_max = 0
Sun May 29 12:02:50 2016 us=329970 socks_proxy_server = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 socks_proxy_port = 0
Sun May 29 12:02:50 2016 us=329970 socks_proxy_retry = DISABLED
Sun May 29 12:02:50 2016 us=329970 tun_mtu = 1400
Sun May 29 12:02:50 2016 us=329970 tun_mtu_defined = ENABLED
Sun May 29 12:02:50 2016 us=329970 link_mtu = 1500
Sun May 29 12:02:50 2016 us=329970 link_mtu_defined = DISABLED
Sun May 29 12:02:50 2016 us=329970 tun_mtu_extra = 0
Sun May 29 12:02:50 2016 us=329970 tun_mtu_extra_defined = DISABLED
Sun May 29 12:02:50 2016 us=329970 mtu_discover_type = -1
Sun May 29 12:02:50 2016 us=329970 fragment = 0
Sun May 29 12:02:50 2016 us=329970 mssfix = 1450
Sun May 29 12:02:50 2016 us=329970 explicit_exit_notification = 0
Sun May 29 12:02:50 2016 us=329970 Connection profiles END
Sun May 29 12:02:50 2016 us=329970 remote_random = DISABLED
Sun May 29 12:02:50 2016 us=329970 ipchange = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 dev = 'tun'
Sun May 29 12:02:50 2016 us=329970 dev_type = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 dev_node = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 lladdr = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 topology = 1
Sun May 29 12:02:50 2016 us=329970 tun_ipv6 = DISABLED
Sun May 29 12:02:50 2016 us=329970 ifconfig_local = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 ifconfig_remote_netmask = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 ifconfig_noexec = DISABLED
Sun May 29 12:02:50 2016 us=329970 ifconfig_nowarn = DISABLED
Sun May 29 12:02:50 2016 us=329970 ifconfig_ipv6_local = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 ifconfig_ipv6_netbits = 0
Sun May 29 12:02:50 2016 us=329970 ifconfig_ipv6_remote = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 shaper = 0
Sun May 29 12:02:50 2016 us=329970 mtu_test = 0
Sun May 29 12:02:50 2016 us=329970 mlock = DISABLED
Sun May 29 12:02:50 2016 us=329970 keepalive_ping = 0
Sun May 29 12:02:50 2016 us=329970 keepalive_timeout = 0
Sun May 29 12:02:50 2016 us=329970 inactivity_timeout = 0
Sun May 29 12:02:50 2016 us=329970 ping_send_timeout = 0
Sun May 29 12:02:50 2016 us=329970 ping_rec_timeout = 0
Sun May 29 12:02:50 2016 us=329970 ping_rec_timeout_action = 0
Sun May 29 12:02:50 2016 us=329970 ping_timer_remote = DISABLED
Sun May 29 12:02:50 2016 us=329970 remap_sigusr1 = 0
Sun May 29 12:02:50 2016 us=329970 persist_tun = ENABLED
Sun May 29 12:02:50 2016 us=329970 persist_local_ip = DISABLED
Sun May 29 12:02:50 2016 us=329970 persist_remote_ip = DISABLED
Sun May 29 12:02:50 2016 us=329970 persist_key = ENABLED
Sun May 29 12:02:50 2016 us=329970 passtos = DISABLED
Sun May 29 12:02:50 2016 us=329970 resolve_retry_seconds = 1000000000
Sun May 29 12:02:50 2016 us=329970 username = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 groupname = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 chroot_dir = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 cd_dir = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 writepid = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 up_script = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 down_script = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 down_pre = DISABLED
Sun May 29 12:02:50 2016 us=329970 up_restart = DISABLED
Sun May 29 12:02:50 2016 us=329970 up_delay = DISABLED
Sun May 29 12:02:50 2016 us=329970 daemon = DISABLED
Sun May 29 12:02:50 2016 us=329970 inetd = 0
Sun May 29 12:02:50 2016 us=329970 log = ENABLED
Sun May 29 12:02:50 2016 us=329970 suppress_timestamps = DISABLED
Sun May 29 12:02:50 2016 us=329970 nice = 0
Sun May 29 12:02:50 2016 us=329970 verbosity = 4
Sun May 29 12:02:50 2016 us=329970 mute = 0
Sun May 29 12:02:50 2016 us=329970 gremlin = 0
Sun May 29 12:02:50 2016 us=329970 status_file = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 status_file_version = 1
Sun May 29 12:02:50 2016 us=329970 status_file_update_freq = 60
Sun May 29 12:02:50 2016 us=329970 occ = ENABLED
Sun May 29 12:02:50 2016 us=329970 rcvbuf = 0
Sun May 29 12:02:50 2016 us=329970 sndbuf = 0
Sun May 29 12:02:50 2016 us=329970 sockflags = 0
Sun May 29 12:02:50 2016 us=329970 fast_io = DISABLED
Sun May 29 12:02:50 2016 us=329970 lzo = 7
Sun May 29 12:02:50 2016 us=329970 route_script = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 route_default_gateway = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 route_default_metric = 0
Sun May 29 12:02:50 2016 us=329970 route_noexec = DISABLED
Sun May 29 12:02:50 2016 us=329970 route_delay = 5
Sun May 29 12:02:50 2016 us=329970 route_delay_window = 30
Sun May 29 12:02:50 2016 us=329970 route_delay_defined = ENABLED
Sun May 29 12:02:50 2016 us=329970 route_nopull = DISABLED
Sun May 29 12:02:50 2016 us=329970 route_gateway_via_dhcp = DISABLED
Sun May 29 12:02:50 2016 us=329970 max_routes = 100
Sun May 29 12:02:50 2016 us=329970 allow_pull_fqdn = DISABLED
Sun May 29 12:02:50 2016 us=329970 management_addr = '127.0.0.1'
Sun May 29 12:02:50 2016 us=329970 management_port = 25341
Sun May 29 12:02:50 2016 us=329970 management_user_pass = 'stdin'
Sun May 29 12:02:50 2016 us=329970 management_log_history_cache = 250
Sun May 29 12:02:50 2016 us=329970 management_echo_buffer_size = 100
Sun May 29 12:02:50 2016 us=329970 management_write_peer_info_file = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 management_client_user = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 management_client_group = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 management_flags = 6
Sun May 29 12:02:50 2016 us=329970 shared_secret_file = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 key_direction = 0
Sun May 29 12:02:50 2016 us=329970 ciphername_defined = ENABLED
Sun May 29 12:02:50 2016 us=329970 ciphername = 'BF-CBC'
Sun May 29 12:02:50 2016 us=329970 authname_defined = ENABLED
Sun May 29 12:02:50 2016 us=329970 authname = 'SHA1'
Sun May 29 12:02:50 2016 us=329970 prng_hash = 'SHA1'
Sun May 29 12:02:50 2016 us=329970 prng_nonce_secret_len = 16
Sun May 29 12:02:50 2016 us=329970 keysize = 0
Sun May 29 12:02:50 2016 us=329970 engine = DISABLED
Sun May 29 12:02:50 2016 us=329970 replay = ENABLED
Sun May 29 12:02:50 2016 us=329970 mute_replay_warnings = DISABLED
Sun May 29 12:02:50 2016 us=329970 replay_window = 64
Sun May 29 12:02:50 2016 us=329970 replay_time = 15
Sun May 29 12:02:50 2016 us=329970 packet_id_file = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 use_iv = ENABLED
Sun May 29 12:02:50 2016 us=329970 test_crypto = DISABLED
Sun May 29 12:02:50 2016 us=329970 tls_server = DISABLED
Sun May 29 12:02:50 2016 us=329970 tls_client = ENABLED
Sun May 29 12:02:50 2016 us=329970 key_method = 2
Sun May 29 12:02:50 2016 us=329970 ca_file = '[[INLINE]]'
Sun May 29 12:02:50 2016 us=329970 ca_path = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 dh_file = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 cert_file = '[[INLINE]]'
Sun May 29 12:02:50 2016 us=329970 extra_certs_file = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 priv_key_file = '[[INLINE]]'
Sun May 29 12:02:50 2016 us=329970 pkcs12_file = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 cryptoapi_cert = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 cipher_list = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 tls_verify = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 tls_export_cert = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 verify_x509_type = 0
Sun May 29 12:02:50 2016 us=329970 verify_x509_name = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 crl_file = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 ns_cert_type = 0
Sun May 29 12:02:50 2016 us=329970 remote_cert_ku = 0
Sun May 29 12:02:50 2016 us=329970 remote_cert_ku = 0
Sun May 29 12:02:50 2016 us=329970 remote_cert_ku = 0
Sun May 29 12:02:50 2016 us=329970 remote_cert_ku = 0
Sun May 29 12:02:50 2016 us=329970 remote_cert_ku = 0
Sun May 29 12:02:50 2016 us=329970 remote_cert_ku = 0
Sun May 29 12:02:50 2016 us=329970 remote_cert_ku = 0
Sun May 29 12:02:50 2016 us=329970 remote_cert_ku = 0
Sun May 29 12:02:50 2016 us=329970 remote_cert_ku = 0
Sun May 29 12:02:50 2016 us=329970 remote_cert_ku = 0
Sun May 29 12:02:50 2016 us=329970 remote_cert_ku[i] = 0
Sun May 29 12:02:50 2016 us=329970 remote_cert_ku[i] = 0
Sun May 29 12:02:50 2016 us=329970 remote_cert_ku[i] = 0
Sun May 29 12:02:50 2016 us=329970 remote_cert_ku[i] = 0
Sun May 29 12:02:50 2016 us=329970 remote_cert_ku[i] = 0
Sun May 29 12:02:50 2016 us=329970 remote_cert_ku[i] = 0
Sun May 29 12:02:50 2016 us=329970 remote_cert_eku = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 ssl_flags = 0
Sun May 29 12:02:50 2016 us=329970 tls_timeout = 2
Sun May 29 12:02:50 2016 us=329970 renegotiate_bytes = 0
Sun May 29 12:02:50 2016 us=329970 renegotiate_packets = 0
Sun May 29 12:02:50 2016 us=329970 renegotiate_seconds = 0
Sun May 29 12:02:50 2016 us=329970 handshake_window = 60
Sun May 29 12:02:50 2016 us=329970 transition_window = 3600
Sun May 29 12:02:50 2016 us=329970 single_session = DISABLED
Sun May 29 12:02:50 2016 us=329970 push_peer_info = DISABLED
Sun May 29 12:02:50 2016 us=329970 tls_exit = DISABLED
Sun May 29 12:02:50 2016 us=329970 tls_auth_file = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 pkcs11_protected_authentication = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_protected_authentication = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_protected_authentication = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_protected_authentication = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_protected_authentication = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_protected_authentication = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_protected_authentication = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_protected_authentication = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_protected_authentication = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_protected_authentication = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_protected_authentication = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_protected_authentication = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_protected_authentication = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_protected_authentication = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_protected_authentication = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_protected_authentication = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_private_mode = 00000000
Sun May 29 12:02:50 2016 us=329970 pkcs11_private_mode = 00000000
Sun May 29 12:02:50 2016 us=329970 pkcs11_private_mode = 00000000
Sun May 29 12:02:50 2016 us=329970 pkcs11_private_mode = 00000000
Sun May 29 12:02:50 2016 us=329970 pkcs11_private_mode = 00000000
Sun May 29 12:02:50 2016 us=329970 pkcs11_private_mode = 00000000
Sun May 29 12:02:50 2016 us=329970 pkcs11_private_mode = 00000000
Sun May 29 12:02:50 2016 us=329970 pkcs11_private_mode = 00000000
Sun May 29 12:02:50 2016 us=329970 pkcs11_private_mode = 00000000
Sun May 29 12:02:50 2016 us=329970 pkcs11_private_mode = 00000000
Sun May 29 12:02:50 2016 us=329970 pkcs11_private_mode = 00000000
Sun May 29 12:02:50 2016 us=329970 pkcs11_private_mode = 00000000
Sun May 29 12:02:50 2016 us=329970 pkcs11_private_mode = 00000000
Sun May 29 12:02:50 2016 us=329970 pkcs11_private_mode = 00000000
Sun May 29 12:02:50 2016 us=329970 pkcs11_private_mode = 00000000
Sun May 29 12:02:50 2016 us=329970 pkcs11_private_mode = 00000000
Sun May 29 12:02:50 2016 us=329970 pkcs11_cert_private = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_cert_private = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_cert_private = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_cert_private = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_cert_private = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_cert_private = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_cert_private = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_cert_private = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_cert_private = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_cert_private = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_cert_private = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_cert_private = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_cert_private = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_cert_private = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_cert_private = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_cert_private = DISABLED
Sun May 29 12:02:50 2016 us=329970 pkcs11_pin_cache_period = -1
Sun May 29 12:02:50 2016 us=329970 pkcs11_id = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 pkcs11_id_management = DISABLED
Sun May 29 12:02:50 2016 us=329970 server_network = 0.0.0.0
Sun May 29 12:02:50 2016 us=329970 server_netmask = 0.0.0.0
Sun May 29 12:02:50 2016 us=329970 server_network_ipv6 = ::
Sun May 29 12:02:50 2016 us=329970 server_netbits_ipv6 = 0
Sun May 29 12:02:50 2016 us=329970 server_bridge_ip = 0.0.0.0
Sun May 29 12:02:50 2016 us=329970 server_bridge_netmask = 0.0.0.0
Sun May 29 12:02:50 2016 us=329970 server_bridge_pool_start = 0.0.0.0
Sun May 29 12:02:50 2016 us=329970 server_bridge_pool_end = 0.0.0.0
Sun May 29 12:02:50 2016 us=329970 ifconfig_pool_defined = DISABLED
Sun May 29 12:02:50 2016 us=329970 ifconfig_pool_start = 0.0.0.0
Sun May 29 12:02:50 2016 us=329970 ifconfig_pool_end = 0.0.0.0
Sun May 29 12:02:50 2016 us=329970 ifconfig_pool_netmask = 0.0.0.0
Sun May 29 12:02:50 2016 us=329970 ifconfig_pool_persist_filename = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 ifconfig_pool_persist_refresh_freq = 600
Sun May 29 12:02:50 2016 us=329970 ifconfig_ipv6_pool_defined = DISABLED
Sun May 29 12:02:50 2016 us=329970 ifconfig_ipv6_pool_base = ::
Sun May 29 12:02:50 2016 us=329970 ifconfig_ipv6_pool_netbits = 0
Sun May 29 12:02:50 2016 us=329970 n_bcast_buf = 256
Sun May 29 12:02:50 2016 us=329970 tcp_queue_limit = 64
Sun May 29 12:02:50 2016 us=329970 real_hash_size = 256
Sun May 29 12:02:50 2016 us=329970 virtual_hash_size = 256
Sun May 29 12:02:50 2016 us=329970 client_connect_script = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 learn_address_script = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 client_disconnect_script = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 client_config_dir = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 ccd_exclusive = DISABLED
Sun May 29 12:02:50 2016 us=329970 tmp_dir = 'C:\Users\sgww\AppData\Local\Temp\'
Sun May 29 12:02:50 2016 us=329970 push_ifconfig_defined = DISABLED
Sun May 29 12:02:50 2016 us=329970 push_ifconfig_local = 0.0.0.0
Sun May 29 12:02:50 2016 us=329970 push_ifconfig_remote_netmask = 0.0.0.0
Sun May 29 12:02:50 2016 us=329970 push_ifconfig_ipv6_defined = DISABLED
Sun May 29 12:02:50 2016 us=329970 push_ifconfig_ipv6_local = ::/0
Sun May 29 12:02:50 2016 us=329970 push_ifconfig_ipv6_remote = ::
Sun May 29 12:02:50 2016 us=329970 enable_c2c = DISABLED
Sun May 29 12:02:50 2016 us=329970 duplicate_cn = DISABLED
Sun May 29 12:02:50 2016 us=329970 cf_max = 0
Sun May 29 12:02:50 2016 us=329970 cf_per = 0
Sun May 29 12:02:50 2016 us=329970 max_clients = 1024
Sun May 29 12:02:50 2016 us=329970 max_routes_per_client = 256
Sun May 29 12:02:50 2016 us=329970 auth_user_pass_verify_script = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 auth_user_pass_verify_script_via_file = DISABLED
Sun May 29 12:02:50 2016 us=329970 client = ENABLED
Sun May 29 12:02:50 2016 us=329970 pull = ENABLED
Sun May 29 12:02:50 2016 us=329970 auth_user_pass_file = 'stdin'
Sun May 29 12:02:50 2016 us=329970 show_net_up = DISABLED
Sun May 29 12:02:50 2016 us=329970 route_method = 0
Sun May 29 12:02:50 2016 us=329970 block_outside_dns = DISABLED
Sun May 29 12:02:50 2016 us=329970 ip_win32_defined = DISABLED
Sun May 29 12:02:50 2016 us=329970 ip_win32_type = 3
Sun May 29 12:02:50 2016 us=329970 dhcp_masq_offset = 0
Sun May 29 12:02:50 2016 us=329970 dhcp_lease_time = 31536000
Sun May 29 12:02:50 2016 us=329970 tap_sleep = 0
Sun May 29 12:02:50 2016 us=329970 dhcp_options = DISABLED
Sun May 29 12:02:50 2016 us=329970 dhcp_renew = DISABLED
Sun May 29 12:02:50 2016 us=329970 dhcp_pre_release = DISABLED
Sun May 29 12:02:50 2016 us=329970 dhcp_release = DISABLED
Sun May 29 12:02:50 2016 us=329970 domain = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 netbios_scope = '[UNDEF]'
Sun May 29 12:02:50 2016 us=329970 netbios_node_type = 0
Sun May 29 12:02:50 2016 us=329970 disable_nbt = DISABLED
Sun May 29 12:02:50 2016 us=329970 OpenVPN 2.3.11 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on May 10 2016
Sun May 29 12:02:50 2016 us=329970 Windows version 6.2 (Windows 8 or greater) 64bit
Sun May 29 12:02:50 2016 us=329970 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.09
Enter Management Password:
Sun May 29 12:02:50 2016 us=329970 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Sun May 29 12:02:50 2016 us=329970 Need hold release from management interface, waiting...
Sun May 29 12:02:50 2016 us=830025 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Sun May 29 12:02:50 2016 us=939407 MANAGEMENT: CMD 'state on'
Sun May 29 12:02:50 2016 us=939407 MANAGEMENT: CMD 'log all on'
Sun May 29 12:02:51 2016 us=64383 MANAGEMENT: CMD 'hold off'
Sun May 29 12:02:51 2016 us=64383 MANAGEMENT: CMD 'hold release'
Sun May 29 12:03:05 2016 us=48659 MANAGEMENT: CMD 'username "Auth" "svpn149"'
Sun May 29 12:03:05 2016 us=48659 MANAGEMENT: CMD 'password [...]'
Sun May 29 12:03:05 2016 us=48659 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun May 29 12:03:05 2016 us=158011 LZO compression initialized
Sun May 29 12:03:05 2016 us=173636 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Sun May 29 12:03:05 2016 us=173636 Control Channel MTU parms [ L:1444 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Sun May 29 12:03:05 2016 us=173636 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun May 29 12:03:05 2016 us=173636 MANAGEMENT: >STATE:1464512585,RESOLVE,,,
Sun May 29 12:03:05 2016 us=345550 Data Channel MTU parms [ L:1444 D:1444 EF:44 EB:143 ET:0 EL:3 AF:3/1 ]
Sun May 29 12:03:05 2016 us=345550 Local Options String: 'V4,dev-type tun,link-mtu 1444,tun-mtu 1400,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sun May 29 12:03:05 2016 us=345550 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1444,tun-mtu 1400,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sun May 29 12:03:05 2016 us=345550 Local Options hash (VER=V4): '7dfc3732'
Sun May 29 12:03:05 2016 us=345550 Expected Remote Options hash (VER=V4): '347277f0'
Sun May 29 12:03:05 2016 us=345550 Attempting to establish TCP connection with [AF_INET]*.*.*.*:443 [nonblock]
Sun May 29 12:03:05 2016 us=345550 MANAGEMENT: >STATE:1464512585,TCP_CONNECT,,,
Sun May 29 12:03:06 2016 us=345579 TCP connection established with [AF_INET]*.*.*.*:443
Sun May 29 12:03:06 2016 us=345579 TCPv4_CLIENT link local: [undef]
Sun May 29 12:03:06 2016 us=345579 TCPv4_CLIENT link remote: [AF_INET]*.*.*.*:443
Sun May 29 12:03:06 2016 us=345579 MANAGEMENT: >STATE:1464512586,WAIT,,,
Sun May 29 12:03:06 2016 us=423730 MANAGEMENT: >STATE:1464512586,AUTH,,,
Sun May 29 12:03:06 2016 us=423730 TLS: Initial packet from [AF_INET]*.*.*.*:443, sid=f00e72e7 96cfdb5e
Sun May 29 12:03:06 2016 us=423730 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun May 29 12:03:06 2016 us=736247 VERIFY OK: depth=1, C=HK, ST=HK, L=Hong Kong, O=IT Privacy limited, OU=secretvpn, CN=IT Privacy limited CA, name=EasyRSA, emailAddress=support@secretvpn.net
Sun May 29 12:03:06 2016 us=736247 VERIFY OK: depth=0, C=HK, ST=HK, L=Hong Kong, O=IT Privacy limited, OU=secretvpn, CN=server1, name=EasyRSA, emailAddress=support@secretvpn.net
Sun May 29 12:03:07 2016 us=79994 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun May 29 12:03:07 2016 us=79994 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun May 29 12:03:07 2016 us=79994 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun May 29 12:03:07 2016 us=79994 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun May 29 12:03:07 2016 us=79994 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sun May 29 12:03:07 2016 us=79994 [server1] Peer Connection Initiated with [AF_INET]*.*.*.*:443
Sun May 29 12:03:08 2016 us=113413 MANAGEMENT: >STATE:1464512588,GET_CONFIG,,,
Sun May 29 12:03:09 2016 us=149752 SENT CONTROL [server1]: 'PUSH_REQUEST' (status=1)
Sun May 29 12:03:09 2016 us=290389 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,block-outside-dns,route 10.8.0.1,topology net30,ifconfig 10.8.0.6 10.8.0.5'
Sun May 29 12:03:09 2016 us=290389 OPTIONS IMPORT: --ifconfig/up options modified
Sun May 29 12:03:09 2016 us=290389 OPTIONS IMPORT: route options modified
Sun May 29 12:03:09 2016 us=290389 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun May 29 12:03:09 2016 us=321637 ROUTE_GATEWAY 192.168.43.1/255.255.255.0 I=12 HWADDR=c4:85:08:97:45:1e
Sun May 29 12:03:09 2016 us=368514 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun May 29 12:03:09 2016 us=368514 MANAGEMENT: >STATE:1464512589,ASSIGN_IP,,10.8.0.6,
Sun May 29 12:03:09 2016 us=368514 open_tun, tt->ipv6=0
Sun May 29 12:03:09 2016 us=368514 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{8373657A-5DAE-449A-B7D7-4D5261EB0E84}.tap
Sun May 29 12:03:09 2016 us=368514 TAP-Windows Driver Version 9.21
Sun May 29 12:03:09 2016 us=368514 TAP-Windows MTU=1500
Sun May 29 12:03:09 2016 us=384150 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {8373657A-5DAE-449A-B7D7-4D5261EB0E84} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Sun May 29 12:03:09 2016 us=384150 DHCP option string: 06080808 08080808 0404
Sun May 29 12:03:09 2016 us=384150 Successful ARP Flush on interface [59] {8373657A-5DAE-449A-B7D7-4D5261EB0E84}
Sun May 29 12:03:09 2016 us=446636 Blocking outside DNS
Sun May 29 12:03:09 2016 us=446636 Opening WFP engine
Sun May 29 12:03:09 2016 us=446636 Adding WFP sublayer
Sun May 29 12:03:09 2016 us=462263 Blocking DNS using WFP
Sun May 29 12:03:09 2016 us=462263 Tap Luid: 1688850011258880
Sun May 29 12:03:09 2016 us=462263 Filter (Permit OpenVPN IPv4 DNS) added with ID=1384084
Sun May 29 12:03:09 2016 us=462263 Filter (Permit OpenVPN IPv6 DNS) added with ID=1384085
Sun May 29 12:03:09 2016 us=462263 Filter (Block IPv4 DNS) added with ID=1384086
Sun May 29 12:03:09 2016 us=462263 Filter (Block IPv6 DNS) added with ID=1384087
Sun May 29 12:03:09 2016 us=462263 Filter (Permit IPv4 DNS queries from TAP) added with ID=1384088
Sun May 29 12:03:09 2016 us=462263 Filter (Permit IPv6 DNS queries from TAP) added with ID=1384089
Sun May 29 12:03:14 2016 us=451554 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
Sun May 29 12:03:14 2016 us=451554 C:\Windows\system32\route.exe ADD *.*.*.* MASK 255.255.255.255 192.168.43.1
Sun May 29 12:03:14 2016 us=467178 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
Sun May 29 12:03:14 2016 us=467178 Route addition via IPAPI succeeded [adaptive]
Sun May 29 12:03:14 2016 us=467178 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Sun May 29 12:03:14 2016 us=482801 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Sun May 29 12:03:14 2016 us=482801 Route addition via IPAPI succeeded [adaptive]
Sun May 29 12:03:14 2016 us=482801 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Sun May 29 12:03:14 2016 us=498426 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Sun May 29 12:03:14 2016 us=498426 Route addition via IPAPI succeeded [adaptive]
Sun May 29 12:03:14 2016 us=498426 MANAGEMENT: >STATE:1464512594,ADD_ROUTES,,,
Sun May 29 12:03:14 2016 us=498426 C:\Windows\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.5
Sun May 29 12:03:14 2016 us=514052 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Sun May 29 12:03:14 2016 us=514052 Route addition via IPAPI succeeded [adaptive]
Sun May 29 12:03:14 2016 us=514052 C:\Windows\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Sun May 29 12:03:14 2016 us=514052 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Sun May 29 12:03:14 2016 us=514052 Route addition via IPAPI succeeded [adaptive]
Sun May 29 12:03:14 2016 us=514052 Initialization Sequence Completed
Sun May 29 12:03:14 2016 us=514052 MANAGEMENT: >STATE:1464512594,CONNECTED,SUCCESS,10.8.0.6,*.*.*.*
Sun May 29 12:06:44 2016 us=255537 read TCPv4_CLIENT: Connection timed out (WSAETIMEDOUT) (code=10060)
Sun May 29 12:06:44 2016 us=255537 Connection reset, restarting [-1]
Sun May 29 12:06:44 2016 us=255537 TCP/UDP: Closing socket
Sun May 29 12:06:44 2016 us=255537 SIGUSR1[soft,connection-reset] received, process restarting
Sun May 29 12:06:44 2016 us=255537 MANAGEMENT: >STATE:1464512804,RECONNECTING,connection-reset,,
Sun May 29 12:06:44 2016 us=255537 Restart pause, 5 second(s)
Sun May 29 12:06:49 2016 us=256842 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun May 29 12:06:49 2016 us=256842 Re-using SSL/TLS context
Sun May 29 12:06:49 2016 us=256842 LZO compression initialized
Sun May 29 12:06:49 2016 us=256842 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Sun May 29 12:06:49 2016 us=256842 Control Channel MTU parms [ L:1444 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Sun May 29 12:06:49 2016 us=256842 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun May 29 12:06:49 2016 us=256842 MANAGEMENT: >STATE:1464512809,RESOLVE,,,
Sun May 29 12:07:01 2016 us=273773 RESOLVE: Cannot resolve host address: server1.ourvpn.domain: Этот хост неизвестен.
Sun May 29 12:07:01 2016 us=273773 Data Channel MTU parms [ L:1444 D:1444 EF:44 EB:143 ET:0 EL:3 AF:3/1 ]
Sun May 29 12:07:01 2016 us=273773 Local Options String: 'V4,dev-type tun,link-mtu 1444,tun-mtu 1400,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sun May 29 12:07:01 2016 us=273773 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1444,tun-mtu 1400,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sun May 29 12:07:01 2016 us=273773 Local Options hash (VER=V4): '7dfc3732'
Sun May 29 12:07:01 2016 us=273773 Expected Remote Options hash (VER=V4): '347277f0'
Sun May 29 12:07:01 2016 us=273773 MANAGEMENT: >STATE:1464512821,RESOLVE,,,
Sun May 29 12:07:13 2016 us=302359 RESOLVE: Cannot resolve host address: server1.ourvpn.domain: Этот хост неизвестен.
Sun May 29 12:07:30 2016 us=346983 RESOLVE: Cannot resolve host address: server1.ourvpn.domain: Этот хост неизвестен.
Sun May 29 12:07:47 2016 us=390154 RESOLVE: Cannot resolve host address: server1.ourvpn.domain: Этот хост неизвестен.
Sun May 29 12:08:04 2016 us=421238 RESOLVE: Cannot resolve host address: server1.ourvpn.domain: Этот хост неизвестен.
Sun May 29 12:08:21 2016 us=460368 RESOLVE: Cannot resolve host address: server1.ourvpn.domain: Этот хост неизвестен.
Sun May 29 12:08:38 2016 us=498007 RESOLVE: Cannot resolve host address: server1.ourvpn.domain: Этот хост неизвестен.
Sun May 29 12:08:55 2016 us=550962 RESOLVE: Cannot resolve host address: server1.ourvpn.domain: Этот хост неизвестен.
Sun May 29 12:09:12 2016 us=615410 RESOLVE: Cannot resolve host address: server1.ourvpn.domain: Этот хост неизвестен.
Sun May 29 12:09:29 2016 us=672182 RESOLVE: Cannot resolve host address: server1.ourvpn.domain: Этот хост неизвестен.
Sun May 29 12:09:46 2016 us=711883 RESOLVE: Cannot resolve host address: server1.ourvpn.domain: Этот хост неизвестен.


System DNS does not work either until the current OpenVPN connection is manually closed.

Code:

C:\>nslookup
DNS request timed out.
    timeout was 2 seconds.
Default Server:  UnKnown
Address:  8.8.8.8

> openvpn.net
Server:  UnKnown
Address:  8.8.8.8

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
>

Re: block-outside-dns and cannot resolve host address issue

Posted: Sun May 29, 2016 11:14 am
by Traffic
SGWW wrote:
Sun May 29 12:03:14 2016 us=514052 MANAGEMENT: STATE:1464512594,CONNECTED,SUCCESS,10.8.0.6,*.*.*.*
Sun May 29 12:06:44 2016 us=255537 read TCPv4_CLIENT: Connection timed out (WSAETIMEDOUT) (code=10060)
Sun May 29 12:06:44 2016 us=255537 Connection reset, restarting [-1]
Sun May 29 12:06:44 2016 us=255537 TCP/UDP: Closing socket
Try adding

Code:

keepalive 10 60
to your server config .. You can adjust the values as needed.

Re: block-outside-dns and cannot resolve host address issue

Posted: Mon May 30, 2016 12:28 pm
by SGWW
I've tried; nothing has changed.

Re: block-outside-dns and cannot resolve host address issue

Posted: Tue May 31, 2016 12:25 pm
by FalconTent
Try removing this:

Code:

persist-key
persist-tun
from your client config.

Re: block-outside-dns and cannot resolve host address issue

Posted: Tue May 31, 2016 5:00 pm
by SGWW
Wow, Windowsectomy, thank you so much!

Removing persist-tun fixes this issue.
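An added example, not code from the thread or from OpenVPN: a small Python analyser that recognises the failure signature in the log posted above (block-outside-dns filters added, then repeated RESOLVE failures after RECONNECTING with no CONNECTED state in between) and a lint for the client-config combination the fix removed. The sample log is constructed from the lines posted above; the function names and the hint text are assumptions of this example.

```python
import re

# Constructed sample, cut down from the OpenVPN 2.3.11 client log posted in this
# thread: filters go in, the TCP link dies, every RESOLVE after RECONNECTING fails.
SAMPLE_LOG = """\
Sun May 29 12:03:09 2016 us=462263 Filter (Block IPv6 DNS) added with ID=1384087
Sun May 29 12:03:09 2016 us=462263 Filter (Permit IPv4 DNS queries from TAP) added with ID=1384088
Sun May 29 12:03:14 2016 us=514052 MANAGEMENT: >STATE:1464512594,CONNECTED,SUCCESS,10.8.0.6,*.*.*.*
Sun May 29 12:06:44 2016 us=255537 MANAGEMENT: >STATE:1464512804,RECONNECTING,connection-reset,,
Sun May 29 12:06:49 2016 us=256842 MANAGEMENT: >STATE:1464512809,RESOLVE,,,
Sun May 29 12:07:01 2016 us=273773 RESOLVE: Cannot resolve host address: server1.ourvpn.domain: Этот хост неизвестен.
Sun May 29 12:07:13 2016 us=302359 RESOLVE: Cannot resolve host address: server1.ourvpn.domain: Этот хост неизвестен.
"""

FILTER_ADDED = re.compile(r"Filter \((?P<name>[^)]+)\) added with ID=(?P<id>\d+)")
STATE = re.compile(r">STATE:\d+,(?P<state>[A-Z_]+),")
RESOLVE_FAIL = re.compile(r"RESOLVE: Cannot resolve host address: (?P<host>[^:]+):")

def analyse(log: str) -> dict:
    """Flag a reconnect whose name resolution fails while block-outside-dns WFP
    filters are still active (the log never reports them removed, so they count)."""
    active = {}                 # filter ID -> filter name, from "Filter (...) added"
    reconnecting, failures, host = False, 0, None
    for line in log.splitlines():
        if m := FILTER_ADDED.search(line):
            active[m.group("id")] = m.group("name")
        elif m := STATE.search(line):
            if m.group("state") == "RECONNECTING":
                reconnecting, failures = True, 0
            elif m.group("state") == "CONNECTED":   # RESOLVE etc. keep the reconnect open
                reconnecting = False
        elif reconnecting and (m := RESOLVE_FAIL.search(line)):
            failures += 1
            host = m.group("host").strip()
    if reconnecting and failures and active:
        return {"host": host, "failures": failures,
                "active_filters": sorted(active.values()),
                "hint": "DNS blocked during reconnect: block-outside-dns filters "
                        "survived the restart; check the client config for persist-tun"}
    return {}

def risky_client_config(cfg: str) -> bool:
    """True when a client config pairs persist-tun with a remote given as a hostname
    rather than an IPv4 literal, the pairing this thread traces the failure to."""
    opts = [s for s in (l.split() for l in cfg.splitlines()) if s and s[0][0] not in "#;"]
    persist_tun = any(o[0] == "persist-tun" for o in opts)
    hostname_remote = any(o[0] == "remote" and len(o) > 1
                          and not re.fullmatch(r"[\d.]+", o[1]) for o in opts)
    return persist_tun and hostname_remote
```

Run `analyse` over a client log after a dropped link; an empty dict means the reconnect either resolved the name or never had the filters in place.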