DuckDNS - unable to resolve

[superdx]

On iOS (iPhone or iPad), under wifi network (Airport Express), OpenVPN seems to be stuck at at "Looking up DNS name". However on all my OSX machines I'm able to connect to my OpenVPN servers which have DuckDNS hostnames using Tunnelblick as the client (latest version).

I've tried connecting to the same server with iOS Safari and can get to webpages fine, so it doesn't appear to be a DNS look-up problem with iOS and the DuckDNS service.

Adding to the wrinkle, if I switch to a 3G connection (no longer wifi), OpenVPN Connect is able to connect immediately.

I'm at a loss to pinpoint the source problem, any ideas? Below is the log file while connected to wifi:

Code: Select all

2016-02-15 00:44:47 LZO-ASYM init swap=0 asym=0
2016-02-15 00:44:47 EVENT: RESOLVE
2016-02-15 00:44:57 Server poll timeout, trying next remote entry...
2016-02-15 00:44:57 EVENT: RECONNECTING
2016-02-15 00:44:57 LZO-ASYM init swap=0 asym=0
2016-02-15 00:44:57 EVENT: RESOLVE
2016-02-15 00:45:07 Server poll timeout, trying next remote entry...
2016-02-15 00:45:07 EVENT: RECONNECTING
2016-02-15 00:45:07 LZO-ASYM init swap=0 asym=0
2016-02-15 00:45:07 EVENT: RESOLVE
2016-02-15 00:45:17 Server poll timeout, trying next remote entry...
2016-02-15 00:45:17 EVENT: RECONNECTING
2016-02-15 00:45:17 LZO-ASYM init swap=0 asym=0
2016-02-15 00:45:17 EVENT: RESOLVE

[superdx]

Add to this, took my iPad to a restaurant that had free wifi. Was able to connect fine and get on Google and Facebook. OpenVPN Connect was not able to connect to my servers, but again switching to 3G, it immediately connected.

Seems like there's handling differences when the connection source is changed.

[Traffic]

Some free wifi block you from using VPN in order to steal your information ..

[superdx]

That's a reasonable assumption, though it was a small family restaurant so I doubt they have a "network admin" working on their payroll. It first happened on my home wifi which is not restricted either.

[Traffic]

Perhaps their ISP does not offer full services ..

[superdx]

I'm not sure you can buy those kinds of internet services in my city

[superdx]

My home internet I can connect fine on Mac using Tunnelblick as a client. The same configuration files imported verbatim fail on all iOS devices (iPad, iPhone, iPad Pro)

[Traffic]

Can you ping your duckdns-name without using openvpn from all your different devices ?

[superdx]

Yep I can, even downloaded a ping app for iOS

[Traffic]

Which means all of your devices have working DNS .. and can locate IP address for your DNS name.

Which probably indicates that some of the places you try to connect to your VPN from block you.

Try running your VPN server with:

Code: Select all

proto tcp
port 443

and try from those places again.

[superdx]

haha, I've repeated this a couple times, but I'll do it one more time!

My Macs & Windows PCs, on the same networks, can connect to OpenVPN servers fine.

Only iOS devices cannot. On the same networks.

So it's not the network blocking.

[superdx]

Let me also add, Android devices (I just tried this) can connect fine. iOS still stuck at resolving DNS.

[Traffic]

You really have not provided any details .. so .. check your DNS settings.

[superdx]

Here's my iOS log, all I've done is remove the hostname. You can see the 1st entry where it can connect and then where it cannot. That is when I switch from 3G to wifi.

I'll repeat. On those same wifi networks, my Macs and Android devices can connect fine.

Code: Select all

2016-02-15 00:42:00 LZO-ASYM init swap=0 asym=0 
2016-02-15 00:42:00 EVENT: ASSIGN_IP 
2016-02-15 00:42:00 Connected via tun 
2016-02-15 00:42:00 EVENT: CONNECTED @****.duckdns.org:1194 (**.**.**.**) via /UDPv4 on tun/10.8.0.6/ 
2016-02-15 00:42:00 SetStatus Connected 
2016-02-15 00:42:50 TUN reset routes 
2016-02-15 00:42:50 EVENT: DISCONNECTED 
2016-02-15 00:42:50 Raw stats on disconnect: 
BYTES_IN : 5991 
BYTES_OUT : 17198 
PACKETS_IN : 56 
PACKETS_OUT : 185 
TUN_BYTES_IN : 6768 
TUN_BYTES_OUT : 1293 
TUN_PACKETS_IN : 141 
TUN_PACKETS_OUT : 13 
N_RECONNECT : 4 
2016-02-15 00:42:50 Performance stats on disconnect: 
CPU usage (microseconds): 122671 
Tunnel compression ratio (uplink): 2.54108 
Tunnel compression ratio (downlink): 4.63341 
Network bytes per CPU second: 189034 
Tunnel bytes per CPU second: 65712 
2016-02-15 00:42:50 ----- OpenVPN Stop ----- 
2016-02-15 00:44:47 ----- OpenVPN Start ----- 
OpenVPN core 3.0 ios arm64 64-bit 
2016-02-15 00:44:47 UNUSED OPTIONS 
4 [nobind] 
5 [persist-key] 
6 [persist-tun] 
13 [verb] [3] 

2016-02-15 00:44:47 LZO-ASYM init swap=0 asym=0 
2016-02-15 00:44:47 EVENT: RESOLVE 
2016-02-15 00:44:57 Server poll timeout, trying next remote entry... 
2016-02-15 00:44:57 EVENT: RECONNECTING 
2016-02-15 00:44:57 LZO-ASYM init swap=0 asym=0 
2016-02-15 00:44:57 EVENT: RESOLVE 
2016-02-15 00:45:07 Server poll timeout, trying next remote entry... 
2016-02-15 00:45:07 EVENT: RECONNECTING 
2016-02-15 00:45:07 LZO-ASYM init swap=0 asym=0 
2016-02-15 00:45:07 EVENT: RESOLVE 
2016-02-15 00:45:17 Server poll timeout, trying next remote entry... 
2016-02-15 00:45:17 EVENT: RECONNECTING 
2016-02-15 00:45:17 LZO-ASYM init swap=0 asym=0 
2016-02-15 00:45:17 EVENT: RESOLVE 
2016-02-15 00:45:27 Server poll timeout, trying next remote entry... 
2016-02-15 00:45:27 EVENT: RECONNECTING 
2016-02-15 00:45:27 LZO-ASYM init swap=0 asym=0 
2016-02-15 00:45:27 EVENT: RESOLVE 
2016-02-15 00:45:37 Server poll timeout, trying next remote entry... 
2016-02-15 00:45:37 EVENT: RECONNECTING 
2016-02-15 00:45:37 LZO-ASYM init swap=0 asym=0 
2016-02-15 00:45:37 EVENT: RESOLVE 
2016-02-15 00:45:47 EVENT: CONNECTION_TIMEOUT [ERR] 
2016-02-15 00:45:47 EVENT: DISCONNECTED 
2016-02-15 00:45:48 Raw stats on disconnect: 
CONNECTION_TIMEOUT : 1 
N_RECONNECT : 5 
2016-02-15 00:45:48 Performance stats on disconnect: 
CPU usage (microseconds): 19070 
Network bytes per CPU second: 0 
Tunnel bytes per CPU second: 0 
2016-02-15 00:45:48 EVENT: DISCONNECT_PENDING 
2016-02-15 00:45:48 ----- OpenVPN Stop ----- 
2016-02-16 08:49:51 ----- OpenVPN Start ----- 
OpenVPN core 3.0 ios arm64 64-bit 
2016-02-16 08:49:51 UNUSED OPTIONS 
4 [resolv-retry] [infinite] 
5 [nobind] 
6 [persist-key] 
7 [persist-tun] 
13 [verb] [3] 

2016-02-16 08:49:51 LZO-ASYM init swap=0 asym=0 
2016-02-16 08:49:51 EVENT: RESOLVE 
2016-02-16 08:50:01 Server poll timeout, trying next remote entry... 
2016-02-16 08:50:01 EVENT: RECONNECTING 
2016-02-16 08:50:01 LZO-ASYM init swap=0 asym=0 
2016-02-16 08:50:01 EVENT: RESOLVE 
2016-02-16 08:50:11 Server poll timeout, trying next remote entry... 
2016-02-16 08:50:11 EVENT: RECONNECTING 
2016-02-16 08:50:11 LZO-ASYM init swap=0 asym=0 
2016-02-16 08:50:11 EVENT: RESOLVE 
2016-02-16 08:50:22 Server poll timeout, trying next remote entry... 
2016-02-16 08:50:22 EVENT: RECONNECTING 
2016-02-16 08:50:22 LZO-ASYM init swap=0 asym=0 
2016-02-16 08:50:22 EVENT: RESOLVE 
2016-02-16 08:50:32 Server poll timeout, trying next remote entry... 
2016-02-16 08:50:32 EVENT: RECONNECTING 
2016-02-16 08:50:32 LZO-ASYM init swap=0 asym=0 
2016-02-16 08:50:32 EVENT: RESOLVE 
2016-02-16 08:50:42 Server poll timeout, trying next remote entry... 
2016-02-16 08:50:42 EVENT: RECONNECTING 
2016-02-16 08:50:42 LZO-ASYM init swap=0 asym=0 
2016-02-16 08:50:42 EVENT: RESOLVE 
2016-02-16 08:50:51 EVENT: CONNECTION_TIMEOUT [ERR] 
2016-02-16 08:50:51 EVENT: DISCONNECTED 
2016-02-16 08:50:52 Raw stats on disconnect: 
CONNECTION_TIMEOUT : 1 
N_RECONNECT : 5 
2016-02-16 08:50:52 Performance stats on disconnect: 
CPU usage (microseconds): 24300 
Network bytes per CPU second: 0 
Tunnel bytes per CPU second: 0 
2016-02-16 08:50:52 EVENT: DISCONNECT_PENDING 
2016-02-16 08:50:52 ----- OpenVPN Stop ----- 
2016-02-16 08:50:54 ----- OpenVPN Start ----- 
OpenVPN core 3.0 ios arm64 64-bit 
2016-02-16 08:50:54 UNUSED OPTIONS 
4 [resolv-retry] [infinite] 
5 [nobind] 
6 [persist-key] 
7 [persist-tun] 
13 [verb] [3] 

[superdx]

Here's a Tunneblick log on the same wifi network which can connect fine.

Code: Select all

2016-02-17 09:43:38 *Tunnelblick: openvpnstart starting OpenVPN
2016-02-17 09:43:38 *Tunnelblick: OS X 10.11.3; Tunnelblick 3.5.5 (build 4270.4461); prior version 3.5.3 (build 4270.4371)
2016-02-17 09:43:38 *Tunnelblick: Attempting connection with ****; Set nameserver = 1; monitoring connection
2016-02-17 09:43:38 *Tunnelblick: openvpnstart start ****.tblk 1339 1 0 3 0 16688 -ptADGNWradsgnw 2.3.6
2016-02-17 09:43:39 *Tunnelblick: openvpnstart log:
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
     
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.6/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-S****.tblk-SContents-SResources-Sconfig.ovpn.1_0_3_0_16688.1339.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Shared/****.tblk/Contents/Resources
          --config
          /Library/Application Support/Tunnelblick/Shared/****.tblk/Contents/Resources/config.ovpn
          --cd
          /Library/Application Support/Tunnelblick/Shared/****.tblk/Contents/Resources
          --management
          127.0.0.1
          1339
          --management-query-passwords
          --management-hold
          --script-security
          2
          --up
          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -d -f -m -w -ptADGNWradsgnw
          --down
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -d -f -m -w -ptADGNWradsgnw

2016-02-17 09:43:39 OpenVPN 2.3.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Dec  4 2015
2016-02-17 09:43:39 library versions: OpenSSL 1.0.1q 3 Dec 2015, LZO 2.08
2016-02-17 09:43:39 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1339
2016-02-17 09:43:39 Need hold release from management interface, waiting...
2016-02-17 09:43:39 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1339
2016-02-17 09:43:39 MANAGEMENT: CMD 'pid'
2016-02-17 09:43:39 MANAGEMENT: CMD 'state on'
2016-02-17 09:43:39 MANAGEMENT: CMD 'state'
2016-02-17 09:43:39 MANAGEMENT: CMD 'bytecount 1'
2016-02-17 09:43:39 MANAGEMENT: CMD 'hold release'
2016-02-17 09:43:40 *Tunnelblick: Established communication with OpenVPN
2016-02-17 09:43:40 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2016-02-17 09:43:40 Socket Buffers: R=[196724->65536] S=[9216->65536]
2016-02-17 09:43:40 MANAGEMENT: >STATE:1455673420,RESOLVE,,,
2016-02-17 09:43:40 UDPv4 link local: [undef]
2016-02-17 09:43:40 UDPv4 link remote: [AF_INET]121.202.54.165:1194
2016-02-17 09:43:40 MANAGEMENT: >STATE:1455673420,WAIT,,,
2016-02-17 09:43:41 MANAGEMENT: >STATE:1455673421,AUTH,,,
2016-02-17 09:43:41 TLS: Initial packet from [AF_INET]121.202.54.165:1194, sid=eecdd8ff 2b1f17a0
2016-02-17 09:43:42 VERIFY OK: depth=1, C=CN, ST=NA, L=****, O=FT, OU=Software, CN=****.ddns.net, name=Name, emailAddress=***@***.com
2016-02-17 09:43:42 VERIFY OK: nsCertType=SERVER
2016-02-17 09:43:42 VERIFY OK: depth=0, C=CN, ST=NA, L=****, O=FT, OU=Software, CN=****.ddns.net, name=Name, emailAddress=***@***.com
2016-02-17 09:43:43 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2016-02-17 09:43:43 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2016-02-17 09:43:43 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2016-02-17 09:43:43 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2016-02-17 09:43:43 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
2016-02-17 09:43:43 [****.ddns.net] Peer Connection Initiated with [AF_INET]121.202.54.165:1194
2016-02-17 09:43:44 MANAGEMENT: >STATE:1455673424,GET_CONFIG,,,
2016-02-17 09:43:45 SENT CONTROL [****.ddns.net]: 'PUSH_REQUEST' (status=1)
2016-02-17 09:43:45 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9'
2016-02-17 09:43:45 OPTIONS IMPORT: timers and/or timeouts modified
2016-02-17 09:43:45 OPTIONS IMPORT: --ifconfig/up options modified
2016-02-17 09:43:45 OPTIONS IMPORT: route options modified
2016-02-17 09:43:45 Opening utun (connect(AF_SYS_CONTROL)): Resource busy
2016-02-17 09:43:45 Opening utun (connect(AF_SYS_CONTROL)): Resource busy
2016-02-17 09:43:45 Opened utun device utun2
2016-02-17 09:43:45 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2016-02-17 09:43:45 MANAGEMENT: >STATE:1455673425,ASSIGN_IP,,10.8.0.10,
2016-02-17 09:43:45 /sbin/ifconfig utun2 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2016-02-17 09:43:45 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2016-02-17 09:43:45 /sbin/ifconfig utun2 10.8.0.10 10.8.0.9 mtu 1500 netmask 255.255.255.255 up
2016-02-17 09:43:45 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -d -f -m -w -ptADGNWradsgnw utun2 1500 1558 10.8.0.10 10.8.0.9 init
                                        **********************************************
                                        Start of output from client.up.tunnelblick.sh
                                        No network configuration changes need to be made.
                                        Will NOT monitor for other network configuration changes.
                                        DNS servers '10.0.1.1' will be used for DNS queries when the VPN is active
                                        The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
                                        Flushed the DNS cache via dscacheutil
                                        /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                                        Notified mDNSResponder that the DNS cache was flushed
                                        End of output from client.up.tunnelblick.sh
                                        **********************************************
2016-02-17 09:43:47 MANAGEMENT: >STATE:1455673427,ADD_ROUTES,,,
2016-02-17 09:43:47 /sbin/route add -net 10.8.0.1 10.8.0.9 255.255.255.255
                                        add net 10.8.0.1: gateway 10.8.0.9
2016-02-17 09:43:47 Initialization Sequence Completed
2016-02-17 09:43:47 MANAGEMENT: >STATE:1455673427,CONNECTED,SUCCESS,10.8.0.10,121.202.54.165
2016-02-17 09:43:48 *Tunnelblick: No 'connected.sh' script to execute

[Traffic]

That is when I switch from 3G to wifi

check your DNS settings when you switch ..

[superdx]

I use Google DNS on wifi, 3G uses the carrier DNS.

Surely Google DNS is not blocking OpenVPN.

[Traffic]

Check your DNS setting when you switch ..

OpenVPN relies on your DNS server to resolve the host name.
Your DNS is not working when you switch ..

* If anybody else can offer some words of wisdom .. take it away *

[superdx]

What am I looking for exactly?

Here's the DNS on my iPhone which is pointing to my router:



And here's the DNS on my router:

[Traffic]

Your DNS server is 10.0.1.1 ..

but you cannot contact 10.0.1.1 because you are not connected to your VPN.