Openvpn: DNS not working when connected to ProtonVPN

I’m having what appears to be a DNS issue with a VPN connection. Using TurrisOS 4.0.1.

According to this:

Every VPN server acts as its own DNS server. ProtonVPN does not use third-party DNS servers.

When not connected to the VPN:

$ nslookup google.com
Server:		192.168.1.1
Address:	192.168.1.1#53

Non-authoritative answer:
Name:	google.com
Address: 172.217.8.206

$ nslookup google.com 206.55.176.52   <-- ISP's DNS
Server:		206.55.176.52
Address:	206.55.176.52#53

Non-authoritative answer:
Name:	google.com
Address: 172.217.8.206

$ nslookup google.com 8.8.8.8  <-- Google's DNS
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
Name:	google.com
Address: 172.217.4.78

$ nslookup google.com 69.10.63.243  <--- VPN server
;; connection timed out; no servers could be reached

The connection seems to work:

# openvpn --cd /etc/openvpn/com.protonvpn/ --config us.protonvpn.com.udp.ovpn
Sat Oct 26 17:49:05 2019 OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Oct 26 17:49:05 2019 library versions: OpenSSL 1.0.2t  10 Sep 2019, LZO 2.10
Sat Oct 26 17:49:05 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Oct 26 17:49:05 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Oct 26 17:49:05 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]69.10.63.243:80
Sat Oct 26 17:49:05 2019 Socket Buffers: R=[163840->163840] S=[163840->163840]
Sat Oct 26 17:49:05 2019 UDP link local: (not bound)
Sat Oct 26 17:49:05 2019 UDP link remote: [AF_INET]69.10.63.243:80
Sat Oct 26 17:49:05 2019 TLS: Initial packet from [AF_INET]69.10.63.243:80, sid=b5d02bff 7bad9a39
Sat Oct 26 17:49:05 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Oct 26 17:49:05 2019 VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
Sat Oct 26 17:49:05 2019 VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Sat Oct 26 17:49:05 2019 VERIFY KU OK
Sat Oct 26 17:49:05 2019 Validating certificate extended key usage
Sat Oct 26 17:49:05 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Oct 26 17:49:05 2019 VERIFY EKU OK
Sat Oct 26 17:49:05 2019 VERIFY OK: depth=0, CN=us-nj-09.protonvpn.com
Sat Oct 26 17:49:05 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Sat Oct 26 17:49:05 2019 [us-nj-09.protonvpn.com] Peer Connection Initiated with [AF_INET]69.10.63.243:80
Sat Oct 26 17:49:07 2019 SENT CONTROL [us-nj-09.protonvpn.com]: 'PUSH_REQUEST' (status=1)
Sat Oct 26 17:49:12 2019 SENT CONTROL [us-nj-09.protonvpn.com]: 'PUSH_REQUEST' (status=1)
Sat Oct 26 17:49:12 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.8.1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 4,cipher AES-256-GCM'
Sat Oct 26 17:49:12 2019 OPTIONS IMPORT: timers and/or timeouts modified
Sat Oct 26 17:49:12 2019 OPTIONS IMPORT: explicit notify parm(s) modified
Sat Oct 26 17:49:12 2019 OPTIONS IMPORT: compression parms modified
Sat Oct 26 17:49:12 2019 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Sat Oct 26 17:49:12 2019 Socket Buffers: R=[163840->327680] S=[163840->327680]
Sat Oct 26 17:49:12 2019 OPTIONS IMPORT: --ifconfig/up options modified
Sat Oct 26 17:49:12 2019 OPTIONS IMPORT: route options modified
Sat Oct 26 17:49:12 2019 OPTIONS IMPORT: route-related options modified
Sat Oct 26 17:49:12 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Oct 26 17:49:12 2019 OPTIONS IMPORT: peer-id set
Sat Oct 26 17:49:12 2019 OPTIONS IMPORT: adjusting link_mtu to 1657
Sat Oct 26 17:49:12 2019 OPTIONS IMPORT: data channel crypto options modified
Sat Oct 26 17:49:12 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Oct 26 17:49:12 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Oct 26 17:49:12 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Oct 26 17:49:12 2019 TUN/TAP device tun0 opened
Sat Oct 26 17:49:12 2019 TUN/TAP TX queue length set to 100
Sat Oct 26 17:49:12 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Oct 26 17:49:12 2019 /sbin/ifconfig tun0 10.8.0.2 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Sat Oct 26 17:49:12 2019 /sbin/route add -net 69.10.63.243 netmask 255.255.255.255 gw 72.50.209.209
Sat Oct 26 17:49:12 2019 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Sat Oct 26 17:49:12 2019 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Sat Oct 26 17:49:12 2019 Initialization Sequence Completed

When connected to the VPN:

$ nslookup google.com
;; Got SERVFAIL reply from 192.168.1.1, trying next server
;; connection timed out; no servers could be reached

$ nslookup google.com 206.55.176.52  <-- ISP's DNS
;; connection timed out; no servers could be reached

$ nslookup google.com 8.8.8.8 <-- Google's DNS
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
Name:	google.com
Address: 172.217.12.142

$ nslookup google.com 69.10.63.243  <-- VPN server
;; connection timed out; no servers could be reached

What am I missing?

/etc/openvpn/com.protonvpn/us.protonvpn.com.udp.ovpn (from the vendor):

client
dev tun
proto udp
remote us.protonvpn.com 80
remote us.protonvpn.com 443
remote us.protonvpn.com 4569
remote us.protonvpn.com 1194
remote us.protonvpn.com 5060
remote-random
resolv-retry infinite
nobind
cipher AES-256-CBC
auth SHA512
compress
verb 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
reneg-sec 0
remote-cert-tls server
auth-user-pass '/etc/openvpn/com.protonvpn/auth_user_pass.auth'
pull
fast-io
#script-security 2
#up /etc/openvpn/com.protonvpn/up.sh
#down /etc/openvpn/com.protonvpn/down.sh
<ca>removed for brevity</ca>
key-direction 1
<tls-auth>removed for brevity</tls-auth>

/etc/config/network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7d:8ec7:84fd::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option bridge_empty '1'
	list ifname 'lan0'
	list ifname 'lan1'
	list ifname 'lan2'
	list ifname 'lan3'
	list ifname 'lan4'

config interface 'wan'
	option ifname 'eth2'
	option ipv6 '1'
	option proto 'static'
	option ipaddr 'XXX.XXX.XXX.XXX'
	option netmask '255.255.255.252'
	option gateway 'XXX.XXX.XXX.XXX'
	list dns '206.55.176.52'
	list dns '206.55.176.53'

config interface 'guest_turris'
	option enabled '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '10.111.222.1'
	option netmask '255.255.255.0'
	option bridge_empty '1'

config interface 'wan6'
	option ifname '@wan'
	option proto 'dhcpv6'

config interface 'vpn_interface'
	option proto 'none'
	option ifname 'tun0'

/etc/config/firewall:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone 'guest_turris'
	option enabled '1'
	option name 'guest_turris'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'guest_turris'

config forwarding 'guest_turris_forward_wan'
	option enabled '1'
	option name 'guest to wan forward'
	option src 'guest_turris'
	option dest 'wan'

config rule 'guest_turris_dns_rule'
	option enabled '1'
	option name 'guest dns rule'
	option src 'guest_turris'
	option proto 'tcpudp'
	option dest_port '53'
	option target 'ACCEPT'

config rule 'guest_turris_dhcp_rule'
	option enabled '1'
	option name 'guest dhcp rule'
	option src 'guest_turris'
	option proto 'udp'
	option src_port '67-68'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule 'wan_ssh_turris_rule'
	option name 'wan_ssh_turris_rule'
	option enabled '0'
	option target 'ACCEPT'
	option dest_port '22'
	option proto 'tcp'
	option src 'wan'

config rule 'wan_http_turris_rule'
	option name 'wan_http_turris_rule'
	option enabled '0'
	option target 'ACCEPT'
	option dest_port '80'
	option proto 'tcp'
	option src 'wan'

config rule 'wan_https_turris_rule'
	option name 'wan_https_turris_rule'
	option enabled '0'
	option target 'ACCEPT'
	option dest_port '443'
	option proto 'tcp'
	option src 'wan'

config rule 'turris_wan_6in4_rule'
	option enabled '0'

config include 'bcp38'
	option type 'script'
	option path '/usr/lib/bcp38/run.sh'
	option family 'IPv4'
	option reload '1'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'vpn_zone'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'vpn_interface'

config forwarding
	option dest 'vpn_zone'
	option src 'lan'

/etc/config/dhcp:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option port '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	list dhcp_option '6,192.168.1.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest_turris'
	option interface 'guest_turris'
	option ignore '0'
	option start '100'
	option limit '150'
	option leasetime '3600'
	list dhcp_option '6,10.111.222.1'

config domain
	option ip '192.168.1.1'
	option name 'turris'

** edit 1 **

I tried connecting to another VPN provider:

# openvpn --cd /etc/openvpn/net.torguard/ --config TorGuard.Canada.Toronto.ovpn
Tue Oct 29 12:04:55 2019 OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Tue Oct 29 12:04:55 2019 library versions: OpenSSL 1.0.2t  10 Sep 2019, LZO 2.10
Tue Oct 29 12:04:55 2019 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Oct 29 12:04:55 2019 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Oct 29 12:04:55 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]184.75.220.138:1912
Tue Oct 29 12:04:55 2019 Socket Buffers: R=[163840->327680] S=[163840->327680]
Tue Oct 29 12:04:55 2019 UDP link local: (not bound)
Tue Oct 29 12:04:55 2019 UDP link remote: [AF_INET]184.75.220.138:1912
Tue Oct 29 12:04:55 2019 TLS: Initial packet from [AF_INET]184.75.220.138:1912, sid=7e8f1cb4 f3335be0
Tue Oct 29 12:04:55 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Oct 29 12:04:55 2019 VERIFY OK: depth=1, CN=TG-VPN-CA
Tue Oct 29 12:04:55 2019 VERIFY KU OK
Tue Oct 29 12:04:55 2019 Validating certificate extended key usage
Tue Oct 29 12:04:55 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Oct 29 12:04:55 2019 VERIFY EKU OK
Tue Oct 29 12:04:55 2019 VERIFY OK: depth=0, CN=server
Tue Oct 29 12:04:56 2019 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1602', remote='link-mtu 1569'
Tue Oct 29 12:04:56 2019 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
Tue Oct 29 12:04:56 2019 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Tue Oct 29 12:04:56 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Oct 29 12:04:56 2019 [server] Peer Connection Initiated with [AF_INET]184.75.220.138:1912
Tue Oct 29 12:04:57 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Oct 29 12:04:58 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,sndbuf 524288,rcvbuf 524288,route 10.35.0.1,topology net30,ping 5,ping-restart 30,compress,ifconfig 10.35.0.26 10.35.0.25,peer-id 38,cipher AES-256-GCM'
Tue Oct 29 12:04:58 2019 OPTIONS IMPORT: timers and/or timeouts modified
Tue Oct 29 12:04:58 2019 OPTIONS IMPORT: compression parms modified
Tue Oct 29 12:04:58 2019 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Tue Oct 29 12:04:58 2019 Socket Buffers: R=[327680->327680] S=[327680->327680]
Tue Oct 29 12:04:58 2019 OPTIONS IMPORT: --ifconfig/up options modified
Tue Oct 29 12:04:58 2019 OPTIONS IMPORT: route options modified
Tue Oct 29 12:04:58 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Oct 29 12:04:58 2019 OPTIONS IMPORT: peer-id set
Tue Oct 29 12:04:58 2019 OPTIONS IMPORT: adjusting link_mtu to 1657
Tue Oct 29 12:04:58 2019 OPTIONS IMPORT: data channel crypto options modified
Tue Oct 29 12:04:58 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Oct 29 12:04:58 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 29 12:04:58 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 29 12:04:58 2019 TUN/TAP device tun0 opened
Tue Oct 29 12:04:58 2019 TUN/TAP TX queue length set to 100
Tue Oct 29 12:04:58 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Oct 29 12:04:58 2019 /sbin/ifconfig tun0 10.35.0.26 pointopoint 10.35.0.25 mtu 1500
Tue Oct 29 12:04:58 2019 /sbin/route add -net 184.75.220.138 netmask 255.255.255.255 gw 72.50.209.209
Tue Oct 29 12:04:58 2019 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.35.0.25
Tue Oct 29 12:04:58 2019 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.35.0.25
Tue Oct 29 12:04:58 2019 /sbin/route add -net 10.35.0.1 netmask 255.255.255.255 gw 10.35.0.25
Tue Oct 29 12:04:58 2019 Initialization Sequence Completed

With similar results:

# dig google.com

; <<>> DiG 9.11.10 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61308
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.			IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Oct 29 12:06:25 CDT 2019
;; MSG SIZE  rcvd: 39

# nslookup google.com 1.0.0.1
Server:		1.0.0.1
Address:	1.0.0.1#53

Name:      google.com
Address 1: 172.217.0.238
Address 2: 2607:f8b0:400b:80f::200e

Is this somehow related to kresd?

I didn’t have these issues when using TOS 3 with kresd and dnsmasq (on port 5353).
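Added example (not part of the post, and not Turris or OpenVPN code): the two PUSH_REPLY lines and the wan stanza above contain enough to explain the symptom, so this script parses them and classifies each resolver. The function names, the constructed `UP_SCRIPT_ENV` dictionary and the verdict labels are this example's own; the sample inputs are copied from the post.

```python
"""Added example (not from the post or from Turris/OpenVPN): work out from the
OpenVPN log and /etc/config/network why a router-side resolver stops answering
once a VPN pushes 'redirect-gateway def1'.  Function names are this example's own.
"""
import ipaddress
import re

# Constructed samples: the two PUSH_REPLY lines quoted in the post.
PROTON_PUSH = (
    "Sat Oct 26 17:49:12 2019 PUSH: Received control message: 'PUSH_REPLY,"
    "redirect-gateway def1,dhcp-option DNS 10.8.8.1,sndbuf 524288,rcvbuf 524288,"
    "explicit-exit-notify,comp-lzo no,route-gateway 10.8.0.1,topology subnet,"
    "ping 10,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 4,"
    "cipher AES-256-GCM'")
TORGUARD_PUSH = (
    "Tue Oct 29 12:04:58 2019 PUSH: Received control message: 'PUSH_REPLY,"
    "redirect-gateway def1,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,"
    "sndbuf 524288,rcvbuf 524288,route 10.35.0.1,topology net30,ping 5,"
    "ping-restart 30,compress,ifconfig 10.35.0.26 10.35.0.25,peer-id 38,"
    "cipher AES-256-GCM'")

# Constructed sample: the wan stanza of the post's /etc/config/network.
NETWORK_UCI = """
config interface 'wan'
\toption ifname 'eth2'
\toption proto 'static'
\tlist dns '206.55.176.52'
\tlist dns '206.55.176.53'
"""

# Constructed sample of the environment OpenVPN hands an --up script
# (needs script-security 2): each pushed dhcp-option becomes foreign_option_N.
UP_SCRIPT_ENV = {"dev": "tun0", "foreign_option_1": "dhcp-option DNS 10.8.8.1"}

PUSH_RE = re.compile(r"PUSH_REPLY,(.*)'\s*$")


def parse_push_reply(line):
    """Pick the DNS and route options out of a logged PUSH_REPLY line."""
    m = PUSH_RE.search(line)
    if not m:
        raise ValueError("not a PUSH_REPLY line")
    opts = {"dns": [], "routes": [], "redirect_gateway": False,
            "route_gateway": None, "ifconfig": None}
    for opt in m.group(1).split(","):
        words = opt.split()
        if not words:
            continue
        if words[:2] == ["dhcp-option", "DNS"]:
            opts["dns"].append(words[2])
        elif words[0] == "redirect-gateway":
            opts["redirect_gateway"] = True
        elif words[0] == "route-gateway":
            opts["route_gateway"] = words[1]
        elif words[0] == "route":
            opts["routes"].append(words[1])
        elif words[0] == "ifconfig":
            opts["ifconfig"] = words[1]
    return opts


def configured_resolvers(uci_text, interface="wan"):
    """Collect the 'list dns' entries of one interface stanza (UCI syntax)."""
    resolvers, current = [], None
    for raw in uci_text.splitlines():
        line = raw.strip()
        if line.startswith("config interface"):
            current = line.split("'")[1]
        elif current == interface and line.startswith("list dns"):
            resolvers.append(line.split("'")[1])
    return resolvers


def pushed_dns_from_env(environ):
    """What an --up script sees: DNS servers taken from foreign_option_N."""
    keys = [k for k in environ if k.startswith("foreign_option_")]
    servers = []
    for key in sorted(keys, key=lambda k: int(k.rsplit("_", 1)[1])):
        words = environ[key].split()
        if words[:2] == ["dhcp-option", "DNS"]:
            servers.append(words[2])
    return servers


def classify(push, upstream):
    """Say how each resolver behaves while the tunnel is the default route."""
    verdict = {}
    if push["redirect_gateway"]:
        for r in upstream:
            if r not in push["dns"]:
                # Queries now leave through the VPN exit; a resolver that only
                # answers its own ISP's customers stops replying, and the
                # local forwarder turns the timeout into SERVFAIL.
                verdict[r] = "upstream-not-pushed"
    for d in push["dns"]:
        # A private pushed address exists only inside the tunnel, so it has
        # to be installed on tun-up and removed again on tun-down.
        verdict[d] = "tunnel-only" if ipaddress.ip_address(d).is_private else "public"
    return verdict


if __name__ == "__main__":
    for name, line in (("ProtonVPN", PROTON_PUSH), ("TorGuard", TORGUARD_PUSH)):
        print(name, classify(parse_push_reply(line), configured_resolvers(NETWORK_UCI)))
    print("up script would install:", pushed_dns_from_env(UP_SCRIPT_ENV))
```

Reading the output against the post: the tunnel endpoint 69.10.63.243 was never the DNS server (the PUSH_REPLY names 10.8.8.1, which only exists inside tun0), the ISP resolvers 206.55.176.52/53 stop answering as soon as the default route moves into the tunnel, and 8.8.8.8 or 1.0.0.1 keep working because they answer from anywhere. The pushed server is never applied because OpenVPN on Linux only exposes `dhcp-option` values to an `--up` script, which the vendor profile leaves commented out (`#script-security 2`, `#up`, `#down`); what such a script must then tell the TurrisOS resolver is distribution-specific and not shown here.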