Currently I am trying to route my traffic through a gateway running Debian Linux which forwards all incoming traffic through a VPN connection (Client -> Gateway with OpenVPN client -> VPN server -> Internet). This works fine except it loses the connection from time to time and is unable to reconnect itself due to nslookup timeouts. This happens every few days, mostly at night (as far as I know, some servers are terminating the session if no traffic was sent for a long time).
When this happens, I'll try to connect through SSH but after entering the username the server waits about 20 seconds before asking for the password, which is also strange. Normally it asks for the password immediately.
When looking into the syslog this one comes up:
```
Jul 20 00:50:11 gateway ovpn-cyberghost[23893]: RESOLVE: Cannot resolve host address: 5-nl.cg-dialup.net: Temporary failure in name resolution
```
ifconfig and route show that the VPN interface is still up but seems to be hung.
```
root@gateway:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.129.57.169   128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth2
10.129.57.169   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
93.190.138.125  192.168.0.1     255.255.255.255 UGH   0      0        0 eth2
128.0.0.0       10.129.57.169   128.0.0.0       UG    0      0        0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
217.23.12.229   192.168.0.1     255.255.255.255 UGH   0      0        0 eth2
```
Here's my OpenVPN config:
```
client
remote 5-nl.cg-dialup.net 443
dev tun
proto udp
auth-user-pass /etc/openvpn/auth.txt
route-nopull
resolv-retry infinite
redirect-gateway def1
persist-key
persist-tun
writepid /run/openvpn.pid
nobind
cipher AES-256-CBC
auth MD5
ping 5
ping-restart 20
persist-local-ip
ping-timer-rem
explicit-exit-notify 2
script-security 2
remote-cert-tls server
route-delay 5
tun-mtu 1500
fragment 1300
mssfix 1300
verb 1
comp-lzo
```
Here's my resolv.conf:
```
root@gateway:~# cat /etc/resolv.conf
nameserver 85.214.20.141
nameserver 213.73.91.35
```
Changing the nameservers, for example to 127.0.0.1 (bind9 correctly installed as a dns resolver), did not solve anything but I do not expect to find the problem here.
I guess the following is the reason: the server closed the session due to inactivity of the client, so the client tries to reconnect. In the process of reconnecting, OpenVPN resolves the hostname of the VPN server but it uses the broken VPN interface, which is set as the default gateway, instead of the correct default gateway. No cleanup is made (removing the tun0 interface and deleting the routes), which would perhaps solve the problem. Also I think there could be an issue with having two default gateways, but I am not sure.
After terminating the OpenVPN process manually and starting it again, everything works fine like nothing ever happened.
I don't know how to either tell OpenVPN to use the eth2 interface for that initial nslookup or to get OpenVPN to clean up the routes. Did I forget to add something in the config file (I didn't find any helpful options in the manpage)?
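The following script is an added example, not part of the question above or of OpenVPN: it takes the `route -n` table and resolv.conf from the post as constructed input, does the kernel's longest-prefix match for each nameserver, and prints which resolvers are reachable only through tun0 while the tunnel is hung. The host-route remedy it prints at the end (pinning each resolver to the LAN gateway 192.168.0.1 on eth2) is an assumption offered for checking, not a fix confirmed by the post.

```shell
#!/bin/sh
# Constructed input: the routing table and resolv.conf quoted in the question.
ROUTES='0.0.0.0 10.129.57.169 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth2
10.129.57.169 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
93.190.138.125 192.168.0.1 255.255.255.255 UGH 0 0 0 eth2
128.0.0.0 10.129.57.169 128.0.0.0 UG 0 0 0 tun0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
217.23.12.229 192.168.0.1 255.255.255.255 UGH 0 0 0 eth2'
RESOLV='nameserver 85.214.20.141
nameserver 213.73.91.35'
LAN_GW=192.168.0.1   # gateway of the eth2 default route above (assumption: the LAN router)
LAN_IF=eth2

# ip2int 1.2.3.4 -> 16909060 (dotted quad to a 32-bit integer)
ip2int() {
    old=$IFS; IFS=.; set -- $1; IFS=$old
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# route_iface ADDR -> interface the kernel picks: longest matching prefix in $ROUTES
route_iface() {
    want=$(ip2int "$1"); best_len=-1; best_if=""
    while read -r dst gw mask flags metric ref use iface; do
        d=$(ip2int "$dst"); m=$(ip2int "$mask")
        [ $(( want & m )) -eq $(( d & m )) ] || continue
        len=0; t=$m   # prefix length = set bits of the (contiguous) netmask
        while [ "$t" -ne 0 ]; do len=$((len + 1)); t=$(( (t << 1) & 4294967295 )); done
        if [ "$len" -gt "$best_len" ]; then best_len=$len; best_if=$iface; fi
    done <<EOF
$ROUTES
EOF
    echo "$best_if"
}

# nameservers_via_tunnel -> space-separated resolvers whose traffic would use tun0
nameservers_via_tunnel() {
    out=""
    while read -r key ns; do
        [ "$key" = nameserver ] || continue
        if [ "$(route_iface "$ns")" = tun0 ]; then out="$out${out:+ }$ns"; fi
    done <<EOF
$RESOLV
EOF
    echo "$out"
}

# Report, and print (not run) a candidate host route that keeps DNS off the tunnel.
for ns in $(nameservers_via_tunnel); do
    echo "$ns -> tun0; candidate fix: ip route add $ns/32 via $LAN_GW dev $LAN_IF"
done
```

With the table from the post both resolvers fall under the two /1 routes that `redirect-gateway def1` installs, so the reconnect's lookup of 5-nl.cg-dialup.net has no path while tun0 is dead; only the two VPN endpoint addresses already have host routes via eth2.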