| 1 |
Michael wrote: |
| 2 |
> On Tuesday, 7 March 2023 18:11:01 GMT Dale wrote: |
| 3 |
>> Michael wrote: |
| 4 |
>>> On Sunday, 5 March 2023 18:41:10 GMT Dale wrote: |
| 5 |
>>>> Howdy, |
| 6 |
>>>> |
| 7 |
>>>> I use Surfshark and every once in a while, my VPN loses its connection. |
| 8 |
>>>> I sent the info from messages to Surfshark but the info they sent back |
| 9 |
>>>> on how to set the nameserver info doesn't really work with Gentoo. I |
| 10 |
>>>> suspect they are used to systemd stuff. Anyway, I tried to follow in a |
| 11 |
>>>> more Gentoo way but it still didn't work. Then I googled, searched the |
| 12 |
>>>> Gentoo wiki and tried some of those things, still refuses to use the |
| 13 |
>>>> manually entered nameserver. I've tried resolv.conf, resolvconf.conf |
| 14 |
>>>> and resolv.conf-tun0.sv. I installed openresolv to see if that would |
| 15 |
>>>> help. Nope. |
| 16 |
>>> AFAIR, you're meant to pull down from the openvpn server the DNS resolvers |
| 17 |
>>> you're meant to use with their service, unless you have your own reasons |
| 18 |
>>> for wanting to override these and set up your own DNS resolvers. Have |
| 19 |
>>> you looked in /etc/openvpn/ for a suitable setting in the configuration |
| 20 |
>>> file? I'm sure it will be set to automatically pull down the DNS |
| 21 |
>>> resolvers and the Up script will set these up for your system when you |
| 22 |
>>> start openvpn. |
| 23 |
>> This started because I changed to doing OS updates every other weekend. |
| 24 |
>> That means two weeks of login, two weeks of the VPN being active etc |
| 25 |
>> etc. When doing that, the VPN would lose connection after a good |
| 26 |
>> while. Sometimes it would go the whole two weeks with no problems but |
| 27 |
>> on occasion it would lose connection. |
| 28 |
> When a connection goes down the openvpn client log would provide the reason |
| 29 |
> for it. It makes sense to start from there any troubleshooting effort. The |
| 30 |
> DNS resolvers used within the tunnel may be a symptom, rather than the cause. |
| 31 |
> |
| 32 |
|
| 33 |
This is from the messages file. I don't see it logged anywhere else. |
| 34 |
|
| 35 |
It starts at about 13:54. It seems to try to reconnect but can't. I got this by using tail -n and then grep openvpn on the end. |
| 36 |
|
| 37 |
|
| 38 |
Mar 1 13:53:32 fireball openvpn[27908]: |
| 39 |
[us-hou-v029.prod.surfshark.com] Inactivity timeout (--ping-restart), |
| 40 |
restarting |
| 41 |
Mar 1 13:53:32 fireball openvpn[27908]: /etc/openvpn/down.sh tun0 1500 |
| 42 |
1584 10.8.8.9 255.255.255.0 restart |
| 43 |
Mar 1 13:53:32 fireball openvpn[27908]: SIGUSR1[soft,ping-restart] |
| 44 |
received, process restarting |
| 45 |
Mar 1 13:53:32 fireball openvpn[27908]: Restart pause, 5 second(s) |
| 46 |
Mar 1 13:53:37 fireball openvpn[27908]: NOTE: the current |
| 47 |
--script-security setting may allow this configuration to call |
| 48 |
user-defined scripts |
| 49 |
Mar 1 13:53:37 fireball openvpn[27908]: Outgoing Control Channel |
| 50 |
Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication |
| 51 |
Mar 1 13:53:37 fireball openvpn[27908]: Incoming Control Channel |
| 52 |
Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication |
| 53 |
Mar 1 13:53:37 fireball openvpn[27908]: TCP/UDP: Preserving recently |
| 54 |
used remote address: [AF_INET]37.19.221.71:1194 |
| 55 |
Mar 1 13:53:37 fireball openvpn[27908]: Socket Buffers: |
| 56 |
R=[212992->425984] S=[212992->425984] |
| 57 |
Mar 1 13:53:37 fireball openvpn[27908]: UDP link local: (not bound) |
| 58 |
Mar 1 13:53:37 fireball openvpn[27908]: UDP link remote: |
| 59 |
[AF_INET]37.19.221.71:1194 |
| 60 |
Mar 1 13:54:37 fireball openvpn[27908]: TLS Error: TLS key negotiation |
| 61 |
failed to occur within 60 seconds (check your network connectivity) |
| 62 |
Mar 1 13:54:37 fireball openvpn[27908]: TLS Error: TLS handshake failed |
| 63 |
Mar 1 13:54:37 fireball openvpn[27908]: /etc/openvpn/down.sh tun0 1500 |
| 64 |
1653 10.8.8.9 255.255.255.0 restart |
| 65 |
Mar 1 13:54:37 fireball openvpn[27908]: SIGUSR1[soft,tls-error] |
| 66 |
received, process restarting |
| 67 |
Mar 1 13:54:37 fireball openvpn[27908]: Restart pause, 5 second(s) |
| 68 |
Mar 1 13:54:42 fireball openvpn[27908]: NOTE: the current |
| 69 |
--script-security setting may allow this configuration to call |
| 70 |
user-defined scripts |
| 71 |
Mar 1 13:54:42 fireball openvpn[27908]: Outgoing Control Channel |
| 72 |
Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication |
| 73 |
Mar 1 13:54:42 fireball openvpn[27908]: Incoming Control Channel |
| 74 |
Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication |
| 75 |
Mar 1 13:54:42 fireball openvpn[27908]: TCP/UDP: Preserving recently |
| 76 |
used remote address: [AF_INET]107.179.20.179:1194 |
| 77 |
Mar 1 13:54:42 fireball openvpn[27908]: Socket Buffers: |
| 78 |
R=[212992->425984] S=[212992->425984] |
| 79 |
Mar 1 13:54:42 fireball openvpn[27908]: UDP link local: (not bound) |
| 80 |
Mar 1 13:54:42 fireball openvpn[27908]: UDP link remote: |
| 81 |
[AF_INET]107.179.20.179:1194 |
| 82 |
Mar 1 13:55:42 fireball openvpn[27908]: TLS Error: TLS key negotiation |
| 83 |
failed to occur within 60 seconds (check your network connectivity) |
| 84 |
Mar 1 13:55:42 fireball openvpn[27908]: TLS Error: TLS handshake failed |
| 85 |
Mar 1 13:55:42 fireball openvpn[27908]: /etc/openvpn/down.sh tun0 1500 |
| 86 |
1653 10.8.8.9 255.255.255.0 restart |
| 87 |
Mar 1 13:55:42 fireball openvpn[27908]: SIGUSR1[soft,tls-error] |
| 88 |
received, process restarting |
| 89 |
Mar 1 13:55:42 fireball openvpn[27908]: Restart pause, 5 second(s) |
| 90 |
Mar 1 13:55:47 fireball openvpn[27908]: NOTE: the current |
| 91 |
--script-security setting may allow this configuration to call |
| 92 |
user-defined scripts |
| 93 |
Mar 1 13:55:47 fireball openvpn[27908]: Outgoing Control Channel |
| 94 |
Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication |
| 95 |
Mar 1 13:55:47 fireball openvpn[27908]: Incoming Control Channel |
| 96 |
Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication |
| 97 |
Mar 1 13:55:47 fireball openvpn[27908]: TCP/UDP: Preserving recently |
| 98 |
used remote address: [AF_INET]107.179.20.197:1194 |
| 99 |
Mar 1 13:55:47 fireball openvpn[27908]: Socket Buffers: |
| 100 |
R=[212992->425984] S=[212992->425984] |
| 101 |
Mar 1 13:55:47 fireball openvpn[27908]: UDP link local: (not bound) |
| 102 |
Mar 1 13:55:47 fireball openvpn[27908]: UDP link remote: |
| 103 |
[AF_INET]107.179.20.197:1194 |
| 104 |
Mar 1 13:56:47 fireball openvpn[27908]: TLS Error: TLS key negotiation |
| 105 |
failed to occur within 60 seconds (check your network connectivity) |
| 106 |
Mar 1 13:56:47 fireball openvpn[27908]: TLS Error: TLS handshake failed |
| 107 |
Mar 1 13:56:47 fireball openvpn[27908]: /etc/openvpn/down.sh tun0 1500 |
| 108 |
1653 10.8.8.9 255.255.255.0 restart |
| 109 |
Mar 1 13:56:47 fireball openvpn[27908]: SIGUSR1[soft,tls-error] |
| 110 |
received, process restarting |
| 111 |
Mar 1 13:56:47 fireball openvpn[27908]: Restart pause, 5 second(s) |
| 112 |
Mar 1 13:56:52 fireball openvpn[27908]: NOTE: the current |
| 113 |
--script-security setting may allow this configuration to call |
| 114 |
user-defined scripts |
| 115 |
Mar 1 13:56:52 fireball openvpn[27908]: Outgoing Control Channel |
| 116 |
Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication |
| 117 |
Mar 1 13:56:52 fireball openvpn[27908]: Incoming Control Channel |
| 118 |
Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication |
| 119 |
Mar 1 13:56:52 fireball openvpn[27908]: TCP/UDP: Preserving recently |
| 120 |
used remote address: [AF_INET]107.179.20.203:1194 |
| 121 |
Mar 1 13:56:52 fireball openvpn[27908]: Socket Buffers: |
| 122 |
R=[212992->425984] S=[212992->425984] |
| 123 |
Mar 1 13:56:52 fireball openvpn[27908]: UDP link local: (not bound) |
| 124 |
Mar 1 13:56:52 fireball openvpn[27908]: UDP link remote: |
| 125 |
[AF_INET]107.179.20.203:1194 |
| 126 |
|
| 127 |
|
| 128 |
The weird thing, I can stop openvpn, then start it again just seconds later and it works fine for a good long while. |
| 129 |
|
| 130 |
>> I wrote a email to make them |
| 131 |
>> aware to see if this is expected behavior, if I had bad settings or |
| 132 |
>> something was wrong on their end. That's when I got the info in the |
| 133 |
>> original post, to change DNS servers. I'm not sure what that has to do |
| 134 |
>> with anything but . . . |
| 135 |
> Heh! Same here, unless the server side logs indicated this was where the |
| 136 |
> problem actually occurred with your connection. |
| 137 |
> |
| 138 |
> |
| 139 |
>> You know how awful I am with scripts. Still, I read through the up |
| 140 |
>> script and even to me, it looks like it is set up to get DNS servers |
| 141 |
>> during the connection setup. This is the part I see. |
| 142 |
>> |
| 143 |
>> |
| 144 |
>> elif [ "${opt}" != "${opt#dhcp-option DNS *}" ] ; then |
| 145 |
>> NS="${NS}nameserver ${opt#dhcp-option DNS *}\n" |
| 146 |
>> |
| 147 |
>> |
| 148 |
>> To me, it seems like it is getting the DNS info and putting it |
| 149 |
>> somewhere. It appears that wherever it puts it, it is the only place it |
| 150 |
>> looks because nothing I change changes where it goes for DNS info. To |
| 151 |
>> be honest, I don't know why it should have to be changed. One would |
| 152 |
>> think that the DNS info they send should work fine otherwise why set it |
| 153 |
>> up that way. |
| 154 |
> DNS resolvers will be added to your resolv.conf when the tunnel comes up. |
| 155 |
> |
| 156 |
> Instead of messing up with the scripts and hardcoding nameserver IP addresses, |
| 157 |
> have you done any troubleshooting to find out what part of the connection goes |
| 158 |
> down? Is the tunnel still up? Can you ping IP addresses through the tunnel? |
| 159 |
> etc. |
| 160 |
> |
| 161 |
|
| 162 |
When it stops working, nothing goes through. My cell phone, which |
| 163 |
connects directly to the router and doesn't use the VPN, does work so I |
| 164 |
know my internet is working. Everything else just shows it is trying to |
| 165 |
connect, which is usually very fast. I'm loving this fiber internet. |
| 166 |
|
| 167 |
|
| 168 |
>>>> This is what I got from Surfshark: |
| 169 |
>>>>> I would recommend changing the DNS addresses on your Linux device. You |
| 170 |
>>>>> can simply do that by following the steps below. |
| 171 |
>>>>> |
| 172 |
>>>>> First, you need to open the terminal with the CTRL + ALT + T |
| 173 |
>>>>> combination and type in the following commands: |
| 174 |
>>>>> sudo rm -r /etc/resolv.conf |
| 175 |
>>>>> sudo nano /etc/resolv.conf |
| 176 |
>>> Normally, you would not have to do this manually. The Up script will |
| 177 |
>>> enter |
| 178 |
>>> the resolver IP addresses in your resolv.conf. If it doesn't, then check |
| 179 |
>>> your configuration and your openvpn script. |
| 180 |
>> I tried to edit the openvpn.conf file to manually set the nameserver but |
| 181 |
>> it puked on my keyboard and refused to even connect. I think we are |
| 182 |
>> back to the server I connect to requires its info to be used and if it |
| 183 |
>> isn't, it refuses to complete the connection. Everything I try results |
| 184 |
>> in a error and connection refused. It could even be a security setting |
| 185 |
>> that requires this. |
| 186 |
> I recall the openvpn.conf has an entry to specify pulling down the DNS |
| 187 |
> resolvers from the server as it is establishing the tunnel. Here's some |
| 188 |
> troubleshooting to confirm if this is the problem, after you reset to defaults |
| 189 |
> everything you interfered with in the openvpn.conf settings. |
| 190 |
> |
| 191 |
|
| 192 |
I got this config file from Surfshark. I think it's public so I guess |
| 193 |
there's no harm posting as is. |
| 194 |
|
| 195 |
|
| 196 |
client |
| 197 |
dev tun |
| 198 |
proto udp |
| 199 |
remote us-hou.prod.surfshark.com 1194 |
| 200 |
resolv-retry infinite |
| 201 |
remote-random |
| 202 |
nobind |
| 203 |
tun-mtu 1500 |
| 204 |
tun-mtu-extra 32 |
| 205 |
mssfix 1450 |
| 206 |
persist-key |
| 207 |
persist-tun |
| 208 |
ping 15 |
| 209 |
ping-restart 0 |
| 210 |
ping-timer-rem |
| 211 |
reneg-sec 0 |
| 212 |
|
| 213 |
remote-cert-tls server |
| 214 |
|
| 215 |
auth-user-pass /etc/openvpn/login.conf |
| 216 |
mute-replay-warnings |
| 217 |
|
| 218 |
#comp-lzo |
| 219 |
verb 3 |
| 220 |
pull |
| 221 |
fast-io |
| 222 |
cipher AES-256-CBC |
| 223 |
|
| 224 |
auth SHA512 |
| 225 |
|
| 226 |
|
| 227 |
I don't see anything about DNS/nameserver/resolv.conf there but I may be missing it. When I tried to add that detail, it refused to start at all and puked on my keyboard. It was very unhappy with me telling it what DNS IP to use. That up script it runs is pretty complicated looking. I'm kinda nervous about messing with it. |
| 228 |
|
| 229 |
|
| 230 |
>> Either way, either this can't be changed and the VPN connect or there is |
| 231 |
>> a setting somewhere that we are not aware of. I've googled, asked here |
| 232 |
>> plus looked everywhere I can think of, even some places I couldn't |
| 233 |
>> imagine having anything to do with it, and had no luck finding where it |
| 234 |
>> stores the info or how to change it. |
| 235 |
>> |
| 236 |
>> Unless someone comes up with a idea, I'm fresh out. I have no clue what |
| 237 |
>> to do. Hey, it does work almost all the time. It's not the end of the |
| 238 |
>> world. |
| 239 |
>> |
| 240 |
>> Thanks. |
| 241 |
>> |
| 242 |
>> Dale |
| 243 |
>> |
| 244 |
>> :-) :-) |
| 245 |
>> |
| 246 |
>> P. S. Getting close to garden time. :-D |
| 247 |
> I suggest you test for one thing at a time when the connection fails and start |
| 248 |
> with the logs. Hardcoding the DNS resolver addresses may not be the problem |
| 249 |
> you're facing here. |
| 250 |
|
| 251 |
|
| 252 |
I posted basically the same info I sent to Surfshark above. Maybe you |
| 253 |
will see something they didn't. If you need me to check or post |
| 254 |
something else, just let me know. As for testing when it dies on me, |
| 255 |
that could involve some wait time. ;-) |
| 256 |
|
| 257 |
Thanks. |
| 258 |
|
| 259 |
Dale |
| 260 |
|
| 261 |
:-) :-) |
Archives