Can't resolve VPN with OpenVPN

I created a config file and use it in the openvpn config like OpenVPN - NixOS Wiki shows.

Then I used the update-systemd-resolved package from nixpkgs and followed the steps that GitHub - jonathanio/update-systemd-resolved: Helper script for OpenVPN to directly update the DNS settings of a link through systemd-resolved via DBus. shows. Normally that's enough in Arch but something is not working in NixOS. I tried to download the script manually too and have the same result.

For some context this is my config now:

{
  services.resolved.enable = true;
  services.openvpn.servers = {
    soysuper = {
      config = ''
        config /root/nixos/openvpn/soysuper.conf

        script-security 2
        up ${pkgs.update-systemd-resolved}/libexec/openvpn/update-systemd-resolved
        up-restart
        down ${pkgs.update-systemd-resolved}/libexec/openvpn/update-systemd-resolved
        down-pre
      '';
      # autoStart = true;
      # updateResolvConf = true;
    };
  };
}

The script from /root/nixos/openvpn/soysuper.conf is the same one that I used in Arch.

systemctl status openvpn-soysuper.service shows this:

     Loaded: loaded (/etc/systemd/system/openvpn-soysuper.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2022-02-23 19:13:15 CET; 7min ago
   Main PID: 28920 (openvpn)
     Status: "Initialization Sequence Completed"
         IP: 206.6K in, 69.9K out
         IO: 0B read, 0B written
      Tasks: 1 (limit: 38428)
     Memory: 1.0M
        CPU: 48ms
     CGroup: /system.slice/openvpn-soysuper.service
             └─28920 openvpn --suppress-timestamps --config /nix/store/rmpf8mgxygss7lpsjm2xha9iliz1rdaw-openvpn-config-soysuper

Feb 23 19:13:16 nixos openvpn[29057]: <14>Feb 23 19:13:16 .update-systemd-resolved-wrapped: Adding IPv4 DNS Server 10.10.55.250
Feb 23 19:13:16 nixos .update-systemd-resolved-wrapped[29058]: Adding DNS Domain ss
Feb 23 19:13:16 nixos openvpn[29058]: <14>Feb 23 19:13:16 .update-systemd-resolved-wrapped: Adding DNS Domain ss
Feb 23 19:13:16 nixos .update-systemd-resolved-wrapped[29059]: SetLinkDNS(11 1 2 4 10 10 55 250)
Feb 23 19:13:16 nixos openvpn[29059]: <14>Feb 23 19:13:16 .update-systemd-resolved-wrapped: SetLinkDNS(11 1 2 4 10 10 55 250)
Feb 23 19:13:16 nixos openvpn[28920]: net_route_v4_add: 10.5.0.0/24 via 10.8.0.5 dev [NULL] table 0 metric -1
Feb 23 19:13:16 nixos openvpn[28920]: net_route_v4_add: 10.10.0.0/16 via 10.8.0.5 dev [NULL] table 0 metric -1
Feb 23 19:13:16 nixos openvpn[28920]: net_route_v4_add: 10.8.0.0/24 via 10.8.0.5 dev [NULL] table 0 metric -1
Feb 23 19:13:16 nixos openvpn[28920]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to preve>
Feb 23 19:13:16 nixos openvpn[28920]: Initialization Sequence Completed

I don’t know what else to do, hope someone can help me out here :)

What do you mean by “Can’t connect”? openvpn reports this, which indicates all is good:

Feb 23 19:13:16 nixos openvpn[28920]: Initialization Sequence Completed

Do you mean that the DNS resolution doesn’t work? If so, what does resolvectl tell you?

Exactly, that's what I mean:

resolvectl:

Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=allow-downgrade/unsupported
    resolv.conf mode: stub
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 8.8.8.8#dns.google 1.0.0.1#cloudflare-dns.com 8.8.4.4#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2001:4860:4860::8888#dns.google 2606:4700:4700::1001#cloudflare-dns.com 2001:4860:4860::8844#dns.google

Link 2 (enp4s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/unsupported
Current DNS Server: 192.168.0.1
       DNS Servers: 192.168.0.1

Link 3 (wlo1)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
Current DNS Server: 192.168.0.1
       DNS Servers: 192.168.0.1

Link 4 (br-7abad74adbee)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported

Link 5 (docker0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported

Link 6 (tun0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
Current DNS Server: 10.10.55.250
       DNS Servers: 10.10.55.250
        DNS Domain: ss

Again, what exactly is it that goes wrong? This looks perfectly fine.

What happens when you try to resolve whatever_host.ss which is supposed to go to 10.10.55.250?
Can you ping that server?
Can you resolve hosts by using nslookup and connecting directly to it?

Thanks for the help.

If I try to resolve doc.ss it returns a server not found.

If I try ping doc.ss it returns:
ping: doc.ss: Name or service not known

If I run ping -c 3 10.10.55.250 it returns:

PING 10.10.55.250 (10.10.55.250) 56(84) bytes of data.
64 bytes from 10.10.55.250: icmp_seq=1 ttl=63 time=32.2 ms
64 bytes from 10.10.55.250: icmp_seq=2 ttl=63 time=32.0 ms
64 bytes from 10.10.55.250: icmp_seq=3 ttl=63 time=32.0 ms

--- 10.10.55.250 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 31.969/32.057/32.234/0.124 ms

nslookup 10.10.55.250 returns:

;; connection timed out; no servers could be reached

That’s why I think that the VPN is not being resolved correctly. I can reach 10.10.55.250 but I can’t connect to it.

Use nslookup to specify the server:

$ nslookup

server 1.1.1.1
Default server: 1.1.1.1
Address: 1.1.1.1#53
nixos.org
Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
Name: nixos.org
Address: 3.0.239.142
Name: nixos.org
Address: 178.128.104.229
Name: nixos.org
Address: 2400:6180:0:d1::62e:7001
Name: nixos.org
Address: 2400:6180:0:d1::583:1

Use 10.10.55.250 instead of 1.1.1.1 and see if it resolves anything for you and then try both resolving external and internal names.

If it does, that means you can resolve through that server over the VPN connection which means something strange is going on with your /etc/nsswitch.conf

If it doesn’t, it probably has something to do with firewall rules.

It seems to be /etc/nsswitch.conf then.

This is the result of nslookup:

> server 10.10.55.250
Default server: 10.10.55.250
Address: 10.10.55.250#53
> backup.ss
Server:		10.10.55.250
Address:	10.10.55.250#53

backup.ss	canonical name = backup-0.ss.
Name:	backup-0.ss
Address: 10.10.56.222
> doc.ss
Server:		10.10.55.250
Address:	10.10.55.250#53

Name:	doc.ss
Address: 10.10.55.10
> resque.ss
Server:		10.10.55.250
Address:	10.10.55.250#53

resque.ss	canonical name = app-resque-0.ss.
Name:	app-resque-0.ss
Address: 10.10.58.90

This is my /etc/nsswitch.conf:

passwd:    files systemd
group:     files systemd
shadow:    files

hosts:     mymachines resolve [!UNAVAIL=return] files myhostname dns
networks:  files

ethers:    files
services:  files
protocols: files
rpc:       files

You’re going to have to try to mess around with resolvectl, host and nslookup to see why the lookups aren’t going to the right DNS server.
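One way to see which link systemd-resolved will actually send a query to, as an added example that is not part of this thread: the script below parses `resolvectl` status output (SAMPLE is constructed from the output posted above) and, for a given name, reports which link's DNS servers should be asked. The routing rules it encodes are this example's own reading of systemd-resolved's behaviour: the link with the longest matching search or routing domain wins, otherwise every link marked +DefaultRoute is asked. Run it with `--live` to read the real `resolvectl status` on the machine and compare the result with `resolvectl query <name>`.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Summarise `resolvectl` status output and
# work out which link's DNS servers systemd-resolved will ask for a name.
# SAMPLE is constructed from the resolvectl output posted in the thread.

SAMPLE='Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=allow-downgrade/unsupported
    resolv.conf mode: stub
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 8.8.8.8#dns.google

Link 2 (enp4s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/unsupported
Current DNS Server: 192.168.0.1
       DNS Servers: 192.168.0.1

Link 3 (wlo1)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
Current DNS Server: 192.168.0.1
       DNS Servers: 192.168.0.1

Link 4 (br-7abad74adbee)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported

Link 5 (docker0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported

Link 6 (tun0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
Current DNS Server: 10.10.55.250
       DNS Servers: 10.10.55.250
        DNS Domain: ss'

# Read resolvectl status text on stdin; print one tab-separated line per link:
#   <link> <DefaultRoute yes|no> <DNS servers or -> <search/routing domains or ->
summarize_links() {
  awk '
    function flush() {
      if (link != "")
        printf "%s\t%s\t%s\t%s\n", link, defroute, (dns == "" ? "-" : dns), (dom == "" ? "-" : dom)
    }
    /^[ \t]*Global/ { flush(); link = ""; next }
    /^[ \t]*Link [0-9]+ \(/ {
      flush()
      match($0, /\(.*\)/); link = substr($0, RSTART + 1, RLENGTH - 2)
      defroute = "no"; dns = ""; dom = ""
      next
    }
    /Protocols:/ && link != "" { if ($0 ~ /\+DefaultRoute/) defroute = "yes"; next }
    /DNS Servers:/ && link != "" { sub(/.*DNS Servers:[ \t]*/, ""); dns = $0; next }
    /DNS Domain:/ && link != "" { sub(/.*DNS Domain:[ \t]*/, ""); dom = (dom == "" ? $0 : dom " " $0); next }
    END { flush() }
  '
}

# Read the summary on stdin; print the DNS servers that should be asked for $1.
# Longest matching search/routing domain wins; "~." makes a link a catch-all;
# with no match, all +DefaultRoute links are asked (joined with " | ").
route_for() {
  awk -F'\t' -v name="$1" '
    $2 == "yes" && $3 != "-" { defaults = (defaults == "" ? $3 : defaults " | " $3) }
    $4 != "-" {
      n = split($4, doms, " ")
      for (i = 1; i <= n; i++) {
        d = doms[i]; sub(/^~/, "", d)
        if (d == ".") { if ($2 != "yes" && $3 != "-") defaults = (defaults == "" ? $3 : defaults " | " $3); continue }
        if (name == d || substr(name, length(name) - length(d)) == "." d) {
          if (length(d) > best) { best = length(d); bestdns = $3 }
        }
      }
    }
    END { print (best > 0 ? bestdns : (defaults == "" ? "none" : defaults)) }
  '
}

# Without arguments: report on the constructed sample. With --live: use the
# real `resolvectl status` of this machine.
report() {
  if [ "${1:-}" = "--live" ]; then status=$(resolvectl status); else status=$SAMPLE; fi
  printf 'link\tdefault\tdns\tdomains\n'
  printf '%s\n' "$status" | summarize_links
  for n in doc.ss nixos.org; do
    printf '%s -> %s\n' "$n" "$(printf '%s\n' "$status" | summarize_links | route_for "$n")"
  done
}
report "$@"
```

On the status posted in the thread this reports `doc.ss -> 10.10.55.250`, i.e. systemd-resolved itself is configured to send `.ss` queries over the VPN; if `resolvectl query doc.ss` nevertheless fails while `nslookup doc.ss 10.10.55.250` works, the problem is between the stub resolver and the tunnel rather than in the link configuration, and if `resolvectl query` succeeds while `ping` cannot resolve, the problem is on the NSS side (`/etc/nsswitch.conf`).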
