OpenVPN client DNS_PROBE_FINISHED_NXDOMAIN

Hello guys, I am not able to solve my problem while trying to install a VPN client using OpenVPN.
If I activate the client, I have no internet access.

OpenWrt 19.07.0 r10860-a3ffeb413b / LuCI openwrt-19.07 branch git-20.048.32085-85a6f07

openvpn.log

Wed Mar 18 23:25:18 2020 us=966631 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Mar 18 23:25:18 2020 us=970044 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Mar 18 23:25:18 2020 us=970333 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Mar 18 23:25:18 2020 us=970910 Control Channel MTU parms [ L:1654 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Wed Mar 18 23:25:18 2020 us=971182 Data Channel MTU parms [ L:1654 D:1450 EF:122 EB:411 ET:32 EL:3 ]
Wed Mar 18 23:25:18 2020 us=971465 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1634,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Wed Mar 18 23:25:18 2020 us=971576 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1634,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Wed Mar 18 23:25:18 2020 us=971731 TCP/UDP: Preserving recently used remote address: [AF_INET]45.152.181.131:1194
Wed Mar 18 23:25:18 2020 us=971883 Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Mar 18 23:25:18 2020 us=971993 UDP link local: (not bound)
Wed Mar 18 23:25:18 2020 us=972119 UDP link remote: [AF_INET]45.152.181.131:1194
Wed Mar 18 23:25:18 2020 us=992545 TLS: Initial packet from [AF_INET]45.152.181.131:1194, sid=e533288a 1b71315f
Wed Mar 18 23:25:18 2020 us=993298 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Mar 18 23:25:19 2020 us=24162 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Wed Mar 18 23:25:19 2020 us=28243 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA4
Wed Mar 18 23:25:19 2020 us=32548 VERIFY KU OK
Wed Mar 18 23:25:19 2020 us=32763 Validating certificate extended key usage
Wed Mar 18 23:25:19 2020 us=32876 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Mar 18 23:25:19 2020 us=32982 VERIFY EKU OK
Wed Mar 18 23:25:19 2020 us=33085 VERIFY OK: depth=0, CN=fr515.nordvpn.com
Wed Mar 18 23:25:19 2020 us=83276 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Wed Mar 18 23:25:19 2020 us=83566 [fr515.nordvpn.com] Peer Connection Initiated with [AF_INET]45.152.181.131:1194
Wed Mar 18 23:25:20 2020 us=303032 SENT CONTROL [fr515.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Wed Mar 18 23:25:25 2020 us=533281 SENT CONTROL [fr515.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Wed Mar 18 23:25:25 2020 us=539881 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.1.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.1.4 255.255.255.0,peer-id 2,cipher AES-256-GCM'
Wed Mar 18 23:25:25 2020 us=540488 OPTIONS IMPORT: timers and/or timeouts modified
Wed Mar 18 23:25:25 2020 us=540610 OPTIONS IMPORT: explicit notify parm(s) modified
Wed Mar 18 23:25:25 2020 us=540713 OPTIONS IMPORT: compression parms modified
Wed Mar 18 23:25:25 2020 us=540819 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Wed Mar 18 23:25:25 2020 us=540939 Socket Buffers: R=[163840->327680] S=[163840->327680]
Wed Mar 18 23:25:25 2020 us=541043 OPTIONS IMPORT: --ifconfig/up options modified
Wed Mar 18 23:25:25 2020 us=541182 OPTIONS IMPORT: route options modified
Wed Mar 18 23:25:25 2020 us=541287 OPTIONS IMPORT: route-related options modified
Wed Mar 18 23:25:25 2020 us=541391 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Mar 18 23:25:25 2020 us=541493 OPTIONS IMPORT: peer-id set
Wed Mar 18 23:25:25 2020 us=541596 OPTIONS IMPORT: adjusting link_mtu to 1657
Wed Mar 18 23:25:25 2020 us=541733 OPTIONS IMPORT: data channel crypto options modified
Wed Mar 18 23:25:25 2020 us=541844 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Mar 18 23:25:25 2020 us=542006 Data Channel MTU parms [ L:1585 D:1450 EF:53 EB:411 ET:32 EL:3 ]
Wed Mar 18 23:25:25 2020 us=542635 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Mar 18 23:25:25 2020 us=542780 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Mar 18 23:25:25 2020 us=545285 TUN/TAP device tun1 opened
Wed Mar 18 23:25:25 2020 us=545940 TUN/TAP TX queue length set to 100
Wed Mar 18 23:25:25 2020 us=546141 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Mar 18 23:25:25 2020 us=546329 /sbin/ifconfig tun1 10.8.1.4 netmask 255.255.255.0 mtu 1500 broadcast 10.8.1.255
Wed Mar 18 23:25:25 2020 us=563936 /etc/openvpn/updns tun1 1500 1585 10.8.1.4 255.255.255.0 init
Wed Mar 18 23:25:25 2020 us=609791 /sbin/route add -net 45.152.181.131 netmask 255.255.255.255 gw 192.168.0.1
Wed Mar 18 23:25:25 2020 us=613755 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.1.1
Wed Mar 18 23:25:25 2020 us=620403 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.1.1
Wed Mar 18 23:25:25 2020 us=623296 Initialization Sequence Completed

beginning of /etc/openvpn/nordvpn_france.ovpn

client
dev tun
proto udp
remote 45.152.181.131 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no

remote-cert-tls server

auth-user-pass /etc/openvpn/nordvpn_auth.txt
log-append /var/log/openvpn.log
status /var/log/openvpn-status.log
script-security 2
up /etc/openvpn/updns
down /etc/openvpn/downdns
verb 4
pull
fast-io
cipher AES-256-CBC
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----

dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option domain 'chtiloft'

config dhcp 'lan'
	option interface 'lan'
	option dhcpv6 'server'
	option ra 'server'
	option limit '254'
	option start '10'
	option force '1'
	option ra_management '1'
	option leasetime '5m'
	list dhcp_option '6,103.86.96.100,103.86.99.100'
	list dhcp_option '6,8.8.8.8,8.8.4.4'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Thanks for any help!
Take care...

logs
I can't see anything specific, but reading logs and interpreting them is not my forte. Maybe someone sees something there.

/etc/openvpn/nordvpn_france.ovpn
You added at least 2 entries: up /etc/openvpn/updns and down /etc/openvpn/downdns. These are not supplied by NordVPN as far as I know. I don't think this is needed.

/etc/config/dhcp
Your config dhcp 'lan' file contains NordVPN DNS servers and Google DNS servers. This isn't the right place for them. Also you should be fine with just the 2 NordVPN DNS servers.

Have a look at this: 5 steps guide to set up an OpenVPN client with NordVPN in Luci.
This is the easiest way I found to set NordVPN on my router as a client. It is basically the Luci version of the official guide from NordVPN to set a client in OpenWRT (minus the kill switch part).
In case you struggle with creating the network interface, have a look here.

2 Likes

What do the updns and downdns do?
I am not sure if you can add two lines with the same option. If you want all the nameservers to be advertised to the DHCP clients, you need to have them in one line, comma separated.
The option limit 254 is wrong. It is not the last IP but the pool size. Use 244 instead.
OpenVPN seems to initialize properly: Wed Mar 18 23:25:25 2020 us=623296 Initialization Sequence Completed

I have seen 2 references about up and down DNS online: here and here.
I am not sure what they do...

What is in these updns and downdns scripts and where did you get them? OpenWrt tries to avoid up and down scripts by running through netifd / UCI as much as possible.

There really is a golden rule that the further you move away from a default configuration the less likely it is to work.

1 Like

Hi all, thank you for your responses.

@trendy, what do you mean by 2 lines with the same option?
@Darius, I had a look at your links (very interesting) but did not find a solution.
updns

#!/bin/sh
# Keep the resolver file dnsmasq uses, then rebuild it from the options
# OpenVPN exports to --up scripts as foreign_option_1, foreign_option_2, ...
mv /tmp/resolv.conf.auto /tmp/resolv.conf.auto.hold
echo $foreign_option_1 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' > /tmp/resolv.conf.auto
echo $foreign_option_2 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto
echo $foreign_option_3 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto

downdns

#!/bin/sh
# Put back the resolver file that updns moved aside
mv /tmp/resolv.conf.auto.hold /tmp/resolv.conf.auto

/tmp/resolv.conf.auto

# Interface wan
nameserver 103.86.96.100
nameserver 103.86.99.100
nameserver 8.8.8.8
nameserver 8.8.4.4
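The updns/downdns pair above works because OpenVPN exports every option the server pushes as an environment variable named foreign_option_1, foreign_option_2, and so on, and tells the script which event fired through script_type. As an added example (this is not the thread's script nor Le Crabe's), here is one script that serves as both the up and the down hook: it converts all pushed DNS options, not just the first three, keeps a copy of the previous resolver file, and refuses to replace a working resolver file with an empty one when the server pushed no DNS at all. The path /tmp/resolv.conf.auto is the file dnsmasq reads on OpenWrt 19.07; that is an assumption and can be overridden with the RESOLV variable.

```shell
#!/bin/sh
# Added example (not the thread's updns/downdns): one script for both the
# OpenVPN --up and --down events.  OpenVPN exports every pushed option as
# foreign_option_1, foreign_option_2, ... and the event name as script_type.
# Use from the .ovpn with:  script-security 2 / up <path> / down <path>

# Resolver file dnsmasq reads on OpenWrt 19.07 (assumption; override via RESOLV).
RESOLV=${RESOLV:-/tmp/resolv.conf.auto}

# Translate foreign_option_N into resolv.conf lines; stops at the first unset one.
foreign_options_to_resolv() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)    echo "nameserver ${opt#dhcp-option DNS }" ;;
            "dhcp-option DOMAIN "*) echo "domain ${opt#dhcp-option DOMAIN }" ;;
            *) ;;   # other pushed options (WINS, NBT, ...) are not resolver settings
        esac
        i=$((i + 1))
    done
    return 0
}

# Write the pushed resolvers to $1, keeping the previous file as $1.hold.
# Returns 1 and changes nothing when the server pushed no DNS server,
# so a working resolver file is never replaced by an empty one.
write_resolv_from_foreign_options() {
    out=$1
    tmp="$out.tmp.$$"
    foreign_options_to_resolv > "$tmp"
    if ! grep -q '^nameserver ' "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if [ -f "$out" ] && [ ! -f "$out.hold" ]; then
        cp "$out" "$out.hold"
    fi
    mv "$tmp" "$out"
}

# Put the pre-VPN resolver file back (no-op if there is nothing to restore).
restore_resolv() {
    out=$1
    if [ -f "$out.hold" ]; then
        mv "$out.hold" "$out"
    fi
    return 0
}

# Only act when OpenVPN calls us; sourcing the file for tests does nothing.
case "${script_type:-}" in
    up)   write_resolv_from_foreign_options "$RESOLV" ;;
    down) restore_resolv "$RESOLV" ;;
esac
```

Pointing both the up and down directives at this one file keeps the two halves in sync, and the guard in write_resolv_from_foreign_options is what the original updns lacks: the original always moves the current file aside, so a connection that pushes nothing leaves dnsmasq with an empty upstream list.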

I mean this

list dhcp_option '6,103.86.96.100,103.86.99.100'
list dhcp_option '6,8.8.8.8,8.8.4.4'
1 Like

@trendy
I suppose it is correct.

Network > Interfaces > LAN > DHCP Server > Advanced Settings tab, the example defines it as done.

I have deleted the lines referring to the up & down scripts, but same result.

I am not sure it is, or which line the dhcpd will pick up to send to the users.
Use: 6,103.86.96.100,103.86.99.100,8.8.8.8,8.8.4.4 if you must use all 4 of them.
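Both of trendy's points about the posted /etc/config/dhcp (limit is a pool size, and DNS servers belong in one comma-separated dhcp_option list) can be checked mechanically. The script below is an added example, not something from the thread or from OpenWrt: it parses the 'lan' stanza of a /etc/config/dhcp file with awk and reports the two problems. It assumes a /24 LAN, which is what the 192.168.0.1 gateway in the log suggests, and the sample stanzas are constructed to mirror the one posted above.

```shell
#!/bin/sh
# Added example, not from the thread: lint the 'lan' pool in an OpenWrt
# /etc/config/dhcp for the two problems discussed above.
#   - 'limit' is the pool size, so start + limit - 1 must stay <= 254 in a /24
#   - several "list dhcp_option '6,...'" lines must be merged into one list
# Prints one finding per line; the return code is the number of findings.
check_dhcp_lan() {
    awk -v q="'" '
        function unq(s) { gsub(q, "", s); return s }
        /^config /      { in_lan = ($2 == "dhcp" && $3 == q "lan" q) }
        in_lan && $1 == "option" && $2 == "start" { start = unq($3) }
        in_lan && $1 == "option" && $2 == "limit" { limit = unq($3) }
        in_lan && $1 == "list" && $2 == "dhcp_option" && unq($3) ~ /^6,/ { dns6++ }
        END {
            n = 0
            if (start != "" && limit != "" && start + limit - 1 > 254) {
                printf "limit %s is a pool size: start %s + limit %s ends at .%d, beyond .254\n", limit, start, limit, start + limit - 1
                n++
            }
            if (dns6 > 1) {
                printf "%d dhcp_option entries for code 6: merge them into one comma-separated list\n", dns6
                n++
            }
            exit n
        }' "$1"
}

# Constructed sample mirroring the stanza posted in this thread.
sample_dhcp_config_broken() {
    cat <<'EOF'
config dhcp 'lan'
	option interface 'lan'
	option limit '254'
	option start '10'
	list dhcp_option '6,103.86.96.100,103.86.99.100'
	list dhcp_option '6,8.8.8.8,8.8.4.4'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
EOF
}

# The same stanza with the fixes applied (pool size 244, one merged list).
sample_dhcp_config_fixed() {
    cat <<'EOF'
config dhcp 'lan'
	option interface 'lan'
	option limit '244'
	option start '10'
	list dhcp_option '6,103.86.96.100,103.86.99.100'
EOF
}

# On the router:  sh check_dhcp.sh /etc/config/dhcp
if [ -n "${1:-}" ]; then
    check_dhcp_lan "$1"
fi
```

With start 10 and limit 254 the pool would end at .263, which does not exist in a /24; start 10 with limit 244 ends at .253 and passes. The return code makes the check usable from a shell one-liner after every UCI edit.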

.ovpn file

log-append /var/log/openvpn.log
status /var/log/openvpn-status.log
script-security 2

Where are these lines coming from? Like the up and down DNS scripts, they are not part of the original NordVPN .ovpn afaik. Let us know why you added them.

DNS servers
NordVPN advises to set the DNS servers in Network > Interfaces > WAN > Advanced Settings (5th step in my guide). Is there any specific reason why you want to set the DNS servers in the LAN interface? Let us know what you are trying to achieve here.

Although it is your choice, I don't see a point using Google DNS if you have already set NordVPN DNS.
The NordVPN guide says either, not both. Again, let us know what you are trying to achieve, because, maybe, in your case, my advice is not the right one.

Like mk24 said, you may have tweaked too many things now for it to work properly. If I were you, I'd start over again with VPN install.

About the .ovpn file, my entry point was a tutorial https://lecrabeinfo.net/installer-configurer-client-openvpn-sur-routeur-wi-fi-openwrt.html (sorry, in French).
So I have removed

log-append /var/log/openvpn.log
status /var/log/openvpn-status.log
script-security 2

OK, I am going to work again regarding the NordVPN guide.
It indicates that Google DNS is an option. Also removed from my file.

==> same failed result.

Maybe something is not correct here??

Do a traceroute (or mtr) from the router and from a host in the LAN towards 8.8.8.8. Does it reach the destination?
Do an nslookup from the router and from a host in the LAN: nslookup www.openwrt.org
Post the results here.

Thanks for sharing the tutorial from Le Crabe, I will have to read it thoroughly tomorrow.
While it seems to be detailed and has clear instructions, it was written in 2018 and last updated in early 2019.
The OpenVPN client in OpenWRT has changed a bit since then and the install instructions can be simplified.

Are you looking to use the command line or would you rather use the Luci WebUI?
I'll try to provide instructions accordingly.

From a machine on the LAN

nslookup www.openwrt.org
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
www.openwrt.org canonical name = wiki-01.infra.openwrt.org.
Name:   wiki-01.infra.openwrt.org
Address: 139.59.209.225
Name:   wiki-01.infra.openwrt.org
Address: 2a03:b0c0:3:d0::1af1:1

From OpenWrt

Server:		127.0.0.1
Address:	127.0.0.1#53

Name:      openwrt.org
Address 1: 139.59.209.225
*** Can't find openwrt.org: No answer

Oops!!!

It's working fine. The nameserver that you have configured in OpenWrt is not resolving the IPv6 address though.

Hello @Darius. Hope all is fine for you & the community!

I am comfortable with command lines.
It would be fine if you can find what is wrong. I tried many things, but was not able to solve it.

Take care.
Sincerely

Hi Arnaud,

SET UP
Follow this guide to set up your VPN client with Luci.
In Le Crabe's guide:

  • 2 - this is the 2nd instruction of my stage 2. With NordVPN, no need to modify the .ovpn you download.
  • 3.1 - this is my stage 1
  • 3.2 - this is the 3rd and 4th instruction of my stage 2. No need to rename any file or replace any path.
  • 3.3 - this is 5th, 6th, 7th, 8th and 9th instruction of my stage 2
  • 3.4 - this is my stage 3
  • 3.5 - this is my stage 5, I don't think the updns and downdns scripts are required.
  • 3.6 - not included in my guide, but OpenVPN logs will appear in System Logs anyway.
  • 3.7 - this is my stage 4
  • 3.8 - I don't see a point setting DNS servers other than NordVPN's. If you are already trusting NordVPN over your ISP with your internet traffic, then there is no reason not to trust their DNS servers too. You could argue that, often, you actually reduce your risk of leaking DNS if you stick with your VPN DNS servers, but that's another topic. From my experience, NordVPN DNS servers are fast and don't create issues.
  • 4 - it's the very final step of my guide
  • 5 - not in my guide yet, this is a good practice obviously.

VERIFICATIONS
Once you have gone through the 5 steps of my guide, your VPN client is hopefully working.
If not, share the following with us again:
/etc/config/openvpn
/etc/config/firewall
/etc/config/network
Make sure to redact or change personal information like username or password if there is any.
Everything you set up should appear in these files.

OTHER CONSIDERATIONS

  • in step 3, I had to edit the vpn interface section in /etc/config/network to make sure the proto option was listed first. On my Linksys WRT32X router I found that, using Luci, the proto option was listed after the ifname option. That prevented the VPN client from working for some reason. I don't know if it is a problem with my router model or an issue with Luci or... with me!
  • sometimes, if you tweaked a system too much, you are better off reinstalling everything from scratch. It may take less time than trying to troubleshoot your problems.
  • for the time being, I haven't included instructions for setting up a kill switch; I can cover this once your setup is working
  • if you want to double check you got the instructions right, you can send me personal messages in either French or English.
1 Like