Openvpn problem: DNS leak fix causes: Failed running command (--up/--down): could not execute external program

Hi everyone

I am encountering numerous errors attempting to use my OVPN openvpn configuration file in conjunction with the openvpn client installed on my router.

From the system logs this is what I am encountering

Sat Jan 28 14:07:11 2023 daemon.err openvpn(samopenvpn)[25359]: WARNING: Failed running command (--up/--down): could not execute external program
Sat Jan 28 14:07:11 2023 daemon.notice openvpn(samopenvpn)[25359]: Exiting due to fatal error

Here are some salient points about this (note, point number four (4) is very important as it pertains to a slight modification of my ovpn config)

  1. My equipment MR8300 Linksys router installed with openwrt (no issues with luci)

  2. I have followed this guide which includes installation of openvpn client on openwrt. This has been tested with other OVPN files and it is working.

  3. I have tested my current ovpn config on numerous desktop machines using openvpn as a client software without issue.

  4. My current ovpn file was modified to include the following lines of code beneath script-security-2

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

This was done according to the widely circulated recommendation to resolve DNS requests bypassing the VPN and causing DNS leaks. This fixed the DNS leaks for the windows and apple openvpn clients that I tested; but not the openwrt client.

Does anyone have any recommendations on how to debug this? I have SSH access to the server in which the openvpn server is installed. What is most puzzling about this is the DNS leaks are effectively fixed with the above amendments to the code (including the 'up' and 'down' commands inside the config.) Just.. the fix doesn't work for openwrt.

What is the output of

ls -la /etc/openvpn/update-resolv-conf
cat /etc/openvpn/update-resolv-conf

Do you mean the client (openwrt router) or the server? Neither the server nor the client has this file.

Problem solved :cowboy_hat_face:

2 Likes

I am not sure what is required as a fix for this.

I see a wide range of threads on this subject, including some openwrt guides such as this one.

But the link to the guide above doesn't make it clear what needs changed on the OpenVPN server versus client. Which one needs changed? I am interpreting the guide referring to the openvpn server being on openwrt itself, which is not the case for me since my plan is for the entire router itself and all subsequent traffic downstream of it to be shrouded as a client of a remote Linux server which has the VPN server which I have already configured.

Since the file doesn't exist on your device, it cannot be launched. Therefore, the fix is to either remove the up/down script call directives from the OpenVPN config file, or to find the file and make sure it is available to be launched when the tunnel is brought up/down.

1 Like

But the up/down script: is it supposed to be located on the router or on the remote server?

The up/down script files must be on whichever device has a config file that calls for them... I don't know if that is the server or client in your case.... but whichever one had the error in the log.

Oh, in that case, it would be my openwrt router.
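
The check the replies above describe, written as an added example that is not part of any post in the thread: run on the device whose log shows the error, it lists each `up`/`down` directive in the config and reports whether the referenced script can actually be executed there. It goes slightly beyond the thread by also checking the `script-security` level, the execute bit and the script's `#!` interpreter. The function name `check_ovpn_scripts` and the demo files are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Checks every up/down hook in an
# OpenVPN config on the device that will run it. Returns 0 if all hooks
# can be executed, 1 if any cannot, 2 if the config is unreadable.
check_ovpn_scripts() {
    conf=$1; rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    # Strip CR first: configs edited on Windows may carry CRLF line endings.
    hooks=$(awk '{ sub(/\r$/, "") }
        $1 == "up" || $1 == "down" { p = $2; gsub(/"/, "", p); print $1, p }' "$conf")
    level=$(awk '{ sub(/\r$/, "") } $1 == "script-security" { v = $2 }
        END { print v }' "$conf")
    [ -n "$hooks" ] || { echo "no up/down hooks in $conf"; return 0; }
    # OpenVPN's default script-security level is 1; user scripts need 2+.
    [ "${level:-1}" -ge 2 ] || { echo "script-security ${level:-1}: hooks will not run"; rc=1; }
    while read -r hook path; do
        if [ ! -e "$path" ]; then
            echo "$hook: $path does not exist on this device"; rc=1
        elif [ ! -x "$path" ]; then
            echo "$hook: $path is not executable (chmod +x)"; rc=1
        else
            # A script whose #! interpreter is absent also fails to execute.
            interp=$(head -n 1 "$path" | sed -n 's/^#! *\([^ ]*\).*/\1/p')
            if [ -n "$interp" ] && [ ! -x "$interp" ]; then
                echo "$hook: $path needs missing interpreter $interp"; rc=1
            else
                echo "$hook: $path ok"
            fi
        fi
    done <<EOF
$hooks
EOF
    return $rc
}

# Constructed demo: config resembling the thread's, with only "down" present.
demo=$(mktemp -d)
printf '#!/bin/sh\nexit 0\n' > "$demo/down.sh"; chmod +x "$demo/down.sh"
printf 'client\r\nscript-security 2\r\nup %s/up.sh\r\ndown %s/down.sh\r\n' \
    "$demo" "$demo" > "$demo/client.ovpn"
check_ovpn_scripts "$demo/client.ovpn" || echo "=> install the script or remove the directive"
rm -rf "$demo"
```

The path is checked exactly as written in the config, so a relative path is resolved against the directory the check is run from.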