Hi,

I'm trying to set up the heroes VPN per the instructions on
<https://progress.opensuse.org/projects/opensuse-admin-wiki/wiki/VPN>.

It is the first time I set up a VPN connection, and I got stuck on a problem.

My computer was using named; seeing no instructions for named, I migrated the
named server to another computer, and set up dnsmasq instead.

I can connect, but I get no name resolution of the heroes network.

But first I had to add "script-security 2" to /etc/openvpn/heroes.conf, or I
get this error:

  ● openvpn@heroes.service - OpenVPN tunneling daemon instance using /etc/openvpn/heroes.conf
     Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Mon 2020-06-08 22:19:22 CEST; 18s ago
    Process: 6829 ExecStart=/usr/sbin/openvpn --daemon --suppress-timestamps --writepid /run/openvpn/heroes.pid --cd /etc/openvpn/ --config heroe>
   Main PID: 6990 (code=exited, status=1/FAILURE)

  Jun 08 22:19:21 Telcontar openvpn[6990]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
  Jun 08 22:19:21 Telcontar openvpn[6990]: /bin/ip link set dev tun0 up mtu 1500
  Jun 08 22:19:21 Telcontar openvpn[6990]: /bin/ip addr add dev tun0 local 192.168.252.185 peer 192.168.252.1
  Jun 08 22:19:22 Telcontar openvpn[6990]: heroes/client.up tun0 1500 1553 192.168.252.185 192.168.252.1 init
  Jun 08 22:19:22 Telcontar openvpn[6990]: WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --h>
  Jun 08 22:19:22 Telcontar openvpn[6990]: WARNING: Failed running command (--up/--down): external program fork failed
  Jun 08 22:19:22 Telcontar openvpn[6990]: Exiting due to fatal error
  Jun 08 22:19:22 Telcontar systemd[1]: openvpn@heroes.service: Main process exited, code=exited, status=1/FAILURE
  Jun 08 22:19:22 Telcontar systemd[1]: openvpn@heroes.service: Unit entered failed state.
  Jun 08 22:19:22 Telcontar systemd[1]: openvpn@heroes.service: Failed with result 'exit-code'.

Perhaps that tidbit can be added to the wiki, or did I do something wrong? :-?

Current result is this:

  Telcontar:/etc/openvpn # systemctl start openvpn@heroes
  Enter Auth Username: *****
  Enter Auth Password: ***********
  Telcontar:/etc/openvpn # systemctl status openvpn@heroes
  ● openvpn@heroes.service - OpenVPN tunneling daemon instance using /etc/openvpn/heroes.conf
     Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)
     Active: active (running) since Mon 2020-06-08 22:25:54 CEST; 2s ago
    Process: 7303 ExecStart=/usr/sbin/openvpn --daemon --suppress-timestamps --writepid /run/openvpn/heroes.pid --cd /etc/openvpn/ --config heroe>
   Main PID: 7327 (openvpn)
      Tasks: 1
     CGroup: /system.slice/system-openvpn.slice/openvpn@heroes.service
             └─7327 /usr/sbin/openvpn --daemon --suppress-timestamps --writepid /run/openvpn/heroes.pid --cd /etc/openvpn/ --config heroes.conf

  Jun 08 22:25:54 Telcontar openvpn[7327]: [scar.opensuse.org] Peer Connection Initiated with [AF_INET]195.135.221.151:1194
  Jun 08 22:25:55 Telcontar openvpn[7327]: TUN/TAP device tun0 opened
  Jun 08 22:25:55 Telcontar openvpn[7327]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
  Jun 08 22:25:55 Telcontar openvpn[7327]: /bin/ip link set dev tun0 up mtu 1500
  Jun 08 22:25:55 Telcontar openvpn[7327]: /bin/ip addr add dev tun0 local 192.168.252.185 peer 192.168.252.1
  Jun 08 22:25:55 Telcontar openvpn[7327]: heroes/client.up tun0 1500 1553 192.168.252.185 192.168.252.1 init
  Jun 08 22:25:55 Telcontar root[7336]: client-up starts for tun0, found DNS servers 192.168.47.101 192.168.47.102 and wrote them into /etc/dnsma>
  Jun 08 22:25:55 Telcontar openvpn[7327]: GID set to nobody
  Jun 08 22:25:55 Telcontar openvpn[7327]: UID set to nobody
  Jun 08 22:25:55 Telcontar openvpn[7327]: Initialization Sequence Completed

  Telcontar:/etc/openvpn # route
  Kernel IP routing table
  Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
  default         router.valinor  0.0.0.0         UG    0      0        0 eth0
  192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
  192.168.47.0    192.168.252.1   255.255.255.0   UG    0      0        0 tun0
  192.168.67.0    192.168.252.1   255.255.255.0   UG    0      0        0 tun0
  192.168.252.0   192.168.252.1   255.255.255.0   UG    0      0        0 tun0
  192.168.252.1   0.0.0.0         255.255.255.255 UH    0      0        0 tun0

  Telcontar:/etc/openvpn # host freeipa.infra.opensuse.org
  Host freeipa.infra.opensuse.org not found: 2(SERVFAIL)
  Telcontar:/etc/openvpn # host -v freeipa.infra.opensuse.org
  Trying "freeipa.infra.opensuse.org"
  Host freeipa.infra.opensuse.org not found: 2(SERVFAIL)
  Received 44 bytes from 127.0.0.1#53 in 1770 ms
  Telcontar:/etc/openvpn # host opensuse.org
  opensuse.org has address 195.135.221.140
  opensuse.org has IPv6 address 2001:67c:2178:8::16
  opensuse.org mail is handled by 42 mx1.suse.de.
  opensuse.org mail is handled by 42 mx2.suse.de.
  Telcontar:/etc/openvpn #

The clue is in the log:

  <3.6> 2020-06-08T22:25:19.166052+02:00 Telcontar systemd 1 - - Starting OpenVPN tunneling daemon instance using /etc/openvpn/heroes.conf...
  <3.5> 2020-06-08T22:25:19.207636+02:00 Telcontar openvpn 7303 - - OpenVPN 2.4.3 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 20 2017
  <3.5> 2020-06-08T22:25:19.207862+02:00 Telcontar openvpn 7303 - - library versions: OpenSSL 1.1.0i-fips 14 Aug 2018, LZO 2.10
  <3.4> 2020-06-08T22:25:54.471881+02:00 Telcontar openvpn 7327 - - NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
  <3.6> 2020-06-08T22:25:54.472307+02:00 Telcontar systemd 1 - - Started OpenVPN tunneling daemon instance using /etc/openvpn/heroes.conf.
  <3.5> 2020-06-08T22:25:54.473074+02:00 Telcontar openvpn 7327 - - TCP/UDP: Preserving recently used remote address: [AF_INET]195.135.221.151:1194
  <3.5> 2020-06-08T22:25:54.473228+02:00 Telcontar openvpn 7327 - - UDP link local: (not bound)
  <3.5> 2020-06-08T22:25:54.473354+02:00 Telcontar openvpn 7327 - - UDP link remote: [AF_INET]195.135.221.151:1194
  <3.5> 2020-06-08T22:25:54.473469+02:00 Telcontar openvpn 7327 - - NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
  <3.4> 2020-06-08T22:25:54.523161+02:00 Telcontar openvpn 7327 - - WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
  <3.5> 2020-06-08T22:25:54.711623+02:00 Telcontar openvpn 7327 - - [scar.opensuse.org] Peer Connection Initiated with [AF_INET]195.135.221.151:1194
  <3.5> 2020-06-08T22:25:55.764114+02:00 Telcontar openvpn 7327 - - TUN/TAP device tun0 opened
  <3.5> 2020-06-08T22:25:55.764383+02:00 Telcontar openvpn 7327 - - do_ifconfig, tt->did_ifconfig_ipv6_setup=0
  <3.5> 2020-06-08T22:25:55.764557+02:00 Telcontar openvpn 7327 - - /bin/ip link set dev tun0 up mtu 1500
  <3.6> 2020-06-08T22:25:55.764774+02:00 Telcontar systemd-udevd 7331 - - link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
  <3.5> 2020-06-08T22:25:55.765377+02:00 Telcontar openvpn 7327 - - /bin/ip addr add dev tun0 local 192.168.252.185 peer 192.168.252.1
  <3.5> 2020-06-08T22:25:55.766533+02:00 Telcontar openvpn 7327 - - heroes/client.up tun0 1500 1553 192.168.252.185 192.168.252.1 init
  <1.5> 2020-06-08T22:25:55.800899+02:00 Telcontar root - - - client-up starts for tun0, found DNS servers 192.168.47.101 192.168.47.102 and wrote them into /etc/dnsmasq.servers.conf
  <3.6> 2020-06-08T22:25:55.832258+02:00 Telcontar systemd 1 - - Stopping DNS caching server....
  <3.6> 2020-06-08T22:25:55.832516+02:00 Telcontar dnsmasq 23896 - - exiting on receipt of SIGTERM
  <3.6> 2020-06-08T22:25:55.837409+02:00 Telcontar systemd 1 - - Stopped DNS caching server..
  <3.6> 2020-06-08T22:25:55.838505+02:00 Telcontar systemd 1 - - Starting DNS caching server....
  <3.6> 2020-06-08T22:25:55.874424+02:00 Telcontar dnsmasq 7339 - - dnsmasq: syntax check OK.
  <3.6> 2020-06-08T22:25:55.904044+02:00 Telcontar systemd 1 - - Started DNS caching server..
  <3.6> 2020-06-08T22:25:55.904671+02:00 Telcontar dnsmasq 7341 - - started, version 2.78 cachesize 2000
  <3.6> 2020-06-08T22:25:55.904843+02:00 Telcontar dnsmasq 7341 - - compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
  <3.6> 2020-06-08T22:25:55.904955+02:00 Telcontar dnsmasq 7341 - - DBus support enabled: connected to system bus
  <3.6> 2020-06-08T22:25:55.905060+02:00 Telcontar dnsmasq 7341 - - asynchronous logging enabled, queue limit is 5 messages
  <3.6> 2020-06-08T22:25:55.905167+02:00 Telcontar dnsmasq 7341 - - using local addresses only for domain valinor
  <3.6> 2020-06-08T22:25:55.905288+02:00 Telcontar dnsmasq 7341 - - using nameserver 192.168.1.16#53 for domain valinor
  <3.6> 2020-06-08T22:25:55.905434+02:00 Telcontar dnsmasq 7341 - - using nameserver 1.0.0.1#53
  <3.6> 2020-06-08T22:25:55.905574+02:00 Telcontar dnsmasq 7341 - - using nameserver 1.1.1.1#53
  <3.6> 2020-06-08T22:25:55.905723+02:00 Telcontar dnsmasq 7341 - - using nameserver 80.58.61.254#53
  <3.6> 2020-06-08T22:25:55.905868+02:00 Telcontar dnsmasq 7341 - - using nameserver 80.58.61.250#53
  <3.6> 2020-06-08T22:25:55.906010+02:00 Telcontar dnsmasq 7341 - - reading /etc/resolv.conf
  <3.6> 2020-06-08T22:25:55.906139+02:00 Telcontar dnsmasq 7341 - - using local addresses only for domain valinor
  <3.6> 2020-06-08T22:25:55.906240+02:00 Telcontar dnsmasq 7341 - - using nameserver 192.168.1.16#53 for domain valinor
  <3.6> 2020-06-08T22:25:55.906351+02:00 Telcontar dnsmasq 7341 - - using nameserver 1.0.0.1#53
  <3.6> 2020-06-08T22:25:55.906455+02:00 Telcontar dnsmasq 7341 - - using nameserver 1.1.1.1#53
  <3.6> 2020-06-08T22:25:55.906574+02:00 Telcontar dnsmasq 7341 - - using nameserver 80.58.61.254#53
  <3.6> 2020-06-08T22:25:55.906687+02:00 Telcontar dnsmasq 7341 - - using nameserver 80.58.61.250#53
  <3.4> 2020-06-08T22:25:55.906798+02:00 Telcontar dnsmasq 7341 - - ignoring nameserver 127.0.0.1 - local interface
  <3.6> 2020-06-08T22:25:55.906922+02:00 Telcontar dnsmasq 7341 - - read /etc/hosts - 38 addresses
  <3.5> 2020-06-08T22:25:55.907041+02:00 Telcontar openvpn 7327 - - GID set to nobody
  <3.5> 2020-06-08T22:25:55.907181+02:00 Telcontar openvpn 7327 - - UID set to nobody
  <3.5> 2020-06-08T22:25:55.913284+02:00 Telcontar openvpn 7327 - - Initialization Sequence Completed
  <3.6> 2020-06-08T22:28:31.643404+02:00 Telcontar smartd 1375 - - Device: /dev/sda [SAT], SMART Usage Attribute: 190 Airflow_Temperature_Cel changed from 62 to 63

Notice it says:

  ... client-up starts for tun0, found DNS servers 192.168.47.101 192.168.47.102 and wrote them into /etc/dnsmasq.servers.conf

but that file does not exist:

  Telcontar:/etc/openvpn # l /etc/dnsmasq.servers.conf
  ls: cannot access '/etc/dnsmasq.servers.conf': No such file or directory
  Telcontar:/etc/openvpn #

There are no aa-logprof entries.

I have connectivity:

  Telcontar:/etc/openvpn # ping 192.168.47.101
  PING 192.168.47.101 (192.168.47.101) 56(84) bytes of data.
  64 bytes from 192.168.47.101: icmp_seq=1 ttl=63 time=49.7 ms
  64 bytes from 192.168.47.101: icmp_seq=2 ttl=63 time=50.0 ms
  ^C
  --- 192.168.47.101 ping statistics ---
  2 packets transmitted, 2 received, 0% packet loss, time 1001ms
  rtt min/avg/max/mdev = 49.712/49.884/50.057/0.282 ms
  Telcontar:/etc/openvpn #

Where do I look? Clues, ideas, errors? :-)

I see something confusing in /etc/openvpn/heroes/client.up:

  ...
      for server in ${dns_server[*]}; do
          echo "server=/infra.opensuse.org/$server"
          echo "server=/.47.168.192.in-addr.arpa/$server"
      done >/etc/dnsmasq.opensuseservers.conf
      # for the debug enable this:
      #cat /etc/dnsmasq.servers.conf |logger
  fi
  echo "client-up starts for "${dev}", found DNS servers "${dns_server[*]}" and wrote them into /etc/dnsmasq.servers.conf" |logger

It writes to /etc/dnsmasq.opensuseservers.conf, then mentions /etc/dnsmasq.servers.conf? :-?

Another unrelated question: should I close the tunnel when sending the machine on suspend/hibernation?

--
Cheers.
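The client.up excerpt above runs as an OpenVPN --up hook, which is why the service refused to start until script-security 2 was set, and it builds a dnsmasq "server=" file from the DNS servers the VPN pushes. The script below is an added, stand-alone example of that mechanism, not the heroes client.up script and not from the wiki: it reads the pushed options the way OpenVPN exports them to hook scripts (environment variables foreign_option_1, foreign_option_2, ...), writes the forward and reverse "server=" lines atomically, and uses one file name for both the write and the log message. The output path, the domain, the reverse zone and the sample foreign_option_* values are constructed for the demonstration.

```shell
#!/bin/bash
# Added example (not the heroes client.up script): build a dnsmasq
# "server=" file from the DNS servers OpenVPN pushes to the client.
# OpenVPN exports pushed options to --up scripts as foreign_option_N,
# e.g. foreign_option_1="dhcp-option DNS 192.168.47.101". The hook only
# runs when the client config has "script-security 2" or higher.

# Print every pushed DNS server, one per line, in push order.
pushed_dns_servers() {
    local i=1 opt
    while eval "opt=\${foreign_option_${i}:-}"; [ -n "$opt" ]; do
        case "$opt" in
            "dhcp-option DNS "*) echo "${opt#dhcp-option DNS }" ;;
        esac
        i=$((i + 1))
    done
}

# write_dnsmasq_servers OUTFILE DOMAIN REVZONE
# Writes "server=/DOMAIN/ip" and "server=/REVZONE/ip" for every pushed
# server into OUTFILE via a temp file and rename, so dnsmasq never sees
# a half-written file. Returns 1 (and leaves no file) if nothing was pushed.
write_dnsmasq_servers() {
    local out="$1" domain="$2" revzone="$3" tmp server n=0
    tmp="$(mktemp "${out}.XXXXXX")" || return 1
    for server in $(pushed_dns_servers); do
        printf 'server=/%s/%s\n' "$domain" "$server"
        printf 'server=/%s/%s\n' "$revzone" "$server"
        n=$((n + 1))
    done > "$tmp"
    if [ "$n" -eq 0 ]; then
        rm -f "$tmp"
        return 1
    fi
    chmod 0644 "$tmp" && mv "$tmp" "$out" || return 1
    # Log the same path that was actually written.
    logger -t client-up "wrote $n DNS server(s) into $out" 2>/dev/null || true
    return 0
}

# Constructed sample input: what OpenVPN would export for two pushed
# DNS servers and a pushed search domain (assumed values for the demo).
export foreign_option_1="dhcp-option DNS 192.168.47.101"
export foreign_option_2="dhcp-option DNS 192.168.47.102"
export foreign_option_3="dhcp-option DOMAIN infra.opensuse.org"

# Demo run: write to a temp file instead of /etc so it is safe to execute.
DEMO_OUT="${TMPDIR:-/tmp}/dnsmasq.opensuseservers.conf.demo"
write_dnsmasq_servers "$DEMO_OUT" infra.opensuse.org 47.168.192.in-addr.arpa
cat "$DEMO_OUT"
```

In a real hook the output path would be the file dnsmasq actually includes (conf-file= or a conf-dir= entry) and the script would then restart or reload dnsmasq, as the log in the post shows happening; the point of the example is that the written path and the logged path are one variable, so a mismatch like the one in the excerpt cannot occur, and that nothing is written when the server pushes no DNS options.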