9 Jun 2020 07:33
Hi, I checked it and I think you are missing a small part for dnsmasq with the internal DNS servers. I'm using dnsmasq as well and so far it has been working very well. I hope my comment below will help you.

Martin

On 08. 06. 20 23:12, Carlos E. R. wrote:
> Hi,
>
> I'm trying to set up the heroes VPN per the instructions on
> <https://progress.opensuse.org/projects/opensuse-admin-wiki/wiki/VPN>. It
> is the first time I have set up a VPN connection, and I'm stuck on a problem.
>
> My computer was using named; seeing no instructions for named, I
> migrated the named server to another computer, and set up dnsmasq instead.
>
> I can connect, but I get no name resolution of the heroes network.
>
> But first I had to add "script-security 2" to /etc/openvpn/heroes.conf
> or I get this error:
>
>
> ● openvpn@heroes.service - OpenVPN tunneling daemon instance using /etc/openvpn/heroes.conf
>    Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)
>    Active: failed (Result: exit-code) since Mon 2020-06-08 22:19:22 CEST; 18s ago
>   Process: 6829 ExecStart=/usr/sbin/openvpn --daemon --suppress-timestamps --writepid /run/openvpn/heroes.pid --cd /etc/openvpn/ --config heroe>
>  Main PID: 6990 (code=exited, status=1/FAILURE)
>
> Jun 08 22:19:21 Telcontar openvpn[6990]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
> Jun 08 22:19:21 Telcontar openvpn[6990]: /bin/ip link set dev tun0 up mtu 1500
> Jun 08 22:19:21 Telcontar openvpn[6990]: /bin/ip addr add dev tun0 local 192.168.252.185 peer 192.168.252.1
> Jun 08 22:19:22 Telcontar openvpn[6990]: heroes/client.up tun0 1500 1553 192.168.252.185 192.168.252.1 init
> Jun 08 22:19:22 Telcontar openvpn[6990]: WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --h>
> Jun 08 22:19:22 Telcontar openvpn[6990]: WARNING: Failed running command (--up/--down): external program fork failed

This means that an external program did not work, probably some fork in the up script.

> Jun 08 22:19:22 Telcontar openvpn[6990]: Exiting due to fatal error
> Jun 08 22:19:22 Telcontar systemd[1]: openvpn@heroes.service: Main process exited, code=exited, status=1/FAILURE
> Jun 08 22:19:22 Telcontar systemd[1]: openvpn@heroes.service: Unit entered failed state.
> Jun 08 22:19:22 Telcontar systemd[1]: openvpn@heroes.service: Failed with result 'exit-code'.
>
>
> Perhaps that tidbit can be added to the wiki, or I did something wrong? :-?
>
>
> Current result is this:
>
>
> Telcontar:/etc/openvpn # systemctl start openvpn@heroes
> Enter Auth Username: *****
> Enter Auth Password: ***********
> Telcontar:/etc/openvpn # systemctl status openvpn@heroes
> ● openvpn@heroes.service - OpenVPN tunneling daemon instance using /etc/openvpn/heroes.conf
>    Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)
>    Active: active (running) since Mon 2020-06-08 22:25:54 CEST; 2s ago
>   Process: 7303 ExecStart=/usr/sbin/openvpn --daemon --suppress-timestamps --writepid /run/openvpn/heroes.pid --cd /etc/openvpn/ --config heroe>
>  Main PID: 7327 (openvpn)
>     Tasks: 1
>    CGroup: /system.slice/system-openvpn.slice/openvpn@heroes.service
>            └─7327 /usr/sbin/openvpn --daemon --suppress-timestamps --writepid /run/openvpn/heroes.pid --cd /etc/openvpn/ --config heroes.conf
>
> Jun 08 22:25:54 Telcontar openvpn[7327]: [scar.opensuse.org] Peer Connection Initiated with [AF_INET]195.135.221.151:1194
> Jun 08 22:25:55 Telcontar openvpn[7327]: TUN/TAP device tun0 opened
> Jun 08 22:25:55 Telcontar openvpn[7327]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
> Jun 08 22:25:55 Telcontar openvpn[7327]: /bin/ip link set dev tun0 up mtu 1500
> Jun 08 22:25:55 Telcontar openvpn[7327]: /bin/ip addr add dev tun0 local 192.168.252.185 peer 192.168.252.1
> Jun 08 22:25:55 Telcontar openvpn[7327]: heroes/client.up tun0 1500 1553 192.168.252.185 192.168.252.1 init
> Jun 08 22:25:55 Telcontar root[7336]: client-up starts for tun0, found DNS servers 192.168.47.101 192.168.47.102 and wrote them into /etc/dnsma>
> Jun 08 22:25:55 Telcontar openvpn[7327]: GID set to nobody
> Jun 08 22:25:55 Telcontar openvpn[7327]: UID set to nobody
> Jun 08 22:25:55 Telcontar openvpn[7327]: Initialization Sequence Completed
> Telcontar:/etc/openvpn # route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         router.valinor  0.0.0.0         UG    0      0        0 eth0
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 192.168.47.0    192.168.252.1   255.255.255.0   UG    0      0        0 tun0
> 192.168.67.0    192.168.252.1   255.255.255.0   UG    0      0        0 tun0
> 192.168.252.0   192.168.252.1   255.255.255.0   UG    0      0        0 tun0
> 192.168.252.1   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
> Telcontar:/etc/openvpn # host freeipa.infra.opensuse.org
> Host freeipa.infra.opensuse.org not found: 2(SERVFAIL)
> Telcontar:/etc/openvpn # host -v freeipa.infra.opensuse.org
> Trying "freeipa.infra.opensuse.org"
> Host freeipa.infra.opensuse.org not found: 2(SERVFAIL)
> Received 44 bytes from 127.0.0.1#53 in 1770 ms
> Telcontar:/etc/openvpn # host opensuse.org
> opensuse.org has address 195.135.221.140
> opensuse.org has IPv6 address 2001:67c:2178:8::16
> opensuse.org mail is handled by 42 mx1.suse.de.
> opensuse.org mail is handled by 42 mx2.suse.de.
> Telcontar:/etc/openvpn #
>
>
> The clue is in the log:
>
> <3.6> 2020-06-08T22:25:19.166052+02:00 Telcontar systemd 1 - - Starting OpenVPN tunneling daemon instance using /etc/openvpn/heroes.conf...
> <3.5> 2020-06-08T22:25:19.207636+02:00 Telcontar openvpn 7303 - - OpenVPN 2.4.3 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 20 2017
> <3.5> 2020-06-08T22:25:19.207862+02:00 Telcontar openvpn 7303 - - library versions: OpenSSL 1.1.0i-fips 14 Aug 2018, LZO 2.10
> <3.4> 2020-06-08T22:25:54.471881+02:00 Telcontar openvpn 7327 - - NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
> <3.6> 2020-06-08T22:25:54.472307+02:00 Telcontar systemd 1 - - Started OpenVPN tunneling daemon instance using /etc/openvpn/heroes.conf.
> <3.5> 2020-06-08T22:25:54.473074+02:00 Telcontar openvpn 7327 - - TCP/UDP: Preserving recently used remote address: [AF_INET]195.135.221.151:1194
> <3.5> 2020-06-08T22:25:54.473228+02:00 Telcontar openvpn 7327 - - UDP link local: (not bound)
> <3.5> 2020-06-08T22:25:54.473354+02:00 Telcontar openvpn 7327 - - UDP link remote: [AF_INET]195.135.221.151:1194
> <3.5> 2020-06-08T22:25:54.473469+02:00 Telcontar openvpn 7327 - - NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
> <3.4> 2020-06-08T22:25:54.523161+02:00 Telcontar openvpn 7327 - - WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
> <3.5> 2020-06-08T22:25:54.711623+02:00 Telcontar openvpn 7327 - - [scar.opensuse.org] Peer Connection Initiated with [AF_INET]195.135.221.151:1194
> <3.5> 2020-06-08T22:25:55.764114+02:00 Telcontar openvpn 7327 - - TUN/TAP device tun0 opened
> <3.5> 2020-06-08T22:25:55.764383+02:00 Telcontar openvpn 7327 - - do_ifconfig, tt->did_ifconfig_ipv6_setup=0
> <3.5> 2020-06-08T22:25:55.764557+02:00 Telcontar openvpn 7327 - - /bin/ip link set dev tun0 up mtu 1500
> <3.6> 2020-06-08T22:25:55.764774+02:00 Telcontar systemd-udevd 7331 - - link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
> <3.5> 2020-06-08T22:25:55.765377+02:00 Telcontar openvpn 7327 - - /bin/ip addr add dev tun0 local 192.168.252.185 peer 192.168.252.1
> <3.5> 2020-06-08T22:25:55.766533+02:00 Telcontar openvpn 7327 - - heroes/client.up tun0 1500 1553 192.168.252.185 192.168.252.1 init
> <1.5> 2020-06-08T22:25:55.800899+02:00 Telcontar root - - - client-up starts for tun0, found DNS servers 192.168.47.101 192.168.47.102 and wrote them into /etc/dnsmasq.servers.conf
> <3.6> 2020-06-08T22:25:55.832258+02:00 Telcontar systemd 1 - - Stopping DNS caching server....
> <3.6> 2020-06-08T22:25:55.832516+02:00 Telcontar dnsmasq 23896 - - exiting on receipt of SIGTERM

This part points to the dnsmasq service.

> <3.6> 2020-06-08T22:25:55.837409+02:00 Telcontar systemd 1 - - Stopped DNS caching server..
> <3.6> 2020-06-08T22:25:55.838505+02:00 Telcontar systemd 1 - - Starting DNS caching server....
> <3.6> 2020-06-08T22:25:55.874424+02:00 Telcontar dnsmasq 7339 - - dnsmasq: syntax check OK.
> <3.6> 2020-06-08T22:25:55.904044+02:00 Telcontar systemd 1 - - Started DNS caching server..
> <3.6> 2020-06-08T22:25:55.904671+02:00 Telcontar dnsmasq 7341 - - started, version 2.78 cachesize 2000
> <3.6> 2020-06-08T22:25:55.904843+02:00 Telcontar dnsmasq 7341 - - compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
> <3.6> 2020-06-08T22:25:55.904955+02:00 Telcontar dnsmasq 7341 - - DBus support enabled: connected to system bus
> <3.6> 2020-06-08T22:25:55.905060+02:00 Telcontar dnsmasq 7341 - - asynchronous logging enabled, queue limit is 5 messages
> <3.6> 2020-06-08T22:25:55.905167+02:00 Telcontar dnsmasq 7341 - - using local addresses only for domain valinor
> <3.6> 2020-06-08T22:25:55.905288+02:00 Telcontar dnsmasq 7341 - - using nameserver 192.168.1.16#53 for domain valinor
> <3.6> 2020-06-08T22:25:55.905434+02:00 Telcontar dnsmasq 7341 - - using nameserver 1.0.0.1#53
> <3.6> 2020-06-08T22:25:55.905574+02:00 Telcontar dnsmasq 7341 - - using nameserver 1.1.1.1#53
> <3.6> 2020-06-08T22:25:55.905723+02:00 Telcontar dnsmasq 7341 - - using nameserver 80.58.61.254#53
> <3.6> 2020-06-08T22:25:55.905868+02:00 Telcontar dnsmasq 7341 - - using nameserver 80.58.61.250#53
> <3.6> 2020-06-08T22:25:55.906010+02:00 Telcontar dnsmasq 7341 - - reading /etc/resolv.conf
> <3.6> 2020-06-08T22:25:55.906139+02:00 Telcontar dnsmasq 7341 - - using local addresses only for domain valinor
> <3.6> 2020-06-08T22:25:55.906240+02:00 Telcontar dnsmasq 7341 - - using nameserver 192.168.1.16#53 for domain valinor
> <3.6> 2020-06-08T22:25:55.906351+02:00 Telcontar dnsmasq 7341 - - using nameserver 1.0.0.1#53
> <3.6> 2020-06-08T22:25:55.906455+02:00 Telcontar dnsmasq 7341 - - using nameserver 1.1.1.1#53
> <3.6> 2020-06-08T22:25:55.906574+02:00 Telcontar dnsmasq 7341 - - using nameserver 80.58.61.254#53
> <3.6> 2020-06-08T22:25:55.906687+02:00 Telcontar dnsmasq 7341 - - using nameserver 80.58.61.250#53
> <3.4> 2020-06-08T22:25:55.906798+02:00 Telcontar dnsmasq 7341 - - ignoring nameserver 127.0.0.1 - local interface
> <3.6> 2020-06-08T22:25:55.906922+02:00 Telcontar dnsmasq 7341 - - read /etc/hosts - 38 addresses
> <3.5> 2020-06-08T22:25:55.907041+02:00 Telcontar openvpn 7327 - - GID set to nobody
> <3.5> 2020-06-08T22:25:55.907181+02:00 Telcontar openvpn 7327 - - UID set to nobody
> <3.5> 2020-06-08T22:25:55.913284+02:00 Telcontar openvpn 7327 - - Initialization Sequence Completed
> <3.6> 2020-06-08T22:28:31.643404+02:00 Telcontar smartd 1375 - - Device: /dev/sda [SAT], SMART Usage Attribute: 190 Airflow_Temperature_Cel changed from 62 to 63
>
>
> Notice it says:
>
> ... client-up starts for tun0, found DNS servers 192.168.47.101 192.168.47.102 and wrote them into /etc/dnsmasq.servers.conf

You need to create that file, /etc/dnsmasq.servers.conf; in my case it looks like this:

server=/infra.opensuse.org/192.168.47.101
server=/.47.168.192.in-addr.arpa/192.168.47.101
server=/infra.opensuse.org/192.168.47.102
server=/.47.168.192.in-addr.arpa/192.168.47.102

> but that file does not exist:
>
> Telcontar:/etc/openvpn # l /etc/dnsmasq.servers.conf
> ls: cannot access '/etc/dnsmasq.servers.conf': No such file or directory
> Telcontar:/etc/openvpn #
>
>
> There are no aa-logprof entries.
>
>
> I have connectivity:
>
> Telcontar:/etc/openvpn # ping 192.168.47.101
> PING 192.168.47.101 (192.168.47.101) 56(84) bytes of data.
> 64 bytes from 192.168.47.101: icmp_seq=1 ttl=63 time=49.7 ms
> 64 bytes from 192.168.47.101: icmp_seq=2 ttl=63 time=50.0 ms
> ^C
> --- 192.168.47.101 ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 1001ms
> rtt min/avg/max/mdev = 49.712/49.884/50.057/0.282 ms
> Telcontar:/etc/openvpn #
>
>
> Where do I look? Clues, ideas, errors? :-)
>
>
> I see something confusing in /etc/openvpn/heroes/client.up
>
>
> ...
> for server in ${dns_server[*]}; do
>   echo "server=/infra.opensuse.org/$server"
>   echo "server=/.47.168.192.in-addr.arpa/$server"
> done >/etc/dnsmasq.opensuseservers.conf
> # for the debug enable this:
> #cat /etc/dnsmasq.servers.conf |logger

Looks fine, I have the same. After this line (that is just logging)

echo "client-up starts for "${dev}", found DNS servers "${dns_server[*]}" and wrote them into /etc/dnsmasq.servers.conf" |logger

there should be a restart of dnsmasq like this:

/bin/systemctl restart dnsmasq.service

In the file /etc/dnsmasq.conf check if you have the include set like:

# Include all files in a directory which end in .conf
conf-dir=/etc/dnsmasq.d/,*.conf

Once you start the VPN there should be a new file like this one:

cat /etc/dnsmasq.d/opensuse.conf
domain-needed
# Resolve VPN gates by well known nameservers to avoid problems
server=/scar.opensuse.org/8.8.8.8
# These servers will be always resolved by original name servers. You can add more here...
except-interface=virbr0,tun0,br0
no-dhcp-interface=
bind-interfaces
# In this file we specify what domains to resolve with SUSE nameservers
conf-file=/etc/dnsmasq.opensuseservers.conf

And also please check your down script. It can look like this example:

#!/bin/bash
# Remove Heroes internal name servers
>/etc/dnsmasq.servers.conf
/bin/systemctl try-restart dnsmasq.service
echo "client-down set empty file etc/dnsmasq.servers.conf and reload the dnsmasq service" |logger
exit 0

Martin

> It writes to /etc/dnsmasq.opensuseservers.conf, then mentions /etc/dnsmasq.servers.conf? :-?
>
>
> Another unrelated question: should I close the tunnel when sending the machine on suspend/hibernation?
>
>
> --
> Cheers.

--
To unsubscribe, e-mail: heroes+unsubscribe@opensuse.org
To contact the owner, e-mail: heroes+owner@opensuse.org
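As an added example (not the heroes project's own client.up/client.down scripts, and not code posted by anyone in this thread), here is one way to write the up and down halves so that they agree on a single file name, refuse malformed resolver addresses pushed by the VPN server, and restart dnsmasq after the file changes, which is the step the log above shows was missing. The domain infra.opensuse.org, the .47.168.192.in-addr.arpa reverse zone and the two resolver addresses are taken from the thread; SERVERS_FILE, RESTART_CMD, the function names, and the use of OpenVPN's script_type and foreign_option_N environment variables are my assumptions about how such a script is wired up.

```shell
#!/bin/bash
# Added example, not the heroes project's client.up/client.down.
# One script serves as both --up and --down: OpenVPN sets $script_type to
# "up" or "down" and exports pushed resolvers as
# foreign_option_N='dhcp-option DNS a.b.c.d' (OpenVPN's environment,
# not shown in the thread).

# Single source of truth for the file name: the thread shows the up
# script writing one name while its log message names another.
SERVERS_FILE="${SERVERS_FILE:-/etc/dnsmasq.opensuseservers.conf}"
RESTART_CMD="${RESTART_CMD:-/bin/systemctl try-restart dnsmasq.service}"
INTERNAL_DOMAIN="infra.opensuse.org"          # from the thread
REVERSE_ZONE=".47.168.192.in-addr.arpa"       # from the thread

# Print the resolvers pushed by the VPN server, one per line.
collect_pushed_dns() {
    env | sed -n 's/^foreign_option_[0-9]*=dhcp-option DNS //p'
}

# Accept only a dotted-quad IPv4 address. The values come from the remote
# server's push options, so a root-run script must not splice them into a
# config file unchecked.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|""|.*|*.|*..*) return 1 ;;
    esac
    local IFS=. n count=0
    for n in $1; do
        [ "$n" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# Write a forward and a reverse "server=" line per resolver, atomically,
# so dnsmasq never reads a half-written file.
# Usage: write_internal_servers 192.168.47.101 192.168.47.102
write_internal_servers() {
    [ "$#" -gt 0 ] || return 1
    local server tmp
    for server in "$@"; do
        is_ipv4 "$server" || return 1
    done
    tmp="$(mktemp "${SERVERS_FILE}.XXXXXX")" || return 1
    for server in "$@"; do
        printf 'server=/%s/%s\n' "$INTERNAL_DOMAIN" "$server"
        printf 'server=/%s/%s\n' "$REVERSE_ZONE" "$server"
    done > "$tmp"
    chmod 0644 "$tmp" && mv "$tmp" "$SERVERS_FILE"
}

# Empty the file so dnsmasq falls back to the resolvers in /etc/resolv.conf.
clear_internal_servers() {
    : > "$SERVERS_FILE"
}

# Check that dnsmasq actually includes SERVERS_FILE, either directly in
# /etc/dnsmasq.conf or via a snippet under /etc/dnsmasq.d; otherwise
# writing the file changes nothing, which is the failure seen in the thread.
dnsmasq_includes_servers_file() {
    [ "$#" -gt 0 ] || set -- /etc/dnsmasq.conf /etc/dnsmasq.d/*.conf
    grep -qsxF -- "conf-file=$SERVERS_FILE" "$@"
}

# Dispatch when run by OpenVPN; does nothing when sourced for testing.
case "${script_type:-}" in
    up)
        # word-splitting of the command substitution is intended here
        write_internal_servers $(collect_pushed_dns) || exit 1
        logger -t client-up "wrote resolvers into $SERVERS_FILE"
        $RESTART_CMD
        ;;
    down)
        clear_internal_servers
        logger -t client-down "emptied $SERVERS_FILE"
        $RESTART_CMD
        ;;
esac
```

Install it as both the up and down script in heroes.conf (OpenVPN still needs script-security 2 to run it), and run dnsmasq_includes_servers_file once by hand after editing /etc/dnsmasq.conf: if it fails, the file the up script writes is not read, no matter how many times dnsmasq is restarted.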