-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Content-ID: <alpine.LSU.2.21.2006091303320.11364@Telcontar.valinor>


On Tuesday, 2020-06-09 at 09:33 +0200, Martin Caj wrote:

> HI,
>
> I checked it and I think you are missing a small part for DNSmasq with the 
> internal DNs servers.
>
> I'm using dnsmas as well and so far it was working very well.
>
>
> I hope my comment bellow will help you
>
>
> Martin
>
>
>
> On 08. 06. 20 23:12, Carlos E. R. wrote:
>> 
>>
>>  Hi,

...

>>  Jun 08 22:19:22 Telcontar openvpn[6990]: heroes/client.up tun0 1500 1553
>>  192.168.252.185 192.168.252.1 init
>>  Jun 08 22:19:22 Telcontar openvpn[6990]: WARNING: External program may not
>>  be called unless '--script-security 2' or higher is enabled. See --h>
>>  Jun 08 22:19:22 Telcontar openvpn[6990]: WARNING: Failed running command
>>  (--up/--down): external program fork failed
> - This means that an external program did not work - probably some fork in 
> the up script.....

This one I found out what it was and corrected it. The file 
"/etc/openvpn/heroes.conf" needs this line:

script-security 2

Maybe this has to be added on the wiki example file.

...


>>  The clue is in the log:
...

>>  <1.5> 2020-06-08T22:25:55.800899+02:00 Telcontar root - - -  client-up
>>  starts for tun0, found DNS servers 192.168.47.101 192.168.47.102 and wrote
>>  them into /etc/dnsmasq.servers.conf
>>  <3.6> 2020-06-08T22:25:55.832258+02:00 Telcontar systemd 1 - -  Stopping
>>  DNS caching server....
>>  <3.6> 2020-06-08T22:25:55.832516+02:00 Telcontar dnsmasq 23896 - - 
>>  exiting on receipt of SIGTERM
> This part point to dnsmasq service.

Yes.


>>
>>  Notice it says:
>>
>>  ... client-up starts for tun0, found DNS servers 192.168.47.101
>>  192.168.47.102 and wrote them into /etc/dnsmasq.servers.conf
>> 
> you need to create that file : /etc/dnsmasq.servers.conf ,

No, that file should be created automatically. That's the point, the 
"/etc/openvpn/heroes/client.up" (copied from the VPN wiki page) creates 
one file, then writes to the log that it created another file, which does 
not exist.


Look, this is the file, copied from our VPN wiki page:

#!/bin/bash
#dnsmasq version
shopt -o -s noglob
dev=$1
if test -x /sbin/netconfig -a -n "${dev}" ; then
      dns_server=()
      for fopt in ${!foreign_option_*} ; do
        test -n "${!fopt}" || continue
        data=(${!fopt})
        test "${data[0]}" = "dhcp-option" && \
        case "${data[1]}" in
          DNS)          dns_server+=("${data[2]}")  ;;
        esac
      done
      for server in ${dns_server[*]}; do
        echo "server=/infra.opensuse.org/$server"
        echo "server=/.47.168.192.in-addr.arpa/$server"
      done >/etc/dnsmasq.opensuseservers.conf
   # for the debug enable this:
   #cat /etc/dnsmasq.servers.conf |logger
fi
echo "client-up starts for "${dev}", found DNS servers "${dns_server[*]}" and wrote them into /etc/dnsmasq.servers.conf" |logger
if [ -e /etc/init.d/dnsmasq ] ; then
     /etc/init.d/dnsmasq restart
else
     /bin/systemctl restart dnsmasq.service
fi
exit 0



You see, it writes the file "/etc/dnsmasq.opensuseservers.conf", but then
says in the log that it wrote "/etc/dnsmasq.servers.conf" file instead -
which does not exist.


That file contains the same as your file:

Telcontar:/etc/openvpn # cat /etc/dnsmasq.opensuseservers.conf
server=/infra.opensuse.org/192.168.47.101
server=/.47.168.192.in-addr.arpa/192.168.47.101
server=/infra.opensuse.org/192.168.47.102
server=/.47.168.192.in-addr.arpa/192.168.47.102
Telcontar:/etc/openvpn #


>
> in my case it looks like this:
>
> server=/infra.opensuse.org/192.168.47.101
> server=/.47.168.192.in-addr.arpa/192.168.47.101
> server=/infra.opensuse.org/192.168.47.102
> server=/.47.168.192.in-addr.arpa/192.168.47.102


However, I think that is just a typo in the client.up with no effect but
wrong log entry.  The problem why I don't get name solving must be something
else.



>  # Include all files in a directory which end in .conf
>  conf-dir=/etc/dnsmasq.d/,*.conf
>
>
> once  you start the vpn there should be new file like this one:
>
> cat /etc/dnsmasq.d/opensuse.conf
>
> domain-needed
> # Resolve VPN gates by well known nameservers to avoid problems
> server=/scar.opensuse.org/8.8.8.8
> # These servers will be always resolved by original name servers. You can add 
> more here...
> except-interface=virbr0,tun0,br0
> no-dhcp-interface=
> bind-interfaces
> # In this file we specify what domains to resolve with SUSE nameservers
> conf-file=/etc/dnsmasq.opensuseservers.conf


Yes, I have:

/etc/dnsmasq.d/opensuse.conf 
#server=/scar.opensuse.org/8.8.8.8
server=/scar.opensuse.org/192.168.1.16
except-interface=virbr0,tun0,br0
no-dhcp-interface=
bind-interfaces
# In this file we specify what domains to resolve with SUSE nameservers
conf-file=/etc/dnsmasq.opensuseservers.conf


I have changed:

server=/scar.opensuse.org/8.8.8.8

with:

server=/scar.opensuse.org/192.168.1.16


Because I don't like using google, and I have my own local named server in my LAN. And it works, apparently:


Telcontar:/etc/openvpn # host scar.opensuse.org 192.168.1.16
Using domain server:
Name: 192.168.1.16
Address: 192.168.1.16#53
Aliases:

scar.opensuse.org has address 195.135.221.151
scar.opensuse.org has IPv6 address 2001:67c:2178:8::28
Telcontar:/etc/openvpn # 
elcontar:/etc/openvpn # host scar.opensuse.org
scar.opensuse.org has address 195.135.221.151
scar.opensuse.org has IPv6 address 2001:67c:2178:8::28
Telcontar:/etc/openvpn #




>
>
> And also please check you down script.
>
> It can looks like this example:
>
> # !/bin/bash
> # Remove Heroes internal name servers
>
>> /etc/dnsmasq.servers.conf
> /bin/systemctl try-restart dnsmasq.service
> echo "client-down set empty file etc/dnsmasq.servers.conf and reload the 
> dnsmasq service" |logger
> exit 0


I have the sample file in our wiki, with some changes I did minutes ago:

#!/bin/bash
# Remove internal name servers
echo > /etc/dnsmasq.opensuseservers.conf
/bin/systemctl try-restart dnsmasq.service
echo "client-down set empty file /etc/dnsmasq.opensuseservers.conf and reload the dnsmasq service" | logger -t openvpn-client-down -p daemon.info
exit 0


Notice that you have:

> /etc/dnsmasq.servers.conf

a file that does not exist in my case. I have:

echo > /etc/dnsmasq.opensuseservers.conf

The wiki has:

  >/etc/dnsmasq.opensuseservers.conf

I just added the echo for my clarity (I prefer code to be verbose ;-) )


Still, I noticed yesterday problems in the shutdown of the tunnel:

Jun 09 02:44:08 Telcontar systemd[1]: Removed slice User Slice of UID 9.
Jun 09 02:45:02 Telcontar openvpn[7327]: event_wait : Interrupted system call (code=4)
Jun 09 02:45:02 Telcontar openvpn[7327]: ERROR: Linux route delete command failed: external program exited with error status: 2
Jun 09 02:45:02 Telcontar systemd[1]: Stopping OpenVPN tunneling daemon instance using /etc/openvpn/heroes.conf...
Jun 09 02:45:02 Telcontar openvpn[7327]: ERROR: Linux route delete command failed: external program exited with error status: 2
Jun 09 02:45:02 Telcontar openvpn[7327]: ERROR: Linux route delete command failed: external program exited with error status: 2
Jun 09 02:45:02 Telcontar openvpn[7327]: /bin/ip addr del dev tun0 local 192.168.252.185 peer 192.168.252.1
Jun 09 02:45:02 Telcontar openvpn[7327]: Linux ip addr del failed: external program exited with error status: 2
Jun 09 02:45:02 Telcontar wickedd[1619]: error retrieving tun attribute from sysfs
Jun 09 02:45:02 Telcontar openvpn[7327]: heroes/client.down tun0 1500 1553 192.168.252.185 192.168.252.1 init
Jun 09 02:45:02 Telcontar nobody[16075]: client-down set empty file /etc/dnsmasq.opensuseservers.conf and reload the dnsmasq service
Jun 09 02:45:02 Telcontar openvpn[7327]: SIGTERM[hard,] received, process exiting
Jun 09 02:45:02 Telcontar systemd[1]: Stopped OpenVPN tunneling daemon instance using /etc/openvpn/heroes.conf.


I don't have a clue of what external program it is talking about, and what
is error status 2.  maybe it is the "route" command itself?  I don't see a
table of output status errors in its man page :-?


So, I try to connect now. Log:


<3.6> 2020-06-09T13:56:11.725997+02:00 Telcontar systemd 1 - -  Starting OpenVPN tunneling daemon instance using /etc/openvpn/heroes.conf...
<3.5> 2020-06-09T13:56:11.762866+02:00 Telcontar openvpn 22285 - -  OpenVPN 2.4.3 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 20 2017
<3.5> 2020-06-09T13:56:11.763117+02:00 Telcontar openvpn 22285 - -  library versions: OpenSSL 1.1.0i-fips  14 Aug 2018, LZO 2.10
<3.4> 2020-06-09T13:56:32.059152+02:00 Telcontar openvpn 22299 - -  NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
<3.6> 2020-06-09T13:56:32.059602+02:00 Telcontar systemd 1 - -  Started OpenVPN tunneling daemon instance using /etc/openvpn/heroes.conf.
<3.5> 2020-06-09T13:56:32.149427+02:00 Telcontar openvpn 22299 - -  TCP/UDP: Preserving recently used remote address: [AF_INET]195.135.221.151:1194
<3.5> 2020-06-09T13:56:32.149579+02:00 Telcontar openvpn 22299 - -  UDP link local: (not bound)
<3.5> 2020-06-09T13:56:32.149637+02:00 Telcontar openvpn 22299 - -  UDP link remote: [AF_INET]195.135.221.151:1194
<3.5> 2020-06-09T13:56:32.149692+02:00 Telcontar openvpn 22299 - -  NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
<3.4> 2020-06-09T13:56:32.199750+02:00 Telcontar openvpn 22299 - -  WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
<3.5> 2020-06-09T13:56:32.387877+02:00 Telcontar openvpn 22299 - -  [scar.opensuse.org] Peer Connection Initiated with [AF_INET]195.135.221.151:1194
<3.5> 2020-06-09T13:56:33.546114+02:00 Telcontar openvpn 22299 - -  TUN/TAP device tun0 opened
<3.5> 2020-06-09T13:56:33.546376+02:00 Telcontar openvpn 22299 - -  do_ifconfig, tt->did_ifconfig_ipv6_setup=0
<3.5> 2020-06-09T13:56:33.546525+02:00 Telcontar openvpn 22299 - -  /bin/ip link set dev tun0 up mtu 1500
<3.6> 2020-06-09T13:56:33.546781+02:00 Telcontar systemd-udevd 22301 - -  link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
<3.5> 2020-06-09T13:56:33.554816+02:00 Telcontar openvpn 22299 - -  /bin/ip addr add dev tun0 local 192.168.252.185 peer 192.168.252.1
<3.5> 2020-06-09T13:56:33.555840+02:00 Telcontar openvpn 22299 - -  heroes/client.up tun0 1500 1553 192.168.252.185 192.168.252.1 init
<3.6> 2020-06-09T13:56:33.585407+02:00 Telcontar openvpn-client-up - - -  client-up starts for tun0, found DNS servers 192.168.47.101 192.168.47.102 and wrote them into /etc/dnsmasq.opensuseservers.conf
<3.6> 2020-06-09T13:56:33.618892+02:00 Telcontar dnsmasq 20030 - -  exiting on receipt of SIGTERM
<3.6> 2020-06-09T13:56:33.619118+02:00 Telcontar systemd 1 - -  Stopping DNS caching server....
<3.6> 2020-06-09T13:56:33.619441+02:00 Telcontar systemd 1 - -  Stopped DNS caching server..
<3.6> 2020-06-09T13:56:33.620221+02:00 Telcontar systemd 1 - -  Starting DNS caching server....
<3.6> 2020-06-09T13:56:33.653372+02:00 Telcontar dnsmasq 22310 - -  dnsmasq: syntax check OK.
<3.6> 2020-06-09T13:56:33.687298+02:00 Telcontar systemd 1 - -  Started DNS caching server..
<3.6> 2020-06-09T13:56:33.687626+02:00 Telcontar dnsmasq 22311 - -  started, version 2.78 cachesize 2000
<3.6> 2020-06-09T13:56:33.687835+02:00 Telcontar dnsmasq 22311 - -  compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
<3.6> 2020-06-09T13:56:33.687957+02:00 Telcontar dnsmasq 22311 - -  DBus support enabled: connected to system bus
<3.6> 2020-06-09T13:56:33.688093+02:00 Telcontar dnsmasq 22311 - -  asynchronous logging enabled, queue limit is 5 messages
<3.6> 2020-06-09T13:56:33.688208+02:00 Telcontar dnsmasq 22311 - -  using local addresses only for domain valinor
<3.6> 2020-06-09T13:56:33.688319+02:00 Telcontar dnsmasq 22311 - -  using nameserver 192.168.1.16#53 for domain valinor
<3.6> 2020-06-09T13:56:33.688427+02:00 Telcontar dnsmasq 22311 - -  using nameserver 1.0.0.1#53
<3.6> 2020-06-09T13:56:33.688532+02:00 Telcontar dnsmasq 22311 - -  using nameserver 1.1.1.1#53
<3.6> 2020-06-09T13:56:33.688645+02:00 Telcontar dnsmasq 22311 - -  using nameserver 80.58.61.254#53
<3.6> 2020-06-09T13:56:33.688782+02:00 Telcontar dnsmasq 22311 - -  using nameserver 80.58.61.250#53
<3.6> 2020-06-09T13:56:33.688896+02:00 Telcontar dnsmasq 22311 - -  reading /etc/resolv.conf
<3.6> 2020-06-09T13:56:33.688992+02:00 Telcontar dnsmasq 22311 - -  using local addresses only for domain valinor
<3.6> 2020-06-09T13:56:33.689086+02:00 Telcontar dnsmasq 22311 - -  using nameserver 192.168.1.16#53 for domain valinor
<3.6> 2020-06-09T13:56:33.689183+02:00 Telcontar dnsmasq 22311 - -  using nameserver 1.0.0.1#53
<3.6> 2020-06-09T13:56:33.689279+02:00 Telcontar dnsmasq 22311 - -  using nameserver 1.1.1.1#53
<3.6> 2020-06-09T13:56:33.689374+02:00 Telcontar dnsmasq 22311 - -  using nameserver 80.58.61.254#53
<3.6> 2020-06-09T13:56:33.689468+02:00 Telcontar dnsmasq 22311 - -  using nameserver 80.58.61.250#53
<3.4> 2020-06-09T13:56:33.689580+02:00 Telcontar dnsmasq 22311 - -  ignoring nameserver 127.0.0.1 - local interface
<3.6> 2020-06-09T13:56:33.689699+02:00 Telcontar dnsmasq 22311 - -  read /etc/hosts - 38 addresses
<3.5> 2020-06-09T13:56:33.690627+02:00 Telcontar openvpn 22299 - -  GID set to nobody
<3.5> 2020-06-09T13:56:33.690799+02:00 Telcontar openvpn 22299 - -  UID set to nobody
<3.5> 2020-06-09T13:56:33.696264+02:00 Telcontar openvpn 22299 - -  Initialization Sequence Completed



As you can see, dnsmasq does not report it is using the internal VPN name servers.
And name check fails:


Telcontar:/etc/openvpn # host -v freeipa.infra.opensuse.org
Trying "freeipa.infra.opensuse.org"
Host freeipa.infra.opensuse.org not found: 2(SERVFAIL)
Received 44 bytes from 127.0.0.1#53 in 1582 ms
Telcontar:/etc/openvpn #


Telcontar:/etc/openvpn # cat /etc/dnsmasq.opensuseservers.conf
server=/infra.opensuse.org/192.168.47.101
server=/.47.168.192.in-addr.arpa/192.168.47.101
server=/infra.opensuse.org/192.168.47.102
server=/.47.168.192.in-addr.arpa/192.168.47.102
Telcontar:/etc/openvpn #


The log doesn't mention usage of "/etc/dnsmasq.d/opensuse.conf" :-?

Found it! Dnsmasq doesn't include that directory in the default config.

# Include another lot of configuration options.
#conf-file=/etc/dnsmasq.more.conf
#conf-dir=/etc/dnsmasq.d


No go:

Telcontar:/etc/openvpn # host -v freeipa.infra.opensuse.org
Trying "freeipa.infra.opensuse.org"
;; connection timed out; no servers could be reached
Telcontar:/etc/openvpn #


Now the error is:

<3.6> 2020-06-09T14:06:42.256927+02:00 Telcontar dnsmasq 22895 - -  dnsmasq: cannot read /etc/dnsmasq.opensuseservers.conf: Permission denied
<3.2> 2020-06-09T14:06:42.257140+02:00 Telcontar dnsmasq 22895 - -  cannot read /etc/dnsmasq.opensuseservers.conf: Permission denied

Telcontar:/etc/openvpn # l /etc/dnsmasq.opensuseservers.conf
- -rw-r--r-- 1 root root 180 Jun  9 14:06 /etc/dnsmasq.opensuseservers.conf
Telcontar:/etc/openvpn #


Huh? It has read permission to all. No apparnmor errors, either.

etc/apparmor.d/local/usr.sbin.dnsmasq
# Site-specific additions and overrides for 'usr.sbin.dnsmasq'
/etc/dnsmasq.opensuseservers.conf r,


Maybe restart aa?

Now I don't have connection:

Telcontar:/etc/openvpn # systemctl stop openvpn@heroes
Telcontar:/etc/openvpn # systemctl start openvpn@heroes
Enter Auth Username: robin_listas
Enter Auth Password: ****************************************
Telcontar:/etc/openvpn # ping 192.168.47.102
PING 192.168.47.102 (192.168.47.102) 56(84) bytes of data.
^C
- --- 192.168.47.102 ping statistics ---
21 packets transmitted, 0 received, 100% packet loss, time 20349ms

Telcontar:/etc/openvpn #



<3.6> 2020-06-09T14:16:40.610113+02:00 Telcontar systemd 1 - -  Starting OpenVPN tunneling daemon instance using /etc/openvpn/heroes.conf...
<3.5> 2020-06-09T14:16:40.644124+02:00 Telcontar openvpn 23731 - -  OpenVPN 2.4.3 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 20 2017
<3.5> 2020-06-09T14:16:40.644372+02:00 Telcontar openvpn 23731 - -  library versions: OpenSSL 1.1.0i-fips  14 Aug 2018, LZO 2.10
<3.4> 2020-06-09T14:16:54.034893+02:00 Telcontar openvpn 23741 - -  NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
<3.6> 2020-06-09T14:16:54.035228+02:00 Telcontar systemd 1 - -  Started OpenVPN tunneling daemon instance using /etc/openvpn/heroes.conf.
<3.3> 2020-06-09T14:16:54.036003+02:00 Telcontar openvpn 23741 - -  RESOLVE: Cannot resolve host address: gate.opensuse.org:1194 (Name or service not known)
<3.3> 2020-06-09T14:16:54.036324+02:00 Telcontar openvpn 23741 - -  RESOLVE: Cannot resolve host address: gate.opensuse.org:1194 (Name or service not known)
<3.4> 2020-06-09T14:16:54.036466+02:00 Telcontar openvpn 23741 - -  Could not determine IPv4/IPv6 protocol
<3.5> 2020-06-09T14:16:54.036609+02:00 Telcontar openvpn 23741 - -  NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
<3.5> 2020-06-09T14:16:54.036781+02:00 Telcontar openvpn 23741 - -  SIGUSR1[soft,init_instance] received, process restarting
<3.4> 2020-06-09T14:16:59.036490+02:00 Telcontar openvpn 23741 - -  NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
<3.3> 2020-06-09T14:16:59.036827+02:00 Telcontar openvpn 23741 - -  RESOLVE: Cannot resolve host address: gate.opensuse.org:1194 (Name or service not known)
<3.3> 2020-06-09T14:16:59.037018+02:00 Telcontar openvpn 23741 - -  RESOLVE: Cannot resolve host address: gate.opensuse.org:1194 (Name or service not known)
<3.4> 2020-06-09T14:16:59.037135+02:00 Telcontar openvpn 23741 - -  Could not determine IPv4/IPv6 protocol
<3.5> 2020-06-09T14:16:59.037246+02:00 Telcontar openvpn 23741 - -  SIGUSR1[soft,init_instance] received, process restarting
<3.4> 2020-06-09T14:17:04.037187+02:00 Telcontar openvpn 23741 - -  NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
<3.3> 2020-06-09T14:17:04.037515+02:00 Telcontar openvpn 23741 - -  RESOLVE: Cannot resolve host address: gate.opensuse.org:1194 (Name or service not known)
<3.3> 2020-06-09T14:17:04.037718+02:00 Telcontar openvpn 23741 - -  RESOLVE: Cannot resolve host address: gate.opensuse.org:1194 (Name or service not known)
<3.4> 2020-06-09T14:17:04.037823+02:00 Telcontar openvpn 23741 - -  Could not determine IPv4/IPv6 protocol
<3.5> 2020-06-09T14:17:04.037930+02:00 Telcontar openvpn 23741 - -  SIGUSR1[soft,init_instance] received, process restarting
<3.4> 2020-06-09T14:17:09.037902+02:00 Telcontar openvpn 23741 - -  NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
<3.3> 2020-06-09T14:17:09.038232+02:00 Telcontar openvpn 23741 - -  RESOLVE: Cannot resolve host address: gate.opensuse.org:1194 (Name or service not known)
<3.3> 2020-06-09T14:17:09.038468+02:00 Telcontar openvpn 23741 - -  RESOLVE: Cannot resolve host address: gate.opensuse.org:1194 (Name or service not known)
<3.4> 2020-06-09T14:17:09.038631+02:00 Telcontar openvpn 23741 - -  Could not determine IPv4/IPv6 protocol
<3.5> 2020-06-09T14:17:09.038755+02:00 Telcontar openvpn 23741 - -  SIGUSR1[soft,init_instance] received, process restarting
<3.4> 2020-06-09T14:17:14.038640+02:00 Telcontar openvpn 23741 - -  NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
<3.3> 2020-06-09T14:17:14.039045+02:00 Telcontar openvpn 23741 - -  RESOLVE: Cannot resolve host address: gate.opensuse.org:1194 (Name or service not known)
<3.3> 2020-06-09T14:17:14.039204+02:00 Telcontar openvpn 23741 - -  RESOLVE: Cannot resolve host address: gate.opensuse.org:1194 (Name or service not known)
<3.4> 2020-06-09T14:17:14.039326+02:00 Telcontar openvpn 23741 - -  Could not determine IPv4/IPv6 protocol
<3.5> 2020-06-09T14:17:14.039431+02:00 Telcontar openvpn 23741 - -  SIGUSR1[soft,init_instance] received, process restarting
<3.4> 2020-06-09T14:17:24.039348+02:00 Telcontar openvpn 23741 - -  NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
<3.3> 2020-06-09T14:17:24.039650+02:00 Telcontar openvpn 23741 - -  RESOLVE: Cannot resolve host address: gate.opensuse.org:1194 (Name or service not known)
<3.3> 2020-06-09T14:17:24.039868+02:00 Telcontar openvpn 23741 - -  RESOLVE: Cannot resolve host address: gate.opensuse.org:1194 (Name or service not known)
<3.4> 2020-06-09T14:17:24.039998+02:00 Telcontar openvpn 23741 - -  Could not determine IPv4/IPv6 protocol
<3.5> 2020-06-09T14:17:24.040112+02:00 Telcontar openvpn 23741 - -  SIGUSR1[soft,init_instance] received, process restarting
<3.4> 2020-06-09T14:17:44.040052+02:00 Telcontar openvpn 23741 - -  NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
<3.3> 2020-06-09T14:17:44.040466+02:00 Telcontar openvpn 23741 - -  RESOLVE: Cannot resolve host address: gate.opensuse.org:1194 (Name or service not known)
<3.3> 2020-06-09T14:17:44.040626+02:00 Telcontar openvpn 23741 - -  RESOLVE: Cannot resolve host address: gate.opensuse.org:1194 (Name or service not known)
<3.4> 2020-06-09T14:17:44.040763+02:00 Telcontar openvpn 23741 - -  Could not determine IPv4/IPv6 protocol
<3.5> 2020-06-09T14:17:44.040872+02:00 Telcontar openvpn 23741 - -  SIGUSR1[soft,init_instance] received, process restarting



I'm baffled. Now the VPN doesn't start. Maybe the system doesn't like retries?

gate.opensuse.org  is external, can not be resolved. Huh? My entire name 
solving is failing, even when I stop the VPN, because:

Jun 09 14:06:42 Telcontar systemd[1]: Starting DNS caching server....
Jun 09 14:06:42 Telcontar dnsmasq[22895]: dnsmasq: cannot read /etc/dnsmasq.opensuseservers.conf: Permission denied
Jun 09 14:06:42 Telcontar dnsmasq[22895]: cannot read /etc/dnsmasq.opensuseservers.conf: Permission denied
Jun 09 14:06:42 Telcontar dnsmasq[22895]: FAILED to start up
Jun 09 14:06:42 Telcontar systemd[1]: dnsmasq.service: Control process exited, code=exited status=3
Jun 09 14:06:42 Telcontar systemd[1]: Failed to start DNS caching server..
Jun 09 14:06:42 Telcontar systemd[1]: dnsmasq.service: Unit entered failed state.
Jun 09 14:06:42 Telcontar systemd[1]: dnsmasq.service: Failed with result 'exit-code'.



Question on apparmor:

/etc/apparmor.d/usr.sbin.dnsmasq:

...

   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.sbin.dnsmasq>
}

Should I remove the '#' before the include?


- -- 
Cheers,
        Carlos E. R.
        (from openSUSE 15.1 x86_64 at Telcontar)
-----BEGIN PGP SIGNATURE-----

iHYEARECADYWIQQZEb51mJKK1KpcU/W1MxgcbY1H1QUCXt+AJxgcY2FybG9zLmUu
ckBvcGVuc3VzZS5vcmcACgkQtTMYHG2NR9UUpgCfbPCA8d3eMqJ0GmbmFTrSXS2x
hssAn3Bt2Lm1IIaRn6AyJNkZY6dLc220
=ZFte
-----END PGP SIGNATURE-----

On 09/06/2020 14.44, Christian Boltz wrote:

Hello,

I can't really comment on dnsmasq (I use unbound), but I wonder if you really need all the script magic, or if you could simply have permanent config entries saying "for *.infra.opensuse.org, ask 192.168.47.101 and 192.168.47.102" (+ similar entries for the reverse DNS).

Well, not knowing the ground, I just follow the instructions in the wiki ;-)

Oh, and the admin wiki is a wiki, so if you see an error, just fix it ;-)

I was going to ask just that. I certainly intend to add the corrections when I get this working :-D

That said:

Am Dienstag, 9. Juni 2020, 14:27:19 CEST schrieb Carlos E. R.:

...

Question on apparmor:

/etc/apparmor.d/usr.sbin.dnsmasq:

...

# Site-specific additions and overrides. See local/README for details. #include <local/usr.sbin.dnsmasq> }

Should I remove the '#' before the include?

"#include" and "include" have the same meaning in AppArmor profiles, they both include another file.

The only difference is that "#include" might be mis-interpreted as comment in case of syntax errors (instead of causing an error), but the line you quoted looks correct, and matches the upstream dnsmasq profile.

Bummer. I was going to try that now... Telcontar:~ # l /etc/dnsmasq.* -rw-r--r-- 1 root root 26973 Jun 9 14:06 /etc/dnsmasq.conf -rw-r--r-- 1 root root 26975 May 8 2019 /etc/dnsmasq.conf.isengard -rw-r--r-- 1 root root 26707 Dec 5 2019 /etc/dnsmasq.conf.pre.20200606 -rw-r--r-- 1 root root 180 Jun 9 14:06 /etc/dnsmasq.opensuseservers.conf /etc/dnsmasq.d: total 28 drwxr-xr-x 2 root root 4096 Jun 8 22:03 ./ drwxr-xr-x 233 root root 16384 Jun 9 14:06 ../ -rw-r--r-- 1 root root 259 Jun 8 22:03 opensuse.conf -rw-r--r-- 1 root root 391 Dec 5 2019 trust-anchors.conf Telcontar:~ # The permissions are the same on all files, yet it says: Jun 09 14:06:42 Telcontar dnsmasq[22895]: cannot read /etc/dnsmasq.opensuseservers.conf: Permission denied If it is not apparmor, I'm out of ideas. [...] I'll try anyway... BINGO! It was AA. I removed the comment symbol, and now I have connectivity. Telcontar:/etc/openvpn # host freeipa.infra.opensuse.org freeipa.infra.opensuse.org has address 192.168.47.65 Telcontar:/etc/openvpn # It occurs to me whether I might have forgotten to restart aa, bu the log says I did. Before: <3.6> 2020-06-09T14:13:36.362507+02:00 Telcontar apparmor.systemd 23247 - - Restarting AppArmor and now, after the edit: <3.6> 2020-06-09T15:06:24.508661+02:00 Telcontar apparmor.systemd 26101 - - Restarting AppArmor Ok. Time to have lunch. Later I will update the wiki :-) -- Cheers / Saludos, Carlos E. R. (from 15.1 x86_64 at Telcontar)

On 10/06/2020 22.08, Christian Boltz wrote:

Hello,

Am Dienstag, 9. Juni 2020, 15:17:00 CEST schrieb Carlos E. R.:

...

On 09/06/2020 14.44, Christian Boltz wrote:

...

Am Dienstag, 9. Juni 2020, 14:27:19 CEST schrieb Carlos E. R.:

...

Question on apparmor:

/etc/apparmor.d/usr.sbin.dnsmasq:

...

...

...

#include <local/usr.sbin.dnsmasq> }

Should I remove the '#' before the include?

"#include" and "include" have the same meaning in AppArmor profiles, they both include another file.

The only difference is that "#include" might be mis-interpreted as comment in case of syntax errors (instead of causing an error), but the line you quoted looks correct, and matches the upstream dnsmasq profile.

...

I'll try anyway... BINGO! It was AA. I removed the comment symbol, and now I have connectivity.

That's more than strange, and I'm sure that the # is/was not the cause (please re-add it and try again ;-)

Ok, will do. Is there a way to obtain a dump of the actual profile AA has loaded? If not, I can simply try to connect. Just not this minute. Another guess: maybe the white space before the '#' confuses the parser?

Wild guess: Maybe the real change was the timestamp of the profile - now it's newer than your previous cache file, and therefore the cache got rebuilt. (If you have a backup of the "broken" /etc/apparmor.d/ and /var/cache/apparmor/ with original timestamps, I'd be happy to debug this - but better off-list, it would be OT here.)

I don't know if I have. I did not make a backup, but if something takes one automatically it will be there.

As a somewhat unrelated sidenote: future AppArmor versions will default to "include" (without the "#") - but that's just a cosmetic change, there are no known bugs around the "#include" variant. Oh, and the local/* files will be included as "include if exists".

...

It occurs to me whether I might have forgotten to restart aa, bu the log says I did.

Before: <3.6> 2020-06-09T14:13:36.362507+02:00 Telcontar apparmor.systemd 23247 - - Restarting AppArmor

and now, after the edit: <3.6> 2020-06-09T15:06:24.508661+02:00 Telcontar apparmor.systemd 26101 - - Restarting AppArmor

If you want to further debug this, ping me off-list or (maybe better) on IRC. The audit.log entries about reloading the profiles might be helpful.

...

Ok. Time to have lunch. Later I will update the wiki :-)

Unless you can reproduce the permission problem after re-adding the "#", please remove that note from the wiki again. I would be *very* surprised if that really caused your problem.

Ok, will retest and tell you. Just not now, it is 00 hours here, I just arrived home ;-) -- Cheers / Saludos, Carlos E. R. (from 15.1 x86_64 at Telcontar)

On 11/06/2020 10.11, Carlos E. R. wrote:

On 10/06/2020 23.51, Carlos E. R. wrote:

...

On 10/06/2020 22.08, Christian Boltz wrote:

...

Hello,

...

...

...

...

I'll try anyway... BINGO! It was AA. I removed the comment symbol, and now I have connectivity.

That's more than strange, and I'm sure that the # is/was not the cause (please re-add it and try again ;-)

Ok, will do. Is there a way to obtain a dump of the actual profile AA has loaded? If not, I can simply try to connect. Just not this minute.

Well, I did now (and restarted AA) and it is working. Paint me confused.

...

...

Wild guess: Maybe the real change was the timestamp of the profile - now it's newer than your previous cache file, and therefore the cache got rebuilt. (If you have a backup of the "broken" /etc/apparmor.d/ and /var/cache/apparmor/ with original timestamps, I'd be happy to debug this - but better off-list, it would be OT here.)

I don't know if I have. I did not make a backup, but if something takes one automatically it will be there.

During sleep (yeah, I dream with computers, it seems!) I thought about the editor backup. No, not even that. I did the operation with 'mc' (Midnight Commander) and by default it does not makes backups of edited files. I just changed that. For completeness, it is not in mc config options, but instead I found it once I edit a file with the internal editor, that it has its own config menu. One never ends learning. Not the first time I wonder about the edit backup file with 'mc', this time I found out why there wasn't.

...

...

If you want to further debug this, ping me off-list or (maybe better) on IRC. The audit.log entries about reloading the profiles might be helpful.

Thanks. I will concoct a private mail with logs and send them off list, if you have the curiosity to find out what happened.

For completeness and my shame, I found that the error was that I forgot to reload AA just after creating the local file. I thought I did, but after perusing in detail the messages log I'm certain that I did not initially reload it. I needed help to interpret the audit log, Christian did that. Without that part I would not have seen the rest. Thanks :-) -- Cheers / Saludos, Carlos E. R. (from 15.1 x86_64 at Telcontar)

On 09/06/2020 15.49, Per Jessen wrote:

Christian Boltz wrote:

...

Hello,

I can't really comment on dnsmasq (I use unbound), but I wonder if you really need all the script magic, or if you could simply have permanent config entries saying "for *.infra.opensuse.org, ask 192.168.47.101 and 192.168.47.102" (+ similar entries for the reverse DNS).

Yup, that's what I do.

I suspect that when the tunnel is not active and you search for a problem site, it will time out with server not found. That's the reason to add/remove the vpn servers. -- Cheers / Saludos, Carlos E. R. (from 15.1 x86_64 at Telcontar)

On 09/06/2020 20.41, Per Jessen wrote:

Carlos E. R. wrote:

...

On 09/06/2020 15.49, Per Jessen wrote:

...

Christian Boltz wrote:

...

Hello,

I can't really comment on dnsmasq (I use unbound), but I wonder if you really need all the script magic, or if you could simply have permanent config entries saying "for *.infra.opensuse.org, ask 192.168.47.101 and 192.168.47.102" (+ similar entries for the reverse DNS).

Yup, that's what I do.

I suspect that when the tunnel is not active and you search for a problem site, it will time out with server not found.

No, that's not a problem - the openSUSE nameservers are only used for infra.o.o

Then, dunno. Perhaps whoever wrote those instructions thought that the DNS could change eventually, so better generate the list dynamically. I just edited the wiki with the changes I had to do to get it working. -- Cheers / Saludos, Carlos E. R. (from 15.1 x86_64 at Telcontar)

On Wed, 2020-06-10 at 15:01 +0200, Carlos E. R. wrote:

On 08/06/2020 23.12, Carlos E. R. wrote:

Now that I have the VPN setup and changed the password on <https://freeipa.infra.opensuse.org/> (Comment: Firefox warns about its certificate, I guess there is some authority certificate I can add from somewhere :-?), the next step is to upload my ssh key. I'm about to generate it with "ssh-kyegen", but there are many types of keys: “dsa”, “ecdsa”, “ed25519”, or “rsa”. There are also several format types. Well this is a bit like throwing chum to sharks and asking someone to jump in the water. I assume you have already used google and found many differing opinions? First off I'm not an encryption expert. I would not use DSA as you cannot generate a key larger than 1024...

ssh-keygen -b 4096 -t dsa Invalid DSA key length: must be 1024 bits There are differences in the length of time it takes to encrypt information using each of these key types and lengths. I think 2048 is a minimum length by today's standards, with many electing to use 4096. There is a time vs strength trade off. IF you are using the key to scp large files, to a locked down environment, you may choose time over strength. If you are using the key for a shell you may want to choose strength over time. Nothing is stopping you from having more than 1 key either. Like passphrases I personally have several. Yes, I've been purposely vague, as I don't think this is a question/decision that you should offload to someone else. I hope I provided enough information to prompt you to find better answers.

Then I suppose I have to upload the public key file.

This usually means adding the key, or having the key added to /home/USER/.ssh/authorized_keys On FreeIPA I believe it is stored in the 389 directory server. Though I'm not all that familiar with FreeIPA.

Sorry if I ask many questions, but as it is not my own system I do not want to make many mistakes ;-)

N�����r��y隊X^�����칻�&ޢ��������'��-���w�zf�����>� ޮ�^�ˬz��