Re: [Openvpn-devel] DNS problems with openvpn 2.1 on Windows

2010-04-08 Thread Marcel Pennewiß 
On Thursday 08 April 2010 08:03:54 Johan Ymerson wrote:
> I have tried different values for route-delay and tap-sleep, but it doesn't
>  help.

AFAIR our clients use:
route-method exe
route-delay 2
ip-win32 dynamic

No one of our win7-users complained about this problem until now.

Marcel

Re: [Openvpn-devel] DNS problems with openvpn 2.1 on Windows

2010-04-08 Thread Heiko Hund 
On Wednesday 07 April 2010 22:52:22 Jan Just Keijser wrote:
> this could be a timing issue, which could be caused by changes to the
> userspace openvpn part; did you try playing with the
>   route-delay
>   tap-sleep
>   dhcp-renew
> flags ? did that have any affect?

We've tried all of those with no effect. I even hacked the driver so it 
responds to DHCP and ARP requests with a 500ms delay, nothing.

Heiko
-- 
Heiko Hund | Software Engineer | Phone +49-721-25516-237 | Fax -200
Astaro AG | An der RaumFabrik 33a | 76227 Karlsruhe | Germany

Executive Board: Markus Hennig, Jan Hichert, Günter Junk, Dr. Frank Nellissen
Chairman of the Supervisory Board: Stanley J. Krasnow
Headquarter Location: Karlsruhe
Commercial Register: Mannheim HRB 108997

Re: [Openvpn-devel] DNS problems with openvpn 2.1 on Windows

2010-04-08 Thread Johan Ymerson 


Jan Just Keijser  wrote on 2010-04-07 22:52:22:
> what exactly do you mean with 'nslookup always works' ?
nslookup always seem to use the correct dns server. For example, we have an 
internal website called 'intranet'.
I can do `nslookup intrnet`, and it will return the correct internal ip 
address. But `ping intranet` will fail with:
Ping request could not find host intranet. Please check the name and try again.

> > I bet this actually is a change in the behavior of the userspace part, not
> the driver. Something userspace did after configuring the interface, but it
> doesn't do anymore. Something that made Windows re-examine the DNS order.
> >
> this could be a timing issue, which could be caused by changes to the
> userspace openvpn part; did you try playing with the
>   route-delay
>   tap-sleep
>   dhcp-renew
> flags ? did that have any affect?

dhcp-renew fails with:
Thu Apr 08 07:37:12 2010 WARNING: Failed to renew DHCP IP address lease on 
TAP-Win32 adapter: The system cannot find the file specified.   (code=2)
Does dhcp-renew apply even when using the openvpn internal "dhcp" (ie. 'dev 
tun' and 'server 192.168.105.0 255.255.255.128' on the server side)?

I have tried different values for route-delay and tap-sleep, but it doesn't 
help.

/Johan

Re: [Openvpn-devel] DNS problems with openvpn 2.1 on Windows

2010-04-07 Thread Johan Ymerson 
Heiko Hund  wrote on 2010-04-07 15:26:05:
> > Then I don't think we see the same problem. We have been using 2.0.9 on
> > ~100 machines for a couple of years now without these problems. We
> > upgraded 3 of them to 2.1.1, and they all instantly got this problem. We
> > downgraded them to 2.0.9, and all problems gone. Then started switching
> > between 2.0.9 and 2.1_rcX to determine when this problem started, but all
> > 2.1_rcX seems to suffer from it, but 2.0.9 does _not_! So something must
> > have changed between 2.0.9 and 2.1 that at least makes this a lot worse.
>
> Strange, we tested with 2.1_rc22 and the driver from 2.0.9 and ran into the
> problem within ten attempts. I can't image that the problem is related to
> userspace openvpn. Do you have the problem every time you connect and do you
> see the DNS servers in the output of `ipconfig /all`?

I have not tested with 2.1.1 and tap driver from 2.0.9. Vanilla 2.0.9 does not 
have this problem (at least not in the thousands of connect attempts I have 
made by now). Vanilla 2.1.1 (and all rc versions I have found) does have the 
problem. It shows up in 1-2 attempts.

`ipconfig /all` shows all the correct values.
And, this is funny, nslookup always work.

I bet this actually is a change in the behavior of the userspace part, not the 
driver. Something userspace did after configuring the interface, but it doesn't 
do anymore. Something that made Windows re-examine the DNS order.

/Johan

Re: [Openvpn-devel] DNS problems with openvpn 2.1 on Windows

2010-04-07 Thread Heiko Hund 
On Wednesday 07 April 2010 14:04:18 Johan Ymerson wrote:
> "Heiko Hund"  wrote on 2010-04-07 09:59:08:
> > We also tried 2.0.9 but were able to reproduce the bug with it as well,
> > so it has nothing to do with the openvpn driver version involved. I came
> > to the conclusion that it's rather some kind of race condition in the
> > Windows XP DNS resolver. At least I haven't seen this problem on Vista
> > or 7 personally.
> 
> Then I don't think we see the same problem. We have been using 2.0.9 on
> ~100 machines for a couple of years now without these problems. We
> upgraded 3 of them to 2.1.1, and they all instantly got this problem. We
> downgraded them to 2.0.9, and all problems gone. Then started switching
> between 2.0.9 and 2.1_rcX to determine when this problem started, but all
> 2.1_rcX seems to suffer from it, but 2.0.9 does _not_! So something must
> have changed between 2.0.9 and 2.1 that at least makes this a lot worse.

Strange, we tested with 2.1_rc22 and the driver from 2.0.9 and ran into the 
problem within ten attempts. I can't image that the problem is related to 
userspace openvpn. Do you have the problem every time you connect and do you 
see the DNS servers in the output of `ipconfig /all`?

Heiko
-- 
Heiko Hund | Software Engineer | Phone +49-721-25516-237 | Fax -200
Astaro AG | An der RaumFabrik 33a | 76227 Karlsruhe | Germany

Executive Board: Markus Hennig, Jan Hichert, Günter Junk, Dr. Frank Nellissen
Chairman of the Supervisory Board: Stanley J. Krasnow
Headquarter Location: Karlsruhe
Commercial Register: Mannheim HRB 108997

Re: [Openvpn-devel] DNS problems with openvpn 2.1 on Windows

2010-04-07 Thread Heiko Hund 
On Wednesday 07 April 2010 13:52:22 Jan Just Keijser wrote:
> > We've contacted Microsoft tech support about this issue. If anything
> > like a
> > fix comes out of that I'll post an update here. If not we'll have to
> > consider
> > a workaround of some kind, but let's wait with that discussion until
> > we're
> > sure it's not fixable the right way.
> 
> isn't
>   ipconfig /flushdns

No, that doesn't do it.

> or
>   net stop dnscache
>   net start dnscache

That works as well as `ipconfig /renew`. Even `ipconfig /registerdns` helps 
because it does an implicit /renew.

> enough? This might be related to
>  http://support.microsoft.com/kb/311218

Sadly it's not. Seems to have effect on MS RAS protocols only. PPTP and L2TP 
get their DNS settings via PPP IPCP, so it's kind of clear that this fix does 
not apply to the ones from openvpn via DHCP.

> I've recommended to people on the -users list to use an 'up' script with
>   net stop dnscache
>   net start dnscache
> this has worked in 99% of the cases.

True, but it's not the solution I'm looking for, but a rather high level 
workaround.

Heiko
-- 
Heiko Hund | Software Engineer | Phone +49-721-25516-237 | Fax -200
Astaro AG | An der RaumFabrik 33a | 76227 Karlsruhe | Germany

Executive Board: Markus Hennig, Jan Hichert, Günter Junk, Dr. Frank Nellissen
Chairman of the Supervisory Board: Stanley J. Krasnow
Headquarter Location: Karlsruhe
Commercial Register: Mannheim HRB 108997

Re: [Openvpn-devel] DNS problems with openvpn 2.1 on Windows

2010-04-07 Thread Johan Ymerson 


Jan Just Keijser  wrote on 2010-04-07 13:52:22:
> isn't
>   ipconfig /flushdns
No, doesn't help in this case.

> or
>   net stop dnscache
>   net start dnscache
I hadn't tested this before, but yes, it does seem to help (only done limited 
testing so far).

> enough? This might be related to
>  http://support.microsoft.com/kb/311218
Related maybe, but at least that work around does not work in my case.

>
> I've recommended to people on the -users list to use an 'up' script with
>   net stop dnscache
>   net start dnscache
> this has worked in 99% of the cases.
For me, it doesn't work in the 'up' script, I must put it in the 'route-up' 
script. Maybe that is the last 1% :-)

/Johan

Re: [Openvpn-devel] DNS problems with openvpn 2.1 on Windows

2010-04-07 Thread Johan Ymerson 


"Heiko Hund"  wrote on 2010-04-07 09:59:08:
>
> Hi,
> On Tuesday 06 April 2010 22:36:31 Johan Ymerson wrote:
> > I have tested on 3 PC's with Windows XP, all 3 show the same problem, at
> > almost 100% of my connection attempts. OpenVPN 2.0.9 does not have this
> > issue (ie. reverting back to 2.0.9 on the same machines with the same
> > config never show the problem).
> We also tried 2.0.9 but were able to reproduce the bug with it as well, so it
> has nothing to do with the openvpn driver version involved. I came to the
> conclusion that it's rather some kind of race condition in the Windows XP DNS
> resolver. At least I haven't seen this problem on Vista or 7 personally.

Then I don't think we see the same problem. We have been using 2.0.9 on ~100 
machines for a couple of years now without these problems. We upgraded 3 of 
them to 2.1.1, and they all instantly got this problem. We downgraded them to 
2.0.9, and all problems gone. Then started switching between 2.0.9
and 2.1_rcX to determine when this problem started, but all 2.1_rcX seems to 
suffer from it, but 2.0.9 does _not_! So something must have changed between 
2.0.9 and 2.1 that at least makes this a lot worse.

/Johan

Re: [Openvpn-devel] DNS problems with openvpn 2.1 on Windows

2010-04-07 Thread Jan Just Keijser 

Heiko Hund wrote:


Hi,

On Tuesday 06 April 2010 22:36:31 Johan Ymerson wrote:
> I have tested on 3 PC's with Windows XP, all 3 show the same 
problem, at

> almost 100% of my connection attempts. OpenVPN 2.0.9 does not have this
> issue (ie. reverting back to 2.0.9 on the same machines with the same
> config never show the problem).

We also tried 2.0.9 but were able to reproduce the bug with it as 
well, so it

has nothing to do with the openvpn driver version involved. I came to the
conclusion that it's rather some kind of race condition in the Windows 
XP DNS

resolver. At least I haven't seen this problem on Vista or 7 personally.
 
> Is this problem known, and is someone working on it?

> I can of course help debugging this, but I don't have the development
> environment needed to compile the Windows binaries.

Not much to debug anyway. The DNS servers get passed correctly via 
DHCP and

Windows actually takes notice of them as they show up in `ipconfig /all`.
Problem is that XP resolver somehow forgets to reprioritize the DNS 
servers
list after an DHCP update sometimes and sticks with the old preferred 
name

server until the scheduled reprioritization. At least that's my personal
conclusion. And it would explain why a /renew fixes it.

We've contacted Microsoft tech support about this issue. If anything 
like a
fix comes out of that I'll post an update here. If not we'll have to 
consider
a workaround of some kind, but let's wait with that discussion until 
we're

sure it's not fixable the right way.


isn't
 ipconfig /flushdns
or
 net stop dnscache
 net start dnscache
enough? This might be related to
http://support.microsoft.com/kb/311218

I've recommended to people on the -users list to use an 'up' script with
 net stop dnscache
 net start dnscache
this has worked in 99% of the cases.

cheers,

JJK

Re: [Openvpn-devel] DNS problems with openvpn 2.1 on Windows

2010-04-07 Thread Heiko Hund 
Title: Re: [Openvpn-devel] DNS problems with openvpn 2.1 on Windows






Hi,


On Tuesday 06 April 2010 22:36:31 Johan Ymerson wrote:

> I have tested on 3 PC's with Windows XP, all 3 show the same problem, at

> almost 100% of my connection attempts. OpenVPN 2.0.9 does not have this

> issue (ie. reverting back to 2.0.9 on the same machines with the same

> config never show the problem).


We also tried 2.0.9 but were able to reproduce the bug with it as well, so it 

has nothing to do with the openvpn driver version involved. I came to the 

conclusion that it's rather some kind of race condition in the Windows XP DNS 

resolver. At least I haven't seen this problem on Vista or 7 personally.

 

> Is this problem known, and is someone working on it?

> I can of course help debugging this, but I don't have the development

> environment needed to compile the Windows binaries.


Not much to debug anyway. The DNS servers get passed correctly via DHCP and 

Windows actually takes notice of them as they show up in `ipconfig /all`. 

Problem is that XP resolver somehow forgets to reprioritize the DNS servers 

list after an DHCP update sometimes and sticks with the old preferred name 

server until the scheduled reprioritization. At least that's my personal 

conclusion. And it would explain why a /renew fixes it.


We've contacted Microsoft tech support about this issue. If anything like a 

fix comes out of that I'll post an update here. If not we'll have to consider 

a workaround of some kind, but let's wait with that discussion until we're 

sure it's not fixable the right way.


Regards

Heiko

-- 

Heiko Hund | Software Engineer | Phone +49-721-25516-237 | Fax -200

Astaro AG | An der RaumFabrik 33a | 76227 Karlsruhe | Germany


Executive Board: Markus Hennig, Jan Hichert, Günter Junk, Dr. Frank Nellissen

Chairman of the Supervisory Board: Stanley J. Krasnow

Headquarter Location: Karlsruhe

Commercial Register: Mannheim HRB 108997