Re: [Openvpn-users] Connection attempts to seemingly random IP addresses
On Mon, Feb 10, 2020 at 12:00:32 +0100, Reto Schneider wrote: > addresses it never should. The devices it is running on are Yocto based, > embedded, 32bit MIPS and deployed in remote networks which are not under > my control. [...] > 5) Optional: Wifi comes up again, interface gets IP address and route > assigned (dhcpcd logs): [...] > 6) OpenVPN suddenly tries to connect to a faulty IP: [...] > In this case there seems to be a correlation to the router IP address in > 5), but I have many more examples of unexplicable IP addresses (e.g. > 1.1.1.11, 212.27.38.252, 192.168.246.123, ...), all of which are > definitely not assigned to example.com. How much do you know about the remote (Wifi) networks these clients are connecting to? Is there a correlation between the different inexplicable IP addresses used and the particular remote network for that client? In particular I'm wondering if these are networks where when you first connect all traffic is directed to an "accept our terms of service" page (In this case, it would seem to involve overriding DNS responses from the networks local DNS server(s) so all domain names point to the local IP of the system hosting that page.) Nathan Nathan Stratton Treadway - natha...@ontko.com - Mid-Atlantic region Ray Ontko & Co. - Software consulting services - http://www.ontko.com/ GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt ID: 1023D/ECFB6239 Key fingerprint = 6AD8 485E 20B9 5C71 231C 0C32 15F3 ADCD ECFB 6239 ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] Connection attempts to seemingly random IP addresses
Hi, On 11/02/20 12:06, Reto Schneider wrote: On 2/10/20 5:23 PM, Jan Just Keijser wrote: the line push "dhcp-option DNS 10.176.0.1" is the main suspect here... my guess as to what happens is this: 1) VPN is started 2) that line causes the local /etc/resolv.conf file to be overwritten with the new DNS setting I just verified this: resolv.conf does not get adapted I would also not have expected it because on the client side "route-nopull" is specified. if your clients would have an update-resolv-conf script then the file would have been updated, regardless of 'route-nopull' - pushing a DNS server is not overruled by 'route-nopull' Also, I see in the clients log twice the following line: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS]) (Guess I should do [1]...) My takeaway is that you think that this issue is because of funky DNS stuff going on. I will investigate some more in this area, but since I do not have access to the affected devices (only logs), actions like taking down OpenVPN to do analysis are pretty much impossible to do. there's two things I would try in your case, but for both you need access to a client device 1) replace 'remote example.com' with 'remote a.b.c.d' and see if that particular client is not making connection attempts to seemingly random IPs 2) add a flag 'bypass-dns' to the "redirect-gateway" directive if that is used on the client side to ensure that your DNS server is still reachable after the VPN comes up A short analysis of your problem is: - it works the first time a client connects - after a reconnect/wifi drop , the client resolves the remote host to the wrong IP conclusion: either the DNS server setting is modified OR the route to the DNS server is altered by the VPN. HTH, JJK ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] Connection attempts to seemingly random IP addresses
Hi Jan, Thanks for your answer. On 2/10/20 5:23 PM, Jan Just Keijser wrote: > > the line > push "dhcp-option DNS 10.176.0.1" > is the main suspect here... my guess as to what happens is this: > > 1) VPN is started > 2) that line causes the local /etc/resolv.conf file to be overwritten > with the new DNS setting I just verified this: resolv.conf does not get adapted I would also not have expected it because on the client side "route-nopull" is specified. Also, I see in the clients log twice the following line: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS]) (Guess I should do [1]...) My takeaway is that you think that this issue is because of funky DNS stuff going on. I will investigate some more in this area, but since I do not have access to the affected devices (only logs), actions like taking down OpenVPN to do analysis are pretty much impossible to do. [1] https://community.openvpn.net/openvpn/wiki/OverridingAPushedRouteInTheClientsConfigThrowsAndError Kind regards, Reto ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] Connection attempts to seemingly random IP addresses
Hi, On 10/02/20 12:00, Reto Schneider wrote: Hello, I am observing the behavior of OpenVPN 2.4.7 trying to connect to IP addresses it never should. The devices it is running on are Yocto based, embedded, 32bit MIPS and deployed in remote networks which are not under my control. 1) OpenVPN connects successfully to server (example.com, TCP, Port 443) TCP/UDP: Preserving recently used remote address: [AF_INET]a.b.c.d:443 Attempting to establish TCP connection with [AF_INET]a.b.c.d:443 [nonblock] TCP connection established with [AF_INET]a.b.c.d:443 TCP_CLIENT link local: (not bound) TCP_CLIENT link remote: [AF_INET]a.b.c.d:443 [server] Peer Connection Initiated with [AF_INET]a.b.c.d:443 Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS]) Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS]) Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS]) Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS]) Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS]) TUN/TAP device vpn0 opened /sbin/ip link set dev vpn0 up mtu 1500 /sbin/ip addr add dev vpn0 local 10.176.x.y peer 10.176.x.z Initialization Sequence Completed Hint: - example.com is put in place if the real domain of the servers - a.b.c.d refers to one out of multiple IPv4 addresses assigned to example.com 2) Internet connectivity lost because wifi/ethernet/upstream connectivity got bad/lost: [server] Inactivity timeout (--ping-restart), restarting /sbin/ip addr del dev vpn0 local 10.176.x.y peer 10.176.x.z SIGUSR1[soft,ping-restart] received, process restarting 3) OpenVPN tries to reconnect: TCP/UDP: Preserving recently used remote address: [AF_INET]a.b.c.d:443 Attempting to establish TCP connection with [AF_INET]a.b.c.d:443 [nonblock] TCP: connect to [AF_INET]a.b.c.d:443 failed: Network is unreachable SIGUSR1[connection failed(soft),init_instance] received, process restarting 4) After a while, tries to resolve the domain again (and fails): RESOLVE: Cannot resolve host address: example.com:443 (Temporary failure in name resolution) RESOLVE: Cannot resolve host address: example.com:443 (Temporary failure in name resolution) Could not determine IPv4/IPv6 protocol SIGUSR1[soft,init_instance] received, process restarting 5) Optional: Wifi comes up again, interface gets IP address and route assigned (dhcpcd logs): wlan0: offered 192.168.0.2 from 192.168.0.1 wlan0: probing address 192.168.0.2/24 wlan0: leased 192.168.0.2 for 120 seconds wlan0: adding route to 192.168.0.0/24 wlan0: changing default route via 192.168.0.1 wlan0: deleting route to 169.254.0.0/16 6) OpenVPN suddenly tries to connect to a faulty IP: TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.0.1:443 Attempting to establish TCP connection with [AF_INET]192.168.0.1:443 [nonblock] TCP: connect to [AF_INET]192.168.0.1:443 failed: Connection refused SIGUSR1[connection failed(soft),init_instance] received, process restarting In this case there seems to be a correlation to the router IP address in 5), but I have many more examples of unexplicable IP addresses (e.g. 1.1.1.11, 212.27.38.252, 192.168.246.123, ...), all of which are definitely not assigned to example.com. A log where I have absolutely now indication why a strange IP addres (not the routers one) suddenly shows up: TCP/UDP: Preserving recently used remote address: [AF_INET]a.b.c.d:443 Attempting to establish TCP connection with [AF_INET]a.b.c.d:443 [nonblock] TCP: connect to [AF_INET]a.b.c.d:443 failed: Network is unreachable SIGUSR1[connection failed(soft),init_instance] received, process restarting TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.246.123:443 Attempting to establish TCP connection with [AF_INET]192.168.246.123:443 [nonblock] TCP: connect to [AF_INET]192.168.246.123:443 failed: Network is unreachable SIGUSR1[connection failed(soft),init_instance] received, process restarting Use client (2.4.7) configuration: client dev vpn0 dev-type tun remote example.com 443 tcp nobind persist-key ca /path/to/ca cert /path/to/client-cert key /path/to/client-key remote-cert-tls server comp-lzo ping-restart 0 route-nopull route 10.x.y.z route 10.a.b.c connect-retry 5 30 Server configuration (Running 2.4.6): port 443 proto tcp dev tun ca /path/to/ca cert /path/to/server-cert key /path/to/server-key crl-verify /path/to/crl.pem dh /path/to/dh2048.pem server 10.x.0.0 255.255.0.0 push "route 10.x.x.x 255.255.255.0" push "redirect-gateway" push "dhcp-option DNS 10.176.0.1" push "dhcp-option WINS 10.176.0.1" keepalive 10 120 comp-lzo max-clients 16380 persist-key persist-tun status /path/to/openvpn-status.log 5 status-version 2 log-append /path/to/openvpn.log verb 0 tun-mtu 1500 script-security 2 client-connect "/path/to/script.sh" management 0.0.0.0 2194 /path/to/management-password the line push "dhcp-option DNS 10.176.0.1" is the main suspect he
[Openvpn-users] Connection attempts to seemingly random IP addresses
Hello, I am observing the behavior of OpenVPN 2.4.7 trying to connect to IP addresses it never should. The devices it is running on are Yocto based, embedded, 32bit MIPS and deployed in remote networks which are not under my control. 1) OpenVPN connects successfully to server (example.com, TCP, Port 443) TCP/UDP: Preserving recently used remote address: [AF_INET]a.b.c.d:443 Attempting to establish TCP connection with [AF_INET]a.b.c.d:443 [nonblock] TCP connection established with [AF_INET]a.b.c.d:443 TCP_CLIENT link local: (not bound) TCP_CLIENT link remote: [AF_INET]a.b.c.d:443 [server] Peer Connection Initiated with [AF_INET]a.b.c.d:443 Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS]) Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS]) Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS]) Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS]) Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS]) TUN/TAP device vpn0 opened /sbin/ip link set dev vpn0 up mtu 1500 /sbin/ip addr add dev vpn0 local 10.176.x.y peer 10.176.x.z Initialization Sequence Completed Hint: - example.com is put in place if the real domain of the servers - a.b.c.d refers to one out of multiple IPv4 addresses assigned to example.com 2) Internet connectivity lost because wifi/ethernet/upstream connectivity got bad/lost: [server] Inactivity timeout (--ping-restart), restarting /sbin/ip addr del dev vpn0 local 10.176.x.y peer 10.176.x.z SIGUSR1[soft,ping-restart] received, process restarting 3) OpenVPN tries to reconnect: TCP/UDP: Preserving recently used remote address: [AF_INET]a.b.c.d:443 Attempting to establish TCP connection with [AF_INET]a.b.c.d:443 [nonblock] TCP: connect to [AF_INET]a.b.c.d:443 failed: Network is unreachable SIGUSR1[connection failed(soft),init_instance] received, process restarting 4) After a while, tries to resolve the domain again (and fails): RESOLVE: Cannot resolve host address: example.com:443 (Temporary failure in name resolution) RESOLVE: Cannot resolve host address: example.com:443 (Temporary failure in name resolution) Could not determine IPv4/IPv6 protocol SIGUSR1[soft,init_instance] received, process restarting 5) Optional: Wifi comes up again, interface gets IP address and route assigned (dhcpcd logs): wlan0: offered 192.168.0.2 from 192.168.0.1 wlan0: probing address 192.168.0.2/24 wlan0: leased 192.168.0.2 for 120 seconds wlan0: adding route to 192.168.0.0/24 wlan0: changing default route via 192.168.0.1 wlan0: deleting route to 169.254.0.0/16 6) OpenVPN suddenly tries to connect to a faulty IP: TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.0.1:443 Attempting to establish TCP connection with [AF_INET]192.168.0.1:443 [nonblock] TCP: connect to [AF_INET]192.168.0.1:443 failed: Connection refused SIGUSR1[connection failed(soft),init_instance] received, process restarting In this case there seems to be a correlation to the router IP address in 5), but I have many more examples of unexplicable IP addresses (e.g. 1.1.1.11, 212.27.38.252, 192.168.246.123, ...), all of which are definitely not assigned to example.com. A log where I have absolutely now indication why a strange IP addres (not the routers one) suddenly shows up: TCP/UDP: Preserving recently used remote address: [AF_INET]a.b.c.d:443 Attempting to establish TCP connection with [AF_INET]a.b.c.d:443 [nonblock] TCP: connect to [AF_INET]a.b.c.d:443 failed: Network is unreachable SIGUSR1[connection failed(soft),init_instance] received, process restarting TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.246.123:443 Attempting to establish TCP connection with [AF_INET]192.168.246.123:443 [nonblock] TCP: connect to [AF_INET]192.168.246.123:443 failed: Network is unreachable SIGUSR1[connection failed(soft),init_instance] received, process restarting Use client (2.4.7) configuration: client dev vpn0 dev-type tun remote example.com 443 tcp nobind persist-key ca /path/to/ca cert /path/to/client-cert key /path/to/client-key remote-cert-tls server comp-lzo ping-restart 0 route-nopull route 10.x.y.z route 10.a.b.c connect-retry 5 30 Server configuration (Running 2.4.6): port 443 proto tcp dev tun ca /path/to/ca cert /path/to/server-cert key /path/to/server-key crl-verify /path/to/crl.pem dh /path/to/dh2048.pem server 10.x.0.0 255.255.0.0 push "route 10.x.x.x 255.255.255.0" push "redirect-gateway" push "dhcp-option DNS 10.176.0.1" push "dhcp-option WINS 10.176.0.1" keepalive 10 120 comp-lzo max-clients 16380 persist-key persist-tun status /path/to/openvpn-status.log 5 status-version 2 log-append /path/to/openvpn.log verb 0 tun-mtu 1500 script-security 2 client-connect "/path/to/script.sh" management 0.0.0.0 2194 /path/to/management-password I'd be very grateful for ideas on how I can investigate this. Kind regards, Reto __
