WTware not applying DNS server addresses pushed by OpenVPN server?

Bitey
Posts: 2
Joined: Tue Oct 17, 2017 3:45 pm

WTware not applying DNS server addresses pushed by OpenVPN server?

Post by Bitey » Tue Oct 17, 2017 4:03 pm

Hi WTware team,

I have recently got into WTware in a big way and think it's a fantastic product—many thanks for your work on it and the excellent supporting documentation.

I've run into a problem with OpenVPN connections. My OpenVPN server pushes DNS server addresses and a domain name to clients, and enables force tunnelling. This works on all other (iOS/MacOS/Windows) clients, but on my WTware terminal, the DNS server addresses are not being applied. This means that the terminal cannot access internal resources by name.

The terminal is configured as follows:
- OS (5.6.16) stored on USB
- Config file stored on USB
- Connecting over wi-fi
- OpenVPN config file with embedded keys/certs stored in /configs
- Second screen launches Chrome

The config file contains three entries that use domain names (not IP addresses) for the destination, plus one --new-- entry.
When I click on any of the first three entries, I get the error:

Failed to convert <hostname> to IP address.
Possibly, DNS-server doesn't work or is not specified.

If I click "Enter server address" and specify a hostname, I get the same error.
However, if I click "Enter server address" and specify an IP address, it connects just fine.

I know that force-tunnelling is working properly because if I go to Chrome and access whatismyip.com, I see the external address of the VPN endpoint.
I can also use Chrome to examine the logs of the client. Here's what I get:

[           WPA] [   65.847252] eth0: SME: Trying to authenticate with b2:48:1a:1f:9d:94 (SSID='SSID' freq=2412 MHz)
[        KERNEL] [   65.847270] eth0: authenticate with b2:48:1a:1f:9d:94
[        KERNEL] [   65.915834] eth0: send auth to b2:48:1a:1f:9d:94 (try 1/3)
[        KERNEL] [   65.918832] eth0: authenticated
[           WPA] [   65.918914] eth0: Trying to associate with b2:48:1a:1f:9d:94 (SSID='SSID' freq=2412 MHz)
[        initrd] [   65.925938] State ASSOCIATING before handshake, do nothing.
[        KERNEL] [   65.924025] eth0: associate with b2:48:1a:1f:9d:94 (try 1/3)
[        KERNEL] [   65.927334] eth0: RX AssocResp from b2:48:1a:1f:9d:94 (capab=0x411 status=0 aid=1)
[        KERNEL] [   65.933952] eth0: associated
[           WPA] [   65.934049] eth0: Associated with b2:48:1a:1f:9d:94
[        KERNEL] [   65.992724] eth0: Limiting TX power to 20 (20 - 0) dBm as advertised by b2:48:1a:1f:9d:94
[           WPA] [   66.055859] eth0: WPA: Key negotiation completed with b2:48:1a:1f:9d:94 [PTK=CCMP GTK=CCMP]
[           WPA] [   66.055884] eth0: CTRL-EVENT-CONNECTED - Connection to b2:48:1a:1f:9d:94 completed [id=0 id_str=]
[        initrd] [   66.227051] wpa_state=COMPLETED
[        initrd] [   66.227068] WTpassword empty.
[        initrd] [   68.344046] dhcp: 328 bytes from 172.20.10.1.
[        initrd] [   68.344071] 00000000:000001340000000000110000AC140A01AC140A08004300440134000002010600  ...4..............C.D.4......
...
[        initrd] [   68.344201] 000000e0:0000000000000000000000000000000000000000000000000000000000000000  ................................
[        initrd] [   70.451982] dhcp: 328 bytes from 172.20.10.1.
[        initrd] [   70.452016] 00000000:000001340000000000110000AC140A01AC140A08004300440134000002010600  ...4..............C.D.4......
...
[        initrd] [   70.452140] 000000e0:0000000000000000000000000000000000000000000000000000000000000000  ................................
[        initrd] [   70.468033] dhcp: server address 172.20.10.1.
[        initrd] [   70.468054] dhcp: 172.20.10.8/255.255.255.240.
[        initrd] [   70.468073] dhcp: default gateway 172.20.10.1.
[        initrd] [   70.468092] dhcp: DNS 172.20.10.1.
[        initrd] [   70.468111] dhcp: TFTP from siaddr 172.20.10.1.
[        initrd] [   70.468129] dhcp: TFTP 172.20.10.1.
[        initrd] [   70.468148] No boot file from DHCP.
[        initrd] [   70.468167] TFTP binary "", configs prefix "", using "/" slash.
WTC listener is active.
WTC broadcast listener is active.
Send broadcast WTCU discover.
[        initrd] [   70.468883] Run OpenVPN with user config configs/openvpn.cfg.
[        initrd] [   70.468905] +--- Executing "/sbin/modprobe tun"
[        initrd] [   70.470004] +- Errorlevel: 0, output:
[        KERNEL] [   70.469860] tun: Universal TUN/TAP device driver, 1.6
[        KERNEL] [   70.469861] tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
File is empty.
[        initrd] [   70.470117] +------------------------
[        initrd] [   70.470132] +--- Executing "/usr/sbin/openvpn /etc/client.conf"
[SYSLOG] <29>Oct 17 20:49:38 openvpn[1000]: OpenVPN 2.3.10 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
[SYSLOG] <29>Oct 17 20:49:38 openvpn[1000]: library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
[        initrd] [   70.474344] +- Errorlevel: 0, output:
File is empty.
[        initrd] [   70.474395] +------------------------
[SYSLOG] <28>Oct 17 20:49:38 openvpn[1001]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
[SYSLOG] <29>Oct 17 20:49:38 openvpn[1001]: Control Channel Authentication: tls-auth using INLINE static key file
[SYSLOG] <29>Oct 17 20:49:38 openvpn[1001]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
[SYSLOG] <29>Oct 17 20:49:38 openvpn[1001]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
[SYSLOG] <29>Oct 17 20:49:38 openvpn[1001]: Socket Buffers: R=[163840->163840] S=[163840->163840]
[SYSLOG] <29>Oct 17 20:49:39 openvpn[1001]: UDPv4 link local: [undef]
[SYSLOG] <29>Oct 17 20:49:39 openvpn[1001]: UDPv4 link remote: [AF_INET]<ip address>:1194
[SYSLOG] <29>Oct 17 20:49:39 openvpn[1001]: TLS: Initial packet from [AF_INET]<ip address>:1194, sid=330c4b50 58063d66
[SYSLOG] <29>Oct 17 20:49:39 openvpn[1001]: VERIFY OK: depth=1, C=JP, ST=<ca details>
[SYSLOG] <29>Oct 17 20:49:39 openvpn[1001]: VERIFY OK: depth=0, C=JP, ST=<ca details>
[SYSLOG] <29>Oct 17 20:49:39 openvpn[1001]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
[SYSLOG] <28>Oct 17 20:49:39 openvpn[1001]: WARNING: this cipher's block size is less than 128 bit (64 bit).  Consider using a --cipher with a larger block size.
[SYSLOG] <29>Oct 17 20:49:39 openvpn[1001]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
[SYSLOG] <29>Oct 17 20:49:39 openvpn[1001]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
[SYSLOG] <28>Oct 17 20:49:39 openvpn[1001]: WARNING: this cipher's block size is less than 128 bit (64 bit).  Consider using a --cipher with a larger block size.
[SYSLOG] <29>Oct 17 20:49:39 openvpn[1001]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
[SYSLOG] <29>Oct 17 20:49:39 openvpn[1001]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
[SYSLOG] <29>Oct 17 20:49:39 openvpn[1001]: [server] Peer Connection Initiated with [AF_INET]<ip address>:1194
[SYSLOG] <29>Oct 17 20:49:41 openvpn[1001]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
[SYSLOG] <29>Oct 17 20:49:41 openvpn[1001]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0,dhcp-option DOMAIN <domain name>,dhcp-option DNS 192.168.2.203,dhcp-option DNS 192.168.2.204,register-dns,redirect-gateway def1,route-gateway 192.168.20.1,topology subnet,ping 10,ping-restart 60,ifconfig 192.168.20.3 255.255.255.0'
[SYSLOG] <27>Oct 17 20:49:41 openvpn[1001]: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:5: register-dns (2.3.10)
[SYSLOG] <29>Oct 17 20:49:41 openvpn[1001]: OPTIONS IMPORT: timers and/or timeouts modified
[SYSLOG] <29>Oct 17 20:49:41 openvpn[1001]: OPTIONS IMPORT: --ifconfig/up options modified
[SYSLOG] <29>Oct 17 20:49:41 openvpn[1001]: OPTIONS IMPORT: route options modified
[SYSLOG] <29>Oct 17 20:49:41 openvpn[1001]: OPTIONS IMPORT: route-related options modified
[SYSLOG] <29>Oct 17 20:49:41 openvpn[1001]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
[SYSLOG] <29>Oct 17 20:49:41 openvpn[1001]: ROUTE_GATEWAY 172.20.10.1/255.255.255.240 IFACE=eth0 HWADDR=<mac address>
[SYSLOG] <29>Oct 17 20:49:41 openvpn[1001]: TUN/TAP device tun0 opened
[SYSLOG] <29>Oct 17 20:49:41 openvpn[1001]: TUN/TAP TX queue length set to 100
[SYSLOG] <29>Oct 17 20:49:41 openvpn[1001]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
[SYSLOG] <29>Oct 17 20:49:41 openvpn[1001]: /sbin/ip link set dev tun0 up mtu 1500
[SYSLOG] <29>Oct 17 20:49:41 openvpn[1001]: /sbin/ip addr add dev tun0 192.168.20.3/24 broadcast 192.168.20.255
[SYSLOG] <29>Oct 17 20:49:41 openvpn[1001]: /sbin/ip route add <ip address>/32 via 172.20.10.1
[SYSLOG] <29>Oct 17 20:49:41 openvpn[1001]: /sbin/ip route add 0.0.0.0/1 via 192.168.20.1
[SYSLOG] <29>Oct 17 20:49:41 openvpn[1001]: /sbin/ip route add 128.0.0.0/1 via 192.168.20.1
[SYSLOG] <29>Oct 17 20:49:41 openvpn[1001]: /sbin/ip route add 192.168.2.0/24 via 192.168.20.1
[SYSLOG] <29>Oct 17 20:49:41 openvpn[1001]: Initialization Sequence Completed

You can see that first the wireless access point pushes its own DNS server (172.20.10.1), then the OpenVPN server pushes two DNS dhcp-options (192.168.2.203/192.168.2.204).

If I visit the DNS log of the terminal, I see:

WTware 5.6.16

nameserver 172.20.10.1

It looks like WTware is not applying the new DNS server options from the OpenVPN server.

Could you tell me if there is something I can do to fix this, or if you would like more information or testing?

Thanks very much for your time.

aka
SUPPORT
Posts: 715
Joined: Fri Dec 03, 2004 2:05 pm

Re: WTware not applying DNS server addresses pushed by OpenVPN server?

Post by aka » Tue Oct 24, 2017 11:29 am

Bitey wrote:...works on all other (iOS/MacOS/Windows)...
Do you have any Linux clients?

Try this build:

http://pxe.ru/files/testing/201710241227.zip

And you should add two lines to client openvpn config:

script-security 2
up /etc/openvpn/update-resolv-conf

Homer
Posts: 4
Joined: Tue Apr 16, 2019 11:28 am

Re: WTware not applying DNS server addresses pushed by OpenVPN server?

Post by Homer » Tue Apr 16, 2019 11:31 am

We have the same problem. Did you find a solution?

aka
SUPPORT
Posts: 715
Joined: Fri Dec 03, 2004 2:05 pm

Re: WTware not applying DNS server addresses pushed by OpenVPN server?

Post by aka » Tue Apr 16, 2019 11:49 am

I think so. Show me your log after the error: https://wtware.com/logs.html

Homer
Posts: 4
Joined: Tue Apr 16, 2019 11:28 am

Re: WTware not applying DNS server addresses pushed by OpenVPN server?

Post by Homer » Tue Apr 16, 2019 1:28 pm

I sent the log file to the support email.

akatik
SUPPORT
Posts: 417
Joined: Mon Jan 17, 2005 6:30 pm

Re: WTware not applying DNS server addresses pushed by OpenVPN server?

Post by akatik » Wed Apr 17, 2019 6:24 am

1. Replace "pi2-xnet" file in "packages" folder on SD with this one: http://wtware.com/testing/201904161636.zip

2. Add "verb 6" line to openvpn.cfg

3. Remove all "push route" lines from server openvpn configuration. One of them is incorrect.

And show me new log.

Homer
Posts: 4
Joined: Tue Apr 16, 2019 11:28 am

Re: WTware not applying DNS server addresses pushed by OpenVPN server?

Post by Homer » Wed Apr 17, 2019 2:08 pm

The log file is on the support email.

akatik
SUPPORT
Posts: 417
Joined: Mon Jan 17, 2005 6:30 pm

Re: WTware not applying DNS server addresses pushed by OpenVPN server?

Post by akatik » Wed Apr 17, 2019 3:00 pm

From log:

openvpn[710]: ERROR: Linux route add command failed: external program exited with error status: 2

This is not related to the subject "not applying DNS server addresses" and looks like an error in your openvpn config, not a wtware error. Did you test your openvpn config on other Linuxes?

Homer
Posts: 4
Joined: Tue Apr 16, 2019 11:28 am

Re: WTware not applying DNS server addresses pushed by OpenVPN server?

Post by Homer » Thu Apr 18, 2019 10:10 am

You are right, this error was a problem on our OpenVPN server. Now everything is working normally after your fix. Thanks for the excellent support!

gbsinformatica

Re: WTware not applying DNS server addresses pushed by OpenVPN server?

Post by gbsinformatica » Tue Oct 01, 2019 6:11 pm

akatik wrote:
> 1. Replace "pi2-xnet" file in "packages" folder on SD
> with this one: http://wtware.com/testing/201904161636.zip

The link is broken.

akatik
SUPPORT
Posts: 417
Joined: Mon Jan 17, 2005 6:30 pm

Re: WTware not applying DNS server addresses pushed by OpenVPN server?

Post by akatik » Wed Oct 02, 2019 8:37 pm

Use the latest wtware version instead of this link.

teamyamaha91

Re: WTware not applying DNS server addresses pushed by OpenVPN server?

Post by teamyamaha91 » Sat Nov 30, 2019 5:03 am

This is still happening. We have added "up /etc/openvpn/update-resolv-conf", but it just appends the DNS pushed by the OpenVPN server to the end of the WTware network config. DNS requests do not use those nameservers and instead use the first in line, which was acquired from DHCP.

akatik
SUPPORT
Posts: 417
Joined: Mon Jan 17, 2005 6:30 pm

Re: WTware not applying DNS server addresses pushed by OpenVPN server?

Post by akatik » Sun Dec 01, 2019 12:46 pm

teamyamaha91 wrote (Sat Nov 30, 2019 5:03 am):
> This is still happening, we have added "up /etc/openvpn/update-resolv-conf" but it just appends the pushed dns from openvpn server to the end of the wtware network config.

Appends to the end, yes. Should it replace DNS addresses from local DHCP?

Here is an example of wtware "extra=" option: viewtopic.php?t=48783

You can write whatever you want to /etc/resolv.conf by creating "myresolv.zip" with a single file named "runme" in it, with the following content:

#!/bin/sh
# ">" overwrites /etc/resolv.conf with the first server, ">>" appends the second
echo "nameserver 8.8.8.8" >  /etc/resolv.conf
echo "nameserver 8.8.4.4" >> /etc/resolv.conf

"> /etc/resolv.conf" replaces the existing file; ">> /etc/resolv.conf" appends a second line to the file.
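The two approaches above (aka's "script-security 2" / "up" hook, and a fixed runme script) can be combined into one OpenVPN up/down hook that takes the pushed dhcp-option DNS and DOMAIN values and makes them replace the DHCP resolver rather than being appended after it, which is what teamyamaha91's post describes. The script below is an added example for this thread; it is not WTware's code and not OpenVPN's own update-resolv-conf script. It assumes the documented OpenVPN 2.x behaviour of exporting each pushed "dhcp-option ..." line to the hook as foreign_option_1, foreign_option_2, ... and of setting script_type to "up" or "down"; the RESOLV_CONF and BACKUP variables are this script's own knobs so it can be tried on a temporary file before pointing it at the live /etc/resolv.conf.

```shell
#!/bin/sh
# Added example for this thread; not WTware's code and not OpenVPN's own
# update-resolv-conf. An OpenVPN "up"/"down" hook that rewrites resolv.conf
# from the dhcp-option values the server pushes, putting the VPN resolvers
# FIRST (replacing the DHCP ones) instead of appending them.
#
# Assumptions: OpenVPN 2.x exports each pushed "dhcp-option ..." line as
# foreign_option_1, foreign_option_2, ... and sets script_type to "up"/"down"
# when it calls the hook. RESOLV_CONF and BACKUP are this script's own knobs
# so it can be exercised on a temporary file instead of /etc/resolv.conf.

RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
BACKUP="${BACKUP:-${RESOLV_CONF}.pre-vpn}"

# Print resolv.conf lines built from the pushed options: one "search" line
# for pushed DOMAIN / DOMAIN-SEARCH values, then "nameserver" lines in the
# order the server pushed them.
pushed_resolv_lines() {
    i=1
    servers=""
    domains=""
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        # Split "dhcp-option DNS 192.168.2.203" into its three words.
        set -- $opt
        if [ "$1" = "dhcp-option" ]; then
            case "$2" in
                DNS)                  servers="$servers $3" ;;
                DOMAIN|DOMAIN-SEARCH) domains="$domains $3" ;;
            esac
        fi
        i=$((i + 1))
    done
    if [ -n "$domains" ]; then
        printf 'search%s\n' "$domains"
    fi
    for s in $servers; do
        printf 'nameserver %s\n' "$s"
    done
}

# Number of DNS servers the server pushed (0: leave resolv.conf untouched).
pushed_dns_count() {
    pushed_resolv_lines | awk '/^nameserver /{n++} END{print n+0}'
}

# "up" hook: keep a one-time backup of the pre-VPN file, then replace it.
# The DHCP resolver lives on the directly connected subnet, so even with
# redirect-gateway it stays reachable outside the tunnel. Leaving it first
# means internal names fail (as in the thread) and every lookup is sent to a
# resolver outside the VPN, so it is dropped rather than kept as a fallback.
resolv_up() {
    if [ "$(pushed_dns_count)" -eq 0 ]; then
        return 0
    fi
    if [ ! -f "$BACKUP" ] && [ -f "$RESOLV_CONF" ]; then
        cp "$RESOLV_CONF" "$BACKUP"
    fi
    # Write to a temp file and rename so readers never see a half-written file.
    pushed_resolv_lines > "${RESOLV_CONF}.tmp" && mv "${RESOLV_CONF}.tmp" "$RESOLV_CONF"
}

# "down" hook: put the pre-VPN resolv.conf back if we saved one.
resolv_down() {
    if [ -f "$BACKUP" ]; then
        mv "$BACKUP" "$RESOLV_CONF"
    fi
}

# Dispatch on the hook OpenVPN is calling; does nothing when sourced for tests.
case "${script_type:-}" in
    up)   resolv_up ;;
    down) resolv_down ;;
esac
```

To wire it in, the client config needs "script-security 2" plus "up" and "down" lines pointing at this file (the same place the thread puts update-resolv-conf). Once the tunnel is up, the terminal's DNS log should list the pushed 192.168.2.x resolvers first and no longer the DHCP one; if it still shows only the DHCP address, the hook did not run, which is the symptom to check before blaming the server's push options.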
