Hello,
I have set up OpenVPN and always get the following error message when contacting the server:
Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
The message appears after the VPN connection has been established, the server has assigned an IP, and ifconfig shows me the device tun0. However, a ping to the server, let alone establishing a connection over the VPN, does not work.
Here is my /etc/openvpn/client.conf:
dev tun0
proto udp
remote <domain> 1194
;remote my-server-2 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ./keys/ca.crt
cert ./keys/mykey.crt
key ./keys/mykey.key
remote-cert-tls server
verb 3
ifconfig tun0 returns this:
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.14  netmask 255.255.255.255  destination 10.8.0.13
        inet6 fe80::8819:4f74:b199:db65  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 111  overruns 0  frame 0
        TX packets 18  bytes 1188 (1.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
And then /var/log/syslog:
Jul 28 15:22:07 sf4 systemd[1]: Starting OpenVPN service...
Jul 28 15:22:07 sf4 systemd[1]: Started OpenVPN service.
Jul 28 15:22:07 sf4 systemd[1]: Starting OpenVPN connection to client...
Jul 28 15:22:07 sf4 ovpn-client[10455]: OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
Jul 28 15:22:07 sf4 ovpn-client[10455]: library versions: OpenSSL 1.1.1b 26 Feb 2019, LZO 2.10
Jul 28 15:22:07 sf4 systemd[1]: Started OpenVPN connection to client.
Jul 28 15:22:07 sf4 dbus-daemon[907]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' requested by ':1.18' (uid=0 pid=912 comm="/usr/sbin/NetworkManager --no-daemon " label="unconfined")
Jul 28 15:22:07 sf4 systemd[1]: Starting Network Manager Script Dispatcher Service...
Jul 28 15:22:07 sf4 dbus-daemon[907]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Jul 28 15:22:07 sf4 systemd[1]: Started Network Manager Script Dispatcher Service.
Jul 28 15:22:07 sf4 nm-dispatcher: req:1 'down' [tun0]: new request (1 scripts)
Jul 28 15:22:07 sf4 nm-dispatcher: req:1 'down' [tun0]: start running ordered scripts...
Jul 28 15:22:07 sf4 systemd-resolved[880]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Jul 28 15:22:07 sf4 ovpn-client[10455]: TCP/UDP: Preserving recently used remote address: [AF_INET]****:1194
Jul 28 15:22:07 sf4 ovpn-client[10455]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Jul 28 15:22:07 sf4 ovpn-client[10455]: UDP link local: (not bound)
Jul 28 15:22:07 sf4 ovpn-client[10455]: UDP link remote: [AF_INET]****:1194
Jul 28 15:22:08 sf4 ovpn-client[10455]: TLS: Initial packet from [AF_INET]****:1194, sid=5a9ef9f5 a86a82b5
Jul 28 15:22:08 sf4 ovpn-client[10455]: VERIFY OK: depth=1, C=*, L=*, OU=changeme, CN=changeme, name=changeme, emailAddress=*
Jul 28 15:22:08 sf4 ovpn-client[10455]: VERIFY KU OK
Jul 28 15:22:08 sf4 ovpn-client[10455]: Validating certificate extended key usage
Jul 28 15:22:08 sf4 ovpn-client[10455]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jul 28 15:22:08 sf4 ovpn-client[10455]: VERIFY EKU OK
Jul 28 15:22:08 sf4 ovpn-client[10455]: VERIFY OK: depth=0, C=*, L=*, OU=changeme, CN=changeme, name=changeme, emailAddress=*
Jul 28 15:22:08 sf4 ovpn-client[10455]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1542'
Jul 28 15:22:08 sf4 ovpn-client[10455]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Jul 28 15:22:08 sf4 ovpn-client[10455]: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Jul 28 15:22:08 sf4 ovpn-client[10455]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Jul 28 15:22:08 sf4 ovpn-client[10455]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 1024 bit RSA
Jul 28 15:22:08 sf4 ovpn-client[10455]: [changeme] Peer Connection Initiated with [AF_INET]****:1194
Jul 28 15:22:09 sf4 ovpn-client[10455]: SENT CONTROL [changeme]: 'PUSH_REQUEST' (status=1)
Jul 28 15:22:10 sf4 ovpn-client[10455]: PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.14 10.8.0.13,peer-id 0,cipher AES-256-GCM'
Jul 28 15:22:10 sf4 ovpn-client[10455]: OPTIONS IMPORT: timers and/or timeouts modified
Jul 28 15:22:10 sf4 ovpn-client[10455]: OPTIONS IMPORT: --ifconfig/up options modified
Jul 28 15:22:10 sf4 ovpn-client[10455]: OPTIONS IMPORT: route options modified
Jul 28 15:22:10 sf4 ovpn-client[10455]: OPTIONS IMPORT: peer-id set
Jul 28 15:22:10 sf4 ovpn-client[10455]: OPTIONS IMPORT: adjusting link_mtu to 1624
Jul 28 15:22:10 sf4 ovpn-client[10455]: OPTIONS IMPORT: data channel crypto options modified
Jul 28 15:22:10 sf4 ovpn-client[10455]: Data Channel: using negotiated cipher 'AES-256-GCM'
Jul 28 15:22:10 sf4 ovpn-client[10455]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 28 15:22:10 sf4 ovpn-client[10455]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 28 15:22:10 sf4 ovpn-client[10455]: ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=wlp2s0 HWADDR=****
Jul 28 15:22:10 sf4 ovpn-client[10455]: TUN/TAP device tun0 opened
Jul 28 15:22:10 sf4 ovpn-client[10455]: TUN/TAP TX queue length set to 100
Jul 28 15:22:10 sf4 ovpn-client[10455]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Jul 28 15:22:10 sf4 ovpn-client[10455]: /sbin/ip link set dev tun0 up mtu 1500
Jul 28 15:22:10 sf4 NetworkManager[912]: <info> [1564298530.2100] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/7)
Jul 28 15:22:10 sf4 systemd-udevd[10445]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jul 28 15:22:10 sf4 ovpn-client[10455]: /sbin/ip addr add dev tun0 local 10.8.0.14 peer 10.8.0.13
Jul 28 15:22:10 sf4 ovpn-client[10455]: /sbin/ip route add 10.8.0.0/24 via 10.8.0.13
Jul 28 15:22:10 sf4 ovpn-client[10455]: /sbin/ip route add 10.8.0.0/24 via 10.8.0.13
Jul 28 15:22:10 sf4 openvpn[10455]: RTNETLINK answers: File exists
Jul 28 15:22:10 sf4 ovpn-client[10455]: ERROR: Linux route add command failed: external program exited with error status: 2
Jul 28 15:22:10 sf4 ovpn-client[10455]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jul 28 15:22:10 sf4 ovpn-client[10455]: Initialization Sequence Completed
Jul 28 15:22:10 sf4 NetworkManager[912]: <info> [1564298530.2207] device (tun0): state change: unmanaged -> unavailable (reason 'connection-assumed', sys-iface-state: 'external')
Jul 28 15:22:10 sf4 NetworkManager[912]: <info> [1564298530.2239] keyfile: add connection /run/NetworkManager/system-connections/tun0.nmconnection (1b5c221d-31bb-4649-802e-ed8dc48ddc0e,"tun0")
Jul 28 15:22:10 sf4 NetworkManager[912]: <info> [1564298530.2243] device (tun0): state change: unavailable -> disconnected (reason 'connection-assumed', sys-iface-state: 'external')
Jul 28 15:22:10 sf4 NetworkManager[912]: <info> [1564298530.2251] device (tun0): Activation: starting connection 'tun0' (1b5c221d-31bb-4649-802e-ed8dc48ddc0e)
Jul 28 15:22:10 sf4 NetworkManager[912]: <info> [1564298530.2253] device (tun0): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'external')
Jul 28 15:22:10 sf4 NetworkManager[912]: <info> [1564298530.2260] device (tun0): state change: prepare -> config (reason 'none', sys-iface-state: 'external')
Jul 28 15:22:10 sf4 NetworkManager[912]: <info> [1564298530.2263] device (tun0): state change: config -> ip-config (reason 'none', sys-iface-state: 'external')
Jul 28 15:22:10 sf4 NetworkManager[912]: <info> [1564298530.2267] device (tun0): state change: ip-config -> ip-check (reason 'none', sys-iface-state: 'external')
Jul 28 15:22:10 sf4 NetworkManager[912]: <info> [1564298530.2274] device (tun0): state change: ip-check -> secondaries (reason 'none', sys-iface-state: 'external')
Jul 28 15:22:10 sf4 NetworkManager[912]: <info> [1564298530.2276] device (tun0): state change: secondaries -> activated (reason 'none', sys-iface-state: 'external')
Jul 28 15:22:10 sf4 NetworkManager[912]: <info> [1564298530.2610] device (tun0): Activation: successful, device activated.
Jul 28 15:22:10 sf4 nm-dispatcher: req:2 'up' [tun0]: new request (1 scripts)
Jul 28 15:22:10 sf4 nm-dispatcher: req:2 'up' [tun0]: start running ordered scripts...
Jul 28 15:22:10 sf4 systemd-resolved[880]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
Jul 28 15:22:20 sf4 systemd-resolved[880]: message repeated 2 times: [ Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.]
Jul 28 15:22:20 sf4 ovpn-client[10455]: write to TUN/TAP : Invalid argument (code=22)
Jul 28 15:22:21 sf4 systemd[1]: NetworkManager-dispatcher.service: Succeeded.
Jul 28 15:22:30 sf4 ovpn-client[10455]: write to TUN/TAP : Invalid argument (code=22)
It reads like a DNS error. But it only occurs in connection with the VPN.
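
An added example, not part of the original post: a small Python triage of the syslog above that separates the option-mismatch warnings and failures logged by the OpenVPN client from the systemd-resolved message. The sample lines are an excerpt of the log in the post; the function name `triage` and the report keys are made up for this illustration.

```python
import re
from collections import Counter

# Excerpt of the syslog lines quoted in the post (shortened sample input).
SAMPLE = """\
Jul 28 15:22:07 sf4 systemd-resolved[880]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
Jul 28 15:22:08 sf4 ovpn-client[10455]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1542'
Jul 28 15:22:08 sf4 ovpn-client[10455]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Jul 28 15:22:08 sf4 ovpn-client[10455]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Jul 28 15:22:10 sf4 openvpn[10455]: RTNETLINK answers: File exists
Jul 28 15:22:10 sf4 ovpn-client[10455]: ERROR: Linux route add command failed: external program exited with error status: 2
Jul 28 15:22:10 sf4 ovpn-client[10455]: Initialization Sequence Completed
Jul 28 15:22:20 sf4 ovpn-client[10455]: write to TUN/TAP : Invalid argument (code=22)
Jul 28 15:22:30 sf4 ovpn-client[10455]: write to TUN/TAP : Invalid argument (code=22)
"""

SYSLOG = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ (?P<proc>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$")
MISMATCH = re.compile(r"WARNING: '([^']+)' is used inconsistently, local='([^']*)', remote='([^']*)'")
REMOTE_ONLY = re.compile(r"WARNING: '([^']+)' is present in remote config but missing in local config")
FAILURE = re.compile(r"\berror\b|\(code=\d+\)|^RTNETLINK answers", re.I)
OPENVPN_PROCS = {"ovpn-client", "openvpn"}  # process tags as they appear in this log


def triage(text):
    """Split a syslog excerpt into OpenVPN option mismatches and per-process failures."""
    report = {"mismatch": {}, "remote_only": [], "failures": Counter()}
    for line in text.splitlines():
        m = SYSLOG.match(line.strip())
        if not m:
            continue  # not a syslog-formatted line (e.g. a marker row)
        proc, msg = m["proc"], m["msg"]
        if proc in OPENVPN_PROCS and (mm := MISMATCH.search(msg)):
            report["mismatch"][mm[1]] = (mm[2], mm[3])  # option -> (local, remote)
        elif proc in OPENVPN_PROCS and (mm := REMOTE_ONLY.search(msg)):
            report["remote_only"].append(mm[1])  # option only the server sets
        elif FAILURE.search(msg):
            report["failures"][(proc, msg)] += 1  # counted per logging process
    return report


if __name__ == "__main__":
    r = triage(SAMPLE)
    for opt, (local, remote) in r["mismatch"].items():
        print(f"option mismatch  {opt}: local={local!r} remote={remote!r}")
    for opt in r["remote_only"]:
        print(f"remote-only      {opt}")
    for (proc, msg), n in r["failures"].items():
        print(f"{n}x {proc}: {msg}")
```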