
ANSWERED Can't connect via WireGuard anymore

@Greyzy

Hello!

The domain name included in the configuration file generated by the Configuration Generator is fully qualified, as you can verify independently.

The problem is always the same as you can see even from nslookup: poisoned/wrong resolution (into a non-routable address). The problem is not in domain names or configuration files.

Specific example for de3.vpn.airdns.org: note how Quad9 (9.9.9.9) resolves correctly, and this adds another strange piece to the puzzle, because nslookup said that it queried Quad9 to resolve de3.vpn.airdns.org but got an answer that surely does not come from Quad9. This suggests some worrying scenario, but let's not jump to conclusions too early: just switch to DNS over TLS (supported by Quad9). Configuration needs a little bit of documentation; please check (while you are in the VPN): https://www.elevenforum.com/t/enable-dns-over-tls-dot-in-windows-11.9012/

DNS over TLS will ensure that your DNS queries are not tampered with by your ISP or any MITM (when you are in the VPN you are already protected, as the DNS is inside the VPN, but when you're not connected to the VPN you're not protected).


$ drill @9.9.9.9 de3.vpn.airdns.org
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 27288
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0  
;; QUESTION SECTION:
;; de3.vpn.airdns.org.  IN      A

;; ANSWER SECTION:
de3.vpn.airdns.org.     300     IN      A       37.120.217.245

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 151 msec
;; SERVER: 9.9.9.9
;; WHEN: Wed Jun 26 20:58:14 2024
;; MSG SIZE  rcvd: 52



Also, please answer to the relevant question by @go558a83nk

Kind regards
 

1 hour ago, go558a83nk said:

Do you get this same result when you're connected to the VPN using the config that works?

Things definitely seem wrong in the test above.  Are you running a proxy on your local network?  Seems you've got something proxying your traffic so it replies with a local IP in order to tunnel traffic through the proxy to the real final destination.  But that won't work for VPNs trying to connect.

Thanks for trying to help me! Unfortunately I have no idea how to answer your question correctly, because it's too technical for me.
I don't know how "running a proxy" works, so I guess I am not running one, but I'd prefer to verify, if you can tell me what to do.

Maybe it helps to describe my general setup:
- Modem "Connectbox" by Vodafone (formerly Unitymedia) is connected to the plug in the wall at 192.168.9.1
- Fritzbox connected to Modem at 192.168.0.1
- several PC (incl. the WIN-7 PC I use for AirVPN) connected via LAN to the Fritzbox

Can you tell me where to look and how to perform the checks?

Thanks,
Tom

1 hour ago, Staff said:
The problem is always the same as you can see even from nslookup: poisoned/wrong resolution (into a non-routable address). The problem is not in domain names or configuration files.

Specific example for de3.vpn.airdns.org: note how Quad9 (9.9.9.9) resolves correctly, and this adds another strange piece to the puzzle, because nslookup said that it queried Quad9 to resolve de3.vpn.airdns.org but got an answer that surely does not come from Quad9. This suggests some worrying scenario, but let's not jump to conclusions too early: just switch to DNS over TLS (supported by Quad9). Configuration needs a little bit of documentation; please check (while you are in the VPN): https://www.elevenforum.com/t/enable-dns-over-tls-dot-in-windows-11.9012/

DNS over TLS will ensure that your DNS queries are not tampered with by your ISP or any MITM (when you are in the VPN you are already protected, as the DNS is inside the VPN, but when you're not connected to the VPN you're not protected).

Thanks for your analysis!

Unfortunately the article you linked to is for WIN-11, but on that PC I run WIN-7. Can you provide me with another guide how to set up DNS over TLS that works for WIN-7?

But maybe I don't need to do anything except set a checkmark on my router. I found the option for DoT in the section where I manually set the DNS servers (see screenshot). Should I try that?

How can I check that it works? In your post the address returned by nslookup is "37.120.217.245", but in the config file it says "Endpoint = 178.162.212.216:1637". I'm confused! What is the correct DNS resolution?

Fritzbox_26.06.png

@Greyzy

Hello!

Our regional (country / continent / world) domain names for "best" servers change their records frequently, according to https://airvpn.org/faq/servers_ip/ . That's why you can get a different resolution every 5 minutes. This matter is totally irrelevant for the problem you experience, don't worry about it.

It is possible that Vodafone is messing up your DNS queries. We saw this shameful behavior in the past, many years ago, by Vodafone Italia, which re-directed anything to port 53 to force resolution of names by its own DNS servers and also prevent any other protocol to port 53. We can't rule out, according to all the data you provided, that this is the case for you too, with the addition of some acrimony against our VPN domain names.

The problem should get resolved by DNS over TLS to port 853. Unfortunately Windows 7, as far as we know, can't support it, but Windows 10 (which runs on another machine of yours) and the router can: please test it. Once the router is configured properly for DNS over TLS, you can configure your Windows 7 system to query only the router for name resolution (in the DNS settings enter only the router address in your local network).

Important side note: please consider dropping Windows 7, as it has been an abandoned system for a long time now.

Kind regards
 

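The two Staff posts above describe the symptom (a name resolving to a non-routable address while Quad9 returns the real one) and the mitigation (moving queries from UDP/53, which a port-53 hijack can intercept, to DNS over TLS on port 853). The following script is an added example, not AirVPN's code nor anything posted by the participants: it builds an A query, parses the reply, flags answers in non-routable ranges, and can send the same query over plain UDP/53 or over DoT/853 so the two paths can be compared. The resolver address 9.9.9.9 comes from the thread; the TLS name dns.quad9.net for Quad9's DoT service and the transaction id are assumptions, and the two sample replies are constructed (one mirrors the drill output in the thread, one mimics a poisoned answer).

```python
# Added example: compare plain-DNS and DoT answers and flag non-routable results.
import ipaddress
import socket
import ssl
import struct

QUAD9_IP = "9.9.9.9"
QUAD9_TLS_NAME = "dns.quad9.net"   # assumed certificate name for Quad9's DoT service
TEST_NAME = "de3.vpn.airdns.org"

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query with RD set; qtype 1 = A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def _skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at `off`."""
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:    # compression pointer: two bytes end the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_a_answers(msg):
    """Return the IPv4 addresses found in the answer section of a DNS reply."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                 # skip question: name + qtype + qclass
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return addrs

def is_routable(addr):
    """False for private, loopback, link-local, reserved or unspecified addresses."""
    return ipaddress.ip_address(addr).is_global

def assess(reply):
    """Classify a reply as ok, suspicious (non-routable answer) or no_answer."""
    flags = struct.unpack("!H", reply[2:4])[0]
    rcode = flags & 0x0F
    answers = parse_a_answers(reply)
    bad = [a for a in answers if not is_routable(a)]
    if rcode != 0 or not answers:
        verdict = "no_answer"
    elif bad:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {"rcode": rcode, "answers": answers, "non_routable": bad, "verdict": verdict}

def query_udp(server, name, timeout=3.0):
    """Plain DNS over UDP/53: exactly the traffic a port-53 hijack would intercept."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return data

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection")
        buf += chunk
    return buf

def query_dot(server, tls_name, name, timeout=5.0):
    """DNS over TLS (RFC 7858): TCP/853, certificate verified, 2-byte length prefix."""
    q = build_query(name)
    ctx = ssl.create_default_context()   # verifies the resolver's certificate chain
    with socket.create_connection((server, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
            tls.sendall(struct.pack("!H", len(q)) + q)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return _recv_exact(tls, length)

def _sample_reply(addrs, txid=0x1234):
    """Constructed reply (not captured traffic) to exercise the parser offline."""
    question = build_query(TEST_NAME, txid=txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                   + ipaddress.IPv4Address(a).packed for a in addrs)
    return header + question + rrs

SAMPLE_GOOD = _sample_reply(["37.120.217.245"])      # mirrors the drill output above
SAMPLE_POISONED = _sample_reply(["192.168.0.250"])   # constructed non-routable answer
```

Running `assess(query_udp(QUAD9_IP, TEST_NAME))` and `assess(query_dot(QUAD9_IP, QUAD9_TLS_NAME, TEST_NAME))` from a network that hijacks port 53 would show a "suspicious" verdict on the UDP path and "ok" on the DoT path; on a clean network both agree. The constructed SAMPLE_GOOD reply is 52 bytes, the same size drill reported, and the parser relies only on the standard library so it runs on any Python 3 host.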
@Staff @go558a83nk First, let me say thanks to both of you for supporting me regarding this issue. Much appreciated!

Thanks for the explanation above. I'll try activating DNS over TLS on the router tomorrow, when I hope I have more time. Before I do that I wanted to run a test and provide you with the results. As you are the experts I was hoping you might glean something from it.

Here's what I did: I tried to resolve "ie3.vpn.airdns.org" (Ireland), which should always return "146.70.94.5" (there's only 1 server in Ireland, called Minchir). I attempted this on 3 PCs: the WIN-7 I use with AirVPN, the WIN-10 I wrote about earlier (changed the DNS settings in the adapter according to your recommendations) and a second WIN-10 PC with the standard adapter setting ("automatic"). All 3 PCs are connected directly via LAN cable to the same router (DNS settings as shown above per your recommendation).

Result: only the WIN-10 PC with the manual adapter settings succeeded in delivering a correct resolution. The WIN-7 PC again gave a false address, and when I engaged WireGuard with a working VPN connection it gave no result at all. The second WIN-10 PC didn't give a result, but returned some weird info regarding the standard server. I then also ran ipleak.net on the second WIN-10 PC.

Here are the results documented in a few annotated screenshots. Maybe you can make sense of this...

Thanks so much again!
Tom
test_win-7_27_06.png
 

test_win-10-1_27.06.png

test_win-10-2_27.06.png

test_win-10-2_ipleak.net_27.06.png

45 minutes ago, Staff said:
@Greyzy

Hello!

Just an additional verification: please check filter lists in the Fritz!Box and make sure that AirVPN domain names are not included.

Kind regards
 
I just checked:
- no parental controls for any of the devices (PCs)
- in the "profile" section there are 3 profiles (guest, standard, unlimited); only for "guest" there is an active filter setting: the list of filters is empty, but the checkmark to block "sites with media harmful for youths" is ON
But all my devices have the "standard" profile.

Let me know, if there's any other info I can provide or test to conduct.
 

@Staff @go558a83nk Today I tested switching to DNS over TLS on my Fritzbox (screenshot with my settings attached) and got some weird results:
- after switching to DoT this website (https://www.cloudflare.com/de-de/ssl/encrypted-sni/#sni) confirmed that DoT is working (first checkmark in screenshot)
- still the DNS resolution for the AirVPN domain names does NOT work on my WIN-7 PC while the resolution of OTHER domain names works fine (see screenshot with several domains tested)
- on my second WIN-10 PC that previously did NOT find the correct IP this now WORKS (adapter settings still on "automatic", so it shows that it uses the Fritzbox as the DNS server): resolution of ie3.vpn.airdns.org (Ireland) to 146.70.94.5 (Server Minchir)
- I noticed that the "online monitor" of my Fritzbox shows "DoT encrypted" only for the IPv4 addresses, but NOT for the IPv6 addresses (see screenshot). Is that normal?

Do you have any idea why the DNS resolution works for other domains, but not yours? Would it help to test certain other domain names (please provide) to see if other VPN providers are blocked, too?

Could it be that somewhere in the bowels of my WIN-7 PC there's a setting that interferes with the resolution of AirVPN domains? Maybe something left over from years before? I started using AirVPN in 2013 with older versions of Eddie at that time and maybe had to do some manual tweaking that I've forgotten by now.

Thanks for taking a look!
Tom

Fritzbox_set to DoT_28.06.png

Adapter set to Fritzbox with DoT_5_28.06.png

Adapter set to Fritzbox with DoT_4_28.06.png

@Greyzy

Hello!

According to your screenshots and provided that your description is accurate, Fritz!Box is resolving the same domain name differently for different devices. This is a typical behavior of filters (parental control etc.) applied on a device basis. Different devices querying the Fritz!Box as DNS can have different resolutions.

Kind regards
 

32 minutes ago, Staff said:
@Greyzy

Hello!

According to your screenshots and provided that your description is accurate, Fritz!Box is resolving the same domain name differently for different devices. This is a typical behavior of filters (parental control etc.) applied on a device basis. Different devices querying the Fritz!Box as DNS can have different resolutions.

Kind regards
 
Thanks for your reply, but what do you suggest I do about it?
These "devices" are PCs that are used exclusively by me, so there's no need for any restrictions. I am not aware of any filters applied to them. As I wrote earlier: there are no filters set up on the Fritzbox for any of my devices (PC or others).

Any advice how to identify the reason for the faulty behavior?

P.S. I noticed that the "wrong" addresses are all in the same range (see screenshot). Does that help in any way?

address range_29.06.png

5 hours ago, Air4141841 said:

have you tried turning off or tweaking comodo internet firewall yet? 


https://help.comodo.com/topic-72-1-522-6381-.html

 

Thanks so much! You pointed me in the right direction. COMODO was OK, but Malwarebytes caused the problem.

If the option marked in the screenshot is OFF, the DNS resolution of the AirVPN domain works! I couldn't find any other setting that influences the logic behind that setting. Maybe AirVPN needs to get their servers whitelisted with Malwarebytes?

In any case: PROBLEM SOLVED!!!

@Staff @go558a83nk Thanks very much to you as well!!!

One last thing I want to get sorted out:
I have now set up DoT on my Fritzbox, but am not sure what the correct DNS resolution settings are for the LAN adapters on each PC.

Is there a difference between:
a) "automatic" => nslookup shows that the Fritzbox is used
b) manually setting the Fritzbox IP => for IPv4 it's "192.168.0.1", but what's the data for IPv6 (where can I get the data)?

Thanks,
Tom

Malwarebytes_29.06.png

@Greyzy

Malwarebytes' behavior has been unspeakable for years, and it seems even worse now that they are trying to promote their VPN. We're very glad that you resolved the problem. If only you had mentioned Malwarebytes earlier, we would have immediately identified the problem, because Malwarebytes has been infamous for blocking VPNs and other services for no reason for over a decade now. In this case it does not block VPN protocols, but it poisons even the innocuous resolution of domain names, bypassing both your hosts and DNS settings. Imagine what degree of control over your machine you have given to Malwarebytes, up to the point of causing malfunctions requiring intensive work to be resolved.

https://airvpn.org/forums/topic/59721-malwarebytes-blocking-airvpn/?do=findComment&comment=233910

Be more careful when you let other software control your system against your will next time.

Kind regards
 

21 hours ago, Greyzy said:

b) manually setting the Fritzbox IP => for IPv4 it's "192.168.0.1", but what's the data for IPv6 (where can I get the data)?


Heimnetz > Netzwerk > Netzwerkeinstellungen > Weitere Einstellungen > At IP-Adressen, IPv6-Adressen > Unique Local Address Ihrer Fritz!Box.

Or simply

> nslookup
> set type AAAA
> fritz.box


But it shouldn't matter: A v4 DNS server can resolve v6 addresses and vice versa. You don't need a DNS server to have v6 connectivity to resolve v6.
 
21 hours ago, Greyzy said:

a) "automatic" => nslookup shows that the Fritzbox is used


That's simply DHCP/DHCPv6. Use that.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.


I needed to open a separate post, because this one was "closed for further replies" (which is the current status of the "new" post, therefore I now need to reply here... 😉)

Anyways, my original questions are still not answered (or I fail to connect the answers to the questions...). Here's what I asked in the other post:

Quote
One thing I want to get sorted out:
I have set up DNS over TLS on my Fritzbox, but am not sure what the correct DNS resolution settings are for the LAN adapters on each PC.

Is there a difference between:
a) "automatic" => nslookup shows that the Fritzbox is used
b) manually setting the Fritzbox IP => for IPv4 it's "192.168.0.1", but what's the data for IPv6 (where can I get the data)?

So let me rephrase my questions:
1. Is there a difference between option a) and b)?
=> If "automatic" already defaults to my Fritzbox as the DNS server, then why add it manually as in option b)???

2. If for IPv6 I need to manually set the Fritzbox as the DNS server, what is the address to use?
=> In the screenshot, is it the one in the red or the green box (or if both are wrong, where do I get the correct data)?

Thanks,
Tom
 

Fritzbox data_30.06.png

Share this post


Link to post
10 minutes ago, Greyzy said:

I setup DNS over TLS on my Fritzbox, but am not sure what the correct DNS resolution settings are for the LAN adapters on each PC.


To use DNS over TLS on the Fritz!Box, no additional settings need to be made for the LAN adapters on each PC. This option is for outbound DNS queries from the Fritz!Box (e.g., when one device queries the Fritz!Box for some name, the Fritz!Box forwards this to the DNS over TLS server itself).

