
AirDNS stopped working unexpectedly after two months of use on pfSense

airdns pfsense

57 replies to this topic

#1 hbs (Advanced Member, 40 posts)
Posted 23 December 2018 - 05:25 PM

Hi everyone,

Here's what happened.

I set up my pfSense Firewall Appliance almost two months ago, using the pfSense tutorial that AirVPN provides.

It worked flawlessly until last Thursday.

Suddenly my pfSense router wasn't transferring data anymore. I went on doing some tweaking and noticed that AirDNS (10.4.0.1) wasn't resolving DNS queries anymore. I replaced it with Google, Cisco, Cloudflare, you name it, DNSs and was back online.

screencapture-192-168-0-1-diag_dns-php-2018-12-22-13_07_17.png

I wonder if someone else here has also encountered (or is encountering) this situation?

This is very weird. I am positively sure there wasn't any loss of data (my Firewall Appliance is connected to a brand new UPS).

Please, let me know.

Regards

 

 

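The DNS Lookup check in the post above, and the later comparisons in this thread between the resolver reached through the tunnel (10.4.0.1) and one reached over the WAN gateway (9.9.9.9), can be scripted from any LAN host. The following is an added example, not code from the thread, from AirVPN or from pfSense: it builds a raw DNS query with the Python standard library, sends it to a resolver you name, and parses the reply, so you can see whether a given resolver answers at all and what it returns. The resolver addresses and the queried name come from the thread; everything else is my own construction.

```python
"""Probe one DNS resolver with a raw UDP query, using only the standard library.

Added example, not code from the thread, AirVPN or pfSense. It does what
pfSense's Diagnostics > DNS Lookup does, from any LAN host and against a
resolver of your choosing, so you can tell whether 10.4.0.1 (the AirVPN
resolver pushed through the tunnel) answers at all and compare it with a
resolver reached over the WAN gateway such as 9.9.9.9.
"""
import random
import socket
import struct
from typing import Dict, List, Optional, Tuple

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name: str, txid: Optional[int] = None) -> bytes:
    """Return an RFC 1035 A query for *name* with recursion desired."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    # id, flags (RD=1), qdcount=1, ancount=nscount=arcount=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def _read_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels: List[str] = []
    end = offset
    jumped = False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(data: bytes) -> Dict:
    """Parse header and answer section; return id, rcode and the A records."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    result: Dict = {"id": txid, "rcode": flags & 0x000F, "answers": []}
    offset = 12
    for _ in range(qd):                                 # skip the question(s)
        _name, offset = _read_name(data, offset)
        offset += 4                                     # qtype + qclass
    for _ in range(an):
        name, offset = _read_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN:
            result["answers"].append((name, ttl, socket.inet_ntoa(rdata)))
    return result


def probe(server: str, name: str, timeout: float = 3.0) -> Optional[Dict]:
    """Send one query to *server*:53/udp; return the parsed reply or None."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    reply = parse_response(data)
    return reply if reply["id"] == txid else None      # drop stray replies


if __name__ == "__main__":
    # 10.4.0.1 is the AirVPN resolver from the thread; 9.9.9.9 is Quad9 (post #10).
    for resolver in ("10.4.0.1", "9.9.9.9"):
        reply = probe(resolver, "airvpn.org")
        if reply is None:
            print(f"{resolver}: no reply within timeout")
        else:
            print(f"{resolver}: rcode={reply['rcode']} answers={reply['answers']}")
```

Run it once from a LAN client and once from the pfSense box itself (Diagnostics > Command Prompt): a timeout from 10.4.0.1 on the LAN client but an answer from pfSense points at the LAN-to-tunnel path (DHCP-pushed DNS, firewall rules), while a timeout from both places means the tunnel-side resolver itself is not reachable.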


#2 Air4141841 (Advanced Member, 101 posts)
Posted 24 December 2018 - 03:00 PM

Try adding an external DNS server to the WAN.

Attached Thumbnails

  • Untitled.jpeg


#3 hbs (Advanced Member, 40 posts)
Posted 24 December 2018 - 05:21 PM

Thanks for replying.

"Try adding an external DNS server to the WAN."

I have added it to DNS on General Setup.

It started to resolve again, but not through AirDNS.

screencapture-192-168-0-1-diag_dns-php-2018-12-24-14_15_49.png

I noticed that your setup is apparently different from mine.

Which guide did you use? I used the one AirVPN provides. It was working, then stopped overnight.

It isn't my ISP. I can connect using Eddie to any server on Windows on the same network.



#4 Air4141841 (Advanced Member, 101 posts)
Posted 24 December 2018 - 08:14 PM

Right, I have the same issue.

It's taken me about a year to tweak my box to be able to work correctly.

Try this:
Services / DHCP Server: under DNS add 10.4.0.1, or the DNS server pushed through your tunnel.

Once you reboot pfSense and your computer, it should get that address added by the DHCP server.

Make sense?

#5 hbs (Advanced Member, 40 posts)
Posted 24 December 2018 - 09:36 PM

Thanks for replying.

I left my PC unattended after I added the external DNS.

I only noticed now that it is passing ipleak.net.

Even without AirDNS.

Also, I have added it as you asked me.

But I have completely lost the ability to access the internet.

Capturar.PNG

 

 



#6 Air4141841 (Advanced Member, 101 posts)
Posted 25 December 2018 - 01:58 AM

Remove 192.168.0.1 and see if everything works. You would have to restart your computer or release/renew the NIC.



#7 hbs (Advanced Member, 40 posts)
Posted 25 December 2018 - 03:08 PM

Hi Air4141841,

Thanks for replying.

I did as you told me.

Capturar.PNG

Removed 192.168.0.1 and left only AirDNS. This time I could still access the internet.

But the issue with AirDNS not resolving DNS queries persists.

screencapture-192-168-0-1-diag_dns-php-2018-12-25-12_01_27.png

Oddly, it is still passing ipleak.net as well. For now.



#8 Air4141841 (Advanced Member, 101 posts)
Posted 25 December 2018 - 11:56 PM

Under General > DNS, uncheck so 127.0.0.1 is not used; that is another problem I see. You don't want 127.0.0.1 listed on that page.

I can give better instructions when I am in front of my laptop.

Home now. Make sure this box IS checked:

Disable DNS Forwarder

Make sure this is unchecked:

DNS Server Override

This is under System > General Setup.



#9 hbs (Advanced Member, 40 posts)
Posted 26 December 2018 - 03:16 AM


Following are screen captures of the unaltered settings that I have. I believe it matches what you're trying to do.

Please have a look at the images.

Another thing.

I suspect the 127.0.0.1 that appears when DNS Lookup is queried is because of the localhost to AirVPN_WAN rule.

It is from the AirVPN pfSense guide: https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/

My setup (hopefully) mirrors that one. Like I stated a couple of times, it worked for almost two months.

Attached Thumbnails

  • screencapture-192-168-0-1-services_unbound-php-2018-12-26-00_07_41.png
  • screencapture-192-168-0-1-services_dnsmasq-php-2018-12-26-00_11_58.png
  • screencapture-192-168-0-1-system-php-2018-12-26-00_03_30.png


#10 Air4141841 (Advanced Member, 101 posts)
Posted 26 December 2018 - 11:58 AM

Picture one: I would enable "Enable SSL/TLS Service".

Picture one: I would enable "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers".

Also in picture one, for Advanced Configuration, read my last sentence. 127.0.0.1 hasn't worked for me for months. That's why I switched to the Netgate link below.

Also, under DNS server settings, put 9.9.9.9 for the WAN gateway and 10.4.0.1 for the AirVPN gateway.

I know exactly what you are talking about now. That is why I switched to the DNS over TLS setting from pfSense: https://www.netgate.com/blog/dns-over-tls-with-pfsense.html

I am sure my way is a total and complete roundabout way to get it to work! But I have not seen anyone else post or offer help for these issues; it's taken me over a year to tweak my pfSense box and I have learned a lot along the way...



#11 Air4141841 (Advanced Member, 101 posts)
Posted 26 December 2018 - 12:15 PM

Picture one is how I created manual static entries and rules for each device I want on that tunnel.

Picture 2 shows the static DNS entry for the AirVPN DNS server.

Attached Thumbnails

  • Untitled.jpeg
  • Untitled2.jpeg


#12 hbs (Advanced Member, 40 posts)
Posted 26 December 2018 - 03:34 PM

Thanks Air4141841,

I have tried your first post. To no avail.

10.4.0.1 is still not responding to any queries.

The only way I see to remove 127.0.0.1 from the list was to disable DNS Forwarder/Resolver on General > Setup, and that stops my internet after a reboot. It also doesn't solve the AirDNS situation. No response whatsoever.

Tomorrow will make a week since this problem started.



#13 Air4141841 (Advanced Member, 101 posts)
Posted 26 December 2018 - 05:05 PM

What does your DNS Resolver look like now? Your client page?

It has to be something in your setup. Mine works perfectly and has worked perfectly like this since the DNS over TLS post.



#14 hbs (Advanced Member, 40 posts)
Posted 26 December 2018 - 10:07 PM

Sorry for the late response.

I have no internet connection on my pfSense box.

 

 

Attached Thumbnails

  • screencapture-192-168-0-1-services_unbound-php-2018-12-26-19_01_02.png
  • screencapture-192-168-0-1-vpn_openvpn_client-php-2018-12-26-19_03_29.png
  • screencapture-192-168-0-1-system-php-2018-12-26-19_06_23.png


#15 Air4141841 (Advanced Member, 101 posts)
Posted 26 December 2018 - 10:20 PM

Your client connection looks nothing like mine.

1. I assume you wiped your TLS key?

2. If you are using TLS, TLS usage should be set to TLS and Authentication.

3. Encryption alg should be set to 256 GCM; negotiation is fine.

4. Auth digest alg? That should be SHA512.

5. Compression should be set too. Legacy comp LZO: NO.

6. Don't pull routes: UNCHECKED.

7. Don't add/remove routes: UNCHECKED.

8. Once those are set, go back to System > General and set DNS Forwarder to checked.

Since you have verb set to 4, it will tell you generally how to fix your config. Also generate a new client config file. It will show you what you need to set your client config to, because it appears you are following old configuration files...



#16 hbs (Advanced Member, 40 posts)
Posted 26 December 2018 - 10:35 PM

Yes, I wiped it.

I rebooted once more and I am now connected.

I followed the pfSense how-to guide from AirVPN.

I even disabled DNS Forwarder/Resolver on General.

127.0.0.1 is gone.

Here's my DNS Lookup.

 

 

Attached Thumbnails

  • screencapture-192-168-0-1-diag_dns-php-2018-12-26-19_31_52.png


#17 Air4141841 (Advanced Member, 101 posts)
Posted 26 December 2018 - 10:56 PM

The several-year-old guide is extremely helpful. But I found several issues along the way.

I posted most of the improvements I have found. Good luck.

#18 hbs (Advanced Member, 40 posts)
Posted 27 December 2018 - 01:49 AM

I have followed the steps to update my OpenVPN client config.

But it is failing to properly connect. Honestly, I cannot decipher what error this is.

Please, have a look:

Dec 26 19:38:06	openvpn	36721	Server poll timeout, restarting
Dec 26 19:38:06	openvpn	36721	TCP/UDP: Closing socket
Dec 26 19:38:06	openvpn	36721	SIGUSR1[soft,server_poll] received, process restarting
Dec 26 19:38:06	openvpn	36721	WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Dec 26 19:38:06	openvpn	36721	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 26 19:38:06	openvpn	36721	Re-using SSL/TLS context
Dec 26 19:38:06	openvpn	36721	Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Dec 26 19:38:06	openvpn	36721	Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Dec 26 19:38:06	openvpn	36721	Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
Dec 26 19:38:06	openvpn	36721	Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
Dec 26 19:38:06	openvpn	36721	TCP/UDP: Preserving recently used remote address: [AF_INET]96.47.229.58:443
Dec 26 19:38:06	openvpn	36721	Socket Buffers: R=[42080->524288] S=[57344->524288]
Dec 26 19:38:06	openvpn	36721	UDPv4 link local (bound): [AF_INET]192.168.1.232:0
Dec 26 19:38:06	openvpn	36721	UDPv4 link remote: [AF_INET]96.47.229.58:443
Dec 26 19:38:16	openvpn	36721	Server poll timeout, restarting
Dec 26 19:38:16	openvpn	36721	TCP/UDP: Closing socket
Dec 26 19:38:16	openvpn	36721	SIGUSR1[soft,server_poll] received, process restarting
Dec 26 19:38:16	openvpn	36721	WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Dec 26 19:38:16	openvpn	36721	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 26 19:38:16	openvpn	36721	Re-using SSL/TLS context
Dec 26 19:38:16	openvpn	36721	Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Dec 26 19:38:16	openvpn	36721	Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Dec 26 19:38:16	openvpn	36721	Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
Dec 26 19:38:16	openvpn	36721	Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
Dec 26 19:38:16	openvpn	36721	TCP/UDP: Preserving recently used remote address: [AF_INET]96.47.229.58:443
Dec 26 19:38:16	openvpn	36721	Socket Buffers: R=[42080->524288] S=[57344->524288]
Dec 26 19:38:16	openvpn	36721	UDPv4 link local (bound): [AF_INET]192.168.1.232:0
Dec 26 19:38:16	openvpn	36721	UDPv4 link remote: [AF_INET]96.47.229.58:443
Dec 26 19:38:26	openvpn	36721	Server poll timeout, restarting
Dec 26 19:38:26	openvpn	36721	TCP/UDP: Closing socket
Dec 26 19:38:26	openvpn	36721	SIGUSR1[soft,server_poll] received, process restarting
Dec 26 19:38:26	openvpn	36721	WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Dec 26 19:38:26	openvpn	36721	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 26 19:38:26	openvpn	36721	Re-using SSL/TLS context
Dec 26 19:38:26	openvpn	36721	Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Dec 26 19:38:26	openvpn	36721	Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Dec 26 19:38:26	openvpn	36721	Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
Dec 26 19:38:26	openvpn	36721	Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
Dec 26 19:38:26	openvpn	36721	TCP/UDP: Preserving recently used remote address: [AF_INET]96.47.229.58:443
Dec 26 19:38:26	openvpn	36721	Socket Buffers: R=[42080->524288] S=[57344->524288]
Dec 26 19:38:26	openvpn	36721	UDPv4 link local (bound): [AF_INET]192.168.1.232:0
Dec 26 19:38:26	openvpn	36721	UDPv4 link remote: [AF_INET]96.47.229.58:443
Dec 26 19:38:36	openvpn	36721	Server poll timeout, restarting
Dec 26 19:38:36	openvpn	36721	TCP/UDP: Closing socket
Dec 26 19:38:36	openvpn	36721	SIGUSR1[soft,server_poll] received, process restarting
Dec 26 19:38:36	openvpn	36721	WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Dec 26 19:38:36	openvpn	36721	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 26 19:38:36	openvpn	36721	Re-using SSL/TLS context
Dec 26 19:38:36	openvpn	36721	Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Dec 26 19:38:36	openvpn	36721	Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Dec 26 19:38:36	openvpn	36721	Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
Dec 26 19:38:36	openvpn	36721	Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
Dec 26 19:38:36	openvpn	36721	TCP/UDP: Preserving recently used remote address: [AF_INET]96.47.229.58:443
Dec 26 19:38:36	openvpn	36721	Socket Buffers: R=[42080->524288] S=[57344->524288]
Dec 26 19:38:36	openvpn	36721	UDPv4 link local (bound): [AF_INET]192.168.1.232:0
Dec 26 19:38:36	openvpn	36721	UDPv4 link remote: [AF_INET]96.47.229.58:443
Dec 26 19:38:46	openvpn	36721	Server poll timeout, restarting
Dec 26 19:38:46	openvpn	36721	TCP/UDP: Closing socket
Dec 26 19:38:46	openvpn	36721	SIGUSR1[soft,server_poll] received, process restarting
Dec 26 19:38:46	openvpn	36721	WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Dec 26 19:38:46	openvpn	36721	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 26 19:38:46	openvpn	36721	Re-using SSL/TLS context
Dec 26 19:38:46	openvpn	36721	Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Dec 26 19:38:46	openvpn	36721	Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]

 

Here is the new config image (TLS key removed).

 

 

Attached Thumbnails

  • screencapture-192-168-0-1-vpn_openvpn_client-php-2018-12-26-22_45_11.png
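As an added example (not code from the post, from AirVPN or from pfSense), here is a small analyser for a log excerpt like the one above. It counts the "Server poll timeout" restart cycles, records the deprecation warning, and diffs the Local Options String against the Expected Remote Options String, ignoring the two fields that legitimately differ between the two ends (keydir and the tls-client/tls-server role). SAMPLE_LOG is a cut-down copy of the lines posted above; the regular expressions and the verdict wording are my own.

```python
"""Summarise a pfSense OpenVPN client log excerpt, standard library only.

Added example, not code from the post, AirVPN or pfSense. It reads the
tab-separated lines shown under Status > System Logs > OpenVPN, counts
"Server poll timeout" restart cycles, records deprecation warnings, and
diffs the Local Options String against the Expected Remote Options String
so that a real cipher/MTU/compression mismatch is not confused with the
server simply never answering the handshake.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Fields that legitimately differ between the two strings: keydir 1/0 is the
# tls-auth key direction, tls-client/tls-server is the role of each side.
ROLE_KEYS = {"keydir", "tls-client", "tls-server"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\t(?P<proc>[^\t]+)\t(?P<pid>\d+)\t(?P<msg>.*)$")
OPTS_RE = re.compile(
    r"^(?P<side>Local|Expected Remote) Options String \(VER=V\d\): '(?P<opts>[^']*)'")
REMOTE_RE = re.compile(r"link remote: \[AF_INET6?\](?P<ep>\S+)")
DEPRECATED_RE = re.compile(r"--(\S+) is DEPRECATED")


def parse_options(opts: str) -> Dict[str, object]:
    """'V4,dev-type tun,comp-lzo,...' -> {'dev-type': 'tun', 'comp-lzo': True, ...}"""
    parsed: Dict[str, object] = {}
    for item in opts.split(",")[1:]:            # drop the leading 'V4' version tag
        key, _, value = item.partition(" ")
        parsed[key] = value or True
    return parsed


def option_mismatches(local: str, remote: str) -> List[Tuple[str, object, object]]:
    """Keys whose values differ, ignoring the client/server role fields."""
    l, r = parse_options(local), parse_options(remote)
    return [(k, l.get(k), r.get(k))
            for k in sorted((set(l) | set(r)) - ROLE_KEYS) if l.get(k) != r.get(k)]


def analyze(log_text: str) -> Dict:
    report: Dict = {"lines": 0, "poll_timeouts": 0, "deprecated": set(),
                    "remotes": Counter(), "mismatches": []}
    local = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        report["lines"] += 1
        msg = m.group("msg")
        if msg.startswith("Server poll timeout"):
            report["poll_timeouts"] += 1
        elif (d := DEPRECATED_RE.search(msg)):
            report["deprecated"].add(d.group(1))
        elif (o := OPTS_RE.match(msg)):
            if o.group("side") == "Local":
                local = o.group("opts")
            elif local is not None:
                report["mismatches"] = option_mismatches(local, o.group("opts"))
        elif (e := REMOTE_RE.search(msg)):
            report["remotes"][e.group("ep")] += 1
    return report


def verdict(report: Dict) -> str:
    """One-line reading of the report, in the terms the thread uses."""
    if report["mismatches"]:
        return "option mismatch with server: " + ", ".join(
            f"{k} local={l} remote={r}" for k, l, r in report["mismatches"])
    if report["poll_timeouts"] >= 2:
        return ("repeated 'Server poll timeout': the server never answered the "
                "handshake; local and expected options agree, so look at "
                "reachability of the remote endpoint rather than cipher/auth settings")
    return "no handshake problem detected in this excerpt"


# Constructed sample: a cut-down copy of one restart cycle from the post above.
SAMPLE_LOG = """\
Dec 26 19:38:06\topenvpn\t36721\tServer poll timeout, restarting
Dec 26 19:38:06\topenvpn\t36721\tWARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Dec 26 19:38:06\topenvpn\t36721\tLocal Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
Dec 26 19:38:06\topenvpn\t36721\tExpected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
Dec 26 19:38:06\topenvpn\t36721\tUDPv4 link remote: [AF_INET]96.47.229.58:443
Dec 26 19:38:16\topenvpn\t36721\tServer poll timeout, restarting
"""

if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    print(f"lines={rep['lines']} poll_timeouts={rep['poll_timeouts']} "
          f"deprecated={sorted(rep['deprecated'])} remotes={dict(rep['remotes'])}")
    print(verdict(rep))
```

Note that "auth [null-digest]" next to "cipher AES-256-GCM" is normal: GCM is an AEAD cipher, so the data channel carries no separate HMAC, and it appears identically on both sides in the excerpt above. The ten-second restart cadence with matching option strings is the signature of no reply at all, not of a negotiation failure.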


#19 Air4141841 (Advanced Member, 101 posts)
Posted 27 December 2018 - 12:17 PM

Well, the only thing left is your custom config.

Here is mine. Try it and see what happens! Notice a few entries removed from the file given by the configurator...

resolv-retry infinite;
persist-key;
persist-tun;
remote-cert-tls server;
auth-nocache;
tls-version-min 1.2;
remote 199.249.230.34 443;
remote us3.vpn.airdns.org 443;
remote america3.vpn.airdns.org 443;
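The custom options above are stored by pfSense as one ';'-separated field and written into the generated client config one directive per line. The following added example (not from the thread, from AirVPN or from pfSense) parses that field, renders the equivalent openvpn.conf lines, and checks it against the points made in post #15 and the deprecation warning in the log of post #18: no ns-cert-type, remote-cert-tls server present, tls-version-min at least 1.2, auth-nocache present, no route-nopull or route-noexec (the directives pfSense emits for the "Don't pull routes" and "Don't add/remove routes" boxes), and at least one remote. POSTED_OPTIONS is the config from the post; LEGACY_OPTIONS is a constructed counter-example.

```python
"""Lint the "Custom options" field of a pfSense OpenVPN client, standard library only.

Added example, not code from the thread, AirVPN or pfSense. pfSense accepts
the directives separated by ';' (as in the post above) or by newlines and
writes each one on its own line into the generated client config. This
script normalises that field, renders the equivalent openvpn.conf lines,
and checks it against the points raised in the thread.
"""
from typing import Dict, List, Tuple

Directive = Tuple[str, str]        # (directive name, argument string; '' when none)


def parse_custom_options(field: str) -> List[Directive]:
    """Split a pfSense custom-options string into (directive, args) pairs."""
    out: List[Directive] = []
    for chunk in field.replace("\n", ";").split(";"):
        chunk = chunk.strip()
        if not chunk or chunk.startswith("#"):
            continue
        name, _, args = chunk.partition(" ")
        out.append((name, " ".join(args.split())))
    return out


def to_conf(field: str) -> str:
    """Render the field as standard newline-separated openvpn directives."""
    return "\n".join(f"{n} {a}".rstrip() for n, a in parse_custom_options(field))


def lint(field: str) -> List[str]:
    """Return findings as strings; an empty list means every check passed."""
    directives = parse_custom_options(field)
    names = {n for n, _ in directives}
    args: Dict[str, str] = {n: a for n, a in directives}     # last occurrence wins
    findings: List[str] = []
    if "ns-cert-type" in names:
        findings.append("ns-cert-type is deprecated; replace it with 'remote-cert-tls server'")
    if args.get("remote-cert-tls") != "server":
        findings.append("missing 'remote-cert-tls server'; the server certificate's role is not checked")
    minver = args.get("tls-version-min", "")
    try:
        if not minver or float(minver.split()[0]) < 1.2:
            findings.append("tls-version-min should be at least 1.2")
    except ValueError:
        findings.append(f"unparseable tls-version-min value {minver!r}")
    if "auth-nocache" not in names:
        findings.append("auth-nocache missing; credentials stay cached in process memory")
    # pfSense's "Don't pull routes" box emits route-nopull and "Don't add/remove
    # routes" emits route-noexec; post #15 says to leave both unchecked.
    for directive in ("route-nopull", "route-noexec"):
        if directive in names:
            findings.append(f"{directive} present; tunnel routes will not be installed")
    if "remote" not in names:
        findings.append("no 'remote' entry; the client has nothing to connect to")
    return findings


# The custom options posted in the thread, as pfSense stores them.
POSTED_OPTIONS = (
    "resolv-retry infinite;persist-key;persist-tun;remote-cert-tls server;"
    "auth-nocache;tls-version-min 1.2;remote 199.249.230.34 443;"
    "remote us3.vpn.airdns.org 443;remote america3.vpn.airdns.org 443;"
)

# Constructed 'legacy' field of the kind the deprecation warning in the log points at.
LEGACY_OPTIONS = "resolv-retry infinite;persist-tun;ns-cert-type server;remote example.invalid 443"

if __name__ == "__main__":
    for label, field in (("posted", POSTED_OPTIONS), ("legacy", LEGACY_OPTIONS)):
        print(f"== {label} ==")
        print(to_conf(field))
        for finding in lint(field) or ["no findings"]:
            print(" -", finding)
```

The GUI-level settings from post #15 (TLS usage, cipher, digest, compression) are not in this field; pfSense writes those from the client page, so the linter only covers what the custom-options box itself controls.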



#20 hbs (Advanced Member, 40 posts)
Posted 27 December 2018 - 05:19 PM

I successfully tweaked some settings on my client config (although SHA512 and TLS and Auth didn't work for me) and finally was able to make 10.4.0.1 respond to some queries.

screencapture-192-168-0-1-diag_dns-php-2018-12-27-14_13_06.png

traceroute airvpn.org

 1  10.14.192.1  140.994 ms  139.973 ms  139.885 ms
 2  * 96.47.229.57  142.709 ms  140.916 ms
 3  173.44.32.249  140.954 ms  139.738 ms  142.258 ms
 4  84.16.8.36  140.914 ms  141.742 ms  141.428 ms
 5  94.142.119.241  180.354 ms
    94.142.126.225  184.986 ms  180.993 ms
 6  198.27.73.160  182.647 ms  182.034 ms  181.853 ms
 7  142.44.208.69  281.681 ms
    198.27.73.218  187.688 ms  188.042 ms
 8  192.99.146.147  195.012 ms  194.605 ms
    192.99.146.138  265.044 ms
 9  192.99.146.147  194.115 ms  194.363 ms  193.476 ms

PING airvpn.org (5.196.64.52): 56 data bytes
64 bytes from 5.196.64.52: icmp_seq=0 ttl=52 time=263.442 ms
64 bytes from 5.196.64.52: icmp_seq=1 ttl=52 time=260.203 ms
64 bytes from 5.196.64.52: icmp_seq=2 ttl=52 time=263.098 ms

--- airvpn.org ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 260.203/262.248/263.442/1.453 ms

But I am not able to use the internet. There is none, according to my laptop and Apple TV.

I don't know what is happening. There should be internet access.

Any idea how to troubleshoot this?

Thanks






