AirDNS stopped working unexpectedly after two months of use on pfSense

57 replies to this topic

#21 Air4141841

Posted 27 December 2018 - 09:06 PM

Without the OpenVPN log on verb 4 I have no idea.

If you can not get TLS to work I would create a new .ovpn file.

#22 hbs

Posted 27 December 2018 - 09:29 PM

> Without the OpenVPN log on verb 4 I have no idea.
>
> If you can not get TLS to work I would create a new .ovpn file.

I couldn't make it work with TLS Encryption and Authentication or with SHA512. I mean, using these settings I cannot establish a successful VPN connection.

Had to go with TLS Auth and SHA1.

I am connected to the internet. But only on my pfSense box.

I can even download in there using: fetch -o /dev/null http://ipv4.download.thinkbroadband.com/200MB.zip

I can ping from my laptop to the gateway 10.14.192.1

I can ping from pfSense to my laptop IP address

But I can't browse the internet on my laptop or my Apple TV.

#23 Wolke68

Posted 28 December 2018 - 06:53 AM

In your screenshot you didn't fill in your TLS key, so you don't have TLS Auth.

And NCP options:

AES-256-GCM
AES-256-CBC

Your OpenVPN config isn't correct.

#24 Air4141841

Posted 28 December 2018 - 11:45 AM

I saw that as well. I assumed it was done on purpose. I really have no idea why... On GCM it will also connect just fine. You can add CBC on there, but it will connect with GCM from my experience.

Also, the options in his custom config, I am not sure if it will work that way. He needs to copy and paste it EXACTLY the way I posted it and erase everything he has.

Change to verb 4 and it will give more details about the issue.

This all makes NO sense, the issue the original poster is having.

#25 hbs

Posted 28 December 2018 - 01:49 PM

Thank you guys for replying.

My issue now has changed.

10.4.0.1 is now accepting my queries.

Inside my pfSense box I can resolve, traceroute, ping and even download.

But on my LAN side, I can only ping using the internet.

Here's some new info:

Attached Thumbnails

  • screencapture-192-168-0-1-vpn_openvpn_client-php-2018-12-28-10_46_41.png
  • screencapture-192-168-0-1-system-php-2018-12-28-10_48_36.png
  • screencapture-192-168-0-1-status_gateways-php-2018-12-28-10_51_02.png

Dec 28 16:53:15	openvpn	33200	MANAGEMENT: Client disconnected
Dec 28 16:53:15	openvpn	33200	MANAGEMENT: CMD 'status 2'
Dec 28 16:53:15	openvpn	33200	MANAGEMENT: CMD 'state 1'
Dec 28 16:53:15	openvpn	33200	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Dec 28 16:53:12	openvpn	33200	Initialization Sequence Completed
Dec 28 16:53:12	openvpn	33200	WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Dec 28 16:53:12	openvpn	33200	/sbin/route add -net 128.0.0.0 10.14.192.1 128.0.0.0
Dec 28 16:53:12	openvpn	33200	/sbin/route add -net 0.0.0.0 10.14.192.1 128.0.0.0
Dec 28 16:53:12	openvpn	33200	ERROR: FreeBSD route add command failed: external program exited with error status: 1
Dec 28 16:53:12	openvpn	33200	/sbin/route add -net 96.47.229.58 192.168.1.1 255.255.255.255
Dec 28 16:53:12	openvpn	33200	/usr/local/sbin/ovpn-linkup ovpnc1 1500 1553 10.14.192.252 255.255.255.0 init
Dec 28 16:53:12	openvpn	33200	/sbin/route add -net 10.14.192.0 10.14.192.1 255.255.255.0
Dec 28 16:53:12	openvpn	33200	/sbin/ifconfig ovpnc1 10.14.192.252 10.14.192.1 mtu 1500 netmask 255.255.255.0 up
Dec 28 16:53:12	openvpn	33200	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Dec 28 16:53:12	openvpn	33200	TUN/TAP device /dev/tun1 opened
Dec 28 16:53:12	openvpn	33200	TUN/TAP device ovpnc1 exists previously, keep at program end
Dec 28 16:53:12	openvpn	33200	ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=igb0 HWADDR=00:0d:b9:4c:8b:70
Dec 28 16:53:12	openvpn	33200	Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Dec 28 16:53:12	openvpn	33200	Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Dec 28 16:53:12	openvpn	33200	Data Channel MTU parms [ L:1553 D:1450 EF:53 EB:406 ET:0 EL:3 ]
Dec 28 16:53:12	openvpn	33200	OPTIONS IMPORT: data channel crypto options modified
Dec 28 16:53:12	openvpn	33200	OPTIONS IMPORT: adjusting link_mtu to 1625
Dec 28 16:53:12	openvpn	33200	OPTIONS IMPORT: peer-id set
Dec 28 16:53:12	openvpn	33200	OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Dec 28 16:53:12	openvpn	33200	OPTIONS IMPORT: route-related options modified
Dec 28 16:53:12	openvpn	33200	OPTIONS IMPORT: route options modified
Dec 28 16:53:12	openvpn	33200	OPTIONS IMPORT: --ifconfig/up options modified
Dec 28 16:53:12	openvpn	33200	OPTIONS IMPORT: compression parms modified
Dec 28 16:53:12	openvpn	33200	OPTIONS IMPORT: timers and/or timeouts modified
Dec 28 16:53:12	openvpn	33200	PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.14.192.1,route-gateway 10.14.192.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.14.192.252 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Dec 28 16:53:12	openvpn	33200	SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Dec 28 16:53:11	openvpn	33200	[server] Peer Connection Initiated with [AF_INET]96.47.229.58:443
Dec 28 16:53:11	openvpn	33200	Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Dec 28 16:53:11	openvpn	33200	WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
Dec 28 16:53:11	openvpn	33200	WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-256-CBC'
Dec 28 16:53:11	openvpn	33200	WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1550', remote='link-mtu 1558'
Dec 28 16:53:10	openvpn	33200	VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Dec 28 16:53:10	openvpn	33200	VERIFY EKU OK
Dec 28 16:53:10	openvpn	33200	++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Dec 28 16:53:10	openvpn	33200	Validating certificate extended key usage
Dec 28 16:53:10	openvpn	33200	VERIFY KU OK
Dec 28 16:53:10	openvpn	33200	VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Dec 28 16:53:10	openvpn	33200	TLS: Initial packet from [AF_INET]96.47.229.58:443, sid=da02aee6 f0dd9a17
Dec 28 16:53:10	openvpn	33200	UDPv4 link remote: [AF_INET]96.47.229.58:443
Dec 28 16:53:10	openvpn	33200	UDPv4 link local (bound): [AF_INET]192.168.1.232:0
Dec 28 16:53:10	openvpn	33200	Socket Buffers: R=[42080->42080] S=[57344->57344]
Dec 28 16:53:10	openvpn	33200	TCP/UDP: Preserving recently used remote address: [AF_INET]96.47.229.58:443
Dec 28 16:53:10	openvpn	33200	Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server'
Dec 28 16:53:10	openvpn	33200	Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client'
Dec 28 16:53:10	openvpn	33200	Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
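
The log above is the verb-4 output the thread keeps asking for, and most of what matters in it is in five lines. As an added example that is not part of this post, of pfSense or of AirVPN, here is a small triage script that parses pfSense-style OpenVPN client log lines and classifies them: the 'cipher' and 'auth' mismatch warnings are benign when the data channel ended up on an AEAD cipher (the log shows NCP negotiated AES-256-GCM, and with an AEAD cipher OpenVPN reports auth as [null-digest] because no separate HMAC is applied to data packets); the password-caching warning, the failed route add and the options the server pushed (redirect-gateway, DNS) are reported separately. The sample lines are a constructed subset of the log above; the severities and wording are my own.

```python
import re

# Constructed sample: a subset of the pfSense OpenVPN client log quoted above.
# pfSense separates the columns with tabs; spaces are used here and the regex
# accepts either. Newest line first, as the pfSense log viewer shows it.
SAMPLE_LOG = """
Dec 28 16:53:12 openvpn 33200 Initialization Sequence Completed
Dec 28 16:53:12 openvpn 33200 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Dec 28 16:53:12 openvpn 33200 /sbin/route add -net 0.0.0.0 10.14.192.1 128.0.0.0
Dec 28 16:53:12 openvpn 33200 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Dec 28 16:53:12 openvpn 33200 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Dec 28 16:53:12 openvpn 33200 PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.14.192.1,route-gateway 10.14.192.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.14.192.252 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Dec 28 16:53:11 openvpn 33200 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Dec 28 16:53:11 openvpn 33200 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
Dec 28 16:53:11 openvpn 33200 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-256-CBC'
Dec 28 16:53:10 openvpn 33200 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+openvpn\s+(?P<pid>\d+)\s+(?P<msg>.*)$"
)

def parse_lines(text):
    """Return the log as a list of {ts, pid, msg} dicts in chronological order."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    events.reverse()  # the viewer lists newest first; analysis wants oldest first
    return events

def data_channel_cipher(events):
    """Cipher actually negotiated for the data channel, or None if not yet initialized."""
    for e in events:
        m = re.search(r"Data Channel: Cipher '([^']+)' initialized", e["msg"])
        if m:
            return m.group(1)
    return None

def pushed_options(events):
    """Options the server pushed in PUSH_REPLY, as a list of 'name value' strings."""
    for e in events:
        m = re.search(r"PUSH_REPLY,(.*)'$", e["msg"])
        if m:
            return m.group(1).split(",")
    return []

def triage(text):
    """Classify the log into (severity, message) findings."""
    events = parse_lines(text)
    cipher = data_channel_cipher(events)
    aead = cipher is not None and cipher.endswith("-GCM")
    findings = []
    for e in events:
        msg = e["msg"]
        if "'cipher' is used inconsistently" in msg:
            if aead:
                findings.append(("info", "cipher mismatch warning is benign: NCP negotiated %s" % cipher))
            else:
                findings.append(("warn", "cipher mismatch and no negotiated AEAD cipher: " + msg))
        elif "'auth' is used inconsistently" in msg:
            if aead:
                findings.append(("info", "auth [null-digest] is expected with an AEAD cipher; no separate HMAC is applied to data packets"))
            else:
                findings.append(("warn", "auth mismatch on a non-AEAD data channel: " + msg))
        elif "may cache passwords in memory" in msg:
            findings.append(("warn", "credentials stay in the OpenVPN process memory; add auth-nocache to the custom options"))
        elif msg.startswith("ERROR:") and "route add" in msg:
            findings.append(("error", "route install failed: " + msg))
        elif msg.startswith("Initialization Sequence Completed"):
            findings.append(("info", "tunnel is up"))
    for opt in pushed_options(events):
        if opt.startswith("redirect-gateway"):
            findings.append(("info", "server pushed '%s'; the client will try to install default routes unless pull routes is disabled" % opt))
        elif opt.startswith("dhcp-option DNS"):
            findings.append(("info", "server pushed '%s'; check which resolver LAN clients really use" % opt))
    return findings

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print("%-5s %s" % (severity, message))
```

Run it against the full log copied from Status > System Logs > OpenVPN; the one finding that is not cosmetic here is the failed route add for 0.0.0.0/1, which is the client trying to honour the pushed redirect-gateway on a box where the how-to expects policy routing through the VPN gateway instead.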

 

 




#26 Air4141841

Posted 28 December 2018 - 03:13 PM

Make sure you assign a DNS server to WAN. And change 10.4.0.1 to the AirVPN tunnel on the System > General page.

Have you configured Firewall > NAT > Outbound correctly?



#27 cr00

Posted 28 December 2018 - 03:14 PM

AirVPN was set up with the pfSense tutorial here in the forum.

> Hi everyone,
>
> Here's what happened.
>
> I have set up my pfSense Firewall Appliance almost two months ago. Using the pfSense Tutorial that AirVPN provides.
>
> It worked flawlessly until last Thursday.
>
> Suddenly my pfSense router wasn't transferring data anymore and I went on doing some tweaking and noticed that AirDNS (10.4.0.1) wasn't resolving DNS queries anymore. I replaced it with Google, Cisco, Cloudflare, you name it DNSs and was back online.
>
> (..)

Same problem here last week.

The unbound DNS Resolver log in pfSense showed this error: "info: failed to prime trust anchor -- could not fetch DNSKEY rrset".

After disabling DNSSEC in the DNS Resolver config of pfSense the DNS resolving issue disappeared. Until today DNS resolving doesn't work with DNSSEC enabled on 10.4.0.1.


#28 Air4141841

Posted 28 December 2018 - 03:39 PM

Interesting. I just confirmed that with my pfSense box and restarting the resolver.



#29 hbs

Posted 28 December 2018 - 04:18 PM

I did (I think) what you told me.

I have an internet connection again on my LAN.

But it is leaking DNS. Here's the ipleak.net page. (AFAIK only one DNS server should appear there.)

screencapture-ipleak-net-2018-12-28-13_10_52.png

Following are two more screenshots of the changes I made.

PS: I rebooted. Now it is leaking IPs from my country.

Attached Thumbnails

  • screencapture-192-168-0-1-system-php-2018-12-28-13_13_13.png
  • screencapture-192-168-0-1-services_dhcp-php-2018-12-28-13_12_11.png


#30 Air4141841

Posted 28 December 2018 - 04:43 PM

I don't know the best solution. But I do have a solution that works for me... and it's not fun.

Under DHCP Static Mappings for this Interface: I created static entries for each of my devices, then clicked edit and under DNS servers put in 10.4.0.1.

I would remove the one you added before. I would have thought it would have worked... but I guess not.


#31 hbs

Posted 28 December 2018 - 05:47 PM

Air4141841,

On ipleak.net using this configuration, how many DNS servers do you see?


#32 hbs

Posted 28 December 2018 - 05:51 PM

> AirVPN was set up with the pfSense tutorial here in the forum.
>
> > Hi everyone,
> >
> > Here's what happened.
> >
> > I have set up my pfSense Firewall Appliance almost two months ago. Using the pfSense Tutorial that AirVPN provides.
> >
> > It worked flawlessly until last Thursday.
> >
> > Suddenly my pfSense router wasn't transferring data anymore and I went on doing some tweaking and noticed that AirDNS (10.4.0.1) wasn't resolving DNS queries anymore. I replaced it with Google, Cisco, Cloudflare, you name it DNSs and was back online.
> >
> > (..)
>
> Same problem here last week.
>
> The unbound DNS Resolver log in pfSense showed this error: "info: failed to prime trust anchor -- could not fetch DNSKEY rrset".
>
> After disabling DNSSEC in the DNS Resolver config of pfSense the DNS resolving issue disappeared. Until today DNS resolving doesn't work with DNSSEC enabled on 10.4.0.1.

This is very interesting.

You had the issue about the same time I started to have it.

Could you please take a screenshot or paste the configuration of your VPN client?

Thanks


#33 cr00

Posted 28 December 2018 - 06:12 PM

> This is very interesting.
>
> You had the issue about the same time I started to have it.
>
> Could you please take a screenshot or paste the configuration of your VPN client?
>
> Thanks

The config under "Services > DNS Resolver" is exactly the same as the one in step 8 of pfsense_fan's tutorial:

https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/#entry40144

I unchecked DNSSEC and pfSense turned again to resolving DNS with 10.4.0.1 (set up in "System > General Setup: DNS Servers").

For viewing the DNS Resolver log in pfSense go to: Status > System Logs > DNS Resolver

Support informed me that DNSSEC is not implemented and there is no need for DNSSEC enabled for the AirVPN DNS servers.
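
The error cr00 quotes ("failed to prime trust anchor -- could not fetch DNSKEY rrset") is unbound asking its forwarder for the root DNSKEY RRset so that it can start validating; if the forwarder answers SERVFAIL, returns no DNSKEY records, or strips the signatures, validation can never begin and every lookup fails, which is exactly the "works with DNSSEC unchecked" symptom in this thread. As an added example, not from the original post, from pfSense or from AirVPN, the following stdlib-only probe sends the same query unbound sends (`. DNSKEY` with an EDNS0 OPT record carrying the DO bit) to a resolver and reports what came back. So that it can run offline, constructed response packets are included; the resolver address 10.4.0.1, the sample packets and the verdict labels are mine.

```python
import os
import socket
import struct

DNSKEY, RRSIG, OPT = 48, 46, 41
IN = 1

def encode_name(name):
    """Wire-format a domain name; '.' is the root (a single zero-length label)."""
    if name in (".", ""):
        return b"\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_dnskey_query(name=".", qid=None):
    """Query for <name> DNSKEY with an EDNS0 OPT RR carrying the DO bit (RFC 6891)."""
    if qid is None:
        qid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", DNSKEY, IN)
    # OPT pseudo-RR: root name, type OPT, UDP payload 4096, ext-rcode/version 0, flags DO, no rdata
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x00008000, 0)
    return header + question + opt

def skip_name(buf, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length

def parse_dnskey_response(buf, expected_qid):
    """Summarize a response: rcode, AD/TC flags and how many DNSKEY/RRSIG answers it holds."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    if qid != expected_qid:
        raise ValueError("transaction id mismatch (spoofed or stale reply)")
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4  # QTYPE + QCLASS
    counts = {DNSKEY: 0, RRSIG: 0}
    for _ in range(an):
        off = skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10 + rdlen
        if rtype in counts:
            counts[rtype] += 1
    return {"rcode": flags & 0xF, "ad": bool(flags & 0x0020), "tc": bool(flags & 0x0200),
            "dnskey": counts[DNSKEY], "rrsig": counts[RRSIG]}

def verdict(summary):
    """What the result means for a validating unbound behind this forwarder."""
    if summary["rcode"] != 0:
        return "rcode-%d" % summary["rcode"]  # SERVFAIL/REFUSED: the trust anchor cannot be primed
    if summary["tc"]:
        return "truncated"                    # retry over TCP before concluding anything
    if summary["dnskey"] == 0:
        return "no-dnskey"                    # nothing to validate against: priming fails
    if summary["rrsig"] == 0:
        return "no-rrsig"                     # forwarder strips signatures: validation fails
    return "dnssec-capable"

def probe(resolver, timeout=3.0):
    """Send the query to a live resolver (needs network) and return its verdict."""
    query = build_dnskey_query(".")
    qid = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return verdict(parse_dnskey_response(data, qid))

# Constructed responses so the parser can be exercised offline (not real resolver output).
def build_response(qid, rcode, answers, ad=False):
    flags = 0x8180 | (0x0020 if ad else 0) | (rcode & 0xF)  # QR, RD, RA (+AD)
    pkt = struct.pack("!HHHHHH", qid, flags, 1, len(answers), 0, 0)
    pkt += encode_name(".") + struct.pack("!HH", DNSKEY, IN)
    for rtype, rdata in answers:
        pkt += encode_name(".") + struct.pack("!HHIH", rtype, IN, 3600, len(rdata)) + rdata
    return pkt

QID = 0x1234
# Validating resolver: a KSK-style DNSKEY (flags 257, proto 3, alg 8, dummy key) plus an RRSIG, AD set.
SAMPLE_OK = build_response(QID, 0, [(DNSKEY, b"\x01\x01\x03\x08" + b"\x00" * 16), (RRSIG, b"\x00" * 18)], ad=True)
SAMPLE_NO_DNSKEY = build_response(QID, 0, [])  # NOERROR but an empty answer section
SAMPLE_SERVFAIL = build_response(QID, 2, [])

if __name__ == "__main__":
    for label, pkt in (("ok", SAMPLE_OK), ("empty", SAMPLE_NO_DNSKEY), ("servfail", SAMPLE_SERVFAIL)):
        print(label, verdict(parse_dnskey_response(pkt, QID)))
    # print(probe("10.4.0.1"))  # run this on the pfSense box itself, inside the tunnel
```

Anything other than "dnssec-capable" from the forwarder means the resolver's DNSSEC checkbox must stay off while that forwarder is in use, or the forwarder has to be swapped for one that returns the signed root DNSKEY RRset; leaving DNSSEC on does not add security here, it only makes every lookup fail.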



#34 hbs

Posted 28 December 2018 - 06:15 PM

See, I understand. Looks promising.

But I have to restore my configuration to make sure I will be the closest to my settings of last week.

I will keep you guys posted.


#35 Wolke68

Posted 28 December 2018 - 06:22 PM

Please read the how-to for pfSense.

> WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
> Dec 28 16:53:12 openvpn 33200 /sbin/route add -net 128.0.0.0 10.14.192.1 128.0.0.0
> Dec 28 16:53:12 openvpn 33200 /sbin/route add -net 0.0.0.0 10.14.192.1 128.0.0.0
> Dec 28 16:53:12 openvpn 33200 ERROR: FreeBSD route add command failed: external program exited with error status: 1
> Dec 28 16:53:12 openvpn 33200 /sbin/route add -net 96.47.229.58 192.168.1.1 255.255.255.255
> Dec 28 16:53:12 openvpn 33200 /usr/local/sbin/ovpn-linkup ovpnc1 1500 1553 10.14.192.252 255.255.255.0 init
> Dec 28 16:53:12 openvpn 33200 /sbin/route add -net 10.14.192.0 10.14.192.1 255.255.255.0
> Dec 28 16:53:12 openvpn 33200 /sbin/ifconfig ovpnc1 10.14.192.252 10.14.192.1 mtu 1500 netmask 255.255.255.0 up

For pfSense it isn't correct: don't get routes etc.

> WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-256-CBC'

The only way I get AirVPN DNS to work is in the DNS Resolver option (incl. DNSSEC), no forwarding.

Advanced Option Box: forward-addr: 10.4.0.1

System DNS, as an example OpenDNS, with no gateway.

#36 Air4141841

Posted 28 December 2018 - 06:33 PM

> Air4141841,
>
> On ipleak.net using this configuration, how many DNS servers do you see?

It shows me connected to the AirVPN IP, which says Exit, Volans.

ONE DNS server, which says Volans.


#37 Wolke68

Posted 28 December 2018 - 06:37 PM

And I see:

DNS Addresses - 2 servers
178.162.209.171  Germany  AirVPN Server (Exit, Serpens)
185.189.112.27   Germany  AirVPN Server (Exit, Cervantes)

Dnsleaktest:

178.162.209.171  27.112.189.185.in-addr.arpa  Leaseweb Deutschland GmbH  Germany
185.189.112.27   none  UK Web.Solutions Direct Ltd  Germany

#38 hbs

Posted 28 December 2018 - 07:25 PM

> > This is very interesting.
> >
> > You had the issue about the same time I started to have it.
> >
> > Could you please take a screenshot or paste the configuration of your VPN client?
> >
> > Thanks
>
> The config under "Services > DNS Resolver" is exactly the same as the one in step 8 of pfsense_fan's tutorial:
>
> https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/#entry40144
>
> I unchecked DNSSEC and pfSense turned again to resolving DNS with 10.4.0.1 (set up in "System > General Setup: DNS Servers").
>
> For viewing the DNS Resolver log in pfSense go to: Status > System Logs > DNS Resolver
>
> Support informed me that DNSSEC is not implemented and there is no need for DNSSEC enabled for the AirVPN DNS servers.

After reinstalling my old config I followed these steps. It worked.

But there is a catch. If I reboot, my internet connection is lost.

Did you reboot after you found this workaround?

I had to reinstall the configuration with this workaround to make it work again.


#39 hbs

Posted 28 December 2018 - 07:32 PM

> Please read the how-to for pfSense.
>
> > WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
> > Dec 28 16:53:12 openvpn 33200 /sbin/route add -net 128.0.0.0 10.14.192.1 128.0.0.0
> > Dec 28 16:53:12 openvpn 33200 /sbin/route add -net 0.0.0.0 10.14.192.1 128.0.0.0
> > Dec 28 16:53:12 openvpn 33200 ERROR: FreeBSD route add command failed: external program exited with error status: 1
> > Dec 28 16:53:12 openvpn 33200 /sbin/route add -net 96.47.229.58 192.168.1.1 255.255.255.255
> > Dec 28 16:53:12 openvpn 33200 /usr/local/sbin/ovpn-linkup ovpnc1 1500 1553 10.14.192.252 255.255.255.0 init
> > Dec 28 16:53:12 openvpn 33200 /sbin/route add -net 10.14.192.0 10.14.192.1 255.255.255.0
> > Dec 28 16:53:12 openvpn 33200 /sbin/ifconfig ovpnc1 10.14.192.252 10.14.192.1 mtu 1500 netmask 255.255.255.0 up
>
> For pfSense it isn't correct: don't get routes etc.
>
> > WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-256-CBC'
>
> The only way I get AirVPN DNS to work is in the DNS Resolver option (incl. DNSSEC), no forwarding.
>
> Advanced Option Box: forward-addr: 10.4.0.1
>
> System DNS, as an example OpenDNS, with no gateway.

What do you mean by that?

Disabling DNS Query Forwarding

Enable Forwarding Mode


#40 Wolke68

Posted 28 December 2018 - 07:37 PM

In the how-to https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/#entry40144

DNS Query Forwarding = [ ] (CHECKED)

WITH this it works for me.

Advanced Option Box:

forward-zone:
    name: "."
    forward-addr: 10.4.0.1

