OpenVPN Windows 10 DNS not working

This guide provides a way of checking whether a DNS query made from your OpenVPN client device is actually making it through the VPN tunnel.

Introduction

Companies often run their own DNS server that they use to resolve DNS names to private IP addresses, to make accessing systems easier for users. It is for example easier to tell a user to start their Remote Desktop client program and to connect to server1 instead of having to tell them to connect to 192.168.70.243. To learn what DNS is, see this article. OpenVPN Access Server supports pushing an instruction to a connecting OpenVPN client to use a specific DNS server. Actually it supports pushing 2 DNS servers, in case the first one fails to respond. This can be configured in the Admin UI under VPN Settings. The Access Server also supports sending additional instructions for DNS Resolution Zones, which functions like a type of split-DNS where only queries for a specific DNS zone are sent to the VPN server, and DNS Default Suffix, which provides a hint to Windows to ‘autocomplete’ a partial hostname to a Fully Qualified Domain Name, or FQDN.

Unfortunately, not every operating system behaves the same with regard to DNS. Some systems will try all DNS servers at once and accept the response from the first to respond. Some can do split-DNS and others cannot. This can lead to certain problems. The guide below provides a way of checking whether a DNS query made from your OpenVPN client device is actually making it through the VPN tunnel to the OpenVPN Access Server and, from there, to the target DNS server. This information is valuable in determining whether the problem is at the client end or at the server end.

Testing DNS resolution from a client system

We are going to assume that you have a DNS server configured in the Admin UI of the Access Server, under VPN Settings. We are assuming you are not using the DNS Resolution Zones or the DNS Default Suffix fields. With this setting, all DNS requests should be going from the OpenVPN client, through the OpenVPN Access Server, and then to the specified DNS server. In our example we are pushing the Google Public DNS server 8.8.8.8, and our test results will reflect this in the sample outputs as well.

Install your OpenVPN client program on your chosen client system. In our example we will be using a Windows 10 Professional client system with the OpenVPN Connect Client installed, and connected to the OpenVPN Access Server. Next open a console session or an SSH session to the OpenVPN Access Server, and obtain root privileges. We will be using the tool tcpdump to monitor activity on port 53 TCP and UDP, the default port where DNS queries are handled. We will be flushing the local DNS resolver cache on the client side, and then resolve a number of domains simply by pinging them by name. In our test situation, there are only a handful of clients connected, and the activity of DNS queries is very low, so we can monitor it easily. If you are testing on a production system and the tcpdump command gives too much output, you can append a grep filter by IP address, to filter queries coming only from your specific VPN client’s IP address, to make reading and locating the DNS query results easier.

On the Access Server run these commands:

apt-get update
apt-get install tcpdump

With tcpdump installed, now run it with these parameters:

tcpdump -eni any port 53

Or, if you want to filter it by the IP address of your VPN client (adjust as needed):

tcpdump -eni any port 53 | grep "172.27.10.22"

With this running in the background, go to your VPN client’s operating system, and open a command prompt. On Windows for example you can run the cmd program to open an old style DOS prompt. With that open, use the following commands to wipe the local DNS resolver cache, so it won’t pull results from its own local memory, and then do an actual query.

Wipe local DNS resolver cache on Windows:

ipconfig /flushdns

Resolve some domain names:

ping www.google.com
ping www.openvpn.net
ping www.facebook.com

Each of these should yield results that look somewhat like this:

Pinging www.google.com [216.58.212.228] with 32 bytes of data:
Reply from 216.58.212.228: bytes=32 time=4ms TTL=56
Reply from 216.58.212.228: bytes=32 time=3ms TTL=56
Reply from 216.58.212.228: bytes=32 time=3ms TTL=56
Reply from 216.58.212.228: bytes=32 time=3ms TTL=56
Ping statistics for 216.58.212.228:
 Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
 Minimum = 3ms, Maximum = 4ms, Average = 3ms

On the OpenVPN Access Server you should be seeing results that look somewhat like this:

18:03:07.976553 In ethertype IPv4 (0x0800), length 76: 172.27.232.2.49531 > 8.8.8.8.53: 53268+ A? www.google.com. (32)
18:03:07.976579 Out 00:0c:29:c7:60:e9 ethertype IPv4 (0x0800), length 76: 192.168.47.133.49531 > 8.8.8.8.53: 53268+ A? www.google.com. (32)
18:03:07.981162 In 34:31:c4:8e:b5:67 ethertype IPv4 (0x0800), length 92: 8.8.8.8.53 > 192.168.47.133.49531: 53268 1/0/0 A 216.58.211.100 (48)
18:03:07.981181 Out ethertype IPv4 (0x0800), length 92: 8.8.8.8.53 > 172.27.232.2.49531: 53268 1/0/0 A 216.58.211.100 (48)

The above result from tcpdump shows that a DNS request was received from the VPN client at 172.27.232.2, and that it was directed at the DNS server at 8.8.8.8, and the request was to find the A record (IP address) for the DNS name www.google.com. The first line shows that this request is coming in at the OpenVPN Access Server, from the VPN client. The second line shows the request leaving the Access Server through the network interface with MAC address 00:0c:29:c7:60:e9. In our test setup, this is the network interface of the Access Server that goes to the Internet, which makes sense, because the 8.8.8.8 DNS server is on the Internet. The third line shows that a DNS result has been received, and the fourth line shows that this result has been relayed back to the VPN client. In this case, DNS resolution is working.

Split-DNS when using DNS Resolution Zones

Split-DNS is the principle of resolving only certain zones (domains) through a DNS server pushed by the VPN server, and the rest through your already present local DNS servers. In Access Server there is a field in the Admin UI, under VPN Settings, called DNS Resolution Zones. If you enter a single domain or a list of (comma-separated) domains here, then the clients will receive an instruction to only resolve those domains through the DNS server pushed by the VPN server, and resolve the rest through the client’s local DNS server.

Please note that not all OpenVPN clients out there support this and there are some differences in behavior between versions of OpenVPN as well. The best results can be achieved by using OpenVPN Connect v3 client software.

When you use split-DNS, you will not see the pushed DNS server in your ipconfig or ifconfig output. The DNS server is not implemented at the network interface configuration level. Instead, it is implemented in the DNS system, in a DNS resolution policy table. On macOS, for example, this table can be queried with the scutil command line utility, and on Windows with netsh. Such a table is simply a list of domains and the DNS servers they should be resolved through. Below we show example output of what split-DNS and normal DNS resolution look like through a VPN tunnel. Some superfluous data has been removed from these example outputs.

Commands to see network configuration and DNS resolution policy on Windows:

ipconfig /all
netsh namespace show effectivepolicy

Commands to see network configuration and DNS resolution policy on macOS:

ifconfig
scutil --dns

Example output on Windows when split-DNS is currently in use:

(OpenVPN) adapter Local Area Connection:
Description . . . . . . . . . . . : TAP-Windows Adapter V9 for OpenVPN Connect
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                    fec0:0:0:ffff::2%1
                                    fec0:0:0:ffff::3%1

Ethernet adapter Ethernet:
Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
DNS Servers . . . . . . . . . . . : 192.168.47.254

DNS Effective Name Resolution Policy Table Settings
Settings for .openvpn.net
----------------------------------------------------------------------------
Generic (DNS Servers) : 1.2.3.4

In the above output, you can see that split-DNS is now being used because the DNS server assigned to the normal network interface called Ethernet that connects to our local network has DNS server 192.168.47.254, which is our local DNS server, and the Name Resolution Policy Table has a zone for .openvpn.net that resolves through 1.2.3.4, which is the DNS server pushed by the VPN server. This means that *.openvpn.net will get resolved through the VPN DNS server, and the rest will resolve through the local DNS server 192.168.47.254. Note also that the VPN interface gets 3 IPv6 self-assigned DNS server addresses, which are not assigned by OpenVPN, but by the OS itself. This should not affect DNS resolution.

Example output on Windows when split-DNS is not used:

(OpenVPN) adapter Local Area Connection:
  Description . . . . . . . . . . . : TAP-Windows Adapter V9 for OpenVPN Connect
  DNS Servers . . . . . . . . . . . : 1.2.3.4

DNS Effective Name Resolution Policy Table Settings
Settings for .
----------------------------------------------------------------------------
Generic (DNS Servers) : 1.2.3.4

In the above output, you can see that split-DNS is not being used because the DNS server is assigned to the network interface adapter itself, and there is only one top level zone for DNS resolution (the dot means all zones). This means that this configuration is not using split-DNS and therefore all DNS queries get redirected to the server at 1.2.3.4.
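As an added example (not from the original guide), the two outputs above can be told apart programmatically. The parser below reads netsh namespace show effectivepolicy output in the trimmed form shown here and reports which DNS server a given name would be sent to; the function names, the adapter_dns parameter and the most-specific-suffix rule are assumptions of this example.

```python
import re

RULE = re.compile(r"^Settings for (\S+)$")
SERVERS = re.compile(r"^Generic \(DNS Servers\)\s*:\s*(.+)$")

# The two policy tables shown in this guide (trimmed; real output has more fields).
SPLIT = """\
DNS Effective Name Resolution Policy Table Settings
Settings for .openvpn.net
----------------------------------------------------------------------------
Generic (DNS Servers) : 1.2.3.4
"""
FULL = """\
DNS Effective Name Resolution Policy Table Settings
Settings for .
----------------------------------------------------------------------------
Generic (DNS Servers) : 1.2.3.4
"""


def parse_policy(text):
    """Map each policy-table namespace to the DNS servers listed for it."""
    rules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE.match(line)
        if m:
            current = m.group(1).lower()
            rules[current] = []
        elif current is not None:
            m = SERVERS.match(line)
            if m:
                rules[current] = re.split(r"[\s,;]+", m.group(1).strip())
    return rules


def is_split_dns(rules):
    """Split-DNS: zone rules exist, but none for "." (all zones)."""
    return bool(rules) and "." not in rules


def resolver_for(name, rules, adapter_dns):
    """Return (source, servers) for a host name.

    Assumption: the longest matching suffix wins, and a rule ".zone" covers
    names under that zone (the guide's *.openvpn.net). Names that match no
    rule fall back to adapter_dns, the DNS servers of the local adapter.
    """
    host = name.lower().rstrip(".")
    matches = [ns for ns in rules if ns == "." or host.endswith(ns)]
    if not matches:
        return ("adapter", adapter_dns)
    best = max(matches, key=len)
    return ("policy " + best, rules[best])


if __name__ == "__main__":
    local = ["192.168.47.254"]  # DNS server of the Ethernet adapter in the sample
    for label, text in (("split", SPLIT), ("full", FULL)):
        rules = parse_policy(text)
        print(label, "split-DNS:", is_split_dns(rules))
        for host in ("www.openvpn.net", "www.google.com"):
            print("  ", host, "->", resolver_for(host, rules, local))
```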

Troubleshooting

Below are a number of common problems, with an explanation of each and where to look for a solution.

Ping request could not find domain (…). Please check the name and try again

This can happen when the DNS server your client system is using is badly configured, cannot be reached, or does not know the domain you are trying to resolve. For example, with local DNS servers in your own network it is entirely possible that they only know local computer systems and have no knowledge of online names like openvpn.net. Usually in such a case you can configure the DNS server to forward DNS queries to a public DNS server that does know the answer to those queries, so that it is able to respond to queries for both local names and public names. A useful step in this situation may be to run tcpdump again, as described in the section "Testing DNS resolution from a client system" above, and check its output.

If you see a result like this:

18:07:10.082330 In ethertype IPv4 (0x0800), length 94: 172.27.232.2.54519 > 8.8.8.8.53: 50281+ A? thisdomainreallydoesnotexist.com. (50)
18:07:10.082356 Out 00:0c:29:c7:60:e9 ethertype IPv4 (0x0800), length 94: 192.168.47.133.54519 > 8.8.8.8.53: 50281+ A? thisdomainreallydoesnotexist.com. (50)
18:07:10.082507 In ethertype IPv4 (0x0800), length 94: 172.27.232.2.57858 > 8.8.8.8.53: 65054+ AAAA? thisdomainreallydoesnotexist.com. (50)
18:07:10.082521 Out 00:0c:29:c7:60:e9 ethertype IPv4 (0x0800), length 94: 192.168.47.133.57858 > 8.8.8.8.53: 65054+ AAAA? thisdomainreallydoesnotexist.com. (50)
18:07:10.103610 In 34:31:c4:8e:b5:67 ethertype IPv4 (0x0800), length 167: 8.8.8.8.53 > 192.168.47.133.54519: 50281 NXDomain 0/1/0 (123)
18:07:10.103641 Out ethertype IPv4 (0x0800), length 167: 8.8.8.8.53 > 172.27.232.2.54519: 50281 NXDomain 0/1/0 (123)

Specifically, the item NXDomain here is important. It means that this DNS server does not know the name we are trying to resolve. Another DNS server might still know the name, but this one doesn't. In the example above, however, we purposefully selected a name that does not exist (or at least it didn't when we ran the test; someone may of course register the name in the future) to be sure we see the error. If you are encountering this problem, you may want to use the nslookup program on a computer with direct access to the DNS server to query that specific DNS server directly and confirm that it does know the domain.

If you see a result like this, repeated a few times:

18:19:29.935439 Out 00:0c:29:c7:60:e9 ethertype IPv4 (0x0800), length 76: 192.168.47.133.60180 > 1.2.3.4.53: 16427+ AAAA? www.google.com. (32)
18:19:29.935479 In ethertype IPv4 (0x0800), length 76: 172.27.232.3.51334 > 1.2.3.4.53: 37513+ A? www.google.com. (32)

Then what you may notice here is that you do see a query arriving from the VPN client, pass through the Access Server, and go out to the Internet, but there is no reply. Usually this means that this DNS server is unreachable, or is not a DNS server at all. In the example I have chosen IP address 1.2.3.4, which I know for a fact is not a DNS server. The query will be repeated a few times but will ultimately fail. The obvious solution here is to choose a DNS server that works, or to make sure that there is no firewall standing in the way, blocking the queries from the VPN clients to the DNS server.

In some cases, when routing is used to give VPN clients access to servers on the private network behind the Access Server, it is a matter of a missing route. In such a case the packets from VPN clients make it to the target DNS server just fine, but the server is not able to respond because it is receiving packets from a subnet it does not know how to respond to. That can be solved by implementing static routes for direct VPN client communication, or by switching to giving access using NAT instead. In other cases we've seen, especially on Windows Server platforms, the built-in Windows Firewall could be blocking queries coming from a subnet outside of the local network. In such a case an adjustment to the firewall is necessary to allow the DNS server to receive the query and respond to it.
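The reading of the tcpdump output described in this guide can be automated. The script below is an added example, not part of the original guide or of OpenVPN Access Server: it pairs each DNS query with its reply by transaction ID and DNS server address, and labels the result answered, nxdomain (or another error code) or no_reply. The names classify, Flow and SAMPLE are made up for this example; the sample lines are copied from the outputs shown above.

```python
import re
from dataclasses import dataclass, field

# One packet line of `tcpdump -eni any port 53`. The optional token before
# In/Out covers tcpdump versions that print the interface name in that column.
LINE = re.compile(
    r"^\S+\s+(?:\S+\s+)?(?P<dir>In|Out)\s.*?length \d+: "
    r"(?P<src>\S+)\.\d+ > (?P<dst>\S+)\.\d+: "
    r"(?P<txid>\d+)\S* (?P<rest>.*)$"
)
# A query prints as "A? name." or "AAAA? name.", optionally after "[1au]".
QUERY = re.compile(r"^(?:\[\S+\] )?(?P<qtype>[A-Za-z0-9]+)\? (?P<qname>\S+)")

# Lines taken from the sample outputs in this guide.
SAMPLE = """\
18:03:07.976553 In ethertype IPv4 (0x0800), length 76: 172.27.232.2.49531 > 8.8.8.8.53: 53268+ A? www.google.com. (32)
18:03:07.976579 Out 00:0c:29:c7:60:e9 ethertype IPv4 (0x0800), length 76: 192.168.47.133.49531 > 8.8.8.8.53: 53268+ A? www.google.com. (32)
18:03:07.981162 In 34:31:c4:8e:b5:67 ethertype IPv4 (0x0800), length 92: 8.8.8.8.53 > 192.168.47.133.49531: 53268 1/0/0 A 216.58.211.100 (48)
18:03:07.981181 Out ethertype IPv4 (0x0800), length 92: 8.8.8.8.53 > 172.27.232.2.49531: 53268 1/0/0 A 216.58.211.100 (48)
18:07:10.082330 In ethertype IPv4 (0x0800), length 94: 172.27.232.2.54519 > 8.8.8.8.53: 50281+ A? thisdomainreallydoesnotexist.com. (50)
18:07:10.082356 Out 00:0c:29:c7:60:e9 ethertype IPv4 (0x0800), length 94: 192.168.47.133.54519 > 8.8.8.8.53: 50281+ A? thisdomainreallydoesnotexist.com. (50)
18:07:10.103610 In 34:31:c4:8e:b5:67 ethertype IPv4 (0x0800), length 167: 8.8.8.8.53 > 192.168.47.133.54519: 50281 NXDomain 0/1/0 (123)
18:07:10.103641 Out ethertype IPv4 (0x0800), length 167: 8.8.8.8.53 > 172.27.232.2.54519: 50281 NXDomain 0/1/0 (123)
18:19:29.935439 Out 00:0c:29:c7:60:e9 ethertype IPv4 (0x0800), length 76: 192.168.47.133.60180 > 1.2.3.4.53: 16427+ AAAA? www.google.com. (32)
18:19:29.935479 In ethertype IPv4 (0x0800), length 76: 172.27.232.3.51334 > 1.2.3.4.53: 37513+ A? www.google.com. (32)
"""


@dataclass
class Flow:
    txid: int
    server: str
    qtype: str = "?"
    qname: str = "?"
    client: str = "?"            # VPN client address, known once the In query is seen
    rcode: str = ""              # empty means no error code was printed
    stages: set = field(default_factory=set)

    @property
    def status(self):
        if not self.stages & {"reply_in", "reply_out"}:
            return "no_reply"    # unreachable server, firewall or missing route
        return self.rcode.lower() or "answered"


def classify(lines):
    """Group tcpdump DNS lines into one Flow per (transaction ID, DNS server)."""
    flows = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue             # banner lines, blank lines, anything unparsed
        q = QUERY.match(m["rest"])
        server = m["dst"] if q else m["src"]
        txid = int(m["txid"])
        flow = flows.setdefault((txid, server), Flow(txid, server))
        direction = m["dir"].lower()
        if q:
            flow.qtype, flow.qname = q["qtype"], q["qname"].rstrip(".")
            if direction == "in":            # arrived from the VPN client
                flow.client = m["src"]
            flow.stages.add("query_" + direction)
        else:
            tokens = m["rest"].split()
            if tokens and tokens[0][0].isalpha():   # e.g. NXDomain, ServFail
                flow.rcode = re.match(r"[A-Za-z]+", tokens[0]).group(0)
            flow.stages.add("reply_" + direction)
    return list(flows.values())


if __name__ == "__main__":
    for f in classify(SAMPLE.splitlines()):
        print(f"{f.status:10} {f.qtype:5} {f.qname:35} "
              f"client={f.client} server={f.server} stages={sorted(f.stages)}")
```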

My Windows 10 machine is not able to resolve any DNS? It's able to connect to the VPN, ping external IP addresses, receive Discord messages, and access google.com by typing the IP of it manually, but trying to ping google.com does not work. I'm assuming this is a DNS problem because the internet does work (if you have the IP address of the site you want to use :P). This VPN is also working fully with my EdgeRouter 4 as a client already. Can anyone offer advice?

Client config

client
proto udp
remote 1xx.2xx.xx.xxx xxxxx
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_xxxxxxxxx name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns
verb 3

Server config

port xxxxx
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key 0
crl-verify crl.pem
ca ca.crt
cert server_xxxxxxx.crt
key server_xxxxxxxx.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
status /var/log/openvpn/status.log
verb 3

Client log

Tue Sep 17 17:02:37 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Tue Sep 17 17:02:37 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Sep 17 17:02:37 2019 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Enter Management Password:
Tue Sep 17 17:02:37 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Sep 17 17:02:37 2019 Need hold release from management interface, waiting...
Tue Sep 17 17:02:38 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Sep 17 17:02:38 2019 MANAGEMENT: CMD 'state on'
Tue Sep 17 17:02:38 2019 MANAGEMENT: CMD 'log all on'
Tue Sep 17 17:02:38 2019 MANAGEMENT: CMD 'echo all on'
Tue Sep 17 17:02:38 2019 MANAGEMENT: CMD 'bytecount 5'
Tue Sep 17 17:02:38 2019 MANAGEMENT: CMD 'hold off'
Tue Sep 17 17:02:38 2019 MANAGEMENT: CMD 'hold release'
Tue Sep 17 17:02:38 2019 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Sep 17 17:02:38 2019 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Sep 17 17:02:38 2019 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Sep 17 17:02:38 2019 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Sep 17 17:02:38 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]redactedIP
Tue Sep 17 17:02:38 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Sep 17 17:02:38 2019 UDP link local: (not bound)
Tue Sep 17 17:02:38 2019 UDP link remote: [AF_INET]redactedIP
Tue Sep 17 17:02:38 2019 MANAGEMENT: >STATE:1568754158,WAIT,,,,,,
Tue Sep 17 17:02:38 2019 MANAGEMENT: >STATE:1568754158,AUTH,,,,,,
Tue Sep 17 17:02:38 2019 TLS: Initial packet from [AF_INET]RedactedIp, sid=feb45b57 1f229ce5
Tue Sep 17 17:02:38 2019 VERIFY OK: depth=1, CN=cn_hm2Ph37iye3P5DNu
Tue Sep 17 17:02:38 2019 VERIFY KU OK
Tue Sep 17 17:02:38 2019 Validating certificate extended key usage
Tue Sep 17 17:02:38 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Sep 17 17:02:38 2019 VERIFY EKU OK
Tue Sep 17 17:02:38 2019 VERIFY X509NAME OK: CN=server_eHabSYnbcyZtj0IW
Tue Sep 17 17:02:38 2019 VERIFY OK: depth=0, CN=server_eHabSYnbcyZtj0IW
Tue Sep 17 17:02:41 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit EC, curve: prime256v1
Tue Sep 17 17:02:41 2019 [server_eHabSYnbcyZtj0IW] Peer Connection Initiated with [AF_INET]redactedIp
Tue Sep 17 17:02:43 2019 MANAGEMENT: >STATE:1568754163,GET_CONFIG,,,,,,
Tue Sep 17 17:02:43 2019 SENT CONTROL [server_eHabSYnbcyZtj0IW]: 'PUSH_REQUEST' (status=1)
Tue Sep 17 17:02:43 2019 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 1.0.0.1,dhcp-option DNS 1.1.1.1,redirect-gateway def1 bypass-dhcp,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.3 255.255.255.0,peer-id 1,cipher AES-128-GCM'
Tue Sep 17 17:02:43 2019 OPTIONS IMPORT: timers and/or timeouts modified
Tue Sep 17 17:02:43 2019 OPTIONS IMPORT: --ifconfig/up options modified
Tue Sep 17 17:02:43 2019 OPTIONS IMPORT: route options modified
Tue Sep 17 17:02:43 2019 OPTIONS IMPORT: route-related options modified
Tue Sep 17 17:02:43 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Sep 17 17:02:43 2019 OPTIONS IMPORT: peer-id set
Tue Sep 17 17:02:43 2019 OPTIONS IMPORT: adjusting link_mtu to 1624
Tue Sep 17 17:02:43 2019 OPTIONS IMPORT: data channel crypto options modified
Tue Sep 17 17:02:43 2019 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Tue Sep 17 17:02:43 2019 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Tue Sep 17 17:02:43 2019 interactive service msg_channel=592
Tue Sep 17 17:02:43 2019 ROUTE_GATEWAY 192.168.0.1/255.255.252.0 I=6 HWADDR=00:28:f8:21:5f:a2
Tue Sep 17 17:02:43 2019 open_tun
Tue Sep 17 17:02:43 2019 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{E2354CBE-F4FE-4A34-B22B-CD596E42E246}.tap
Tue Sep 17 17:02:43 2019 TAP-Windows Driver Version 9.21 
Tue Sep 17 17:02:43 2019 Set TAP-Windows TUN subnet mode network/local/netmask = 10.8.0.0/10.8.0.3/255.255.255.0 [SUCCEEDED]
Tue Sep 17 17:02:43 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.3/255.255.255.0 on interface {E2354CBE-F4FE-4A34-B22B-CD596E42E246} [DHCP-serv: 10.8.0.254, lease-time: 31536000]
Tue Sep 17 17:02:43 2019 Successful ARP Flush on interface [23] {E2354CBE-F4FE-4A34-B22B-CD596E42E246}
Tue Sep 17 17:02:43 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Sep 17 17:02:43 2019 MANAGEMENT: >STATE:1568754163,ASSIGN_IP,,10.8.0.3,,,,
Tue Sep 17 17:02:43 2019 Blocking outside dns using service succeeded.
Tue Sep 17 17:02:48 2019 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
Tue Sep 17 17:02:48 2019 C:\WINDOWS\system32\route.exe ADD redactedIp MASK 255.255.255.255 192.168.0.1
Tue Sep 17 17:02:48 2019 Route addition via service succeeded
Tue Sep 17 17:02:48 2019 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.1
Tue Sep 17 17:02:48 2019 Route addition via service succeeded
Tue Sep 17 17:02:48 2019 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.1
Tue Sep 17 17:02:48 2019 Route addition via service succeeded
Tue Sep 17 17:02:48 2019 Initialization Sequence Completed
Tue Sep 17 17:02:48 2019 MANAGEMENT: >STATE:1568754168,CONNECTED,SUCCESS,10.8.0.3,RedactedIP,

Thanks.

I spun up a fresh install of Windows 10 in a VM to test on after seeing this issue on every physical Win10 machine I have. I tested all of the answers in this thread and none of them worked. I discovered that the solution is to combine the answers posted here by "Keenans" and "ECC-Dan":

http://answers.microsoft.com/en-us/windows/forum/windows_10-networking/win-10-dns-resolution-of-remote-network-via-vpn/513bdeea-0d18-462e-9ec3-a41129eec736?page=1

Control Panel > Network and Sharing Center > Change adapter settings > Right click your Ethernet or Wifi adapter > Properties > double click IPv4 > Advanced > Uncheck Automatic Metric > Enter 15 for interface metric > OK > OK.

On that same Properties page, double click IPv6 > Advanced > Uncheck Automatic Metric > Enter 15 for interface metric > OK > OK.

Only after changing both of those settings is the issue resolved. I tested changing either one back and it breaks again. After changing both I ran nslookup from command line and it returned the DNS server on the remote network where the VPN is connected to, whereas otherwise it would return the local DNS server. I then used Wireshark capturing on the Ethernet interface, did some pings to random websites, and verified that there were no DNS packets captured. This proves that after making the changes, DNS queries are being sent ONLY over the VPN connection, and not simultaneously over all connections (which is known as the Win10 DNS leak). So this is also part of the solution for the Win10 DNS leak:

https://medium.com/@ValdikSS/beware-of-windows-10-dns-resolver-and-dns-leaks-5bc5bfb4e3f1#.7ppsn1nda

Note that to fix the DNS leak, you first need to do the steps above. Then you need to set two registry values. The linked articles only list one, which by itself, does not fix the issue in newer builds of Win10. Set these registry values:

Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient
Value: DisableSmartNameResolution
Data: 1

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
Value: DisableParallelAandAAAA
Data: 1

Only after doing all of that, will your DNS client behavior be back to the way it was in Win7. You have to wonder how this got through QA at Microsoft.

  • Hello

    After moving to Windows 10, the DNS resolver stopped working properly.

    It uses whichever answer arrives fastest.

    Because of this, some internal resources work incorrectly.

    Before Windows 10, the priority was taken into account.

    Such a vulnerability is a fairly serious security hole.

    Is there any solution for this?

    • Type changed

      October 5, 2015, 6:26
      The topic was moved to discussions due to lack of activity.

Just update verb to 4 and get the full log, but cannot find any line related to DNS server address.
Will check with the administrator, thanks for the help again

2022-03-14 09:01:31 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-03-14 09:01:31 us=156000 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
2022-03-14 09:01:31 us=156000 Current Parameter Settings:
2022-03-14 09:01:31 us=156000   config = 'jimchen__ssl_vpn_config.ovpn'
2022-03-14 09:01:31 us=156000   mode = 0
2022-03-14 09:01:31 us=156000   show_ciphers = DISABLED
2022-03-14 09:01:31 us=156000   show_digests = DISABLED
2022-03-14 09:01:31 us=156000   show_engines = DISABLED
2022-03-14 09:01:31 us=156000   genkey = DISABLED
2022-03-14 09:01:31 us=156000   genkey_filename = '[UNDEF]'
2022-03-14 09:01:31 us=156000   key_pass_file = '[UNDEF]'
2022-03-14 09:01:31 us=156000   show_tls_ciphers = DISABLED
2022-03-14 09:01:31 us=156000   connect_retry_max = 0
2022-03-14 09:01:31 us=156000 Connection profiles [0]:
2022-03-14 09:01:31 us=156000   proto = udp
2022-03-14 09:01:31 us=156000   local = '[UNDEF]'
2022-03-14 09:01:31 us=156000   local_port = '[UNDEF]'
2022-03-14 09:01:31 us=156000   remote = 'remote.KCompanyresearch.com'
2022-03-14 09:01:31 us=156000   remote_port = '2194'
2022-03-14 09:01:31 us=156000   remote_float = DISABLED
2022-03-14 09:01:31 us=156000   bind_defined = DISABLED
2022-03-14 09:01:31 us=156000   bind_local = DISABLED
2022-03-14 09:01:31 us=156000   bind_ipv6_only = DISABLED
2022-03-14 09:01:31 us=156000   connect_retry_seconds = 5
2022-03-14 09:01:31 us=156000   connect_timeout = 120
2022-03-14 09:01:31 us=156000   socks_proxy_server = '[UNDEF]'
2022-03-14 09:01:31 us=156000   socks_proxy_port = '[UNDEF]'
2022-03-14 09:01:31 us=156000   tun_mtu = 1500
2022-03-14 09:01:31 us=156000   tun_mtu_defined = ENABLED
2022-03-14 09:01:31 us=156000   link_mtu = 1500
2022-03-14 09:01:31 us=156000   link_mtu_defined = DISABLED
2022-03-14 09:01:31 us=156000   tun_mtu_extra = 0
2022-03-14 09:01:31 us=156000   tun_mtu_extra_defined = DISABLED
2022-03-14 09:01:31 us=156000   mtu_discover_type = -1
2022-03-14 09:01:31 us=156000   fragment = 0
2022-03-14 09:01:31 us=156000   mssfix = 1450
2022-03-14 09:01:31 us=156000   explicit_exit_notification = 1
2022-03-14 09:01:31 us=156000   tls_auth_file = '[UNDEF]'
2022-03-14 09:01:31 us=156000   key_direction = not set
2022-03-14 09:01:31 us=156000   tls_crypt_file = '[UNDEF]'
2022-03-14 09:01:31 us=156000   tls_crypt_v2_file = '[UNDEF]'
2022-03-14 09:01:31 us=156000 Connection profiles END
2022-03-14 09:01:31 us=156000   remote_random = DISABLED
2022-03-14 09:01:31 us=156000   ipchange = '[UNDEF]'
2022-03-14 09:01:31 us=156000   dev = 'tun'
2022-03-14 09:01:31 us=156000   dev_type = '[UNDEF]'
2022-03-14 09:01:31 us=156000   dev_node = '[UNDEF]'
2022-03-14 09:01:31 us=156000   lladdr = '[UNDEF]'
2022-03-14 09:01:31 us=156000   topology = 1
2022-03-14 09:01:31 us=156000   ifconfig_local = '[UNDEF]'
2022-03-14 09:01:31 us=156000   ifconfig_remote_netmask = '[UNDEF]'
2022-03-14 09:01:31 us=156000   ifconfig_noexec = DISABLED
2022-03-14 09:01:31 us=156000   ifconfig_nowarn = DISABLED
2022-03-14 09:01:31 us=156000   ifconfig_ipv6_local = '[UNDEF]'
2022-03-14 09:01:31 us=156000   ifconfig_ipv6_netbits = 0
2022-03-14 09:01:31 us=156000   ifconfig_ipv6_remote = '[UNDEF]'
2022-03-14 09:01:31 us=156000   shaper = 0
2022-03-14 09:01:31 us=156000   mtu_test = 0
2022-03-14 09:01:31 us=156000   mlock = DISABLED
2022-03-14 09:01:31 us=156000   keepalive_ping = 0
2022-03-14 09:01:31 us=156000   keepalive_timeout = 0
2022-03-14 09:01:31 us=156000   inactivity_timeout = 0
2022-03-14 09:01:31 us=156000   ping_send_timeout = 0
2022-03-14 09:01:31 us=156000   ping_rec_timeout = 0
2022-03-14 09:01:31 us=156000   ping_rec_timeout_action = 0
2022-03-14 09:01:31 us=156000   ping_timer_remote = DISABLED
2022-03-14 09:01:31 us=156000   remap_sigusr1 = 0
2022-03-14 09:01:31 us=156000   persist_tun = ENABLED
2022-03-14 09:01:31 us=156000   persist_local_ip = DISABLED
2022-03-14 09:01:31 us=156000   persist_remote_ip = DISABLED
2022-03-14 09:01:31 us=156000   persist_key = ENABLED
2022-03-14 09:01:31 us=156000   passtos = DISABLED
2022-03-14 09:01:31 us=156000   resolve_retry_seconds = 1000000000
2022-03-14 09:01:31 us=156000   resolve_in_advance = DISABLED
2022-03-14 09:01:31 us=156000   username = '[UNDEF]'
2022-03-14 09:01:31 us=156000   groupname = '[UNDEF]'
2022-03-14 09:01:31 us=156000   chroot_dir = '[UNDEF]'
2022-03-14 09:01:31 us=156000   cd_dir = '[UNDEF]'
2022-03-14 09:01:31 us=156000   writepid = '[UNDEF]'
2022-03-14 09:01:31 us=156000   up_script = '[UNDEF]'
2022-03-14 09:01:31 us=156000   down_script = '[UNDEF]'
2022-03-14 09:01:31 us=156000   down_pre = DISABLED
2022-03-14 09:01:31 us=156000   up_restart = DISABLED
2022-03-14 09:01:31 us=156000   up_delay = DISABLED
2022-03-14 09:01:31 us=156000   daemon = DISABLED
2022-03-14 09:01:31 us=156000   inetd = 0
2022-03-14 09:01:31 us=156000   log = ENABLED
2022-03-14 09:01:31 us=156000   suppress_timestamps = DISABLED
2022-03-14 09:01:31 us=156000   machine_readable_output = DISABLED
2022-03-14 09:01:31 us=156000   nice = 0
2022-03-14 09:01:31 us=156000   verbosity = 4
2022-03-14 09:01:31 us=156000   mute = 0
2022-03-14 09:01:31 us=156000   status_file = '[UNDEF]'
2022-03-14 09:01:31 us=156000   status_file_version = 1
2022-03-14 09:01:31 us=156000   status_file_update_freq = 60
2022-03-14 09:01:31 us=156000   occ = ENABLED
2022-03-14 09:01:31 us=156000   rcvbuf = 0
2022-03-14 09:01:31 us=156000   sndbuf = 0
2022-03-14 09:01:31 us=156000   sockflags = 0
2022-03-14 09:01:31 us=156000   fast_io = DISABLED
2022-03-14 09:01:31 us=156000   comp.alg = 2
2022-03-14 09:01:31 us=156000   comp.flags = 0
2022-03-14 09:01:31 us=156000   route_script = '[UNDEF]'
2022-03-14 09:01:31 us=156000   route_default_gateway = '[UNDEF]'
2022-03-14 09:01:31 us=156000   route_default_metric = 0
2022-03-14 09:01:31 us=156000   route_noexec = DISABLED
2022-03-14 09:01:31 us=156000   route_delay = 4
2022-03-14 09:01:31 us=156000   route_delay_window = 30
2022-03-14 09:01:31 us=156000   route_delay_defined = ENABLED
2022-03-14 09:01:31 us=156000   route_nopull = DISABLED
2022-03-14 09:01:31 us=156000   route_gateway_via_dhcp = DISABLED
2022-03-14 09:01:31 us=156000   allow_pull_fqdn = DISABLED
2022-03-14 09:01:31 us=156000   Pull filters:
2022-03-14 09:01:31 us=156000     ignore "dhcp-option DNS"
2022-03-14 09:01:31 us=156000     ignore "route-method"
2022-03-14 09:01:31 us=156000   route remote_host/255.255.255.255/net_gateway/default (not set)
2022-03-14 09:01:31 us=156000   management_addr = '127.0.0.1'
2022-03-14 09:01:31 us=156000   management_port = '25340'
2022-03-14 09:01:31 us=156000   management_user_pass = 'stdin'
2022-03-14 09:01:31 us=156000   management_log_history_cache = 250
2022-03-14 09:01:31 us=156000   management_echo_buffer_size = 100
2022-03-14 09:01:31 us=156000   management_write_peer_info_file = '[UNDEF]'
2022-03-14 09:01:31 us=156000   management_client_user = '[UNDEF]'
2022-03-14 09:01:31 us=156000   management_client_group = '[UNDEF]'
2022-03-14 09:01:31 us=156000   management_flags = 16390
2022-03-14 09:01:31 us=156000   shared_secret_file = '[UNDEF]'
2022-03-14 09:01:31 us=156000   key_direction = not set
2022-03-14 09:01:31 us=156000   ciphername = 'AES-128-CBC'
2022-03-14 09:01:31 us=156000   ncp_enabled = ENABLED
2022-03-14 09:01:31 us=156000   ncp_ciphers = 'AES-256-GCM:AES-128-GCM:AES-128-CBC'
2022-03-14 09:01:31 us=156000   authname = 'SHA256'
2022-03-14 09:01:31 us=156000   prng_hash = 'SHA1'
2022-03-14 09:01:31 us=156000   prng_nonce_secret_len = 16
2022-03-14 09:01:31 us=156000   keysize = 0
2022-03-14 09:01:31 us=156000   engine = DISABLED
2022-03-14 09:01:31 us=156000   replay = ENABLED
2022-03-14 09:01:31 us=156000   mute_replay_warnings = DISABLED
2022-03-14 09:01:31 us=156000   replay_window = 64
2022-03-14 09:01:31 us=156000   replay_time = 15
2022-03-14 09:01:31 us=156000   packet_id_file = '[UNDEF]'
2022-03-14 09:01:31 us=156000   test_crypto = DISABLED
2022-03-14 09:01:31 us=156000   tls_server = DISABLED
2022-03-14 09:01:31 us=156000   tls_client = ENABLED
2022-03-14 09:01:31 us=156000   ca_file = '[INLINE]'
2022-03-14 09:01:31 us=156000   ca_path = '[UNDEF]'
2022-03-14 09:01:31 us=156000   dh_file = '[UNDEF]'
2022-03-14 09:01:31 us=156000   cert_file = '[INLINE]'
2022-03-14 09:01:31 us=156000   extra_certs_file = '[UNDEF]'
2022-03-14 09:01:31 us=156000   priv_key_file = '[INLINE]'
2022-03-14 09:01:31 us=156000   pkcs12_file = '[UNDEF]'
2022-03-14 09:01:31 us=156000   cryptoapi_cert = '[UNDEF]'
2022-03-14 09:01:31 us=156000   cipher_list = '[UNDEF]'
2022-03-14 09:01:31 us=156000   cipher_list_tls13 = '[UNDEF]'
2022-03-14 09:01:31 us=156000   tls_cert_profile = '[UNDEF]'
2022-03-14 09:01:31 us=156000   tls_verify = '[UNDEF]'
2022-03-14 09:01:31 us=156000   tls_export_cert = '[UNDEF]'
2022-03-14 09:01:31 us=156000   verify_x509_type = 1
2022-03-14 09:01:31 us=156000   verify_x509_name = 'C=NA, ST=NA, L=NA, O=NA, OU=NA, CN=Appliance_Certificate_e7hcC8JQJoCbtj1, emailAddress=na@example.com'
2022-03-14 09:01:31 us=156000   crl_file = '[UNDEF]'
2022-03-14 09:01:31 us=156000   ns_cert_type = 0
2022-03-14 09:01:31 us=156000   remote_cert_ku[i] = 0
2022-03-14 09:01:31 us=156000   remote_cert_ku[i] = 0
2022-03-14 09:01:31 us=156000   remote_cert_ku[i] = 0
2022-03-14 09:01:31 us=156000   remote_cert_ku[i] = 0
2022-03-14 09:01:31 us=156000   remote_cert_ku[i] = 0
2022-03-14 09:01:31 us=156000   remote_cert_ku[i] = 0
2022-03-14 09:01:31 us=156000   remote_cert_ku[i] = 0
2022-03-14 09:01:31 us=156000   remote_cert_ku[i] = 0
2022-03-14 09:01:31 us=156000   remote_cert_ku[i] = 0
2022-03-14 09:01:31 us=156000   remote_cert_ku[i] = 0
2022-03-14 09:01:31 us=156000   remote_cert_ku[i] = 0
2022-03-14 09:01:31 us=156000   remote_cert_ku[i] = 0
2022-03-14 09:01:31 us=156000   remote_cert_ku[i] = 0
2022-03-14 09:01:31 us=156000   remote_cert_ku[i] = 0
2022-03-14 09:01:31 us=156000   remote_cert_ku[i] = 0
2022-03-14 09:01:31 us=156000   remote_cert_ku[i] = 0
2022-03-14 09:01:31 us=156000   remote_cert_eku = '[UNDEF]'
2022-03-14 09:01:31 us=156000   ssl_flags = 0
2022-03-14 09:01:31 us=156000   tls_timeout = 2
2022-03-14 09:01:31 us=156000   renegotiate_bytes = -1
2022-03-14 09:01:31 us=156000   renegotiate_packets = 0
2022-03-14 09:01:31 us=156000   renegotiate_seconds = 0
2022-03-14 09:01:31 us=156000   handshake_window = 60
2022-03-14 09:01:31 us=156000   transition_window = 3600
2022-03-14 09:01:31 us=156000   single_session = DISABLED
2022-03-14 09:01:31 us=156000   push_peer_info = DISABLED
2022-03-14 09:01:31 us=156000   tls_exit = DISABLED
2022-03-14 09:01:31 us=156000   tls_crypt_v2_metadata = '[UNDEF]'
2022-03-14 09:01:31 us=156000   pkcs11_protected_authentication = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_protected_authentication = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_protected_authentication = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_protected_authentication = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_protected_authentication = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_protected_authentication = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_protected_authentication = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_protected_authentication = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_protected_authentication = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_protected_authentication = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_protected_authentication = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_protected_authentication = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_protected_authentication = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_protected_authentication = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_protected_authentication = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_protected_authentication = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_private_mode = 00000000
2022-03-14 09:01:31 us=156000   pkcs11_private_mode = 00000000
2022-03-14 09:01:31 us=156000   pkcs11_private_mode = 00000000
2022-03-14 09:01:31 us=156000   pkcs11_private_mode = 00000000
2022-03-14 09:01:31 us=156000   pkcs11_private_mode = 00000000
2022-03-14 09:01:31 us=156000   pkcs11_private_mode = 00000000
2022-03-14 09:01:31 us=156000   pkcs11_private_mode = 00000000
2022-03-14 09:01:31 us=156000   pkcs11_private_mode = 00000000
2022-03-14 09:01:31 us=156000   pkcs11_private_mode = 00000000
2022-03-14 09:01:31 us=156000   pkcs11_private_mode = 00000000
2022-03-14 09:01:31 us=156000   pkcs11_private_mode = 00000000
2022-03-14 09:01:31 us=156000   pkcs11_private_mode = 00000000
2022-03-14 09:01:31 us=156000   pkcs11_private_mode = 00000000
2022-03-14 09:01:31 us=156000   pkcs11_private_mode = 00000000
2022-03-14 09:01:31 us=156000   pkcs11_private_mode = 00000000
2022-03-14 09:01:31 us=156000   pkcs11_private_mode = 00000000
2022-03-14 09:01:31 us=156000   pkcs11_cert_private = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_cert_private = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_cert_private = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_cert_private = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_cert_private = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_cert_private = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_cert_private = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_cert_private = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_cert_private = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_cert_private = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_cert_private = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_cert_private = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_cert_private = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_cert_private = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_cert_private = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_cert_private = DISABLED
2022-03-14 09:01:31 us=156000   pkcs11_pin_cache_period = -1
2022-03-14 09:01:31 us=156000   pkcs11_id = '[UNDEF]'
2022-03-14 09:01:31 us=156000   pkcs11_id_management = DISABLED
2022-03-14 09:01:31 us=156000   server_network = 0.0.0.0
2022-03-14 09:01:31 us=156000   server_netmask = 0.0.0.0
2022-03-14 09:01:31 us=156000   server_network_ipv6 = ::
2022-03-14 09:01:31 us=156000   server_netbits_ipv6 = 0
2022-03-14 09:01:31 us=156000   server_bridge_ip = 0.0.0.0
2022-03-14 09:01:31 us=156000   server_bridge_netmask = 0.0.0.0
2022-03-14 09:01:31 us=156000   server_bridge_pool_start = 0.0.0.0
2022-03-14 09:01:31 us=156000   server_bridge_pool_end = 0.0.0.0
2022-03-14 09:01:31 us=156000   ifconfig_pool_defined = DISABLED
2022-03-14 09:01:31 us=156000   ifconfig_pool_start = 0.0.0.0
2022-03-14 09:01:31 us=156000   ifconfig_pool_end = 0.0.0.0
2022-03-14 09:01:31 us=156000   ifconfig_pool_netmask = 0.0.0.0
2022-03-14 09:01:31 us=156000   ifconfig_pool_persist_filename = '[UNDEF]'
2022-03-14 09:01:31 us=156000   ifconfig_pool_persist_refresh_freq = 600
2022-03-14 09:01:31 us=156000   ifconfig_ipv6_pool_defined = DISABLED
2022-03-14 09:01:31 us=156000   ifconfig_ipv6_pool_base = ::
2022-03-14 09:01:31 us=156000   ifconfig_ipv6_pool_netbits = 0
2022-03-14 09:01:31 us=156000   n_bcast_buf = 256
2022-03-14 09:01:31 us=156000   tcp_queue_limit = 64
2022-03-14 09:01:31 us=156000   real_hash_size = 256
2022-03-14 09:01:31 us=156000   virtual_hash_size = 256
2022-03-14 09:01:31 us=156000   client_connect_script = '[UNDEF]'
2022-03-14 09:01:31 us=156000   learn_address_script = '[UNDEF]'
2022-03-14 09:01:31 us=156000   client_disconnect_script = '[UNDEF]'
2022-03-14 09:01:31 us=156000   client_config_dir = '[UNDEF]'
2022-03-14 09:01:31 us=156000   ccd_exclusive = DISABLED
2022-03-14 09:01:31 us=156000   tmp_dir = 'C:\Users\ChiHang\AppData\Local\Temp'
2022-03-14 09:01:31 us=156000   push_ifconfig_defined = DISABLED
2022-03-14 09:01:31 us=156000   push_ifconfig_local = 0.0.0.0
2022-03-14 09:01:31 us=156000   push_ifconfig_remote_netmask = 0.0.0.0
2022-03-14 09:01:31 us=156000   push_ifconfig_ipv6_defined = DISABLED
2022-03-14 09:01:31 us=156000   push_ifconfig_ipv6_local = ::/0
2022-03-14 09:01:31 us=156000   push_ifconfig_ipv6_remote = ::
2022-03-14 09:01:31 us=156000   enable_c2c = DISABLED
2022-03-14 09:01:31 us=156000   duplicate_cn = DISABLED
2022-03-14 09:01:31 us=156000   cf_max = 0
2022-03-14 09:01:31 us=156000   cf_per = 0
2022-03-14 09:01:31 us=156000   max_clients = 1024
2022-03-14 09:01:31 us=156000   max_routes_per_client = 256
2022-03-14 09:01:31 us=156000   auth_user_pass_verify_script = '[UNDEF]'
2022-03-14 09:01:31 us=156000   auth_user_pass_verify_script_via_file = DISABLED
2022-03-14 09:01:31 us=156000   auth_token_generate = DISABLED
2022-03-14 09:01:31 us=156000   auth_token_lifetime = 0
2022-03-14 09:01:31 us=156000   auth_token_secret_file = '[UNDEF]'
2022-03-14 09:01:31 us=156000   vlan_tagging = DISABLED
2022-03-14 09:01:31 us=156000   vlan_accept = all
2022-03-14 09:01:31 us=156000   vlan_pvid = 1
2022-03-14 09:01:31 us=156000   client = ENABLED
2022-03-14 09:01:31 us=156000   pull = ENABLED
2022-03-14 09:01:31 us=156000   auth_user_pass_file = 'D:/login.conf'
2022-03-14 09:01:31 us=156000   show_net_up = DISABLED
2022-03-14 09:01:31 us=156000   route_method = 3
2022-03-14 09:01:31 us=156000   block_outside_dns = DISABLED
2022-03-14 09:01:31 us=156000   ip_win32_defined = DISABLED
2022-03-14 09:01:31 us=156000   ip_win32_type = 3
2022-03-14 09:01:31 us=156000   dhcp_masq_offset = 0
2022-03-14 09:01:31 us=156000   dhcp_lease_time = 31536000
2022-03-14 09:01:31 us=156000   tap_sleep = 0
2022-03-14 09:01:31 us=156000   dhcp_options = ENABLED
2022-03-14 09:01:31 us=156000   dhcp_renew = DISABLED
2022-03-14 09:01:31 us=156000   dhcp_pre_release = DISABLED
2022-03-14 09:01:31 us=156000   domain = 'KCompanytoken.com'
2022-03-14 09:01:31 us=156000   netbios_scope = '[UNDEF]'
2022-03-14 09:01:31 us=156000   netbios_node_type = 0
2022-03-14 09:01:31 us=156000   disable_nbt = DISABLED
2022-03-14 09:01:31 us=156000   DNS[0] = 172.29.20.10
2022-03-14 09:01:31 us=156000 OpenVPN 2.5.5 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 15 2021
2022-03-14 09:01:31 us=156000 Windows version 10.0 (Windows 10 or greater) 64bit
2022-03-14 09:01:31 us=156000 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
2022-03-14 09:01:31 us=156000 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2022-03-14 09:01:31 us=156000 Need hold release from management interface, waiting...
2022-03-14 09:01:31 us=593000 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
2022-03-14 09:01:31 us=703000 MANAGEMENT: CMD 'state on'
2022-03-14 09:01:31 us=703000 MANAGEMENT: CMD 'log all on'
2022-03-14 09:01:32 us=156000 MANAGEMENT: CMD 'echo all on'
2022-03-14 09:01:32 us=156000 MANAGEMENT: CMD 'bytecount 5'
2022-03-14 09:01:32 us=171000 MANAGEMENT: CMD 'hold off'
2022-03-14 09:01:32 us=171000 MANAGEMENT: CMD 'hold release'
2022-03-14 09:01:32 us=187000 MANAGEMENT: CMD 'proxy NONE  '
2022-03-14 09:01:33 us=203000 LZO compression initializing
2022-03-14 09:01:33 us=203000 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2022-03-14 09:01:33 us=203000 MANAGEMENT: >STATE:1647219693,RESOLVE,,,,,,
2022-03-14 09:01:33 us=203000 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
2022-03-14 09:01:33 us=203000 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA256,keysize 128,key-method 2,tls-client'
2022-03-14 09:01:33 us=203000 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA256,keysize 128,key-method 2,tls-server'
2022-03-14 09:01:33 us=203000 TCP/UDP: Preserving recently used remote address: [AF_INET]61.219.243.246:2194
2022-03-14 09:01:33 us=203000 Socket Buffers: R=[65536->65536] S=[65536->65536]
2022-03-14 09:01:33 us=203000 UDP link local: (not bound)
2022-03-14 09:01:33 us=203000 UDP link remote: [AF_INET]61.219.243.246:2194
2022-03-14 09:01:33 us=203000 MANAGEMENT: >STATE:1647219693,WAIT,,,,,,
2022-03-14 09:01:33 us=203000 MANAGEMENT: >STATE:1647219693,AUTH,,,,,,
2022-03-14 09:01:33 us=203000 TLS: Initial packet from [AF_INET]61.219.243.246:2194, sid=85ee0e01 d381956f
2022-03-14 09:01:33 us=296000 VERIFY OK: depth=1, C=TW, ST=Taiwan, L=Taipei, O=KCompany Research, OU=HPC, CN=gateway, emailAddress=hpc@KCompanyresearch.com
2022-03-14 09:01:33 us=296000 VERIFY X509NAME OK: C=NA, ST=NA, L=NA, O=NA, OU=NA, CN=Appliance_Certificate_e7hcC8JQJoCbtj1, emailAddress=na@example.com
2022-03-14 09:01:33 us=296000 VERIFY OK: depth=0, C=NA, ST=NA, L=NA, O=NA, OU=NA, CN=Appliance_Certificate_e7hcC8JQJoCbtj1, emailAddress=na@example.com
2022-03-14 09:01:33 us=375000 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: ecdsa-with-SHA256
2022-03-14 09:01:33 us=375000 [Appliance_Certificate_e7hcC8JQJoCbtj1] Peer Connection Initiated with [AF_INET]61.219.243.246:2194
2022-03-14 09:01:34 us=406000 MANAGEMENT: >STATE:1647219694,GET_CONFIG,,,,,,
2022-03-14 09:01:34 us=406000 SENT CONTROL [Appliance_Certificate_e7hcC8JQJoCbtj1]: 'PUSH_REQUEST' (status=1)
2022-03-14 09:01:35 us=406000 Key [AF_INET]61.219.243.246:2194 [0] not initialized (yet), dropping packet.
2022-03-14 09:01:35 us=453000 Key [AF_INET]61.219.243.246:2194 [0] not initialized (yet), dropping packet.
2022-03-14 09:01:35 us=484000 Key [AF_INET]61.219.243.246:2194 [0] not initialized (yet), dropping packet.
2022-03-14 09:01:35 us=656000 Key [AF_INET]61.219.243.246:2194 [0] not initialized (yet), dropping packet.
2022-03-14 09:01:36 Key [AF_INET]61.219.243.246:2194 [0] not initialized (yet), dropping packet.
2022-03-14 09:01:36 us=671000 Key [AF_INET]61.219.243.246:2194 [0] not initialized (yet), dropping packet.
2022-03-14 09:01:38 us=31000 Key [AF_INET]61.219.243.246:2194 [0] not initialized (yet), dropping packet.
2022-03-14 09:01:39 us=62000 SENT CONTROL [Appliance_Certificate_e7hcC8JQJoCbtj1]: 'PUSH_REQUEST' (status=1)
2022-03-14 09:01:39 us=78000 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.81.234.5,sndbuf 0,rcvbuf 0,sndbuf 0,rcvbuf 0,ping 45,ping-restart 180,redirect-gateway def1,topology subnet,route remote_host 255.255.255.255 net_gateway,inactive 900 7680,dhcp-option DNS 172.29.20.10,dhcp-option DNS 172.29.20.11,dhcp-option DOMAIN KCompanytoken.com,ifconfig 10.81.234.10 255.255.255.0'
2022-03-14 09:01:39 us=78000 Pushed option removed by filter: 'dhcp-option DNS 172.29.20.10'
2022-03-14 09:01:39 us=78000 Pushed option removed by filter: 'dhcp-option DNS 172.29.20.11'
2022-03-14 09:01:39 us=78000 OPTIONS IMPORT: timers and/or timeouts modified
2022-03-14 09:01:39 us=78000 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2022-03-14 09:01:39 us=78000 Socket Buffers: R=[65536->65536] S=[65536->65536]
2022-03-14 09:01:39 us=78000 OPTIONS IMPORT: --ifconfig/up options modified
2022-03-14 09:01:39 us=78000 OPTIONS IMPORT: route options modified
2022-03-14 09:01:39 us=78000 OPTIONS IMPORT: route-related options modified
2022-03-14 09:01:39 us=78000 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2022-03-14 09:01:39 us=78000 Using peer cipher 'AES-128-CBC'
2022-03-14 09:01:39 us=78000 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
2022-03-14 09:01:39 us=78000 Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-03-14 09:01:39 us=78000 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
2022-03-14 09:01:39 us=78000 Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-03-14 09:01:39 us=78000 interactive service msg_channel=704
2022-03-14 09:01:39 us=93000 open_tun
2022-03-14 09:01:39 us=109000 tap-windows6 device [OpenVPN TAP-Windows6] opened
2022-03-14 09:01:39 us=109000 TAP-Windows Driver Version 9.24 
2022-03-14 09:01:39 us=109000 TAP-Windows MTU=1500
2022-03-14 09:01:39 us=109000 Set TAP-Windows TUN subnet mode network/local/netmask = 10.81.234.0/10.81.234.10/255.255.255.0 [SUCCEEDED]
2022-03-14 09:01:39 us=109000 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.81.234.10/255.255.255.0 on interface {AC546456-9C13-4AFA-AE49-AB98FA257865} [DHCP-serv: 10.81.234.0, lease-time: 31536000]
2022-03-14 09:01:39 us=109000 DHCP option string: 0f0f6b72 6f6e6f73 746f6b65 6e2e636f 6d0604ac 1d140a
2022-03-14 09:01:39 us=109000 Successful ARP Flush on interface [13] {AC546456-9C13-4AFA-AE49-AB98FA257865}
2022-03-14 09:01:39 us=125000 do_ifconfig, ipv4=1, ipv6=0
2022-03-14 09:01:39 us=125000 MANAGEMENT: >STATE:1647219699,ASSIGN_IP,,10.81.234.10,,,,
2022-03-14 09:01:39 us=125000 IPv4 MTU set to 1500 on interface 13 using service
2022-03-14 09:01:43 us=156000 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
2022-03-14 09:01:43 us=156000 C:\WINDOWS\system32\route.exe ADD 61.219.243.246 MASK 255.255.255.255 192.168.50.1
2022-03-14 09:01:43 us=156000 Route addition via service succeeded
2022-03-14 09:01:43 us=156000 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.81.234.5
2022-03-14 09:01:43 us=171000 Route addition via service succeeded
2022-03-14 09:01:43 us=171000 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.81.234.5
2022-03-14 09:01:43 us=171000 Route addition via service succeeded
2022-03-14 09:01:43 us=171000 MANAGEMENT: >STATE:1647219703,ADD_ROUTES,,,,,,
2022-03-14 09:01:43 us=171000 C:\WINDOWS\system32\route.exe ADD 61.219.243.246 MASK 255.255.255.255 192.168.50.1
2022-03-14 09:01:43 us=171000 ROUTE: route addition failed using service: 物件已經存在。   [status=5010 if_index=14]
2022-03-14 09:01:43 us=171000 Route addition via service failed
2022-03-14 09:01:43 us=171000 C:\WINDOWS\system32\route.exe ADD 61.219.243.246 MASK 255.255.255.255 192.168.50.1
2022-03-14 09:01:43 us=171000 ROUTE: route addition failed using service: 物件已經存在。   [status=5010 if_index=14]
2022-03-14 09:01:43 us=171000 Route addition via service failed
2022-03-14 09:01:43 us=171000 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2022-03-14 09:01:43 us=171000 Initialization Sequence Completed
2022-03-14 09:01:43 us=171000 MANAGEMENT: >STATE:1647219703,CONNECTED,SUCCESS,10.81.234.10,61.219.243.246,2194,,

How to fix DNS issues when using OpenVPN.

Sometimes you connect to the VPN server successfully but nothing seems to work. One of the reasons could be DNS.
First, check your VPN logs. Where they are depends on the client, for instance
on macOS (Tunnelblick):
/Library/Application Support/Tunnelblick/Logs
or on Linux (NetworkManager):
journalctl -u NetworkManager.service

2019-06-11 23:30:25.110048 MANAGEMENT: >STATE:1560292225,GET_CONFIG,,,,,,
2019-06-11 23:30:25.110251 SENT CONTROL [openvpn.example.com]: 'PUSH_REQUEST' (status=1)
2019-06-11 23:30:25.252005 PUSH: Received control message: 'PUSH_REPLY,route ....
dhcp-option DOMAIN dev.example.com,dhcp-option DOMAIN prod.example.com,dhcp-option DOMAIN int.example.com'
...
....
2019-06-11 23:30:25.252374 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:13: dhcp-option (2.4.7)

In the example above, the OpenVPN client complains that it does not recognise dhcp-option, because the server pushes multiple ‘dhcp-option DOMAIN value’ config params whereas
the client expects a single command with multiple values: ‘dhcp-option DOMAIN value1 value2’.

This normally happens when your client version doesn’t match your server version, so your client doesn’t know what to do with them.

As a result you may not get correct settings in your ‘/etc/resolv.conf’, for example a missing or incomplete ‘nameserver’ or ‘search’ entry.
In this example ‘search’ won’t be set up correctly, meaning that if there was a DNS record like something.int.example.com, we wouldn’t be able
to refer to it by the short name ‘something’ without the FQDN; that is what the ‘search’ parameter does in ‘/etc/resolv.conf’.

If ‘nameserver’ is not configured, DNS won’t work at all.

But there is a solution.

In this example, we can configure our client to ignore specific options pushed by the server and set them on the client side instead, as below:

pull-filter ignore "dhcp-option DOMAIN"
dhcp-option DOMAIN "dev.example.com prod.example.com int.example.com"

If that doesn’t work for some reason, or your client doesn’t support these options at all, you can always run a custom script that adds those parameters to your resolv.conf, or whatever your system
uses. The important thing is to know what the server is trying to set up, and then set it yourself:

# $vpn_connection must already hold the name of the connection that was just brought up
[[ "$vpn_connection" == "mywork_vpn" ]] &&
 echo "setting-up-dns manually..." &&
 sudo bash -c 'echo -e "search dev.example.com prod.example.com int.example.com\nnameserver 172.16.0.03" > /etc/resolv.conf'

This is probably not the best idea, but in the worst case it may still help. The file will be overwritten by other tools, such as a Wi-Fi connection or another VPN connection, or you
can store the old version and write it back after disconnecting from your mywork_vpn.
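
To see what the server is trying to set up without reading the whole log by eye, the script below (an added example, not part of the original article or of OpenVPN) pulls the dhcp-option entries out of the PUSH_REPLY line and compares them with the "Pushed option removed by filter" and "Options error" lines. The function name, the report keys and both sample logs are constructed for illustration, modelled on the two logs shown above.

```python
import re

PUSH_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,(.*)'")
FILTERED_RE = re.compile(r"Pushed option removed by filter: '(.*)'")
ERROR_RE = re.compile(r"Options error: .* in \[PUSH-OPTIONS\]:\d+: (\S+)")


def analyze_push(log_text):
    """Summarise which DNS settings were pushed and what the client did with them."""
    pushed, filtered, rejected = [], [], []
    for line in log_text.splitlines():
        if m := PUSH_RE.search(line):
            # PUSH_REPLY is a comma-separated option list; keep the dhcp-option entries.
            pushed = [o.strip() for o in m.group(1).split(",")
                      if o.strip().startswith("dhcp-option ")]
        elif m := FILTERED_RE.search(line):
            filtered.append(m.group(1))
        elif m := ERROR_RE.search(line):
            rejected.append(m.group(1))

    def values(kind, options):
        prefix = f"dhcp-option {kind} "
        return [o[len(prefix):] for o in options if o.startswith(prefix)]

    kept = [o for o in pushed if o not in filtered]
    report = {
        "pushed_dns": values("DNS", pushed),
        "pushed_domains": values("DOMAIN", pushed),
        "dns_after_filters": values("DNS", kept),
        "domains_after_filters": values("DOMAIN", kept),
        "warnings": [],
    }
    if report["pushed_dns"] and not report["dns_after_filters"]:
        report["warnings"].append("every pushed DNS server was dropped by a pull-filter")
    if len(report["pushed_domains"]) > 1:
        report["warnings"].append("server pushed several separate 'dhcp-option DOMAIN' entries")
    if "dhcp-option" in rejected:
        report["warnings"].append("client rejected a pushed dhcp-option")
    return report


# Constructed sample: the client config carries pull-filter ignore "dhcp-option DNS".
FILTERED_LOG = """\
2022-03-14 09:01:39 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.0.1,dhcp-option DNS 10.0.0.53,dhcp-option DNS 10.0.0.54,dhcp-option DOMAIN corp.example.com,ifconfig 10.8.0.10 255.255.255.0'
2022-03-14 09:01:39 Pushed option removed by filter: 'dhcp-option DNS 10.0.0.53'
2022-03-14 09:01:39 Pushed option removed by filter: 'dhcp-option DNS 10.0.0.54'
"""

# Constructed sample: the server pushes three separate DOMAIN options and the client objects.
REJECTED_LOG = """\
2019-06-11 23:30:25 PUSH: Received control message: 'PUSH_REPLY,route 10.0.0.0 255.0.0.0,dhcp-option DNS 10.0.0.53,dhcp-option DOMAIN dev.example.com,dhcp-option DOMAIN prod.example.com,dhcp-option DOMAIN int.example.com'
2019-06-11 23:30:25 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: dhcp-option (2.4.7)
"""

if __name__ == "__main__":
    for name, log in (("filtered", FILTERED_LOG), ("rejected", REJECTED_LOG)):
        print(name, analyze_push(log))
```

When "dns_after_filters" comes back empty, the resolver settings have to come from the client configuration itself (a local dhcp-option DNS line) or from a script like the one above.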

https://community.openvpn.net/openvpn/ticket/809
http://man7.org/linux/man-pages/man5/resolv.conf.5.html
