VPN: Problem with ping and browsing
After connecting from home via VPN to my institute by
sudo openvpn --config /home/myname/thinkpad1/thinkpad1.ovpn
I cannot browse web pages. (The connection itself seems to be OK, saying "Initialization sequence completed"). In analyzing the problem on the command line I see:
ping google.com
gives no answer, whereas
ping 8.8.8.8
is successful.
But calling
in the browser is NOT successful.
Further: Performing
route -n
I get:
(1) Without VPN connection
Kernel-IP-Routentabelle
Ziel Router Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.1 0.0.0.0 UG 600 0 0 wlan0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 wlan0
192.168.0.0 0.0.0.0 255.255.255.0 U 600 0 0 wlan0
(2) With VPN
Kernel-IP-Routentabelle
Ziel Router Genmask Flags Metric Ref Use Iface
0.0.0.0 10.8.0.217 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.0.1 0.0.0.0 UG 600 0 0 wlan0
10.8.0.1 10.8.0.217 255.255.255.255 UGH 0 0 0 tun0
10.8.0.217 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
128.0.0.0 10.8.0.217 128.0.0.0 UG 0 0 0 tun0
147.142.19.56 192.168.0.1 255.255.255.255 UGH 0 0 0 wlan0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 wlan0
192.168.0.0 0.0.0.0 255.255.255.0 U 600 0 0 wlan0
Edit: Both with VPN up and with VPN down, the command
ls -al /etc/resolv.conf
brings
lrwxrwxrwx 1 root root 29 Jan 13 2016 /etc/resolv.conf -> ../run/resolvconf/resolv.conf
and
cat /etc/resolv.conf
brings
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.1.1
search box
And
systemd-resolve --status
says "unknown option"
I tried
systemd-resolve --version
and get
systemd 229
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN
The command
ls -al /etc/openvpn
yields
insgesamt 20
drwxr-xr-x 2 root root 4096 Aug 22 12:38 .
drwxr-xr-x 161 root root 12288 Aug 23 11:52 ..
-rwxr-xr-x 1 root root 1301 Jun 22 2017 update-resolv-conf
And
grep -i -A3 script-security /home/myname/thinkpad1/thinkpad1.ovpn
yields nothing.
Whereas
dpkg -l resolv*
gives
Gewünscht=Unbekannt/Installieren/R=Entfernen/P=Vollständig Löschen/Halten
| Status=Nicht/Installiert/Config/U=Entpackt/halb konFiguriert/ Halb installiert/Trigger erWartet/Trigger anhängig
|/ Fehler?=(kein)/R=Neuinstallation notwendig (Status, Fehler: GROSS=schlecht)
||/ Name Version Architektur Beschreibung
+++-==============-============-============-=================================
ii resolvconf 1.78ubuntu7 all name server information handler
2 Answers
sudo -H gedit /home/myname/thinkpad1/thinkpad1.ovpn # edit this .ovpn file
Add the following to the END of the .ovpn file...
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
Save the file and quit gedit.
Retry...
sudo openvpn --config /home/myname/thinkpad1/thinkpad1.ovpn # start VPN
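What an up hook such as /etc/openvpn/update-resolv-conf has to work with, as an added example that is not part of the original answer and not the Ubuntu script itself: OpenVPN hands pushed dhcp-option values to up scripts as foreign_option_N environment variables, and this dry-run prints the resolv.conf lines they imply without changing anything. The function name vpn_dns_lines and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: dry-run of the DNS data an OpenVPN "up" hook receives.
# It only prints; it never touches /etc/resolv.conf or calls resolvconf.

# Build resolv.conf-style lines from foreign_option_1, foreign_option_2, ...
# (the environment variables OpenVPN sets for pushed "dhcp-option" values).
# vpn_dns_lines is a hypothetical helper name, not part of OpenVPN.
vpn_dns_lines() {
    n=1
    servers=""
    domains=""
    while :; do
        # n is always a number generated here, so this eval is safe.
        eval "opt=\${foreign_option_$n-}"
        [ -n "$opt" ] || break
        # Expected shape: "dhcp-option DNS <ip>" or "dhcp-option DOMAIN <name>".
        set -f            # pushed values are untrusted: no glob expansion
        set -- $opt
        set +f
        if [ "$1" = "dhcp-option" ] && [ $# -ge 3 ]; then
            case "$2" in
                DNS)    servers="$servers $3" ;;
                DOMAIN) domains="$domains $3" ;;
            esac
        fi
        n=$((n + 1))
    done
    [ -n "$domains" ] && echo "search${domains}"
    for s in $servers; do
        echo "nameserver $s"
    done
    # Non-zero exit: the server pushed no DNS server at all.
    [ -n "$servers" ]
}

# Constructed sample values (assumptions, not taken from the asker's server).
foreign_option_1="dhcp-option DNS 10.8.0.1"
foreign_option_2="dhcp-option DOMAIN example.test"
vpn_dns_lines || echo "no DNS server pushed by the VPN" >&2
```

If the function reports that no DNS server was pushed, the up hook has nothing to register and the resolver configuration stays as it was before the tunnel came up.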
Is your machine using DHCP? If not, you need to set your DNS servers another way.
Also you should verify it's really a DNS config issue... like look at your servers with:
$ cat /etc/resolv.conf
...
$ nslookup
> server
Default server: ... (some ip... if it's your normal non-vpn DNS server, this test fails...it should be something behind the VPN probably)
Address: ...
>
What I do is... in your configuration file (possibly named client.ovpn), you can add lines like:
script-security 2
route-up connect up
route-pre-down connect down
And then in the script named connect (in the same dir as the ovpn file), you have some code to do what you need... for example:
- back up the old /etc/resolv.conf (with mv, not cp... otherwise hard power off can damage files)
- write a new one, maybe with another name and symlink: ln -s /etc/resolv.conf.vpn /etc/resolv.conf
- and also (yuck but not sure how else to do it) enable a shutdown/startup init/rc script that will replace it with the original if you were to uncleanly stop the computer (so the route-pre-down never runs).
- and also what I do is not include those above 3 lines in the original, and instead my connect without args will append them to a new file and run it like openvpn client.ovpn.generated
And the ugliest part is... for unknown reasons, this doesn't work with one particular machine that also has DHCP that doesn't work properly either, and so the currently used so far problem free but still terrible solution is to do it the same as static like I described, but also chattr +i /etc/resolv.conf in the script, and chattr -i /etc/resolv.conf there and also on the shutdown/startup init/rc script. This is certainly the wrong way, but I haven't found a proper way that complies with usual distro networking scripts. I hope you have better luck than this one machine.