Ryfujk

Currently I am trying to route my traffic through a gateway running Debian Linux which forwards all incoming traffic thorugh a VPN connection (Client -> Gateway with OpenVPN client -> VPN server -> Internet). This works fine exept it loses the connection from time to time and is unable to reconnect ifself due to nslookup timeouts. This happens every few days, mostly at night (as far as I know, some servers are terminating the session if no traffic was sent for a long time).

When happening, I'll try to connect through SSH but after entering the username the server waits about 20 seconds before asking for the password which is also strange. Normally it askes for the password immediately.

When looking into the syslog this one comes up:

Jul 20 00:50:11 gateway ovpn-cyberghost[23893]: RESOLVE: Cannot resolve host address: 5-nl.cg-dialup.net: Temporary failure in name resolution

ifconfig and route shows, that the VPN interface is still up but seems to be hung up.

root@gateway:~# route -n

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

0.0.0.0         10.129.57.169   128.0.0.0       UG    0      0        0 tun0

0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth2

10.129.57.169   0.0.0.0         255.255.255.255 UH    0      0        0 tun0

93.190.138.125  192.168.0.1     255.255.255.255 UGH   0      0        0 eth2

128.0.0.0       10.129.57.169   128.0.0.0       UG    0      0        0 tun0

192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2

217.23.12.229   192.168.0.1     255.255.255.255 UGH   0      0        0 eth2

Heres my OpenVPN config:

client

remote 5-nl.cg-dialup.net 443

dev tun 

proto udp

auth-user-pass /etc/openvpn/auth.txt

route-nopull



resolv-retry infinite 

redirect-gateway def1

persist-key

persist-tun

writepid /run/openvpn.pid

nobind

cipher AES-256-CBC

auth MD5

ping 5

ping-restart 20

persist-local-ip

ping-timer-rem

explicit-exit-notify 2

script-security 2

remote-cert-tls server

route-delay 5

tun-mtu 1500 

fragment 1300

mssfix 1300

verb 1

comp-lzo

Heres my resolv.conf:

 root@gateway:~# cat /etc/resolv.conf

 nameserver 85.214.20.141

 nameserver 213.73.91.35

Changing the nameservers, for example to 127.0.0.1 (bind9 correctly installed as a dns resolver), did not solve anything but I do not expect to find the problem here.

I guess, the following is the reason: The server closed the session due inactivity of the client so the client tries to reconnect. In the process of reconnecting OpenVPN resolves the hostname of the VPN server but it uses the broken VPN interface which is set as the default gateway instead of the correct default gateway. No cleanup is made (remove tun0 interface and deleting the routes), which would perhaps solve the problem. Also I think there could be an issue having two default gateways but I am not sure.

After terminating the OpenVPN process manually and starting it again everything works fine like nothing ever happend.

I don't know how either tell OpenVPN to use the eth2 interface for that initial nslookup or to get OpenVPN to cleanup the routes. Did I forgot to add something in the config file (I didn't found any helpful commands in the manpage)?

https://askubuntu.com/questions/28733/how-do-i-run-a-script-after-openvpn-has-connected-successfully tells how you can execute custom scripts after connection going up or down.

So, you should create a down script, which would clean up the routes and make OpenVPN execute that when connection goes down.