openvpn not reconnecting on internet drop raspbian jessie

matthewobrn · 05-21-2017, 07:47 AM

Hi guys,

Thanks for reading this (and hopefully helping).

My setup is as follows:
I have a raspberry pi running raspbian jessie.
I have openvpn and have it setup to connect to TorGuard Vpn (Sweden). They have issued opvn config files to connect and I setup my username and password.

I also have a service running to ensure that thread is running on boot and if the command is terminated it will restart within 30 sec.

I have a fairly mediocre internet connection and it drops a couple times per day (shitty I know) when the pi boots it connects to the vpn and that great but if the internet drops off then the vpn tunnel fails to resolve the host-name. I tried adding keepalive 10 60 to the config but from what I understand its enabled by default. It also didn't help.

Here is the config file content:

Code:

client
dev tun
proto udp
remote swe.torguardvpnaccess.com 1912
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-auth ta.key 1
auth SHA256
cipher AES-128-CBC
remote-cert-tls server
auth-user-pass user.txt
comp-lzo
verb 1
reneg-sec 0
fast-io
# Uncomment these directives if you have speed issues
;sndbuf 393216
;rcvbuf 393216
;push "sndbuf 393216"
;push "rcvbuf 393216"

And here is the syslog:

Code:

May 21 22:30:56 raspberrypi systemd[1]: Starting Session c6 of user pi.
May 21 22:30:56 raspberrypi systemd[1]: Started Session c6 of user pi.
May 21 22:31:25 raspberrypi openvpn[5470]: RESOLVE: Cannot resolve host address: swe.torguardvpnaccess.com: Temporary failure in name resolution
May 21 22:32:10 raspberrypi openvpn[5470]: RESOLVE: Cannot resolve host address: swe.torguardvpnaccess.com: Temporary failure in name resolution
May 21 22:32:10 raspberrypi rsyslogd-2007: action 'action 17' suspended, next retry is Sun May 21 22:33:40 2017 [try http://www.rsyslog.com/e/2007 ]
May 21 22:32:55 raspberrypi openvpn[5470]: RESOLVE: Cannot resolve host address: swe.torguardvpnaccess.com: Temporary failure in name resolution
May 21 22:33:40 raspberrypi openvpn[5470]: RESOLVE: Cannot resolve host address: swe.torguardvpnaccess.com: Temporary failure in name resolution
May 21 22:33:40 raspberrypi rsyslogd-2007: action 'action 17' suspended, next retry is Sun May 21 22:35:10 2017 [try http://www.rsyslog.com/e/2007 ]
May 21 22:34:25 raspberrypi openvpn[5470]: RESOLVE: Cannot resolve host address: swe.torguardvpnaccess.com: Temporary failure in name resolution
May 21 22:35:10 raspberrypi openvpn[5470]: RESOLVE: Cannot resolve host address: swe.torguardvpnaccess.com: Temporary failure in name resolution
May 21 22:35:10 raspberrypi rsyslogd-2007: action 'action 17' suspended, next retry is Sun May 21 22:36:40 2017 [try http://www.rsyslog.com/e/2007 ]
May 21 22:35:55 raspberrypi openvpn[5470]: RESOLVE: Cannot resolve host address: swe.torguardvpnaccess.com: Temporary failure in name resolution
May 21 22:36:40 raspberrypi openvpn[5470]: RESOLVE: Cannot resolve host address: swe.torguardvpnaccess.com: Temporary failure in name resolution
May 21 22:36:40 raspberrypi rsyslogd-2007: action 'action 17' suspended, next retry is Sun May 21 22:38:10 2017 [try http://www.rsyslog.com/e/2007 ]
May 21 22:37:26 raspberrypi openvpn[5470]: RESOLVE: Cannot resolve host address: swe.torguardvpnaccess.com: Temporary failure in name resolution
May 21 22:38:11 raspberrypi openvpn[5470]: RESOLVE: Cannot resolve host address: swe.torguardvpnaccess.com: Temporary failure in name resolution
May 21 22:38:11 raspberrypi rsyslogd-2007: action 'action 17' suspended, next retry is Sun May 21 22:39:41 2017 [try http://www.rsyslog.com/e/2007 ]
May 21 22:38:56 raspberrypi openvpn[5470]: RESOLVE: Cannot resolve host address: swe.torguardvpnaccess.com: Temporary failure in name resolution
May 21 22:39:41 raspberrypi openvpn[5470]: RESOLVE: Cannot resolve host address: swe.torguardvpnaccess.com: Temporary failure in name resolution
May 21 22:39:41 raspberrypi rsyslogd-2007: action 'action 17' suspended, next retry is Sun May 21 22:41:11 2017 [try http://www.rsyslog.com/e/2007 ]
May 21 22:40:26 raspberrypi openvpn[5470]: RESOLVE: Cannot resolve host address: swe.torguardvpnaccess.com: Temporary failure in name resolution
May 21 22:41:11 raspberrypi openvpn[5470]: RESOLVE: Cannot resolve host address: swe.torguardvpnaccess.com: Temporary failure in name resolution
May 21 22:41:11 raspberrypi rsyslogd-2007: action 'action 17' suspended, next retry is Sun May 21 22:42:41 2017 [try http://www.rsyslog.com/e/2007 ]
May 21 22:41:56 raspberrypi openvpn[5470]: RESOLVE: Cannot resolve host address: swe.torguardvpnaccess.com: Temporary failure in name resolution
May 21 22:42:41 raspberrypi openvpn[5470]: RESOLVE: Cannot resolve host address: swe.torguardvpnaccess.com: Temporary failure in name resolution
May 21 22:42:41 raspberrypi rsyslogd-2007: action 'action 17' suspended, next retry is Sun May 21 22:44:11 2017 [try http://www.rsyslog.com/e/2007 ]
May 21 22:43:26 raspberrypi openvpn[5470]: RESOLVE: Cannot resolve host address: swe.torguardvpnaccess.com: Temporary failure in name resolution

Here is the command to start openvpn:

Code:

/usr/sbin/openvpn --daemon --cd /etc/openvpn/ --config TorGuard.Sweden.Stockholm.ovpn

I'm self taught in linux cmd but understand the basic and prefer the using the command line.

Thanks for your help with this.

matthewobrn · 05-25-2017, 12:59 AM

Does anyone have any ideas where I might be able to start looking to resolve this?

Cheers.

brebs · 05-25-2017, 10:02 AM

Fix your /etc/resolv.conf so that a DNS server is listed which does not require a VPN connection.

Alternatively, and more easily, change this line:
remote swe.torguardvpnaccess.com 1912
to:
remote 46.246.29.158 1912

matthewobrn · 05-26-2017, 04:41 AM

Thanks for the help, I'll give it a go.

matthewobrn · 05-26-2017, 08:13 PM

So I have looked into the resolv.conf it is getting the dns ip addresses from resolvconf which is getting them from the dhcp server.

I had already configured the dhcp to use the VPN's dns server settings which are available with or without an active vpn.

resolv.conf

Code:

# Generated by resolvconf
nameserver 91.121.113.58
nameserver 91.121.113.7

resolvconf -l

Code:

pi@raspberrypi:~ $ resolvconf -l
# resolv.conf from eth0
# Generated by dhcpcd from eth0
nameserver 91.121.113.58
nameserver 91.121.113.7

# resolv.conf from wlan0
# Generated by dhcpcd from wlan0
nameserver 91.121.113.58
nameserver 91.121.113.7

I also ping'd swe.torguardvpnaccess.com from my local laptop and RPI got a different IP addresses:
46.246.124.92 from the laptop,
46.246.124.43 from the RPI.

So I'm a little dubious about putting an ip address in the OpenVPN config file.

Thanks

brebs · 05-27-2017, 03:13 PM

Quote:

Originally Posted by matthewobrn

46.246.124.92 from the laptop,
46.246.124.43 from the RPI.

That's because the DNS has a lifetime of 30 seconds.

Code:

$ dig swe.torguardvpnaccess.com
...
;; ANSWER SECTION:
swe.torguardvpnaccess.com. 30	IN	A	46.246.124.4

;; AUTHORITY SECTION:
swe.torguardvpnaccess.com. 86400 IN	NS	ns1.p04.dynect.net.
swe.torguardvpnaccess.com. 86400 IN	NS	ns3.p04.dynect.net.
swe.torguardvpnaccess.com. 86400 IN	NS	ns2.p04.dynect.net.
swe.torguardvpnaccess.com. 86400 IN	NS	ns4.p04.dynect.net.

Looking at this a bit more... obviously, we can't expect the VPN to connect when you don't even have an Internet connection.

When your Internet connection comes back up, then openvpn should reconnect, especially if you make the tweak I suggested.

I recommend changing "verb 1" to e.g. "verb 4" to get some debugging info in the logs.

matthewobrn · 05-30-2017, 09:23 PM

Ah right that makes sense.

I've changed the config file to this:

Code:

client
dev tun
proto udp
remote 46.246.29.158 1912
#remote swe.torguardvpnaccess.com 1912
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-auth ta.key 1
auth SHA256
cipher AES-128-CBC
remote-cert-tls server
auth-user-pass user.txt
comp-lzo
verb 4
reneg-sec 0
fast-io
# Uncomment these directives if you have speed issues
;sndbuf 393216
;rcvbuf 393216
;push "sndbuf 393216"
;push "rcvbuf 393216"

matthewobrn · 06-02-2017, 06:38 AM

So the changes to the config file seems to have fixed the issue, even when I disconnect the phone line and reconnect it the vpn reconnects and everything works.

Thanks for your help in this!