Cannot resolve host address

Here is a screenshot. I can’t paste text because it says I have too many links.

There was more but it looks like it just keeps trying.

In case I forget to say so, I truly appreciate your assistance.

This is really ‘smelling’ like a DNS bootstrapping issue.

Is there any reason we can’t remove OVPN fr the equation & set up WireGuard to test? It’s a world of less complication to define specific DNS servers for the tunnel. Eg:

[Interface]
Address = 10.0.0.9/24
PrivateKey = [redacted]
DNS = 9.9.9.9, 1.1.1.1
MTU = 1320

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = [redacted]:51820
PersistentKeepalive = 25
PublicKey = [redacted]
PresharedKey = [redacted]

As far as I remember my OVPN configs, there is no bootstrapping DNS in OVPN.

The client will use the client’s DNS server for the first connection and then the server’s DNS might get pushed. But since the problem here is the 1st connection attempt it should be no problem with DNS provided by the OVPN server.

I will have to look up what DNS bootstrapping is and I don’t know what the interface and peer means.

I understand in general how a VPN works but when it gets into configuration and network layers and such I’m lost. I never went any farther than A+ certification and that was 25+ years ago.

I’m running the VPN server on my home router and it doesn’t support WireGuard and I don’t have a Pi laying around for this.

I really do appreciate you trying to help but if it’s beyond the scope of a forum chat I understand.

Do you have the possibility to check if the IP of your DNS domain is right on the device you are trying to connect?

Maybe with nslookup or ping or something like that?

That’s what I thought too. The problem existed on the last firmware version too and I was hoping this new version I loaded yesterday would help. Anyway, I really like the new version. Nice options.

@stevenj

Let’s go a lil’more ‘lower level’:

Can you SSH into your Mango? There’s a piece of software we can run from the command line called drill. It’s used to troubleshoot DNS resolution. That this problem is only happening on the Mango is quite something else. I’d like to chk what’s going on w/ the Mango’s DNS service.

  • opkg update; opkg install drill
  • drill +short $yourAsusDDNS

Example:

root@flint:~# drill +short quad9.net
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 46273
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; quad9.net.   IN      A

;; ANSWER SECTION:
quad9.net.      2390    IN      A       216.21.3.77

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; EDNS: version 0; flags: ; udp: 1232
;; SERVER: 127.0.0.1
;; WHEN: Thu Nov 30 17:01:30 2023
;; MSG SIZE  rcvd: 54

See the link below. The default IP for GL devices is 192.168.8.1, username root.

1 Like

I can probably try but I don’t see how that will help. The router never establishes the connection. I don’t remember the exact wording but it’s along the lines of “trying to connect”. The very same device will connect to the ovpn server directly if I don’t use the router.

I should probably give my use case. I need to route traffic through my home cable connection when away to view all of the cable channels. First world problem, I know.

This looks like it’s going to be a PIA to solve. I’m thinking I’ll just pull the actual IP address if it changes. It’s not very difficult and doesn’t usually happen more than a handful of times a year.

I thought this would be easy since the same ovpn for works on all of the other devices I’ve tried it on.

This sentence confuses me since it does not fit to the initial problem.

What do you mean by it?

Before we start:
Is your home network (LAN) different from 192.168.8.0/24 (GL-iNet default)? Or, if changed, different from the network setup of the Mango? If not, change it. Two identical networks cannot exist within a VPN.

So we have:

  • Asus router home, as OpenVPN Server, Address: xxxx.asuscomm.com
  • OpenVPN Client, Android/Ubuntu on the road.
  • OpenVPN Client Mango on the road.

The connection between Android/Ubuntu and Asus is working.
For some reason the Mango isn’t working …

I’d like to focus on the DNS issue, not on anything OpenVPN-specific.

  • How is the Mango connected to the Internet? WLAN or WAN port?
  • Is the Mango outside your home network?

Please try:

  • start the Mango, VPN off.
  • Connect the Ubuntu to LAN (via Cable or WLAN)
  • Try to open Google.com
  • If this works, open a terminal and enter ping -c2 xxxx.asuscomm.com. Is your public home IP shown?
  • Now check what DNS is set in your Ubuntu. Maybe via cat /etc/resolv.conf, or any GUI for Network-Manager, that the youth is using today.
  • Change the DNS to 192.168.8.1 (only this one!).
  • Try ping -c2 xxxx.asuscomm.com again … Ideally it should not be able to resolve the hostname, now …
    And, if I am right with all assumptions, all you need to do is change the default DNS in the Mango.

This is maybe a little easier than ssh into the router.

1 Like

This is phone. If I use the openVPN client app on my phone, I can connect to my OpenVPN server (so I know that my phone can resolve the domain).

In hindsight, this makes no difference other than the openVPN config file works on the Motorola phone, Samsung tablet and Ubuntu laptop. So I know the domain can be resolved. The glinet router resolves any domain request other than this; it’s weird, that’s why I thought it would just be a simple setting somewhere.

Thank you for the instructions.

Yes, Home network is different. I use 192.168.1.x for home network

AR300 is connected wireless repeating my phone’s hotspot (or other wireless network)

I’m currently away from home network

Your Assumptions are correct

I’m Unable to ping my domain as it’s set to not respond to pings.
EDIT: I turned on respond to ping and it responds correctly and shows my correct IP address.

The resolv.conf file has 2 entries
nameserver 127.0.0.53
search lan

I looked under connection information in Ubuntu and my primary DNS is already 192.168.8.1. I’m just using whatever DNS is assigned by the AR300

I have tried changing the default DNS in the AR300 to cloudflare and Google and that didn’t help.

netstat -natp | grep 53

I really appreciate the assistance but this is just a bit too deep for me. I am not comfortable using SSH and working at that level. I have messed up Linux too many times working in root.

This is me being off topic but at some point do consider installing Virtualbox on your computer. You can then run a copy of whatever Linux distro you prefer in a ‘petri dish’ & experiment to your heart’s content.

If something ‘goes sideways’, the snapshot feature allows 'ya to revert in a couple of mouse clicks.

https://www.virtualbox.org/wiki/Linux_Downloads

1 Like

This is some kind of strange.

First: If you are using the DNS 192.168.8.1, it is the DNS of the AR300. So if the Ubuntu connected to the AR300 will resolve the host, the AR300 can do this, too.

Second: Even if ping is blocked, the name resolving should work outside the box and should lead to the right IP. But with a ‘Destination not reached’.
Only if the Domain Name is not known you get no IP:

lupus@kira:~$ LANG=C ping -c2 googledoesnotexist.net
ping: googledoesnotexist.net: Name or service not known

The AR300 is no full authoritative DNS Server, all requests for the own subnet (192.168.8.0/24) or domain (.lan) will be looked up in local files and services. All unknown domains will be forwarded to another DNS.
So you can else go Laptop - AR300 - ISP Router - Internet DNS (Internet DNS could be from your ISP, 8.8.8.8 (google) 1.1.1.1 (Cloudflare), …). Neither the Laptop, nor the AR300 or the ISP Router need to know the Hostname. But the Internet DNS should.

Ubuntu is some kind of quirky.

This means there is some kind of service listening on your system at the local address 127.0.0.53 and forwards the requests to an external DNS … Configured wherever.
The behavior is configured here:

lupus@kira:~$ cat /etc/nsswitch.conf | grep -i hosts
hosts:          files mdns4_minimal [NOTFOUND=return] dns

The files are for example /etc/hosts, which is overwriting any other request. So make sure your xxxx.asuscomm.com isn’t written there.
On my system some mdns4 voodoo happens, and if this doesn’t know the host, it goes to dns → All Servers, set in /etc/resolv.conf.

Short:
Just edit the file /etc/resolv.conf to:

nameserver 192.168.8.1
search lan

With this change you can be sure it will use only this DNS server for external requests, not any second or third DNS server, configured in some kind of ubuntu voodoo.

→ Translated: There is a secondary configured?
If the request to the primary DNS fails, it will switch to the secondary. And all the confusion above is solved.

1 Like
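The lookup path described in the post above (nsswitch order, /etc/hosts pin, then the servers in /etc/resolv.conf) can be checked without SSH or root. This is an added example, not code from any thread participant; the function names, result labels and the sample hostnames and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: which source answers a hostname lookup on a Linux client?
# File paths are arguments so it can run on copies or on constructed samples.

hosts_override() {   # $1=hosts file, $2=name -> pinned IP, or nothing
    awk -v n="$2" '{ sub(/#.*/, "")
        for (i = 2; i <= NF; i++) if (tolower($i) == tolower(n)) { print $1; exit } }' "$1"
}

lookup_order() {     # $1=nsswitch.conf -> sources on the "hosts:" line
    awk '$1 == "hosts:" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

nameservers() {      # $1=resolv.conf -> servers in the order they are tried
    awk '$1 == "nameserver" && NF >= 2 { print $2 }' "$1"
}

diagnose() {         # $1=name $2=hosts $3=nsswitch.conf $4=resolv.conf
    pinned=
    case " $(lookup_order "$3") " in
        *" files "*) pinned=$(hosts_override "$2" "$1") ;;  # hosts file only counts if "files" is listed
    esac
    if [ -n "$pinned" ]; then echo "hosts-override:$pinned"; return 0; fi
    servers=$(nameservers "$4" | tr '\n' ' ' | sed 's/ $//')
    case "$servers" in
        "")         echo "no-nameserver" ;;
        127.0.0.53) echo "local-stub:127.0.0.53" ;;  # upstream is configured elsewhere
        *" "*)      echo "fallback-possible:$servers" ;;
        *)          echo "single-resolver:$servers" ;;
    esac
}

# Constructed sample files (not taken from the thread participants' machines).
demo=$(mktemp -d)
printf '127.0.0.1 localhost\n203.0.113.7 vpn.example.net # stale pin\n' > "$demo/hosts"
printf 'hosts: files mdns4_minimal [NOTFOUND=return] dns\n' > "$demo/nsswitch.conf"
printf 'nameserver 127.0.0.53\nsearch lan\n' > "$demo/stub.conf"
printf 'nameserver 192.168.8.1\nsearch lan\n' > "$demo/router.conf"
printf 'nameserver 192.168.8.1\nnameserver 9.9.9.9\n' > "$demo/two.conf"

for rc in stub router two; do
    echo "$rc: $(diagnose xxxx.example.net "$demo/hosts" "$demo/nsswitch.conf" "$demo/$rc.conf")"
done
echo "pinned: $(diagnose vpn.example.net "$demo/hosts" "$demo/nsswitch.conf" "$demo/stub.conf")"
```

A `local-stub` result means resolv.conf alone does not show which upstream server is queried; on systems running systemd-resolved, `resolvectl status` lists the servers actually in use.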

Thanks for the detailed reply. Honestly, a lot of what you wrote is way above my knowledge level. I’ll poke around though because I’m curious what’s lurking at 127.0.0.53.

On a positive note, I did some research and found that my internet provider only changes IP addresses when the modem at my residence is rebooted. The modem is on battery backup so it would have to be an extended power outage (or provider maintenance) for it to reboot without me being there. With that being the case, I’m going to use the actual IP address of the domain for the AR300. Doing that allows the VPN to function. If the IP does happen to change while I’m away, I can tunnel in with any other devices to look up the new IP address. This isn’t something that I need to be available all the time at a moment’s notice. It’s only for those times when I need my television provider (or Netflix) to think I’m watching TV from home.

Again thanks everyone for trying. Your responses were quick and thorough. This is a great community. Reminds me of the Hubitat community I frequent. I’ll be lurking around looking to pick up knowledge on my glinet product.

Steve

1 Like

Unfortunately I am some kind of old. So I don’t like grub, I don’t like wayland and I don’t like systemd … But as it is the standard, I need to deal with it. As this is not part of the GL-iNet universe, I shortened it to ‘Ubuntu voodoo’ above.
systemd got a resolver, called networkd. This service is listening at 127.0.0.53, which is funny, because port 53 is the one responsible for DNS.
If I remember correctly, systemd-resolved will show the ‘real’ DNS settings. But when I need to deal with DNS issues, I jump over systemd and edit the hosts file or the resolv.conf.

Back to GL-iNet:
When I read through the whole topic, I am not really sure how the connection is realized. The question is: When which DNS is asked to resolve an address to the IP?
I can imagine from all the above, that the AR300 is connected via tethering to your mobile and the mobile already has a connection to the VPN.
In this case the message should not be ‘Can’t resolve hostname’, but as it has too many question marks, maybe the message doesn’t represent the real issue.

The AR300 is currently connected to my phone by repeating the phone’s hotspot. The phone does not currently have a connection to the VPN. The error is correct because if I swap the domain name for the IP address everything works as it should.

Being that the phone will connect to the VPN, the tablet will connect to the VPN and the laptop will connect to the VPN using the domain name this is definitely something specific to the AR300. As I mentioned above, because the IP address of my VPN domain doesn’t change much I am going to run with that and call it good.

That’s a recommended configuration when setting OWRT’s dnsmasq to use dnscrypt-proxy for DNS over HTTPS or TLS.

root@flint:~# netstat -natp | grep .53:53
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      2530/dnscrypt-proxy

1 Like