Mint 19 + OpenVPN within Network Manager -> no internet


Post by farrina » Thu Jul 12, 2018 11:41 am

I run a small local network (192.168.123.0/24) with a pfsense gateway (192.168.123.254) that is configured so that all traffic (including DNS resolution) is forced down a permanently connected OpenVPN connection hosted by a commercial provider. If the VPN connection drops on the pfsense box it is configured so that internet access is blocked.

Pfsense provides DNS services for the local network using the inbuilt Unbound application which is configured to fully resolve to root servers. Additionally running on the pfsense box is a package called pfblockerNG which, in coordination with Unbound, is configured to sinkhole a large number of blocked domains and advertisers etc.

Occasionally when using any of my locally connected clients (Mint, iOS etc) I may find that a particular desired web resource is sinkholed. Rather than messing around temporarily reconfiguring pfblockerNG to allow access to the sinkholed connection it has been my practice to connect a local OpenVPN (i.e. on Mint 18.3 using the inbuilt Network Manager GUI or with iOS the VPN provider's bespoke application) to bypass DNS on my pfsense box and use that provided by the network of the commercial VPN provider.

I believe this creates a VPN routed through my pfsense hosted VPN (tunnel within tunnel?) and I have previously confirmed, with the local OpenVPN active, that DNS resolution is as expected external to my local network.

The problem I now have is that using Mint 19 and with the local OpenVPN active this no longer works and I am unable to connect to the internet.

Mint 19 is assigned (as was Mint 18.3) a static IP address of 192.168.123.250 and Gateway/DNS is manually set to 192.168.123.254

In launching a web browser the status bar at the foot shows “waiting for <site>” (as opposed to “looking up <site>”) which suggests that DNS lookup has been successful.

Running nslookup from Mint 19 appears to resolve external DNS normally irrespective if the local OpenVPN connection is up or down.

Testing the local OpenVPN client with a vanilla install of Mint 19 outside of my local network eg using 4G I have no issues, which suggests that it may be related in some way to the tunnel within a tunnel.

On the off chance I have also tested an alternative OpenVPN provider as the local client but the issue remains.

I have pasted below details of the route tables shown in my Mint 19 client with the local OpenVPN down/up (with added comments) as well as a full configuration output of my hardware.

Finally I should add that with my local OpenVPN active very occasionally my web browser will partially load (a very few lines of text) from a site.

I should add (again on the off chance) I have installed Openresolv, referenced in this post here: viewtopic.php?f=157&t=272446&sid=617af6 ... 96acb96f5d (no change to issue).

I really am at a loss as to where to go next with this issue and any troubleshooting suggestions would be most welcome (I appreciate this is a "big ask"!)

Thanks

############


Details contained within < > are added comments

casper@GHOST19:~$ route <with Local OpenVPN down>

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default Wibble.Wobble 0.0.0.0 UG 100 0 0 enp38s0
link-local 0.0.0.0 255.255.0.0 U 1000 0 0 enp38s0
172.16.131.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet8
192.168.123.0 0.0.0.0 255.255.255.0 U 100 0 0 enp38s0
192.168.238.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet1


<Wibble.Wobble is name of pfsense box>

casper@GHOST19:~$ ping Wibble.Wobble
PING Wibble.Wobble (192.168.123.254) 56(84) bytes of data.
64 bytes from Wibble.Wobble (192.168.123.254): icmp_seq=1 ttl=64 time=0.172 ms
^C
--- Wibble.Wobble ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.172/0.172/0.172/0.000 ms


casper@GHOST19:~$ route <with Local OpenVPN connected>

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default _gateway 0.0.0.0 UG 50 0 0 tun0
default Wibble.Wobble 0.0.0.0 UG 100 0 0 enp38s0
10.30.40.0 0.0.0.0 255.255.252.0 U 50 0 0 tun0
link-local 0.0.0.0 255.255.0.0 U 1000 0 0 enp38s0
172.16.131.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet8
178.162.222.40 Wibble.Wobble 255.255.255.255 UGH 100 0 0 enp38s0
192.168.123.0 0.0.0.0 255.255.255.0 U 100 0 0 enp38s0
Wibble.Wobble 0.0.0.0 255.255.255.255 UH 100 0 0 enp38s0
192.168.238.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet1


casper@GHOST19:~$ nslookup
> _gateway
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
Name: _gateway
Address: 10.30.40.1
Name: _gateway
Address: 192.168.123.254
** server can't find _gateway: NXDOMAIN
> exit

<10.30.40.1 is the gateway IP address associated with the Local OpenVPN connection>

<With Local OpenVPN up both are pingable>

casper@GHOST19:~$ ping 10.30.40.1
PING 10.30.40.1 (10.30.40.1) 56(84) bytes of data.
64 bytes from 10.30.40.1: icmp_seq=1 ttl=64 time=75.8 ms
^C


casper@GHOST19:~$ ping 192.168.123.254
PING 192.168.123.254 (192.168.123.254) 56(84) bytes of data.
64 bytes from 192.168.123.254: icmp_seq=1 ttl=64 time=0.494 ms
64 bytes from 192.168.123.254: icmp_seq=2 ttl=64 time=0.406 ms
^C

<Local Client OpenVPN active: external DNS resolves still>

casper@GHOST19:~$ nslookup
> google.com
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
Name: google.com
Address: 172.217.19.78
Name: google.com
Address: 2a00:1450:4005:80b::200e
###############################
casper@GHOST19:~$ inxi -Fxz
System: Host: GHOST19 Kernel: 4.15.0-24-generic x86_64 bits: 64 gcc: 7.3.0
Desktop: Cinnamon 3.8.7 (Gtk 3.22.30-1ubuntu1)
Distro: Linux Mint 19 Tara
Machine: Device: desktop Mobo: ASUSTeK model: PRIME X370-PRO v: Rev X.0x serial: N/A
UEFI [Legacy]: American Megatrends v: 0604 date: 04/06/2017
Battery hidpp__0: charge: 70% condition: NA/NA Wh
model: Logitech M570 status: Discharging
CPU: 8 core AMD Ryzen 7 1700X Eight-Core (-MT-MCP-)
arch: Zen rev.1 cache: 4096 KB

flags: (lm nx sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm) bmips: 54298
clock speeds: max: 3400 MHz 1: 2124 MHz 2: 1959 MHz 3: 1880 MHz
4: 1876 MHz 5: 1946 MHz 6: 1954 MHz 7: 1935 MHz 8: 1924 MHz
9: 2038 MHz 10: 1985 MHz 11: 1889 MHz 12: 1939 MHz 13: 2705 MHz
14: 2120 MHz 15: 2970 MHz 16: 2782 MHz
Graphics: Card: NVIDIA GP108 bus-ID: 29:00.0
Display Server: x11 (X.Org 1.19.6 )
drivers: nvidia (unloaded: modesetting,fbdev,vesa,nouveau)
Resolution: 2560x1600@59.97hz, 3840x2160@60.00hz
OpenGL: renderer: GeForce GT 1030/PCIe/SSE2
version: 4.6.0 NVIDIA 390.48 Direct Render: Yes
Audio: Card-1 Advanced Micro Devices [AMD] Family 17h (Models 00h-0fh) HD Audio Controller
driver: snd_hda_intel bus-ID: 2b:00.3
Card-2 C-Media CMI8788 [Oxygen HD Audio]
driver: snd_virtuoso port: c000 bus-ID: 28:04.0
Card-3 NVIDIA GP108 High Def. Audio Controller
driver: snd_hda_intel bus-ID: 29:00.1
Sound: Advanced Linux Sound Architecture v: k4.15.0-24-generic
Network: Card: Intel I211 Gigabit Network Connection
driver: igb v: 5.4.0-k port: d000 bus-ID: 26:00.0
IF: enp38s0 state: up speed: 1000 Mbps duplex: full mac: <filter>
Drives: HDD Total Size: 1250.2GB (39.3% used)
ID-1: /dev/nvme1n1 model: Samsung_SSD_960_EVO_250GB size: 250.1GB
ID-2: /dev/nvme0n1 model: Samsung_SSD_960_EVO_250GB size: 250.1GB
ID-3: USB /dev/sda model: My_Passport_0740 size: 1000.2GB
Partition: ID-1: / size: 212G used: 89G (44%) fs: ext4 dev: /dev/dm-1
ID-2: /boot size: 704M used: 147M (23%)
fs: ext4 dev: /dev/nvme1n1p1
ID-3: swap-1 size: 17.11GB used: 0.00GB (0%)
fs: swap dev: /dev/dm-2
RAID: No RAID devices: /proc/mdstat, md_mod kernel module present
Sensors: System Temperatures: cpu: 39.1C mobo: N/A gpu: 0.0:63C
Fan Speeds (in rpm): cpu: 0
Info: Processes: 382 Uptime: 4:46 Memory: 4123.2/16036.7MB
Init: systemd runlevel: 5 Gcc sys: 7.3.0
Client: Shell (bash 4.4.191) inxi: 2.3.56
casper@GHOST19:~$


Re: Mint 19 + OpenVPN within Network Manager -> no internet

Post by greerd » Thu Jul 12, 2018 1:06 pm

Hi farrina,

Interesting problem which I unfortunately don't know the answer to but I'll give you an un-educated guess in hopes that I don't send you off on a tangent.

It looks like systemd has sunk its tentacles in a little deeper with Mint 19, which now uses systemctl-resolved.service instead of resolvconf. Your nslookups, both with and without local vpn, show a DNS address of 127.0.0.53, which tells me that systemd-resolved is being used even though you've installed Openresolv.

Does this indicate that your pfsense router is the source of both nslookups and therefore subject to the same sinkholes?

man systemd-resolved for more info.

Cheers
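
The reply above notes that nslookup only reports the local stub at 127.0.0.53, so it cannot show which upstream resolver answered. The following is an added example, not part of either post: it parses `systemd-resolve --status` output and lists links other than the VPN that still carry DNS servers. The sample text is constructed, and 10.30.40.1 as the VPN-pushed resolver is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): show which upstream DNS servers
# systemd-resolved holds per link; nslookup only shows the 127.0.0.53 stub.

# Constructed sample in the layout of `systemd-resolve --status`. The tun0
# resolver address is an assumption; the LAN resolver is the one in the post.
sample_status() {
cat <<'EOF'
Global
          DNSSEC NTA: 10.in-addr.arpa
                      168.192.in-addr.arpa

Link 5 (tun0)
      Current Scopes: DNS
       LLMNR setting: yes
         DNS Servers: 10.30.40.1

Link 2 (enp38s0)
      Current Scopes: DNS
       LLMNR setting: yes
         DNS Servers: 192.168.123.254
EOF
}

# Read status text on stdin; print "iface server" for every per-link server.
# Handles one server per line (with continuation lines) or several on one line.
dns_by_link() {
  awk '
    /^Link [0-9]+ \(/ { iface = $3; gsub(/[()]/, "", iface); in_dns = 0; next }
    /^Global/         { iface = ""; in_dns = 0; next }
    /DNS Servers:/    { in_dns = 1; sub(/.*DNS Servers:[ \t]*/, "")
                        for (i = 1; i <= NF; i++) if (iface != "") print iface, $i
                        next }
    in_dns && /^[ \t]+[0-9a-fA-F:.]+$/ { if (iface != "") print iface, $1; next }
    { in_dns = 0 }
  '
}

# $1 = VPN interface. Prints resolvers configured on any other link and
# returns 1 if there are any (queries may still reach them), 0 otherwise.
non_vpn_resolvers() {
  dns_by_link | awk -v vpn="$1" '$1 != vpn { print; found = 1 } END { exit (found + 0) }'
}

# Stand-alone run against the constructed sample.
sample_status | non_vpn_resolvers tun0 || echo "non-VPN links above still list DNS servers"
```

On the live system the same check is `systemd-resolve --status | non_vpn_resolvers tun0`.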
