Howdy,

I use Surfshark and every once in a while, my VPN loses its connection. 
I sent the info from messages to Surfshark but the info they sent back
on how to set the nameserver info doesn't really work with Gentoo.  I
suspect they are used to systemd stuff.  Anyway, I tried to follow in a
more Gentoo way but it still didn't work.  Then I googled, searched the
Gentoo wiki and tried some of those things, still refuses to use the
manually entered nameserver.  I've tried resolv.conf, resolvconf.conf
and resolv.conf-tun0.sv.  I installed openresolv to see if that would
help.  Nope.

I might add, a lot of this stuff is written for people using systemd and
I use openrc here.  I found one that had I think the right info but
neglected to name the file that needed to be edited, sounds like
something I'd do really.  lol 

This is what I got from Surfshark:

I would recommend changing the DNS addresses on your Linux device. You
can simply do that by following the steps below.
 
First, you need to open the terminal with the CTRL + ALT + T
combination and type in the following commands:
sudo rm -r /etc/resolv.conf
sudo nano /etc/resolv.conf
 
You will be asked for your root password after each command line, so
just type it in and press enter. When the text editor opens, you will
have to type in these lines:
nameserver xxx.xxx.172.57
nameserver xxx.xxx.159.92

I edited the file they say with kwrite.  Even after I restart openvpn,
the IP they want is there but it doesn't use it according to the site
they sent for me to check it with.  It shows other IP addresses.  I'm
sure I'm missing something, likely something simple, but I can't figure
out how to make it work.  I don't know if it is because I'm using openrc
or what. 

Anyone have a idea on how to make this work? 

Thanks.

Dale

:-)  :-)

P. S.  I edited the IP address above.  I'm not sure if those are public
or not. 

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 05/03/2023 18:41, Dale wrote:

I edited the file they say with kwrite.  Even after I restart openvpn,
the IP they want is there but it doesn't use it according to the site
they sent for me to check it with.  It shows other IP addresses.  I'm
sure I'm missing something, likely something simple, but I can't figure
out how to make it work.  I don't know if it is because I'm using openrc
or what.

Anyone have a idea on how to make this work?

resolv.conf tells DNS where to look. That's not openrc/systemd specific.

There's another file - can't remember its name - that tells your
resolver what to try in what order - the hosts file, dns, what dhcp told
you, etc etc, so your resolver might not be using dns the way you think.

I can't get that to work, either. I want my hosts file to take priority,
but it's ignored.

And then, of course, to really screw you over your ISP might be
hijacking dns.

Cheers,
Wol

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Mon, 6 Mar 2023 07:54:51 +0000, Wols Lists wrote:

There's another file - can't remember its name - that tells your
resolver what to try in what order - the hosts file, dns, what dhcp
told you, etc etc, so your resolver might not be using dns the way you
think.

Do you mean /etc/nsswitch.conf?


--
Neil Bothwick

There are only 10 types of people in the world:
those who understand binary and those who don't.

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE8k9T/rX16EJxEKG692eFu0QSMJgFAmQFn3gACgkQ92eFu0QS MJgf8g/9EV2dCpSvirEWUUIIM2p74qbn9Ly/UJSH20TA7TRE5vdi1BNbA/O+oWAm BVcXTovxwigVWScuv5hlHEeeJ2ZM2FKeMXF8VsYxncS5ihgme3t5cGi4GKZsT8ka w//T0Lf6lAp7V0opcEYAVsEWOUVru76EkfezOVXDlrMBZedDZbOmXfhGU7qH9LBS +D1Pir8xhghmpHlRVVFVS8K3XzMS69bVbmOJ8EHvIfCaploHnsOQlvg/DIIUZSkS y4oxSeAMHqf5vbONJB3Rs2FnQDW7NYX+T22NMv4uXar2f21BtKDCWWJ4V0B+xcch IBMPOSzLk/bmyNiqcL6k42ErIQY4pZyrlyEEIqCsgPiwpMkpx0SZpGKxPfIISLHc rKQGb5npHoD5pvOx0GF/j53oCyLj39x8AGTVHtEbJK1Voq7vgm5LEgWH0s0vzgmj G39k2QopcMH24WVcymLB0jbAji2uT8BIYibVNZ7i0AGFqBulexTu4Cl2SE6YKZ3O xttNOAzVLJU8U7SraNe1FYEAMw4Uho9uHJyljOQgY5DSSemzovH24GAMROTESEDz Hi3d+Ayt3lUzExUDd+2l3QcSccUgAaqfdKPK9f4dFQkIpgnIDtjgGwFsltUjch/Q ieOCyVxpPDqTjbU5AJlIdriIlBT8V1urdTQV0TjMfNOcUvZ416w=
=xNqC
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet

On 06/03/2023 08:08, Neil Bothwick wrote:

On Mon, 6 Mar 2023 07:54:51 +0000, Wols Lists wrote:

There's another file - can't remember its name - that tells your
resolver what to try in what order - the hosts file, dns, what dhcp
told you, etc etc, so your resolver might not be using dns the way you
think.

Do you mean /etc/nsswitch.conf?

Ah yes. Any idea why Firefox seems to ignore it? Whenever I try to
browse to local machines in /etc/hosts, firefox gives me a google search
page which is a bloody nuisance. If I type a VALID ADDRESS in the
ADDRESS BAR, that's where I expect to go! Not some damn random search page!

Cheers,
Wol

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Monday, 6 March 2023 08:24:35 GMT Wols Lists wrote:

On 06/03/2023 08:08, Neil Bothwick wrote:

On Mon, 6 Mar 2023 07:54:51 +0000, Wols Lists wrote:

There's another file - can't remember its name - that tells your
resolver what to try in what order - the hosts file, dns, what dhcp
told you, etc etc, so your resolver might not be using dns the way you
think.

Do you mean /etc/nsswitch.conf?

Ah yes. Any idea why Firefox seems to ignore it? Whenever I try to
browse to local machines in /etc/hosts, firefox gives me a google search
page which is a bloody nuisance. If I type a VALID ADDRESS in the
ADDRESS BAR, that's where I expect to go! Not some damn random search page!

Cheers,
Wol

I suspect the behaviour you noticed is related to FF functionality like TRR (Trusted Recursive Resolver) farming all your DNS queries over to the cloudfarce honeypot.

Have a look here if you want to disable it:

https://wiki.archlinux.org/title/Firefox/Privacy#Disable/ enforce_'Trusted_Recursive_Resolver'

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEXqhvaVh2ERicA8Ceseqq9sKVZxkFAmQFuxAACgkQseqq9sKV ZxnOhxAAlLRRmjAnjrqkq2t2lMO72vJLJzUQAsrgIRf0wkJvoy+688hrUeJXzX4J H+cMgXf6yewNpeQsdI4OZKRhCOZibkJ1Ha+048aSAoCS8cZQG8B+QiPj/kUO8PiR FmQjksu8zFsNkZTQu/O+Qyqpt0RZNF17xS/442eXM3CZpSH4Ra1ZzNmN9zexeufT O4h8jhgMlQIpdUYrhQt6ZBW0LJPj23HRV24JcyhifxF2VLV8gkFMN/26aRrdcSys c4m6ny6SL4/a2WD1Y0lABm3toRWyXvuF93vpPmGGE1o8i1w+kPuO2oWvov2UvPEL qLzWxCKLxQ6nPzXl3I3bLgjUV5MXLZQZNw+4bq8Kndc97AlOerTP1eUhwF+wjsKd QQN+ayQm7r4QMTjs09BK+qpHXZ+ozDiUbUBiVB3+lq+76S+/wpj/uFHunhETGJcc OnXZGqb5pB9e0GhL1n8IL21KEMT6nR/n/TIiwn/7oswpq9X0RdPzkByeNCY7AZ+A IDJCg9D7UjnHv1TeXH5vxZ7KYRFj0Zplp/GyDNvGU5BCUEjgS9zJIHlg7pnlwJIt /wOi04rhqkcA04CSrbMYL6Z5RFesL/gO5vlKE+a0ubrT1cn8U8OJoOsTtwJJOXqH JYFQPEWeAPJe46WmxAji8Gqn8SzvLzRPUwjcEhR7g18vc45duIc=
=YDOO
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 06/03/2023 10:06, Michael wrote:

On Monday, 6 March 2023 08:24:35 GMT Wols Lists wrote:

On 06/03/2023 08:08, Neil Bothwick wrote:

On Mon, 6 Mar 2023 07:54:51 +0000, Wols Lists wrote:

There's another file - can't remember its name - that tells your
resolver what to try in what order - the hosts file, dns, what dhcp
told you, etc etc, so your resolver might not be using dns the way you >>>> think.

Do you mean /etc/nsswitch.conf?

Ah yes. Any idea why Firefox seems to ignore it? Whenever I try to
browse to local machines in /etc/hosts, firefox gives me a google search
page which is a bloody nuisance. If I type a VALID ADDRESS in the
ADDRESS BAR, that's where I expect to go! Not some damn random search page! >>
Cheers,
Wol

I suspect the behaviour you noticed is related to FF functionality like TRR (Trusted Recursive Resolver) farming all your DNS queries over to the cloudfarce honeypot.

Have a look here if you want to disable it:

https://wiki.archlinux.org/title/Firefox/Privacy#Disable/ enforce_'Trusted_Recursive_Resolver'

Thanks. That led me to network.trr.allow-rfc1918, which provided your
name has a dot in it ! appears to resolve addresses from /etc/hosts. I
guess that actually means firefox uses your local resolver first, and if
it returns an rfc1918 address, will use it.

Surely that should be the default! It shouldn't break a PRIVATE network
in the name of security !!!

Cheers,
Wol

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Wols Lists wrote:

On 06/03/2023 08:08, Neil Bothwick wrote:

On Mon, 6 Mar 2023 07:54:51 +0000, Wols Lists wrote:

There's another file - can't remember its name - that tells your
resolver what to try in what order - the hosts file, dns, what dhcp
told you, etc etc, so your resolver might not be using dns the way you
think.

Do you mean /etc/nsswitch.conf?

Ah yes. Any idea why Firefox seems to ignore it? Whenever I try to
browse to local machines in /etc/hosts, firefox gives me a google
search page which is a bloody nuisance. If I type a VALID ADDRESS in
the ADDRESS BAR, that's where I expect to go! Not some damn random
search page!

Cheers,
Wol

I found where someone posted about Firefox, it seems you can change that
in preferences.  You just uncheck a box.  Anyway.

I looked at the nsswitch file.  I'm not 100% sure what it says but it
looks like others I've found.  Basically, it points to /etc and that's
it, for network stuff anyway.  So, I dug around some more.  I found a
command that shows what it is seeing and should be using.  This is the info:


root@fireball / # resolvconf -l
# resolv.conf from tun0
# Generated by openvpn for interface tun0
nameserver 162.252.172.57
nameserver 149.154.159.92

# resolv.conf from tun0.inet
nameserver 162.252.172.57
nameserver 149.154.159.92

# resolv.conf from enp3s0
# Generated by netifrc for interface enp3s0
nameserver 8.8.8.8
nameserver 8.8.4.4

# resolv.conf from enp3s0.dhcp
# Generated by dhcpcd from enp3s0.dhcp
nameserver 10.0.0.1

root@fireball / #


I left the IPs Surfshark gave me in this one.  As you can see tho, for
my VPN it should be using the ones I'm telling it to use, manually. 
Thing is, it isn't.  This is a link to the website Surfshark sent me and
the info it says it is using for DNS lookup. 

https://surfshark.com/check

DNS addresses:
107.179.20.190 / United States of America, Los Angeles / LayerHost

As one can tell, I don't have the IP for DNS listed anywhere up there. 
So, it seems one part is seeing the changes I want to make but the rest
is just plain ignoring me.  Do I need to do something for those to take
effect or do they just work?  I restarted both the VPN and my regular network.  What am I missing here? 

Thanks.

Dale

:-)  :-) 

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Monday, 6 March 2023 10:56:37 GMT Wols Lists wrote:

On 06/03/2023 10:06, Michael wrote:

I suspect the behaviour you noticed is related to FF functionality like
TRR
(Trusted Recursive Resolver) farming all your DNS queries over to the cloudfarce honeypot.

Have a look here if you want to disable it:

https://wiki.archlinux.org/title/Firefox/Privacy#Disable/ enforce_'Trusted_Recursive_Resolver'

Thanks. That led me to network.trr.allow-rfc1918, which provided your
name has a dot in it ! appears to resolve addresses from /etc/hosts. I
guess that actually means firefox uses your local resolver first, and if
it returns an rfc1918 address, will use it.

Surely that should be the default! It shouldn't break a PRIVATE network
in the name of security !!!

It is the default here, in www-client/firefox-110.0.1 .

--
Regards,
Peter.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sunday, 5 March 2023 18:41:10 GMT Dale wrote:

Howdy,

I use Surfshark and every once in a while, my VPN loses its connection.
I sent the info from messages to Surfshark but the info they sent back
on how to set the nameserver info doesn't really work with Gentoo. I
suspect they are used to systemd stuff. Anyway, I tried to follow in a
more Gentoo way but it still didn't work. Then I googled, searched the Gentoo wiki and tried some of those things, still refuses to use the
manually entered nameserver. I've tried resolv.conf, resolvconf.conf
and resolv.conf-tun0.sv. I installed openresolv to see if that would
help. Nope.

AFAIR, you're meant to pull down from the openvpn server the DNS resolvers you're meant to use with their service, unless you have your own reasons for wanting to override these and set up your own DNS resolvers. Have you looked in /etc/openvpn/ for a suitable setting in the configuration file? I'm sure
it will be set to automatically pull down the DNS resolvers and the Up script will set these up for your system when you start openvpn.

This is what I got from Surfshark:

I would recommend changing the DNS addresses on your Linux device. You
can simply do that by following the steps below.

First, you need to open the terminal with the CTRL + ALT + T
combination and type in the following commands:
sudo rm -r /etc/resolv.conf
sudo nano /etc/resolv.conf

Normally, you would not have to do this manually. The Up script will enter
the resolver IP addresses in your resolv.conf. If it doesn't, then check your configuration and your openvpn script.



-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEXqhvaVh2ERicA8Ceseqq9sKVZxkFAmQFwJ4ACgkQseqq9sKV Zxmb+g//XrGJNhTeE65mGes0DUz39qPVKlyY7DtQjijfQROKOxQ/PrVkK4VFwgs4 DJ9oZEur8fnuRVSJl+/nbJwRzC/k1KYA/Pk2g9ZAIzhwTgBCK860pIbtYqVD7R6b IOBPS6jZyayPMagd3YO68yBpj7iFwjNP5idRAKppo9EzaY7tp6CTdHDvB7smrBJc J5paPpxF2kP+UFe9HgGNq91KVK6MIWKqVthlEbtgaP45qDVixZs0nS1Otft/k3tq 36v+OMTbxv5g9xcZPjH61QY6+cx1FRfGvyOZoScfNA4eyRaah6T2YVHzCs4tPjz4 x5dKYemq5AdLwdTN22s1QWgoOInbrAJpRa3AnKgOD5rwTQ8VlxFnemhNLip2Nim4 Rcod/YCNLjYA6kD0Ab9x1xGiFmkFn9TxBtEW02H4w8epMgBPLu3z1l/JQqCL9dX0 8/IaE+dKcdPiYRmXrms2hsyHe2CNNNjuadgplow13usygZYmUWT+UO7t/ltkP2Rz IWADXwVoUKBLYz4N8MKlkHt8VR/dxwXWHplufNh/kM2yE5PePftNsEM00st8A7jN wDm1x8G8Ce8sboXG8GH4eB9t3ncpPkT4T15Gw6U56ssowjX9UaaGtc0Ok5NR/iuT zYIDAVg6+ZObGRZVZEDrkfYpiIL4d9R8Ej7L/aTvnS1ALF6zMJI=
=Us7I
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 06/03/2023 11:08, Peter Humphrey wrote:

On Monday, 6 March 2023 10:56:37 GMT Wols Lists wrote:

On 06/03/2023 10:06, Michael wrote:

I suspect the behaviour you noticed is related to FF functionality like
TRR
(Trusted Recursive Resolver) farming all your DNS queries over to the
cloudfarce honeypot.

Have a look here if you want to disable it:

https://wiki.archlinux.org/title/Firefox/Privacy#Disable/
enforce_'Trusted_Recursive_Resolver'

Thanks. That led me to network.trr.allow-rfc1918, which provided your
name has a dot in it ! appears to resolve addresses from /etc/hosts. I
guess that actually means firefox uses your local resolver first, and if
it returns an rfc1918 address, will use it.

Surely that should be the default! It shouldn't break a PRIVATE network
in the name of security !!!

It is the default here, in www-client/firefox-110.0.1 .

I'm running amd not ~amd, and I've got FF 102esr. As soon as I changed
it to allow rfc1918, it started working ...

Cheers,
Wol

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Monday, 6 March 2023 12:05:40 GMT Wols Lists wrote:

On 06/03/2023 11:08, Peter Humphrey wrote:

On Monday, 6 March 2023 10:56:37 GMT Wols Lists wrote:

On 06/03/2023 10:06, Michael wrote:

I suspect the behaviour you noticed is related to FF functionality like >>> TRR
(Trusted Recursive Resolver) farming all your DNS queries over to the
cloudfarce honeypot.

Have a look here if you want to disable it:

https://wiki.archlinux.org/title/Firefox/Privacy#Disable/
enforce_'Trusted_Recursive_Resolver'

Thanks. That led me to network.trr.allow-rfc1918, which provided your
name has a dot in it ! appears to resolve addresses from /etc/hosts. I
guess that actually means firefox uses your local resolver first, and if >> it returns an rfc1918 address, will use it.

Surely that should be the default! It shouldn't break a PRIVATE network
in the name of security !!!

It is the default here, in www-client/firefox-110.0.1 .

I'm running amd not ~amd, and I've got FF 102esr. As soon as I changed
it to allow rfc1918, it started working ...

Cheers,
Wol

As I understand it the purpose of this setting is to avoid web attacks being able to redirect to local private addresses, which may be hosting vulnerable services - a.k.a. 'DNS-rebinding'. The default setting is 'false' in FF 102.8.0, but if you have disabled TRR it appears the effects of network.trr.allow-rfc1918 are disabled too.

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEXqhvaVh2ERicA8Ceseqq9sKVZxkFAmQF3A8ACgkQseqq9sKV ZxkHJg//dNG4KOgnSGKnjAFsWh2SDeoSBorV7Qi7wV+Wtvvj/cAjXWPScPHNsrT8 BDiCDyEqUzfmwL5xsntJ9g3XkMfoCBfnxcMImRnMSlQ08g4OHD8/hbmJgfkdPXf8 EgxogY/PcOz9jDzg/F+sELpfrnIDkwYe7zuYkm8XadBe6xqs/+GhqGRyYREwJzhH 9gwsaoRP39sxyDzwo4pal7pgUlysC/OiSxf92OwPMc/z2YovJxcO5CHwMrNVuzHs Rngp1Jul0RJJteMmU/h/dzzoeIopnNaBXBNbYc22sUhMAUn3t1fepOjOxbQ2EECw QKrZe2SSOT3C5XpyVCiDeiBgH1GaLgaGY0JW3ZA6a1YFILRH2yFu7puxZ3HA9sLc PhV65dpwLJjXWV7GrxtXeiG3QK9RQVNgxOQJv75q6bOPv6ujGJd+Rl/4NHMswK2J hf9jERz8xRrc5ZqY+RhAKaQHtSM8TVFvRa9mz8ks/GE0N+uDiMZd0MSy6APU8JFZ RxciOo0IrovAYmxwStgL2EvYvM1O4NXSG4Pa6EERzykF6y780BdwlK6CqTiwF2f1 ElFRiPowzOtqYIeIk7JD83yT3azM9Ehc2O2tT7M76fDaIrgsiUAaI2DAYIryCfnY DuZ22hL7DG6gPWUrlTIQZdDrThCqAvZ9rcVAR4pYs3brMiHuEBc=
=QdjD
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Mon, 6 Mar 2023 08:24:35 +0000, Wols Lists wrote:

Do you mean /etc/nsswitch.conf?

Ah yes. Any idea why Firefox seems to ignore it? Whenever I try to
browse to local machines in /etc/hosts, firefox gives me a google
search page which is a bloody nuisance. If I type a VALID ADDRESS in
the ADDRESS BAR, that's where I expect to go! Not some damn random
search page!

I see the same with Chromium sometimes, as the same input field is used
for addresses and search terms and the browser has to make a guess at
which you mean. With Chromium the solution is to add a trailing slash.


--
Neil Bothwick

There are two hard things in computer science:
cache invalidation, naming things and off-by-one errors.

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE8k9T/rX16EJxEKG692eFu0QSMJgFAmQF+O8ACgkQ92eFu0QS MJi8WA/+OeNAjn1zuYtkyOdzaHMCfE/pASNoao//HewICtpTr4KrSuWMgpJcOd9z QpXX8UT8FdAy4tvdHBWjtYImUF6JJZsgaDpyI/PIMpVowB9LV+yQLIDnVoHoo0C9 SfNF+HhAiw2DT98/IbVZW+zUgQgf/bTtwaTxQLEl0HAsqY5AJMtBfqn+dQdAR1dw kj459Lbr+AUKiMIr2BXlN6JKSKpKAHJUDR2EHowQ5vjNOVbFKe4j4IZDcwYE7bb1 r+tOCMlmrTAb9t3Mt43Y6fU/xRdnUSa6AR6jASjbzRX9Sca4OZbNX5nb5fnlfgeu HSwIPJa0QSICiuTVcCcNRMsYbVbF7VavzYFHfqky2krrCclwvaZMfg2+QhXgp12o HNCTE3rdLRDAmB7DPHlaFnl0WVRzXU+FDThgCPsdmPIyX1JMm4o+RJJ76DRS11wD 4nFsy6H+GKD8aCzTP6KCXrHAcZm0BXGP8BCUeIP3RnpNlJZA205mCu78z2J/Kxah nvqIFBX636bgwQ8TbCoLiRG9cbi3lBrU5EvcwBT9Qq8MK7jFiueuIRerlpV0/NDN 9CywhLCTiuYGy3OmiL/cBJV7h2+9kzIaKQ8gFTu9aekcXjmEJtixvj1XIZyRe2MP Th8ViXg8GR4bvZ86tDJvoJpoUxhmsxIAVhM874OVXjyYMuexRuw=
=8/6c
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet

Michael wrote:

On Sunday, 5 March 2023 18:41:10 GMT Dale wrote:

Howdy,

I use Surfshark and every once in a while, my VPN loses its connection.
I sent the info from messages to Surfshark but the info they sent back
on how to set the nameserver info doesn't really work with Gentoo. I
suspect they are used to systemd stuff. Anyway, I tried to follow in a
more Gentoo way but it still didn't work. Then I googled, searched the
Gentoo wiki and tried some of those things, still refuses to use the
manually entered nameserver. I've tried resolv.conf, resolvconf.conf
and resolv.conf-tun0.sv. I installed openresolv to see if that would
help. Nope.

AFAIR, you're meant to pull down from the openvpn server the DNS resolvers you're meant to use with their service, unless you have your own reasons for wanting to override these and set up your own DNS resolvers. Have you looked in /etc/openvpn/ for a suitable setting in the configuration file? I'm sure it will be set to automatically pull down the DNS resolvers and the Up script will set these up for your system when you start openvpn.

This started because I changed to doing OS updates every other weekend. 
That means two weeks of login, two weeks of the VPN being active etc
etc.  When doing that, the VPN would lose connection after a good
while.  Sometimes it would go the whole two weeks with no problems but
on occasion it would lose connection.  I wrote a email to make them
aware to see if this is expected behavior, if I had bad settings or
something was wrong on their end.  That's when I got the info in the
original post, to change DNS servers.  I'm not sure what that has to do
with anything but . . .

You know how awful I am with scripts.  Still, I read through the up
script and even to me, it looks like it is set up to get DNS servers
during the connection setup.  This is the part I see. 


        elif [ "${opt}" != "${opt#dhcp-option DNS *}" ] ; then
            NS="${NS}nameserver ${opt#dhcp-option DNS *}\n"


To me, it seems like it is getting the DNS info and putting it
somewhere.  It appears that wherever it puts it, it is the only place it
looks because nothing I change changes where it goes for DNS info.  To
be honest, I don't know why it should have to be changed.  One would
think that the DNS info they send should work fine otherwise why set it
up that way. 

This is what I got from Surfshark:

I would recommend changing the DNS addresses on your Linux device. You
can simply do that by following the steps below.

First, you need to open the terminal with the CTRL + ALT + T
combination and type in the following commands:
sudo rm -r /etc/resolv.conf
sudo nano /etc/resolv.conf

Normally, you would not have to do this manually. The Up script will enter the resolver IP addresses in your resolv.conf. If it doesn't, then check your
configuration and your openvpn script.

I tried to edit the openvpn.conf file to manually set the nameserver but
it puked on my keyboard and refused to even connect.  I think we are
back to the server I connect to requires its info to be used and if it
isn't, it refuses to complete the connection.  Everything I try results
in a error and connection refused.  It could even be a security setting
that requires this. 

Either way, either this can't be changed and the VPN connect or there is
a setting somewhere that we are not aware of.  I've googled, asked here
plus looked everywhere I can think of, even some places I couldn't
imagine having anything to do with it, and had no luck finding where it
stores the info or how to change it. 

Unless someone comes up with a idea, I'm fresh out.  I have no clue what
to do.  Hey, it does work almost all the time.  It's not the end of the world. 

Thanks.

Dale

:-)  :-) 

P. S.  Getting close to garden time.  :-D

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Tuesday, 7 March 2023 18:11:01 GMT Dale wrote:

Michael wrote:

On Sunday, 5 March 2023 18:41:10 GMT Dale wrote:

Howdy,

I use Surfshark and every once in a while, my VPN loses its connection.
I sent the info from messages to Surfshark but the info they sent back
on how to set the nameserver info doesn't really work with Gentoo. I
suspect they are used to systemd stuff. Anyway, I tried to follow in a
more Gentoo way but it still didn't work. Then I googled, searched the
Gentoo wiki and tried some of those things, still refuses to use the
manually entered nameserver. I've tried resolv.conf, resolvconf.conf
and resolv.conf-tun0.sv. I installed openresolv to see if that would
help. Nope.

AFAIR, you're meant to pull down from the openvpn server the DNS resolvers you're meant to use with their service, unless you have your own reasons for wanting to override these and set up your own DNS resolvers. Have
you looked in /etc/openvpn/ for a suitable setting in the configuration file? I'm sure it will be set to automatically pull down the DNS
resolvers and the Up script will set these up for your system when you start openvpn.

This started because I changed to doing OS updates every other weekend.
That means two weeks of login, two weeks of the VPN being active etc
etc. When doing that, the VPN would lose connection after a good
while. Sometimes it would go the whole two weeks with no problems but
on occasion it would lose connection.

When a connection goes down the openvpn client log would provide the reason
for it. It makes sense to start from there any troubleshooting effort. The DNS resolvers used within the tunnel may be a symptom, rather than the cause.

I wrote a email to make them
aware to see if this is expected behavior, if I had bad settings or
something was wrong on their end. That's when I got the info in the
original post, to change DNS servers. I'm not sure what that has to do
with anything but . . .

Heh! Same here, unless the server side logs indicated this was where the problem actually occurred with your connection.

You know how awful I am with scripts. Still, I read through the up
script and even to me, it looks like it is set up to get DNS servers
during the connection setup. This is the part I see.

elif [ "${opt}" != "${opt#dhcp-option DNS *}" ] ; then
NS="${NS}nameserver ${opt#dhcp-option DNS *}\n"

To me, it seems like it is getting the DNS info and putting it
somewhere. It appears that wherever it puts it, it is the only place it looks because nothing I change changes where it goes for DNS info. To
be honest, I don't know why it should have to be changed. One would
think that the DNS info they send should work fine otherwise why set it
up that way.

DNS resolvers will be added to your resolv.conf when the tunnel comes up.

Instead of messing up with the scripts and hardcoding nameserver IP addresses, have you done any troubleshooting to find out what part of the connection goes down? Is the tunnel still up? Can you ping IP addresses through the tunnel? etc.

This is what I got from Surfshark:

I would recommend changing the DNS addresses on your Linux device. You >>> can simply do that by following the steps below.

First, you need to open the terminal with the CTRL + ALT + T
combination and type in the following commands:
sudo rm -r /etc/resolv.conf
sudo nano /etc/resolv.conf

Normally, you would not have to do this manually. The Up script will
enter
the resolver IP addresses in your resolv.conf. If it doesn't, then check your configuration and your openvpn script.

I tried to edit the openvpn.conf file to manually set the nameserver but
it puked on my keyboard and refused to even connect. I think we are
back to the server I connect to requires its info to be used and if it
isn't, it refuses to complete the connection. Everything I try results
in a error and connection refused. It could even be a security setting
that requires this.

I recall the openvpn.conf has an entry to specify pulling down the DNS resolvers from the server as it is establishing the tunnel. Here's some troubleshooting to confirm if this is the problem, after you reset to defaults everything you interfered with in the openvpn.conf settings.

Either way, either this can't be changed and the VPN connect or there is
a setting somewhere that we are not aware of. I've googled, asked here
plus looked everywhere I can think of, even some places I couldn't
imagine having anything to do with it, and had no luck finding where it stores the info or how to change it.

Unless someone comes up with a idea, I'm fresh out. I have no clue what
to do. Hey, it does work almost all the time. It's not the end of the world.

Thanks.

Dale

:-) :-)

P. S. Getting close to garden time. :-D

I suggest you test for one thing at a time when the connection fails and start with the logs. Hardcoding the DNS resolver addresses may not be the problem you're facing here.
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEXqhvaVh2ERicA8Ceseqq9sKVZxkFAmQIm6oACgkQseqq9sKV Zxk5BxAAiR3kOk6KdA+nipNWnBGdk7uSlAyBgMnvOhzPqkgjhnbcwvNGZ687Ty70 5LBbUPxgschxDYot5HfMb58mbrPGGAoIdBEyOkaULxAHD9nCceC9YQpXzJ8HpzBu UGsz92Z8TIyeY1meDhARIoamyVmwxbfdZnorQqr3rMpHUw3+T9YkliIskvFujkBr Vfww/qA8Dl4yd5Ej+W1TYk45ku+XiA5BGGUhgYccTEJXBT+Awfue8BqopjZF0QUY jdy4wYev4DCN2Stl9mlUB0EGOCLItVN92OKa9hZ8Hd4caxG+LM0MWaoW+nlh6PwJ BeTBu05GEgZ3wHfUKHKWc9X4rIW9Io+4H7T1lZLlimPiQVfCV1alMGnG1cd4MsME gzSQYVI+lpcjIrFxTj6pRP8XzRm71sxFXfEntMlhYCoijjzMuu2fAi4mC2Ec/98s amURglm/jEyQkcjFe60rL3pNT7LAW8to7CJKAvkATvQ6yjja4QC2MsH8fgNTMvlX 29KRsWjeiJEJG1pO9MZZlIzkNhpMUtJ7CMS+gBslFco/HrzNe3ye9KrSBbCb85pG ndDALaqN2dNfsK5gjG1fIzLIDIRW6z5+WVxc2zeNZ8YHCsUYGJlDjqrQ4grWeF/9 U0ioRUFoMrjMZ+YWhND69jCuPndwPuvHZ9vv/hB/2mUlLLeT5XQ=
=fU8G
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Michael wrote:

On Tuesday, 7 March 2023 18:11:01 GMT Dale wrote:

Michael wrote:

On Sunday, 5 March 2023 18:41:10 GMT Dale wrote:

Howdy,

I use Surfshark and every once in a while, my VPN loses its connection. >>>> I sent the info from messages to Surfshark but the info they sent back >>>> on how to set the nameserver info doesn't really work with Gentoo. I
suspect they are used to systemd stuff. Anyway, I tried to follow in a >>>> more Gentoo way but it still didn't work. Then I googled, searched the >>>> Gentoo wiki and tried some of those things, still refuses to use the
manually entered nameserver. I've tried resolv.conf, resolvconf.conf
and resolv.conf-tun0.sv. I installed openresolv to see if that would
help. Nope.

AFAIR, you're meant to pull down from the openvpn server the DNS resolvers >>> you're meant to use with their service, unless you have your own reasons >>> for wanting to override these and set up your own DNS resolvers. Have
you looked in /etc/openvpn/ for a suitable setting in the configuration
file? I'm sure it will be set to automatically pull down the DNS
resolvers and the Up script will set these up for your system when you
start openvpn.

This started because I changed to doing OS updates every other weekend.
That means two weeks of login, two weeks of the VPN being active etc
etc. When doing that, the VPN would lose connection after a good
while. Sometimes it would go the whole two weeks with no problems but
on occasion it would lose connection.

When a connection goes down the openvpn client log would provide the reason for it. It makes sense to start from there any troubleshooting effort. The DNS resolvers used within the tunnel may be a symptom, rather than the cause.

This is from the messages file.  I don't see it logged anywhere else. 

It starts at about 13:54. It seems to try to reconnect but can't. I got this by using tail -n and then grep openvpn on the end.


Mar  1 13:53:32 fireball openvpn[27908]:
[us-hou-v029.prod.surfshark.com] Inactivity timeout (--ping-restart), restarting
Mar  1 13:53:32 fireball openvpn[27908]: /etc/openvpn/down.sh tun0 1500
1584 10.8.8.9 255.255.255.0 restart
Mar  1 13:53:32 fireball openvpn[27908]: SIGUSR1[soft,ping-restart]
received, process restarting
Mar  1 13:53:32 fireball openvpn[27908]: Restart pause, 5 second(s)
Mar  1 13:53:37 fireball openvpn[27908]: NOTE: the current
--script-security setting may allow this configuration to call
user-defined scripts
Mar  1 13:53:37 fireball openvpn[27908]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication Mar  1 13:53:37 fireball openvpn[27908]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication Mar  1 13:53:37 fireball openvpn[27908]: TCP/UDP: Preserving recently
used remote address: [AF_INET]37.19.221.71:1194
Mar  1 13:53:37 fireball openvpn[27908]: Socket Buffers:
R=[212992->425984] S=[212992->425984]
Mar  1 13:53:37 fireball openvpn[27908]: UDP link local: (not bound)
Mar  1 13:53:37 fireball openvpn[27908]: UDP link remote: [AF_INET]37.19.221.71:1194
Mar  1 13:54:37 fireball openvpn[27908]: TLS Error: TLS key negotiation
failed to occur within 60 seconds (check your network connectivity)
Mar  1 13:54:37 fireball openvpn[27908]: TLS Error: TLS handshake failed
Mar  1 13:54:37 fireball openvpn[27908]: /etc/openvpn/down.sh tun0 1500
1653 10.8.8.9 255.255.255.0 restart
Mar  1 13:54:37 fireball openvpn[27908]: SIGUSR1[soft,tls-error]
received, process restarting
Mar  1 13:54:37 fireball openvpn[27908]: Restart pause, 5 second(s)
Mar  1 13:54:42 fireball openvpn[27908]: NOTE: the current
--script-security setting may allow this configuration to call
user-defined scripts
Mar  1 13:54:42 fireball openvpn[27908]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication Mar  1 13:54:42 fireball openvpn[27908]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication Mar  1 13:54:42 fireball openvpn[27908]: TCP/UDP: Preserving recently
used remote address: [AF_INET]107.179.20.179:1194
Mar  1 13:54:42 fireball openvpn[27908]: Socket Buffers:
R=[212992->425984] S=[212992->425984]
Mar  1 13:54:42 fireball openvpn[27908]: UDP link local: (not bound)
Mar  1 13:54:42 fireball openvpn[27908]: UDP link remote: [AF_INET]107.179.20.179:1194
Mar  1 13:55:42 fireball openvpn[27908]: TLS Error: TLS key negotiation
failed to occur within 60 seconds (check your network connectivity)
Mar  1 13:55:42 fireball openvpn[27908]: TLS Error: TLS handshake failed
Mar  1 13:55:42 fireball openvpn[27908]: /etc/openvpn/down.sh tun0 1500
1653 10.8.8.9 255.255.255.0 restart
Mar  1 13:55:42 fireball openvpn[27908]: SIGUSR1[soft,tls-error]
received, process restarting
Mar  1 13:55:42 fireball openvpn[27908]: Restart pause, 5 second(s)
Mar  1 13:55:47 fireball openvpn[27908]: NOTE: the current
--script-security setting may allow this configuration to call
user-defined scripts
Mar  1 13:55:47 fireball openvpn[27908]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication Mar  1 13:55:47 fireball openvpn[27908]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication Mar  1 13:55:47 fireball openvpn[27908]: TCP/UDP: Preserving recently
used remote address: [AF_INET]107.179.20.197:1194
Mar  1 13:55:47 fireball openvpn[27908]: Socket Buffers:
R=[212992->425984] S=[212992->425984]
Mar  1 13:55:47 fireball openvpn[27908]: UDP link local: (not bound)
Mar  1 13:55:47 fireball openvpn[27908]: UDP link remote: [AF_INET]107.179.20.197:1194
Mar  1 13:56:47 fireball openvpn[27908]: TLS Error: TLS key negotiation
failed to occur within 60 seconds (check your network connectivity)
Mar  1 13:56:47 fireball openvpn[27908]: TLS Error: TLS handshake failed
Mar  1 13:56:47 fireball openvpn[27908]: /etc/openvpn/down.sh tun0 1500
1653 10.8.8.9 255.255.255.0 restart
Mar  1 13:56:47 fireball openvpn[27908]: SIGUSR1[soft,tls-error]
received, process restarting
Mar  1 13:56:47 fireball openvpn[27908]: Restart pause, 5 second(s)
Mar  1 13:56:52 fireball openvpn[27908]: NOTE: the current
--script-security setting may allow this configuration to call
user-defined scripts
Mar  1 13:56:52 fireball openvpn[27908]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication Mar  1 13:56:52 fireball openvpn[27908]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication Mar  1 13:56:52 fireball openvpn[27908]: TCP/UDP: Preserving recently
used remote address: [AF_INET]107.179.20.203:1194
Mar  1 13:56:52 fireball openvpn[27908]: Socket Buffers:
R=[212992->425984] S=[212992->425984]
Mar  1 13:56:52 fireball openvpn[27908]: UDP link local: (not bound)
Mar  1 13:56:52 fireball openvpn[27908]: UDP link remote: [AF_INET]107.179.20.203:1194


The weird thing, I can stop openvpn, then start it again just seconds later and it works fine for a good long while.

I wrote a email to make them
aware to see if this is expected behavior, if I had bad settings or
something was wrong on their end. That's when I got the info in the
original post, to change DNS servers. I'm not sure what that has to do
with anything but . . .

Heh! Same here, unless the server side logs indicated this was where the problem actually occurred with your connection.

You know how awful I am with scripts. Still, I read through the up
script and even to me, it looks like it is set up to get DNS servers
during the connection setup. This is the part I see.


elif [ "${opt}" != "${opt#dhcp-option DNS *}" ] ; then
NS="${NS}nameserver ${opt#dhcp-option DNS *}\n"


To me, it seems like it is getting the DNS info and putting it
somewhere. It appears that wherever it puts it, it is the only place it
looks because nothing I change changes where it goes for DNS info. To
be honest, I don't know why it should have to be changed. One would
think that the DNS info they send should work fine otherwise why set it
up that way.

DNS resolvers will be added to your resolv.conf when the tunnel comes up.

Instead of messing up with the scripts and hardcoding nameserver IP addresses,
have you done any troubleshooting to find out what part of the connection goes
down? Is the tunnel still up? Can you ping IP addresses through the tunnel?
etc.

When it stops working, nothing goes through.  My cell phone, which
connects directly to the router and doesn't use the VPN, does work so I
know my internet is working.  Everything else just shows it is trying to connect, which is usually very fast.  I'm loving this fiber internet. 

This is what I got from Surfshark:

I would recommend changing the DNS addresses on your Linux device. You >>>>> can simply do that by following the steps below.

First, you need to open the terminal with the CTRL + ALT + T
combination and type in the following commands:
sudo rm -r /etc/resolv.conf
sudo nano /etc/resolv.conf

Normally, you would not have to do this manually. The Up script will
enter
the resolver IP addresses in your resolv.conf. If it doesn't, then check >>> your configuration and your openvpn script.

I tried to edit the openvpn.conf file to manually set the nameserver but
it puked on my keyboard and refused to even connect. I think we are
back to the server I connect to requires its info to be used and if it
isn't, it refuses to complete the connection. Everything I try results
in a error and connection refused. It could even be a security setting
that requires this.

I recall the openvpn.conf has an entry to specify pulling down the DNS resolvers from the server as it is establishing the tunnel. Here's some troubleshooting to confirm if this is the problem, after you reset to defaults
everything you interfered with in the openvpn.conf settings.

I got this config file from Surfshark.  I think it's public so I guess
there's no harm posting as is. 


client
dev tun
proto udp
remote us-hou.prod.surfshark.com 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0

remote-cert-tls server

auth-user-pass /etc/openvpn/login.conf
mute-replay-warnings

#comp-lzo
verb 3
pull
fast-io
cipher AES-256-CBC

auth SHA512


I don't see anything about DNS/nameserver/resolv.conf there but I may be missing it. When I tried to add that detail, it refused to start at all and puked on my keyboard. It was very unhappy with me telling it what DNS IP to use. That up script it runs
is pretty complicated looking. I'm kinda nervous about messing with it.

Either way, either this can't be changed and the VPN connect or there is
a setting somewhere that we are not aware of. I've googled, asked here
plus looked everywhere I can think of, even some places I couldn't
imagine having anything to do with it, and had no luck finding where it
stores the info or how to change it.

Unless someone comes up with a idea, I'm fresh out. I have no clue what
to do. Hey, it does work almost all the time. It's not the end of the
world.

Thanks.

Dale

:-) :-)

P. S. Getting close to garden time. :-D

I suggest you test for one thing at a time when the connection fails and start
with the logs. Hardcoding the DNS resolver addresses may not be the problem you're facing here.

I posted basically the same info I sent to Surfshark above.  Maybe you
will see something they didn't.  If you need me to check or post
something else, just let me know.  As for testing when it dies on me,
that could involve some wait time.  ;-)

Thanks.

Dale

:-)  :-) 

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wednesday, 8 March 2023 18:30:55 GMT Dale wrote:

It starts at about 13:54. It seems to try to reconnect but can't. I got this by using tail -n and then grep openvpn on the end.

Mar 1 13:53:32 fireball openvpn[27908]:
[us-hou-v029.prod.surfshark.com] Inactivity timeout (--ping-restart), restarting
Mar 1 13:53:32 fireball openvpn[27908]: /etc/openvpn/down.sh tun0 1500
1584 10.8.8.9 255.255.255.0 restart
Mar 1 13:53:32 fireball openvpn[27908]: SIGUSR1[soft,ping-restart]
received, process restarting
Mar 1 13:53:32 fireball openvpn[27908]: Restart pause, 5 second(s)
Mar 1 13:53:37 fireball openvpn[27908]: NOTE: the current
--script-security setting may allow this configuration to call
user-defined scripts
Mar 1 13:53:37 fireball openvpn[27908]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication Mar 1 13:53:37 fireball openvpn[27908]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication Mar 1 13:53:37 fireball openvpn[27908]: TCP/UDP: Preserving recently
used remote address: [AF_INET]37.19.221.71:1194
Mar 1 13:53:37 fireball openvpn[27908]: Socket Buffers:
R=[212992->425984] S=[212992->425984]
Mar 1 13:53:37 fireball openvpn[27908]: UDP link local: (not bound)
Mar 1 13:53:37 fireball openvpn[27908]: UDP link remote: [AF_INET]37.19.221.71:1194
Mar 1 13:54:37 fireball openvpn[27908]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

Here's your problem ^^^

Mar 1 13:54:37 fireball openvpn[27908]: TLS Error: TLS handshake failed

This is your error.

Mar 1 13:54:37 fireball openvpn[27908]: /etc/openvpn/down.sh tun0 1500
1653 10.8.8.9 255.255.255.0 restart
Mar 1 13:54:37 fireball openvpn[27908]: SIGUSR1[soft,tls-error]
received, process restarting
Mar 1 13:54:37 fireball openvpn[27908]: Restart pause, 5 second(s)
Mar 1 13:54:42 fireball openvpn[27908]: NOTE: the current
--script-security setting may allow this configuration to call
user-defined scripts
Mar 1 13:54:42 fireball openvpn[27908]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication Mar 1 13:54:42 fireball openvpn[27908]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication Mar 1 13:54:42 fireball openvpn[27908]: TCP/UDP: Preserving recently
used remote address: [AF_INET]107.179.20.179:1194
Mar 1 13:54:42 fireball openvpn[27908]: Socket Buffers:
R=[212992->425984] S=[212992->425984]
Mar 1 13:54:42 fireball openvpn[27908]: UDP link local: (not bound)
Mar 1 13:54:42 fireball openvpn[27908]: UDP link remote: [AF_INET]107.179.20.179:1194
Mar 1 13:55:42 fireball openvpn[27908]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 1 13:55:42 fireball openvpn[27908]: TLS Error: TLS handshake failed

Have a look here for suggestions:

https://openvpn.net/faq/tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity/

The weird thing, I can stop openvpn, then start it again just seconds later and it works fine for a good long while.

Right, the problem is with renegotiating a connection, after it times out and it fails to agree TLS keys. I seem to recall a bug with this, but I think it would/should have been fixed by now.

I got this config file from Surfshark. I think it's public so I guess there's no harm posting as is.

client
dev tun
proto udp
remote us-hou.prod.surfshark.com 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0

remote-cert-tls server

auth-user-pass /etc/openvpn/login.conf
mute-replay-warnings

#comp-lzo
verb 3
pull
fast-io
cipher AES-256-CBC

auth SHA512

I don't see anything about DNS/nameserver/resolv.conf there but I may be missing it. When I tried to add that detail, it refused to start at all
and puked on my keyboard. It was very unhappy with me telling it what DNS
IP to use. That up script it runs is pretty complicated looking. I'm kinda nervous about messing with it.

There is no DNS problem at all. The problem is related to your client renegotiating keys to encrypt the tunnel with and failing to do so. Have a look at the above URL and see if any of the solutions suggested there points you in the right direction.

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEXqhvaVh2ERicA8Ceseqq9sKVZxkFAmQI8QQACgkQseqq9sKV Zxk/QQ//XQ6AXGkmE+bAKTmI/Gq+8/gx1WfhiL9crSBGh75wRVOSqZTW9RmiW91w KyaN4sIx/p5aEt+2UaQs3CWoSlcGIQfiO+xq2Tcg7PVb7QnVekmf1U7V0LjvVsU+ NHtiYZew+UcqXiYYKbOvjCNPqox/0lYnz0AJFpWNJzQHBExhd1Ifq+6QR8Qvn76c XxJkCYP8Idh44+28LhKyp83uLoGUvwdgiflzmkFp8SjgbMUhMnTu7ldvwwnSbKLp Du1jG7VnwpFk21zzH/mc34BPg9NsED/YTRyGj4oa4mzFlvd8wVNmgu/mZYQmnt+l o5MKs1X3KHyuclAmfjUTXqCrNw8mC4+yHVtajN6QPylC9xbBKKthmndDON4gaRXW 3Fzt1lf/akx/7kl/ujacsn5b2HLdFbBe+gSaDPy5X+OGqXeOUvcpmOKlsMDW9FNB 4tior0Eq17WHsxC9/zfPYuBSqMJnAUDIsMWeEPSwYrShGHqmDUh+aqYFWR2VNc7t rLgm9G38zeiCtAySdzl8SQzhIkotkfwHpSca3XBwCx17AsxO1PEOgOv1gpHFR44O 1pt/KsDrcdGmXb8mEpb0oCIcllaLxMoxcmrow4FguEW/My+qXbVpulFeGJPijhwx V0tqFHSso7wc5+GCnHokHwWuxFz1RATHOgW6bUi6NzWs+BKn/ZQ=
=yMQn
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, 8 Mar 2023 12:30:55 -0600
Dale <rdalek1967@gmail.com> wrote:

Michael wrote:

On Tuesday, 7 March 2023 18:11:01 GMT Dale wrote:

Michael wrote:

On Sunday, 5 March 2023 18:41:10 GMT Dale wrote:

Howdy,

<snip>

This is from the messages file.  I don't see it logged anywhere else. 

It starts at about 13:54. It seems to try to reconnect but can't. I got this by using tail -n and then grep openvpn on the end.

Mar  1 13:53:32 fireball openvpn[27908]:
[us-hou-v029.prod.surfshark.com] Inactivity timeout (--ping-restart), restarting
Mar  1 13:53:32 fireball openvpn[27908]: /etc/openvpn/down.sh tun0 1500
1584 10.8.8.9 255.255.255.0 restart
Mar  1 13:53:32 fireball openvpn[27908]: SIGUSR1[soft,ping-restart]
received, process restarting
Mar  1 13:53:32 fireball openvpn[27908]: Restart pause, 5 second(s)
Mar  1 13:53:37 fireball openvpn[27908]: NOTE: the current

<anip>

The weird thing, I can stop openvpn, then start it again just seconds later and it works fine for a good long while.

<snip>


I have seen OpenVPN get stuck and not process a SIGUSR1 properly. Maybe try setting remap-usr1 to SIGHUP in the configuration to reset the state of openvpn or run external kicker script.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Michael wrote:

On Wednesday, 8 March 2023 18:30:55 GMT Dale wrote:

It starts at about 13:54. It seems to try to reconnect but can't. I got this >> by using tail -n and then grep openvpn on the end.


Mar 1 13:53:32 fireball openvpn[27908]:
[us-hou-v029.prod.surfshark.com] Inactivity timeout (--ping-restart),
restarting
Mar 1 13:53:32 fireball openvpn[27908]: /etc/openvpn/down.sh tun0 150

0

1584 10.8.8.9 255.255.255.0 restart
Mar 1 13:53:32 fireball openvpn[27908]: SIGUSR1[soft,ping-restart]
received, process restarting
Mar 1 13:53:32 fireball openvpn[27908]: Restart pause, 5 second(s)
Mar 1 13:53:37 fireball openvpn[27908]: NOTE: the current
--script-security setting may allow this configuration to call
user-defined scripts
Mar 1 13:53:37 fireball openvpn[27908]: Outgoing Control Channel
Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication >> Mar 1 13:53:37 fireball openvpn[27908]: Incoming Control Channel
Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication >> Mar 1 13:53:37 fireball openvpn[27908]: TCP/UDP: Preserving recently
used remote address: [AF_INET]37.19.221.71:1194
Mar 1 13:53:37 fireball openvpn[27908]: Socket Buffers:
R=[212992->425984] S=[212992->425984]
Mar 1 13:53:37 fireball openvpn[27908]: UDP link local: (not bound)
Mar 1 13:53:37 fireball openvpn[27908]: UDP link remote:
[AF_INET]37.19.221.71:1194
Mar 1 13:54:37 fireball openvpn[27908]: TLS Error: TLS key negotiation
failed to occur within 60 seconds (check your network connectivity)

Here's your problem ^^^

Mar 1 13:54:37 fireball openvpn[27908]: TLS Error: TLS handshake failed

This is your error.

Mar 1 13:54:37 fireball openvpn[27908]: /etc/openvpn/down.sh tun0 150

0

1653 10.8.8.9 255.255.255.0 restart
Mar 1 13:54:37 fireball openvpn[27908]: SIGUSR1[soft,tls-error]
received, process restarting
Mar 1 13:54:37 fireball openvpn[27908]: Restart pause, 5 second(s)
Mar 1 13:54:42 fireball openvpn[27908]: NOTE: the current
--script-security setting may allow this configuration to call
user-defined scripts
Mar 1 13:54:42 fireball openvpn[27908]: Outgoing Control Channel
Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication >> Mar 1 13:54:42 fireball openvpn[27908]: Incoming Control Channel
Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication >> Mar 1 13:54:42 fireball openvpn[27908]: TCP/UDP: Preserving recently
used remote address: [AF_INET]107.179.20.179:1194
Mar 1 13:54:42 fireball openvpn[27908]: Socket Buffers:
R=[212992->425984] S=[212992->425984]
Mar 1 13:54:42 fireball openvpn[27908]: UDP link local: (not bound)
Mar 1 13:54:42 fireball openvpn[27908]: UDP link remote:
[AF_INET]107.179.20.179:1194
Mar 1 13:55:42 fireball openvpn[27908]: TLS Error: TLS key negotiation
failed to occur within 60 seconds (check your network connectivity)
Mar 1 13:55:42 fireball openvpn[27908]: TLS Error: TLS handshake failed

Have a look here for suggestions:

https://openvpn.net/faq/tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity/

The weird thing, I can stop openvpn, then start it again just seconds later >> and it works fine for a good long while.

Right, the problem is with renegotiating a connection, after it times out and
it fails to agree TLS keys. I seem to recall a bug with this, but I think it
would/should have been fixed by now.

I got this config file from Surfshark. I think it's public so I guess
there's no harm posting as is.


client
dev tun
proto udp
remote us-hou.prod.surfshark.com 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0

remote-cert-tls server

auth-user-pass /etc/openvpn/login.conf
mute-replay-warnings

#comp-lzo
verb 3
pull
fast-io
cipher AES-256-CBC

auth SHA512


I don't see anything about DNS/nameserver/resolv.conf there but I may be
missing it. When I tried to add that detail, it refused to start at all
and puked on my keyboard. It was very unhappy with me telling it what DNS >> IP to use. That up script it runs is pretty complicated looking. I'm kinda >> nervous about messing with it.

There is no DNS problem at all. The problem is related to your client renegotiating keys to encrypt the tunnel with and failing to do so. Have a look at the above URL and see if any of the solutions suggested there points you in the right direction.

I read through the link.  It would seem it would fail to establish any connection for most of those, blocked port on my end for example.  Since
it does connect and works for days, over a week even, I'd think those
ports are open.  There are others that point to the problem being on the
other end.  I have no way to check that part.  So, I think my end is OK
and their end has a hiccup somewhere.  I'm using openvpn-2.5.6 and I see
a keyworded version available.  Think I should try the newer version? 

Given I can't find a way to manually set DNS servers, would it be fair
to say that openvpn does it the way it does for security reasons?  I've
read that if ISPs can track DNS requests, they can learn quite a lot of
info.  It might be that openvpn requires it to be done its way for a
security reason and pukes when one tries to override that setting.  It
sure refuses to work at all when I try to set it manually. 

Now to figure out what to tell Surfshark.  :/

Dale

:-)  :-) 

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)