After About 5 Days I get this: openvpn[5531]: RESOLVE: Cannot resolve host addre
-
I have my home network setup so that the OpenVPN Client interface is set to WAN and all the data is being sent through the VPN (or so I think is there a way to check?). Everything seems to be working but after about 4-5 days of the client being connected the vpn goes down and I am not able to use the internet. I looked in the OpenVPN logs and this is the error message. If I restart the OpenVPN client all goes back to normal for another 4-5 days. Could someone help resolve this? I have a very basic knowledge of home network systems so please feel free to explain it as if I have no clue.
Oct 17 15:45:23 openvpn[5531]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Oct 17 15:45:28 openvpn[5531]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Oct 17 15:45:33 openvpn[5531]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Oct 17 15:45:38 openvpn[5531]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Oct 17 15:45:43 openvpn[5531]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Oct 17 15:45:48 openvpn[5531]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Oct 17 15:45:53 openvpn[5531]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Oct 17 15:45:58 openvpn[5531]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Oct 17 15:46:03 openvpn[5531]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known -
Ok, let's see
It seems that somehow your vpn server cannot be resolved ~ weird.
Did you use a particular guide to set pfsense up?
Could you show us a screenshot of your openvpn client configuration?
Also can you post screenshots of:
Interfaces->(assign) page?
Then List interfaces you have (if VPN Interface)
Also System-> Routing gateways page
then press edit on your VPN Gateway and screenshot of that page. (THIS MAYBE IMPORTANT AS IN MY SETUP I HAVE MONITOR GATEWAY SETTINGS)This should be enough :)
-
oh boy… I followed this guide http://www.komodosteve.com/archives/232 and please see the attached screenshots of the rest! Please be aware that I am only connected to either the Midwest or Swiss VPN at one time not both at once.
 -
Interesting.
1st. You can manage your CAs in the pfsense and there is no need to do that as part of advanced config…. just a thought but that's not an issue...Why do you have so many gateways? If you have only 2 VPNs ie swiss and midwest?
On My setup I have following gateways:
LAN
WAN
VPN-US ---> Here I have monitor ip set to 8.8.8.8 ie google dns
VPN-EUROPE --> here I have monitor ip set to same as above
I have both connected at the same time ( I don't care really I dont want to bother reconnecting stuff if needed)
I have 2 VPN Clients
US one
in advanced edit box I specified this
remote server-name-for-us1 port;
remote server-name-for-us2 port;
remote server-name-for-us3 port;
remote-random;EU one
in advanced edit box I specified this
remote server-name-for-eu1 port;
remote server-name-for-eu2 port;
remote server-name-for-eu3 port;
remote-random;What above does is allows your vpn client to randomly choose from the pool of servers to connect to. ( I am assuming this is the reason you have many gateways).
-
Also what does your general setup page look like?
-
Honestly I think the gateways were auto setup as I have not made changes to them. Private Internet Access does not provide IP address "Due to an update in our business practices, and the increased blocking of our IP's by end point providers, we will no longer be updating this thread with a copy of our IP addresses, a news post for comments will be put up shortly." They give a list like this
United States (US VPN)
us-midwest.privateinternetaccess.com
us-east.privateinternetaccess.com
us-west.privateinternetaccess.com
us-texas.privateinternetaccess.com
us-california.privateinternetaccess.com
us-florida.privateinternetaccess.com
 -
Interesting ok.
Maybe because you're using Ipv6 which I am not. In system advanced->networking. but that's off topic.Try this:
In your vpn client advanced: add the follwing:With all your us servers:
remote server-name-for-eu1 port;
remote server-name-for-eu2 port;
remote server-name-for-eu3 port;
remote-random;Then in your gateway configuration
add alternate monitoring ip and put 8.8.8.8 or another dns server ip like opendns.go to status->services and restart your openvpn client.
Clear and start monitoring your logs for openvpn try maybe unplugging your modem to see what happens and if your internet dies. to check if your openvpn will try to reconnect.
on side note judging from your log though it seems like your firewall cannot resolve your us domain name once VPN is down.
-
Yeah…......... crap lol
I think this is the issue.
Since you are blocking all access to the internet and your vpn is down.... can router resolve domain names? -
Yeah…......... crap lol
I think this is the issue.
Since you are blocking all access to the internet and your vpn is down.... can router resolve domain names?I am guessing that my router cannot resolve the domain name. How would I check that?
-
1. Check your outbound NAT rules and your FIREWALL rules.
2. login into your router using ssh when this issue is happening then do nslookup microsoft.com or ping microsoft.com etc…...... or your vpn server name.
Also this is not an issue for me since I am using policy based routing
SO all my network has access to WAN except 3-4 machines those are routed to VPN exclusively. So my firewall always has access to ISP DNS servers but VPN machines do not.Easiest solution for you to fix this is to enable DNS forwarding BUT THAT IS A BAD IDEA!!!! you WILL HAVE DNS leaks.
What this means is
Any dns request you do will go like this COMPUTER ->>> ROUTER ----> ROUTER WILL GO AND LOOKUP DOMAIN NAME THROUGH ANY AVAILABLE GATEWAY (ISP INCLUDED) Then RETURN THAT IP TO YOUR MACHINE.
So if vpn is up or down your firewall will go to your isp and to your vpn provider to check domain name ---> DNS LEAK ---> NOT SECURE. -
Well I do not want DNS leaks. What if I changed my router to use all policy based routing and just selected all the machines to use either the US or Europe vpn? do you think that would fix the issue? That would honestly be preferred to have certain machines on the US vpn and others on the Europe vpns. If that would fix the problem of resolving the host address issue, would you mind explaining how to change from whatever I am doing :o to policy based routing?
-
It is really not hard to do…
I think I did something like this to setup my initial vpn for the first time:
http://forum.pfsense.org/index.php/topic,29944.0.html --- just a setup not policy stuff.Also your crazy number of gateway confuses me.... :) check your ipv6 if it is enabled....
Now to policy based routing and multi VPN.1. Make 2 VPN clients, 2 gateways etc..... make sure they are both connecting at the same time. (and use my suggestions for using multiple remotes in previous posts per client)
2. In your firewall rules in LAN you will specify source: ip or alias EU machine and in advanced you will select your gateway EU
3. same for your US machine.
4. outbound nat settings on top you will say and this is important if you want to restrict your vpn machine not to go on the internet when vpn is down.... outbound nat: source vpn machineip or aluas DO NOT NAT CHECK.
5. in your floating rules. proto: any, source: vpn machine ip or alias, outgoing any, interface WAN. this with #4 will block your machine from going to internets. -
Wow that is pretty cool! One computer is connected to the US VPN and anther is connected to the Europe VPN. It is interesting that If one of the VPN's goes down both alias connected to the do not nat and floating rules stop working. Why is that? Good news however all other devices not associated with the alias go back to the regular WAN gateway and work just fine. Thanks for your help!!
-
Hehe I am glad it's working for you!!!
It's freaking cool stuff.So regarding your private message.
In order to have each VPN client (i assuming you have 2 setup in openpn) to randomly connect to its available server you have to
specify 1 address in its remote field and rest put in advanced section.Regarding nat.
As I understand how nat works it translates your internal IP address ie 192.168.1.5 to outside world.
By saying DO NOT NAT this address your router wont translate to outside world. (btw this rule should be on top). So it's kinda hanging around in router….
Then this way floating section of firewall will drop your packet and wont let it go outside. If you don't set floating rule i think it may still get out but will be dropped by isp. (I may be wrong here i am not a network expert) :)So in my personal setup i have:
2 Clients
2 Gateways
2 Floating firewall rules
2 Nat rules don't nat in nat section
In LAN tab I have 2 rules routing traffic from alias -> gateways
in openvpn tab I have nothing no rules all dropped.
In each gateway tabs I have nothing all incoming dropped.Hope this helped. If anything you can post your setup (gateways, clients, firewall floating rules, etc.... here) I can check stuff.
also is connection still dropped after few days or all good?
PS
I may have misread your post are you saying both all vpn client machine stop working like if one goes down both us and eu go down?
keep in mind you should have DNAT rule for each machine or each alias
DNT for EU
DNT for US -
As far as the original issue of the network cannot resolve host name, it is still to early to tell if that is fixed (It used to happen after about 5 days or so… and I am only on day 2).
I believe I now have the same setup as you are describing. The weird thing is that if one VPN goes down then both the US and EU VPN's kill the connections (I do have 2 - Do NOT NAT rules). I would have assumed that if the EU VPN went down then only the EU connections would be stopped.
So why did you want to setup random remote IP's? Also I have attached a couple of screen shots of how I setup the various remote severs (hopefully I did that correctly).
-
I have random servers just so it connects to different servers and not single one every time no particular reason but just to make sure if one of servers is slow it will connect to different one automatically next time i reconnect.
Could you take screenshots of:
1. List of your gateways.
2. Your floating rules.
3. Your LAN rules.
4. Your NAT outgoing table
5. Your clients list (you can blank out what you dont wanna show) -
I have attached the screenshots. I also have an internal OpenVPN server setup so that I can access my network so that is why my NAT outgoing tables has so many entries. Let me know if you need any other screenshots.
 -
More Screenshots
 -
Your protocols should be any.
Also floating rules should block traffic not allow it. -
Oh thanks! I changed the rules to blocked. The protocols are set to any see the attached screenshots (I am not sure why it says IPv4 *). Also, to make sure it is working all I have to do is disable a vpn client and then ping google.com and as long as the packets don't send I am good right?
