After About 5 Days I get this: openvpn[5531]: RESOLVE: Cannot resolve host addre



  • I have my home network set up so that the OpenVPN client interface is set to WAN and all the data is being sent through the VPN (or so I think; is there a way to check?). Everything seems to be working, but after about 4-5 days of the client being connected the VPN goes down and I am not able to use the internet. I looked in the OpenVPN logs and this is the error message. If I restart the OpenVPN client all goes back to normal for another 4-5 days. Could someone help resolve this? I have a very basic knowledge of home network systems, so please feel free to explain it as if I have no clue.

    Oct 17 15:45:23 openvpn[5531]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
    Oct 17 15:45:28 openvpn[5531]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
    Oct 17 15:45:33 openvpn[5531]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
    Oct 17 15:45:38 openvpn[5531]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
    Oct 17 15:45:43 openvpn[5531]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
    Oct 17 15:45:48 openvpn[5531]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
    Oct 17 15:45:53 openvpn[5531]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
    Oct 17 15:45:58 openvpn[5531]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
    Oct 17 15:46:03 openvpn[5531]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
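    As an added example (not part of the original thread), here is a small Python script that pulls RESOLVE failures out of OpenVPN syslog lines like the ones above and reports how long the client has been stuck retrying the same hostname. The sample input is the nine lines quoted in the question plus one constructed non-RESOLVE line to show that other messages are ignored. A run of RESOLVE failures that starts after days of a working session means the firewall itself has lost name resolution, which is the case when its only resolver path ran through the tunnel that just dropped.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the nine RESOLVE lines quoted in the question, preceded by
# one constructed unrelated OpenVPN message so the parser's filtering is visible.
SAMPLE_LOG = """\
Oct 17 15:45:20 openvpn[5531]: SIGUSR1[soft,ping-restart] received, process restarting
Oct 17 15:45:23 openvpn[5531]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Oct 17 15:45:28 openvpn[5531]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Oct 17 15:45:33 openvpn[5531]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Oct 17 15:45:38 openvpn[5531]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Oct 17 15:45:43 openvpn[5531]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Oct 17 15:45:48 openvpn[5531]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Oct 17 15:45:53 openvpn[5531]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Oct 17 15:45:58 openvpn[5531]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Oct 17 15:46:03 openvpn[5531]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
"""

# Matches the syslog line shape shown in the question (older OpenVPN wording).
RESOLVE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"openvpn\[(?P<pid>\d+)\]: RESOLVE: Cannot resolve host address: "
    r"(?P<host>[^\s:]+): (?P<reason>.+)$"
)


def parse_resolve_failure(line):
    """Return (timestamp, pid, host, reason) for a RESOLVE failure line, else None."""
    m = RESOLVE_RE.match(line.strip())
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # because the values are only used for differences within one log.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["pid"], m["host"], m["reason"]


def find_resolve_loops(lines, min_count=3, max_gap=timedelta(seconds=60)):
    """Group consecutive RESOLVE failures for the same process and hostname.

    A run counts when it holds at least min_count failures and each failure
    follows the previous one within max_gap. Returns one dict per run.
    """
    runs = []
    current = None
    for line in lines:
        parsed = parse_resolve_failure(line)
        if parsed is None:
            continue
        ts, pid, host, reason = parsed
        if (current is not None and current["pid"] == pid
                and current["host"] == host and ts - current["last"] <= max_gap):
            current["count"] += 1
            current["last"] = ts
        else:
            if current is not None and current["count"] >= min_count:
                runs.append(current)
            current = {"pid": pid, "host": host, "reason": reason,
                       "first": ts, "last": ts, "count": 1}
    if current is not None and current["count"] >= min_count:
        runs.append(current)
    for run in runs:
        run["seconds"] = int((run["last"] - run["first"]).total_seconds())
    return runs


def report(lines):
    """Human-readable summary, one line per detected resolve loop."""
    return [f"{r['host']} (pid {r['pid']}): {r['count']} failures over "
            f"{r['seconds']}s: {r['reason']}" for r in find_resolve_loops(lines)]


if __name__ == "__main__":
    for summary in report(SAMPLE_LOG.splitlines()):
        print(summary)
```

    Run against the sample it reports one loop of 9 failures over 40 seconds for us-midwest.privateinternetaccess.com. The same script can be pointed at the OpenVPN log on the firewall, and a loop that appears while the tunnel is down is the signal that the check suggested later in the thread (resolving the server name from the firewall itself over SSH) will fail too.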



  • Ok, let's see

    It seems that somehow your vpn server cannot be resolved ~ weird.

    Did you use a particular guide to set pfsense up?
    Could you show us a screenshot of your openvpn client configuration?
    Also can you post screenshots of:
    Interfaces->(assign) page?
    Then List interfaces you have (if VPN Interface)
    Also System-> Routing  gateways page
    then press edit on your VPN gateway and screenshot that page. (THIS MAY BE IMPORTANT, AS IN MY SETUP I HAVE MONITOR GATEWAY SETTINGS)

    This should be enough :)



  • oh boy… I followed this guide http://www.komodosteve.com/archives/232 and please see the attached screenshots of the rest! Please be aware that I am only connected to either the Midwest or Swiss VPN at one time not both at once.

    ![Interface Assign.PNG](/public/imported_attachments/1/Interface Assign.PNG)


    ![OpenVPN Client 1 of 2.PNG](/public/imported_attachments/1/OpenVPN Client 1 of 2.PNG)
    ![OpenVPN Client 2 of 2.PNG](/public/imported_attachments/1/OpenVPN Client 2 of 2.PNG)
    ![System Gateways Edit Gateway.PNG](/public/imported_attachments/1/System Gateways Edit Gateway.PNG)



  • Interesting.
    1st. You can manage your CAs in pfSense, and there is no need to do that as part of the advanced config... just a thought, but that's not an issue...

    Why do you have so many gateways? If you have only 2 VPNs ie swiss and midwest?

    On My setup I have following gateways:
    LAN
    WAN
    VPN-US ---> Here I have monitor ip set to 8.8.8.8 ie google dns
    VPN-EUROPE --> here I have monitor ip set to same as above


    I have both connected at the same time (I don't care really, I don't want to bother reconnecting stuff if needed)

    I have 2 VPN Clients
    US one
    in advanced edit box I specified this
    remote server-name-for-us1 port;
    remote server-name-for-us2 port;
    remote server-name-for-us3 port;
    remote-random;

    EU one
    in advanced edit box I specified this
    remote server-name-for-eu1 port;
    remote server-name-for-eu2 port;
    remote server-name-for-eu3 port;
    remote-random;

    What the above does is allow your VPN client to randomly choose from the pool of servers to connect to. (I am assuming this is the reason you have many gateways.)



  • Also what does your general setup page look like?



  • Honestly I think the gateways were auto set up, as I have not made changes to them. Private Internet Access does not provide IP addresses: "Due to an update in our business practices, and the increased blocking of our IP's by end point providers, we will no longer be updating this thread with a copy of our IP addresses, a news post for comments will be put up shortly." They give a list like this:
    United States (US VPN)
    us-midwest.privateinternetaccess.com
    us-east.privateinternetaccess.com
    us-west.privateinternetaccess.com
    us-texas.privateinternetaccess.com
    us-california.privateinternetaccess.com
    us-florida.privateinternetaccess.com

    ![system General Setup.PNG](/public/imported_attachments/1/system General Setup.PNG)



  • Interesting ok.
    Maybe because you're using IPv6, which I am not (System Advanced->Networking). But that's off topic.

    Try this:
    In your VPN client advanced config, add the following:

    With all your us servers:

    remote server-name-for-eu1 port;
    remote server-name-for-eu2 port;
    remote server-name-for-eu3 port;
    remote-random;

    Then in your gateway configuration
    add alternate monitoring ip and put 8.8.8.8 or another dns server ip like opendns.

    go to status->services and restart your openvpn client.

    Clear and start monitoring your logs for OpenVPN. Try maybe unplugging your modem to see what happens and whether your internet dies, to check if your OpenVPN will try to reconnect.

    On a side note, judging from your log it seems like your firewall cannot resolve your US domain name once the VPN is down.



  • Yeah... crap lol
    I think this is the issue.
    Since you are blocking all access to the internet and your VPN is down.... can the router resolve domain names?



  • @m3ki:

    Yeah... crap lol
    I think this is the issue.
    Since you are blocking all access to the internet and your VPN is down.... can the router resolve domain names?

    I am guessing that my router cannot resolve the domain name. How would I check that?



  • 1. Check your outbound NAT rules and your FIREWALL rules.
    2. Log in to your router using SSH when this issue is happening, then do nslookup microsoft.com or ping microsoft.com etc... or your VPN server name.


    Also this is not an issue for me since I am using policy-based routing.
    So all of my network has access to WAN except 3-4 machines, which are routed to VPN exclusively. So my firewall always has access to ISP DNS servers but the VPN machines do not.

    The easiest solution for you to fix this is to enable DNS forwarding, BUT THAT IS A BAD IDEA!!!! You WILL HAVE DNS leaks.
    What this means is:
    Any DNS request you do will go like this: COMPUTER ->>> ROUTER ----> ROUTER WILL GO AND LOOK UP THE DOMAIN NAME THROUGH ANY AVAILABLE GATEWAY (ISP INCLUDED), THEN RETURN THAT IP TO YOUR MACHINE.
    So whether the VPN is up or down, your firewall will go to your ISP and to your VPN provider to check the domain name ---> DNS LEAK ---> NOT SECURE.



  • Well, I do not want DNS leaks. What if I changed my router to use all policy-based routing and just selected all the machines to use either the US or Europe VPN? Do you think that would fix the issue? It would honestly be preferred to have certain machines on the US VPN and others on the Europe VPN. If that would fix the problem of resolving the host address, would you mind explaining how to change from whatever I am doing :o to policy-based routing?



  • It is really not hard to do…

    I think I did something like this to setup my initial vpn for the first time:
    http://forum.pfsense.org/index.php/topic,29944.0.html --- just a setup not policy stuff.

    Also your crazy number of gateways confuses me.... :) Check whether your IPv6 is enabled....
    Now to policy-based routing and multi-VPN.

    1. Make 2 VPN clients, 2 gateways etc..... Make sure they are both connecting at the same time (and use my suggestions from previous posts for using multiple remotes per client).
    2. In your firewall rules in LAN you will specify source: IP or alias of the EU machine, and in advanced you will select your gateway EU.
    3. Same for your US machine.
    4. Outbound NAT settings, on top (this is important if you want to restrict your VPN machine from going on the internet when the VPN is down....): outbound NAT: source VPN machine IP or alias, DO NOT NAT checked.
    5. In your floating rules: proto: any, source: VPN machine IP or alias, outgoing any, interface WAN. This with #4 will block your machine from going to the internet.



  • Wow, that is pretty cool! One computer is connected to the US VPN and another is connected to the Europe VPN. It is interesting that if one of the VPNs goes down, both aliases connected to the do-not-NAT and floating rules stop working. Why is that? Good news however: all other devices not associated with the aliases go back to the regular WAN gateway and work just fine. Thanks for your help!!



  • Hehe I am glad it's working for you!!!
    It's freaking cool stuff.

    So regarding your private message.
    In order to have each VPN client (I'm assuming you have 2 set up in OpenVPN) randomly connect to one of its available servers, you have to
    specify 1 address in its remote field and put the rest in the advanced section.

    Regarding NAT.
    As I understand how NAT works, it translates your internal IP address, i.e. 192.168.1.5, to the outside world.
    By saying DO NOT NAT this address, your router won't translate it to the outside world (btw this rule should be on top). So it's kinda hanging around in the router....
    Then this way the floating section of the firewall will drop your packet and won't let it go outside. If you don't set the floating rule I think it may still get out but will be dropped by the ISP. (I may be wrong here, I am not a network expert) :)

    So in my personal setup i have:
    2 Clients
    2 Gateways
    2 Floating firewall rules
    2 NAT rules (do not NAT) in the NAT section
    In the LAN tab I have 2 rules routing traffic from alias -> gateways
    In the OpenVPN tab I have nothing, no rules, all dropped.
    In each gateway tab I have nothing, all incoming dropped.

    Hope this helped. If anything you can post your setup (gateways, clients, firewall floating rules, etc.... here) I can check stuff.

    Also, is the connection still dropped after a few days, or all good?

    PS

    I may have misread your post: are you saying all VPN client machines stop working, like if one goes down both US and EU go down?
    Keep in mind you should have a DNAT (do not NAT) rule for each machine or each alias:
    DNT for EU
    DNT for US



  • As far as the original issue of the network not being able to resolve the host name, it is still too early to tell if that is fixed (it used to happen after about 5 days or so... and I am only on day 2).

    I believe I now have the same setup as you are describing. The weird thing is that if one VPN goes down then both the US and EU VPNs kill the connections (I do have 2 Do NOT NAT rules). I would have assumed that if the EU VPN went down then only the EU connections would be stopped.

    So why did you want to set up random remote IPs? Also I have attached a couple of screenshots of how I set up the various remote servers (hopefully I did that correctly).






  • I have random servers just so it connects to different servers and not a single one every time; no particular reason, but just to make sure that if one of the servers is slow it will connect to a different one automatically the next time I reconnect.

    Could you take screenshots of:

    1. List of your gateways.
    2. Your floating rules.
    3. Your LAN rules.
    4. Your NAT outgoing table
    5. Your clients list (you can blank out what you don't wanna show)



  • I have attached the screenshots. I also have an internal OpenVPN server set up so that I can access my network; that is why my NAT outgoing table has so many entries. Let me know if you need any other screenshots.

    ![System Gateways.JPG](/public/imported_attachments/1/System Gateways.JPG)
    ![Floating Rules.JPG](/public/imported_attachments/1/Floating Rules.JPG)
    ![LAN Rules.JPG](/public/imported_attachments/1/LAN Rules.JPG)



  • More Screenshots

    ![NAT Outgoing Table.JPG](/public/imported_attachments/1/NAT Outgoing Table.JPG)
    ![OpenVPN Clients.JPG](/public/imported_attachments/1/OpenVPN Clients.JPG)



  • Your protocols should be any.
    Also floating rules should block traffic not allow it.



  • Oh thanks! I changed the rules to block. The protocols are set to any; see the attached screenshots (I am not sure why it says IPv4 *). Also, to make sure it is working, all I have to do is disable a VPN client and then ping google.com, and as long as the packets don't send I am good, right?

    ![Floating Rule 1.JPG](/public/imported_attachments/1/Floating Rule 1.JPG)
    ![Floating Rule 2.JPG](/public/imported_attachments/1/Floating Rule 2.JPG)



  • Theoretically now you should have either one VPN working. I don't know why both of yours go down. Maybe something to do with your interface assignments?



  • Here is the interface assignment page.

    ![Interface Assignments.JPG](/public/imported_attachments/1/Interface Assignments.JPG)
    ![Interface Assignments 2.JPG](/public/imported_attachments/1/Interface Assignments 2.JPG)



  • Strange. So if you disable one of the clients now, then both EU and US machines won't have internet?



  • Correct. If I disable one VPN client, both the US and EU machines will not ping Google.



  • Hmm... that could be a DNS issue.... What if you ping Google on one of those machines by IP?
    Also, is there an overlap in your aliases by any chance?

    EU_VPNCLIENT -> DOWN
    US_VPNCLIENT -> UP

    EU_MACHINE -> ping -> 8.8.8.8 ??
    US_MACHINE -> ping -> 8.8.8.8 ??



  • I checked to make sure the aliases were in the correct spots and they appear to be. I then took the EU VPN down and tried 8.8.8.8, and still both will not get packets.



  • Can you screenshot the do-not-NAT rule?



  • Also try disabling the floating rules to troubleshoot. What happens if the floating rules are disabled? Any luck then?



  • Here is the DO NOT NAT RULE

    ![Do NOT NAT.JPG](/public/imported_attachments/1/Do NOT NAT.JPG)



  • If I disable the floating rules and ping 8.8.8.8 instead of getting "destination host unreachable" it says "request timed out" on both machines. So that doesn't seem to be the problem.



  • This means that DO NOT NAT is applied, so packets are not dropped but are still lurking. Keep floating disabled for now. Try turning off the do-not-NAT rules (keep in mind they are applied top down: if one doesn't apply, the next one will catch it ;) ).



  • OK so (Note: EU Do NOT NAT is on top)

    TEST 1:
    ALL floating rules disabled -> USA DO NOT NAT unchecked -> USA VPN disabled = USA machines can ping / EU machine will not ping

    TEST 2:
    ALL floating rules disabled -> USA DO NOT NAT unchecked -> EU VPN disabled = USA machines can ping / EU machine will not ping

    TEST 3:
    ALL floating rules disabled -> EU DO NOT NAT unchecked -> EU VPN disabled = USA machines can ping / EU machine will not ping

    TEST 4:
    ALL floating rules disabled -> EU DO NOT NAT unchecked -> USA VPN disabled = USA machines can ping / EU machine can ping

    TEST 5:
    ALL floating rules disabled -> ALL DO NOT NAT unchecked -> USA VPN disabled = USA machines can ping / EU machine can ping



  • Figured it out. The problem was that under Firewall -> Rules -> LAN, proto was set to "TCP" on both VPNs. I changed proto to "Any" and now if one VPN goes down the other one still works.



  • How to use Policy Based Routing and Multi VPN

    • I Followed this guide http://www.komodosteve.com/archives/232

    • NOTES: I used the same server port for both VPNs

    • NOTES: I added the following commands into Advanced Config (when pfSense first boots it loads VPN_IP_#1, but if the client gets restarted it will randomly pick one of the 3 VPN_IPs)

    • SCREENSHOT: OpenVPN Client 1

    • SCREENSHOT: OpenVPN Client 2

    remote VPN_IP_#1 Port#;
    remote VPN_IP_#2 Port#;
    remote VPN_IP_#3 Port#;
    remote-random;

    • SCREENSHOT: System Gateways

    • This is where you will set up two aliases, for the USA VPN machines and the EU VPN machines

    • Make sure you have static IP addresses for the machines

    • I made 3 rules (1 that redirects the EU alias through the EU gateway, 1 that redirects the US alias through the US gateway, and 1 that selects every other IP address not specified in the aliases and sends it to the default WAN gateway)

    • Proto: ANY, Source: Alias, Gateway: VPN

    • SCREENSHOT: Firewall Rules 1

    • SCREENSHOT: Firewall Rules 2

    • First delete all rules

    • Select "Automatic outbound NAT rule generation" and click save

    • Select "Manual Outbound NAT rule generation" and click save

    • This should auto-create any rules needed for the VPNs

    • Now create a rule that will stop traffic if the VPN is down

    • Click "Do not NAT", Interface "WAN", Protocol "any", Source "Alias"

    • MAKE SURE you move the rule to the top of the list as pfsense carries out rules from top down

    • SCREENSHOT: Firewall NAT Outbound 1

    • SCREENSHOT: Firewall NAT Outbound 2

    • Action "Block", Interface "WAN", Direction "any", Protocol "any", Source "alias"

    • SCREENSHOT: Firewall Rules Floating 1

    • SCREENSHOT: Firewall Rules Floating 2

    • This along with #5 will block your machine from going to the internet

    ![OpenVPN Client 1.JPG](/public/imported_attachments/1/OpenVPN Client 1.JPG)
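    The five-step recipe given earlier in the thread and the how-to above both rely on three rule sets that pfSense evaluates top-down, first match wins: the LAN policy-routing rules, the outbound NAT "Do not NAT" rules, and the floating block rules on WAN. The following Python model is an added example (not pfSense code and not either poster's configuration) that walks a packet through those three stages so you can see why the kill switch holds when a tunnel drops, why the "Do not NAT" rule has to sit on top, and why a LAN rule limited to TCP sends pings down the wrong path. Two labelled assumptions: when a policy gateway is down, traffic falls back to the default route (WAN), which is pfSense's default unless "skip rules when gateway is down" is enabled; and the outbound NAT decision is made before the floating filter rule on WAN is applied. The aliases and addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"


@dataclass
class LanRule:
    proto: str      # "tcp", "udp", "icmp" or "any"
    source: str     # alias name or "any"
    gateway: str    # "VPN_EU", "VPN_US" or "default" (plain routing table -> WAN)


@dataclass
class Firewall:
    aliases: dict          # alias -> list of CIDR strings (constructed values)
    lan_rules: list        # LanRule objects, top-down
    outbound_nat: list     # (source alias, do_not_nat: bool), top-down
    floating_block: list   # source aliases blocked outbound on WAN
    gateway_up: dict       # gateway name -> bool

    def in_alias(self, alias, ip):
        if alias == ANY:
            return True
        return any(ip_address(ip) in ip_network(net) for net in self.aliases[alias])

    def egress(self, src_ip, proto):
        """Where a packet from src_ip/proto leaves the firewall, or why it does not."""
        # 1. LAN rules: the first match chooses the gateway; no match means pf drops it.
        for rule in self.lan_rules:
            if rule.proto in (ANY, proto) and self.in_alias(rule.source, src_ip):
                gateway = rule.gateway
                break
        else:
            return "dropped by LAN rules"
        if gateway != "default" and self.gateway_up.get(gateway, False):
            return f"via {gateway}"
        # Gateway down or default rule: default route -> WAN (assumption, see lead-in).
        # 2. Outbound NAT on WAN: the first matching rule decides, which is why
        #    the 'Do not NAT' rules only work when they sit above the catch-all.
        natted = True
        for source, do_not_nat in self.outbound_nat:
            if self.in_alias(source, src_ip):
                natted = not do_not_nat
                break
        # 3. Floating block on WAN for the VPN aliases.
        if any(self.in_alias(a, src_ip) for a in self.floating_block):
            return "blocked on WAN by floating rule"
        if natted:
            return "via WAN (NAT)"
        return "via WAN without NAT (private source address leaks to the ISP)"


def thread_setup(eu_up=True, us_up=True, lan_proto="any", floating=True, no_nat_on_top=True):
    """Build the configuration from the how-to; the parameters toggle the
    mistakes discussed in the thread (TCP-only LAN rule, missing floating rule,
    'Do not NAT' rule left below the automatic catch-all)."""
    aliases = {"EU_MACHINES": ["192.168.1.10/32"],   # constructed
               "US_MACHINES": ["192.168.1.20/32"],   # constructed
               "LAN": ["192.168.1.0/24"]}
    nat = [("EU_MACHINES", True), ("US_MACHINES", True), ("LAN", False)]
    if not no_nat_on_top:
        nat = nat[-1:] + nat[:-1]   # catch-all NAT rule first: do-not-NAT never matches
    return Firewall(
        aliases=aliases,
        lan_rules=[LanRule(lan_proto, "EU_MACHINES", "VPN_EU"),
                   LanRule(lan_proto, "US_MACHINES", "VPN_US"),
                   LanRule(ANY, "LAN", "default")],
        outbound_nat=nat,
        floating_block=["EU_MACHINES", "US_MACHINES"] if floating else [],
        gateway_up={"VPN_EU": eu_up, "VPN_US": us_up},
    )


if __name__ == "__main__":
    for label, fw, src, proto in [
        ("EU machine, EU tunnel up", thread_setup(), "192.168.1.10", "tcp"),
        ("EU machine, EU tunnel down", thread_setup(eu_up=False), "192.168.1.10", "tcp"),
        ("US machine, EU tunnel down", thread_setup(eu_up=False), "192.168.1.20", "tcp"),
        ("EU ping with TCP-only LAN rule", thread_setup(lan_proto="tcp"), "192.168.1.10", "icmp"),
        ("EU machine, tunnel down, no floating rule", thread_setup(eu_up=False, floating=False), "192.168.1.10", "tcp"),
        ("other LAN host", thread_setup(), "192.168.1.50", "tcp"),
    ]:
        print(f"{label}: {fw.egress(src, proto)}")
```

    The model reproduces the thread's observations: with both tunnels up the EU and US machines go out their own gateways, dropping one tunnel blocks only that alias while the other keeps working, and a LAN rule restricted to TCP never matches ICMP, so a ping from a VPN machine falls to the default rule, leaves via WAN un-NATed and is blocked by the floating rule even while the tunnel is up. Without the floating rule the packet leaves with a private source address and simply times out, which is the "request timed out" behaviour seen when the floating rules were disabled; with the "Do not NAT" rule below the automatic catch-all, the machine is NATed straight out to the ISP and the kill switch does nothing.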



  • Screenshots

    ![OpenVPN Client 2.JPG](/public/imported_attachments/1/OpenVPN Client 2.JPG)
    ![System Gateways.JPG](/public/imported_attachments/1/System Gateways.JPG)
    ![Firewall Rules 1.JPG](/public/imported_attachments/1/Firewall Rules 1.JPG)



  • Sounds about right ;) Glad I could help :)



  • Screenshots

    ![Firewall Rules 2.JPG](/public/imported_attachments/1/Firewall Rules 2.JPG)
    ![Firewall NAT Outbound 1.JPG](/public/imported_attachments/1/Firewall NAT Outbound 1.JPG)



  • screenshots

    ![Firewall NAT Outbound 2.JPG](/public/imported_attachments/1/Firewall NAT Outbound 2.JPG)
    ![Firewall Rules Floating 1.JPG](/public/imported_attachments/1/Firewall Rules Floating 1.JPG)



  • Screenshots

    ![Firewall Rules Floating 2.JPG](/public/imported_attachments/1/Firewall Rules Floating 2.JPG)



  • Hah, now the topic went from "cannot resolve address" to... how to make policy-based routing with multiple VPN clients...