-
Notifications
You must be signed in to change notification settings - Fork 315
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
openfortivpn 1.12 / DNS configuration problems #555
Comments
The only relevant change is:
This is interesting:
as this error message is associated to Yet
Finally which exact options do you pass to openfortivpn? Of particular interest are:
|
I'd follow the piece of advice cited in #514 (comment):
|
I'll start by answering your questions first, then i'll check with the new version/new cmdline params.
BUT, there is no rpm package of resolvconf, because (see resolvconf -h) of this:
Params to openfortivpn are:
and i start it using a script (the /etc/openfortivpn/config file is empty).... yes, i know, password on commandline is bad :-)
further tests will follow later... |
As a workaround you may instruct openfortivpn to hand over DNS settings to pppd which might not depend on systemd-resolved running:
That said it would probably be better to start systemd-resolved. Not sure whether it is supposed to be started and why it has not started on your Fedora 31 system. |
i tried several configs for now:
yes, if systemd-resolved is started, the above error messages disappear (Failed to set DNS configuration: Could not activate remote peer. / Failed to revert interface configuration: Could not activate remote peer.) but /etc/resolv.conf is not updated nor is the dns query possible for remote/tunneled destinations. And, for fedora31, the default config seems not to use systemd-resolved, so /etc/resolv.conf is not symlinked to any systemd files but a genuine file |
This looks like more of a resolvconf problem:
If resovlconf is indeed that fragile we probably should have a way to disable its use by openfortivpn - which is what happens when you downgrade to 1.11.0. But then I notice that |
no, i happened to setup this fedora31 system completely fresh some weeks ago. Nothing special yet, and even another fedora31 system (upgraded from previous releases) shows the exact same behaviour. So i assume this to be isolated to openfortivpn only (sorry). btw, using 1.11 i did not use the additional params you indicated (set-dns and ...peerdns) |
It is not isolated to openfortivpn because pppd suffers the same problem. |
ok, ok :-) i already said i'm sorry!!! |
As far as I can understand from one of your first comments Fedora provides a There are multiple methods of setting DNS servers:
It looks like some of the above executables are made available on some systems but are not configured by default - by design. Tools such as resolvconf that are made available on some systems to help with this task are not available, or worse are available but simply don't work on other systems. This leaves us with the difficult task to find a portable way to modify DNS settings. Either we find a way to automate DNS settings in a portable way across systems, or we provide options (in addition to I think it's worth taking the time to read about the first option, perhaps have a look at OpenVPN. However I fear we will have to provide options to switch manually... |
Oh, resolvconf being installed and not working out of the box is the worst choice that Fedora could make. |
@mrbaseman Yes, it looks like a command line option might be needed. What a pity, Fedora unilaterally broke resolvconf. I fear the DNS options are already a bit confusing:
I'm wondering whether we shouldn't change to something like this, keeping old options for compatibility of course:
We could also have a look at OpenVPN for inspiration - but they probably just rely on external scripts. |
I think we should add a new option but we should not change the existing ones. My concern is: the more we change, the more difficulties come to light. The GUIs (NM plugin / openfortigui) also rely on these command line options and we have already broken them by accident a couple of times. |
@mrbaseman What name for the new option? Should we use On Ubuntu 16.04 or 18.04:
On Fedora / Red Hat / CentOS the output looks different:
@slartibart70 Also what is the output of |
Fedora31 $ resolvconf exitcode: with the -h parameter: $ echo $? But, |
With the real resolvconf the exit code is 99 in case of unknown/missing command line option:
On Fedora is there a difference with/without option
|
Unfortunately LSB packages are often not available (not installed by default?) so I wouldn't rely on |
well, we still have |
Sure, but in the end what matters is the version of |
good question. Maybe
Honestly, I don't know. On the one hand it seemed to be the right way to use
I don't feel comfortable with the idea putting a lot of effort into a mechanism to detect if something is broken on a specific platform. We already have a configure option (maybe it can be improved, e.g. But essentially, if resolvconf shall be used by default, I'd say that's a decision that the packager should make. Based on the knowledge that resolvconf is broken on Fedora, I'd add a configure option in the spec file to disable it on that platform. If someone wants to configure resolvconv and wants to use it together with openfortivpn, he can still compile it from source with his own Does that make sense? |
@mrbaseman I was thinking of detecting the broken version of I like the idea of the configure option. Not sure about the effect of this option though:
Also how would this configure option be triggered?
|
just my opinion: using resolvconf seems to be the best way to handle the situation. Maybe we can add some checks (is the resolv.conf file really updated) and add some more explanatory log statements. |
@slartibart70 Yes, I agree too much automation might fail. On the other hand I believe Also detecting if
|
agreed, the check mechanism shoud not rely on the file itself. |
@DimitriPapadopoulos I have been thinking about your questions:
Both would be possible:
...along the lines of
we can implement an |
I have started to work on this in a new branch, in a first step a cleaner implementation of the workaround that I have suggested above a while ago (the first part of my previous comment). Next would be the Finally, we can think of an automatism to detect sane defaults at configure time and maybe a better solution for this initial commit, which avoids the string comparison at runtime. |
I have crated a first draft for a pull request |
Meanwhile I have opened an issue on the Fedora bug tracker: Hopefully we can understand why |
As a workaround until a new version of openfortivpn is released, you might move
My guess is that it won't matter since |
Fixed in version 1.13.1. |
openfortivpn 1.13.1 has been packaged for Fedora: Do not hesitate to install and test them. On Fedora 31 for example:
If it works for you and you have a Fedora account do not hesitate to add a karma point so that packages are released rapidly. |
Thanks @DimitriPapadopoulos I can confirm that the testing version works as expected on a F31 running |
Hi, could you create a package to FC30, please ?? |
Fedora 30 is not maintained anymore so I doubt there will be new packages: |
Since using openfortivpn 1.12 i do see issues with the DNS resolution, the tunnel is up and running, but no name resolution is possible (see log).
My current workaround is to stay with version 1.11 which runs properly
(running on fedora31, latest updates)
Using ip addresses instead of names is ok, querying the (remote/tunneled) nameserver directly with 'dig @a.b.c.d hostname' is ok, but a 'cat /etc/resolv.conf' only gives me my local router address, there are no remote dns server entries at all. (resolv.conf is managed by networkmanager on my system)
see error line: 'Failed to set DNS configuration: Could not activate remote peer.'
Logs:
INFO: Connected to gateway.
INFO: Authenticated.
INFO: Remote gateway has allocated a VPN.
Using interface ppp0
Connect: ppp0 <--> /dev/pts/3
INFO: Got addresses: [10.147.x.z], ns [10.62.z.zz, 10.62.z.zz]
INFO: negotiation complete
INFO: negotiation complete
local IP address 10.147.x.x
remote IP address 192.0.x.x
INFO: Interface ppp0 is UP.
INFO: Setting new routes...
WARN: Route to gateway exists already.
INFO: Adding VPN nameservers...
Failed to set DNS configuration: Could not activate remote peer.
INFO: Tunnel is up and running.
^CINFO: Cancelling threads...
INFO: Setting ppp interface down.
INFO: Restoring routes...
INFO: Removing VPN nameservers...
Failed to revert interface configuration: Could not activate remote peer.
Hangup (SIGHUP)
Modem hangup
Connect time 12.2 minutes.
Sent 113414 bytes, received 1988486 bytes.
Connection terminated.
INFO: pppd: The link was terminated by the modem hanging up.
INFO: Terminated pppd.
INFO: Closed connection to gateway.
INFO: Logged out.
Any help with this?
The text was updated successfully, but these errors were encountered: