Unable to reconnect with message "RESOLVE: Cannot resolve host address:" #13

Closed
dmp1ce opened this issue Feb 6, 2016 · 10 comments

dmp1ce commented Feb 6, 2016

I'm not sure if this is an issue with this project or my VPN provider. The connection to my VPN provider works well for a day or two and then it will get disconnected and try to reconnect. The reconnection never works. Here is the log from my most recent attempt and my docker-compose configuration.

Should this project be able to automatically reconnect to the VPN provider if the openvpn configuration is set up to do so? Will the strict firewall rules block reconnection attempts?

docker-compose.yml

openvpn:
  image: dperson/openvpn-client
  cap_add:
    - NET_ADMIN
  devices:
    - "/dev/net/tun"
  dns:
    - 8.8.4.4
    - 8.8.8.8
  restart: always
  log_driver: journald
  volumes:
    - ./vpn:/vpn
  dns:
    - 8.8.8.8
    - 8.8.4.4
  command: -f
transmission:
  image: dperson/transmission  
  log_driver: journald
  net: "container:openvpn"
  restart: always
  volumes:
    - /mnt/data/transmission/downloads:/var/lib/transmission-daemon/downloads
    - /mnt/data/transmission/incomplete:/var/lib/transmission-daemon/incomplete
    - /mnt/data/transmission/config:/var/lib/transmission-daemon
  environment:
    - USERID=1005
    - GROUPID=1006
transmission-proxy:
  image: dperson/nginx
  log_driver: journald
  links:
    - transmission
  command: -w "http://transmission:9091/transmission;/transmission"
  ports:
    - "9091:80"
  restart: always

openvpn log

openvpn_1 | Wed Feb  3 23:01:38 2016 OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 12 2015
openvpn_1 | Wed Feb  3 23:01:38 2016 library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08
openvpn_1 | Wed Feb  3 23:01:38 2016 WARNING: file '/vpn/login.conf' is group or others accessible
openvpn_1 | Wed Feb  3 23:01:38 2016 NOTE: --fast-io is disabled since we are not using UDP
openvpn_1 | Wed Feb  3 23:01:38 2016 Socket Buffers: R=[87380->131072] S=[16384->131072]
openvpn_1 | Wed Feb  3 23:01:38 2016 Attempting to establish TCP connection with [AF_INET]185.94.28.242:52 [nonblock]
openvpn_1 | Wed Feb  3 23:01:39 2016 TCP connection established with [AF_INET]185.94.28.242:52
openvpn_1 | Wed Feb  3 23:01:39 2016 TCPv4_CLIENT link local: [undef]
openvpn_1 | Wed Feb  3 23:01:39 2016 TCPv4_CLIENT link remote: [AF_INET]185.94.28.242:52
openvpn_1 | Wed Feb  3 23:01:39 2016 TLS: Initial packet from [AF_INET]185.94.28.242:52, sid=0054a929 e38b84a0
openvpn_1 | Wed Feb  3 23:01:39 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
openvpn_1 | Wed Feb  3 23:01:40 2016 VERIFY OK: depth=1, C=US, ST=DE, L=Wilmington, O=VpnHT, OU=VPNHT, CN=vpn.ht, name=VPNHT, emailAddress=support@vpn.ht
openvpn_1 | Wed Feb  3 23:01:40 2016 VERIFY OK: nsCertType=SERVER
openvpn_1 | Wed Feb  3 23:01:40 2016 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=server, name=EasyRSA, emailAddress=me@myhost.mydomain
openvpn_1 | Wed Feb  3 23:01:40 2016 WARNING: 'keydir' is present in local config but missing in remote config, local='keydir 0'
openvpn_1 | Wed Feb  3 23:01:40 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
openvpn_1 | Wed Feb  3 23:01:40 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
openvpn_1 | Wed Feb  3 23:01:40 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
openvpn_1 | Wed Feb  3 23:01:40 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
openvpn_1 | Wed Feb  3 23:01:40 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
openvpn_1 | Wed Feb  3 23:01:40 2016 [server] Peer Connection Initiated with [AF_INET]185.94.28.242:52
openvpn_1 | Wed Feb  3 23:01:43 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
openvpn_1 | Wed Feb  3 23:01:43 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.3.0.1,route-gateway 10.11.0.1,topology subnet,ifconfig 10.11.0.3 255.255.0.0'
openvpn_1 | Wed Feb  3 23:01:43 2016 OPTIONS IMPORT: --ifconfig/up options modified
openvpn_1 | Wed Feb  3 23:01:43 2016 OPTIONS IMPORT: route options modified
openvpn_1 | Wed Feb  3 23:01:43 2016 OPTIONS IMPORT: route-related options modified
openvpn_1 | Wed Feb  3 23:01:43 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
openvpn_1 | Wed Feb  3 23:01:43 2016 ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:02
openvpn_1 | Wed Feb  3 23:01:43 2016 TUN/TAP device tun0 opened
openvpn_1 | Wed Feb  3 23:01:43 2016 TUN/TAP TX queue length set to 100
openvpn_1 | Wed Feb  3 23:01:43 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
openvpn_1 | Wed Feb  3 23:01:43 2016 /sbin/ip link set dev tun0 up mtu 1500
openvpn_1 | Wed Feb  3 23:01:43 2016 /sbin/ip addr add dev tun0 10.11.0.3/16 broadcast 10.11.255.255
openvpn_1 | Wed Feb  3 23:01:43 2016 /sbin/ip route add 185.94.28.242/32 via 172.17.0.1
openvpn_1 | Wed Feb  3 23:01:43 2016 /sbin/ip route add 0.0.0.0/1 via 10.11.0.1
openvpn_1 | Wed Feb  3 23:01:43 2016 /sbin/ip route add 128.0.0.0/1 via 10.11.0.1
openvpn_1 | Wed Feb  3 23:01:43 2016 Initialization Sequence Completed
openvpn_1 | Sat Feb  6 02:32:52 2016 [server] Inactivity timeout (--ping-restart), restarting
openvpn_1 | Sat Feb  6 02:32:52 2016 SIGUSR1[soft,ping-restart] received, process restarting
openvpn_1 | Sat Feb  6 02:32:52 2016 Restart pause, 5 second(s)
openvpn_1 | Sat Feb  6 02:32:57 2016 NOTE: --fast-io is disabled since we are not using UDP
openvpn_1 | Sat Feb  6 02:32:57 2016 Socket Buffers: R=[87380->131072] S=[16384->131072]
openvpn_1 | Sat Feb  6 02:33:37 2016 RESOLVE: Cannot resolve host address: hub.vpn.ht: Temporary failure in name resolution
openvpn_1 | Sat Feb  6 02:34:17 2016 RESOLVE: Cannot resolve host address: hub.vpn.ht: Temporary failure in name resolution
openvpn_1 | Sat Feb  6 02:35:02 2016 RESOLVE: Cannot resolve host address: hub.vpn.ht: Temporary failure in name resolution
openvpn_1 | Sat Feb  6 02:35:47 2016 RESOLVE: Cannot resolve host address: hub.vpn.ht: Temporary failure in name resolution
openvpn_1 | Sat Feb  6 02:36:32 2016 RESOLVE: Cannot resolve host address: hub.vpn.ht: Temporary failure in name resolution
openvpn_1 | Sat Feb  6 02:37:17 2016 RESOLVE: Cannot resolve host address: hub.vpn.ht: Temporary failure in name resolution
openvpn_1 | Sat Feb  6 02:38:02 2016 RESOLVE: Cannot resolve host address: hub.vpn.ht: Temporary failure in name resolution
openvpn_1 | Sat Feb  6 02:38:47 2016 RESOLVE: Cannot resolve host address: hub.vpn.ht: Temporary failure in name resolution
openvpn_1 | Sat Feb  6 02:39:32 2016 RESOLVE: Cannot resolve host address: hub.vpn.ht: Temporary failure in name resolution
openvpn_1 | Sat Feb  6 02:40:17 2016 RESOLVE: Cannot resolve host address: hub.vpn.ht: Temporary failure in name resolution
openvpn_1 | Sat Feb  6 02:41:02 2016 NOTE: --mute triggered...

@dmp1ce dmp1ce changed the title RESOLVE: Cannot resolve host address: Unable to reconnect with message "RESOLVE: Cannot resolve host address:" Feb 6, 2016
Owner

dperson commented Feb 6, 2016

Hmm, I haven't run into the issue that you're seeing. I can rule out the firewall rules blocking DNS as the source however. They allow access to:

  • Interface lo - loopback (the host itself)
  • Interface tap0 or tun0 - created by OpenVPN and only has traffic that's headed out the VPN connection
  • UDP packets on port 53 - DNS queries
  • Packets from a process running as the group vpn - the OpenVPN process itself
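
One way to check a rule set against the four allowances listed above, as an added example (not the project's firewall script): the function audits `iptables -S OUTPUT` text and flags any ACCEPT rule outside that list. The default-DROP policy, the numeric gid 101 for the vpn group and both sample rule sets are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an OUTPUT chain against the four allowances
# (loopback, tun/tap device, UDP port 53, OpenVPN process group).

# Constructed sample: rule set matching the description (gid 101 is assumed).
SAMPLE_OK='-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -m owner --gid-owner 101 -j ACCEPT'

# Constructed sample: same rules plus one that lets HTTPS bypass the tunnel.
SAMPLE_LEAK="$SAMPLE_OK
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT"

# audit_output <iptables -S OUTPUT text> <vpn gid>
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_output() {
  printf '%s\n' "$1" | awk -v gid="$2" '
    $1 == "-P" && $2 == "OUTPUT" { policy = $3; next }
    $1 != "-A" || $2 != "OUTPUT" || $NF != "ACCEPT" { next }
    {
      rule = $0
      sub(/^-A OUTPUT /, "", rule); sub(/ -j ACCEPT$/, "", rule)
      if (rule == "-o lo") next                         # loopback
      if (rule ~ /^-o (tun|tap)[0-9]+$/) next           # tunnel device
      # Port 53 is not bound to an interface, so lookups made while the
      # tunnel is down leave through the default route.
      if (rule == "-p udp -m udp --dport 53") next      # DNS queries
      if (rule == ("-m owner --gid-owner " gid)) next   # OpenVPN process group
      print "UNEXPECTED ACCEPT: " rule; bad = 1
    }
    END {
      if (policy != "DROP") { print "POLICY NOT DROP: " policy; bad = 1 }
      exit bad + 0
    }'
}

# Demo on the constructed samples.
audit_output "$SAMPLE_OK" 101 && echo "sample 1: only the four allowances"
audit_output "$SAMPLE_LEAK" 101 || echo "sample 2: needs review"
```

Inside a running container the first argument would come from `iptables -S OUTPUT` and the gid from `getent group vpn`.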

Owner

dperson commented Feb 6, 2016

Actually thinking back, I'm pretty sure I used to get that error before I started using the Google DNS servers 8.8.4.4 and 8.8.8.8. So I think that you're running into an issue created by your VPN provider. In your case it may help to not set the DNS servers. If that doesn't work, you may need to use DNS servers provided by them...

Hope this helps.

@dperson dperson closed this as completed Feb 6, 2016
@dperson dperson self-assigned this Feb 6, 2016
Author

dmp1ce commented Feb 7, 2016

I'll try to turn off the Google DNS. I'll also attempt to dig the URL I'm trying to connect to the next time I get disconnected. Thank you for the response.

Author

dmp1ce commented Feb 10, 2016

I didn't get a chance to dig because I forgot to install dnstools before I lost my internet connection. Here is my log from when I lost the connection. I had removed my Google DNS settings.

log

openvpn_1 | Sun Feb  7 02:03:00 2016 /sbin/ip route add 0.0.0.0/1 via 10.11.0.1
openvpn_1 | Sun Feb  7 02:03:00 2016 /sbin/ip route add 128.0.0.0/1 via 10.11.0.1
openvpn_1 | Sun Feb  7 02:03:00 2016 Initialization Sequence Completed
openvpn_1 | Wed Feb 10 10:50:16 2016 write TCPv4_CLIENT: Connection reset by peer (code=104)
openvpn_1 | Wed Feb 10 10:50:16 2016 Connection reset, restarting [0]
openvpn_1 | Wed Feb 10 10:50:16 2016 SIGUSR1[soft,connection-reset] received, process restarting
openvpn_1 | Wed Feb 10 10:50:16 2016 Restart pause, 5 second(s)
openvpn_1 | Wed Feb 10 10:50:21 2016 NOTE: --fast-io is disabled since we are not using UDP
openvpn_1 | Wed Feb 10 10:50:21 2016 Socket Buffers: R=[87380->131072] S=[16384->131072]
openvpn_1 | Wed Feb 10 10:50:41 2016 RESOLVE: Cannot resolve host address: hub.vpn.ht: Temporary failure in name resolution
openvpn_1 | Wed Feb 10 10:51:01 2016 RESOLVE: Cannot resolve host address: hub.vpn.ht: Temporary failure in name resolution
openvpn_1 | Wed Feb 10 10:51:26 2016 RESOLVE: Cannot resolve host address: hub.vpn.ht: Temporary failure in name resolution
openvpn_1 | Wed Feb 10 10:51:51 2016 RESOLVE: Cannot resolve host address: hub.vpn.ht: Temporary failure in name resolution
openvpn_1 | Wed Feb 10 10:52:16 2016 RESOLVE: Cannot resolve host address: hub.vpn.ht: Temporary failure in name resolution
openvpn_1 | Wed Feb 10 10:52:41 2016 RESOLVE: Cannot resolve host address: hub.vpn.ht: Temporary failure in name resolution
openvpn_1 | Wed Feb 10 10:53:06 2016 RESOLVE: Cannot resolve host address: hub.vpn.ht: Temporary failure in name resolution
openvpn_1 | Wed Feb 10 10:53:31 2016 RESOLVE: Cannot resolve host address: hub.vpn.ht: Temporary failure in name resolution
openvpn_1 | Wed Feb 10 10:53:56 2016 RESOLVE: Cannot resolve host address: hub.vpn.ht: Temporary failure in name resolution
openvpn_1 | Wed Feb 10 10:54:21 2016 RESOLVE: Cannot resolve host address: hub.vpn.ht: Temporary failure in name resolution
openvpn_1 | Wed Feb 10 10:54:46 2016 NOTE: --mute triggered...

vpn.conf

openvpn:
  image: dperson/openvpn-client
  cap_add:
    - NET_ADMIN
  devices:
    - "/dev/net/tun"
#  dns:
#    - 8.8.4.4
#    - 8.8.8.8
  restart: always
  log_driver: journald
  volumes:
    - ./vpn:/vpn
  command: -f
transmission:
  image: dperson/transmission  
  log_driver: journald
  net: "container:openvpn"
  restart: always
  volumes:
    - /mnt/data/transmission/downloads:/var/lib/transmission-daemon/downloads
    - /mnt/data/transmission/incomplete:/var/lib/transmission-daemon/incomplete
    - /mnt/data/transmission/config:/var/lib/transmission-daemon
  environment:
    - USERID=1005
    - GROUPID=1006
transmission-proxy:
  image: dperson/nginx
  log_driver: journald
  links:
    - transmission
  command: -w "http://transmission:9091/transmission;/transmission"
  ports:
    - "9091:80"
  restart: always

# vi: set tabstop=2 expandtab syntax=yaml:

I'll ask them about DNS servers that I can use from them.

Author

dmp1ce commented Feb 10, 2016

My provider asked me to try https://github.com/masterkorp/openvpn-update-resolv-conf

That script is already installed on Debian so I just added the following to my vpn.conf. I'll let you know if it fixes the issue for me.

# This updates the resolvconf with dns settings
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Owner

dperson commented Feb 10, 2016

Thanks for the information, I'll add a flag to the startup script to use the VPN provider's DNS with the /etc/openvpn/update-resolv-conf script. It will be available on the docker hub in a few minutes.


FAWTS commented Oct 7, 2016

I've got the same issue, I added

# This updates the resolvconf with dns settings
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

in client.conf, but it didn't fix it. Now I run a crontab to restart the openvpn client every 8 hours. It works, but the issue can happen after a few minutes or after one day...

Any idea?

Owner

dperson commented Oct 7, 2016

@FAWTS @dmp1ce I've just made some changes yesterday and another today, that I think will now fix the reconnect issue (fingers crossed).

  • Yesterday I added a keepalive check to verify the connection or restart automatically.
  • Today I just removed the persist-tun option, which will force it to be brought down before reconnecting.

I think between the two of them, they should fix this issue. So please pull a fresh image and let me know if you still have any problems. Thanks.
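
A log check for the stuck state shown in the logs earlier in this thread (a soft restart followed only by RESOLVE failures), as an added example that is not the project's keepalive check. The function name, the threshold of 3 and the sample log, which is constructed in the format of the logs above, are assumptions.

```shell
#!/bin/sh
# Added example: flag OpenVPN soft restarts that never get past name resolution.

# Constructed sample: one restart that recovers, one that stays stuck.
SAMPLE_LOG='openvpn_1 | Wed Feb 10 10:50:16 2016 SIGUSR1[soft,connection-reset] received, process restarting
openvpn_1 | Wed Feb 10 10:50:41 2016 RESOLVE: Cannot resolve host address: hub.vpn.ht: Temporary failure in name resolution
openvpn_1 | Wed Feb 10 10:51:10 2016 Initialization Sequence Completed
openvpn_1 | Sat Feb 13 02:32:52 2016 SIGUSR1[soft,ping-restart] received, process restarting
openvpn_1 | Sat Feb 13 02:33:37 2016 RESOLVE: Cannot resolve host address: hub.vpn.ht: Temporary failure in name resolution
openvpn_1 | Sat Feb 13 02:34:17 2016 RESOLVE: Cannot resolve host address: hub.vpn.ht: Temporary failure in name resolution
openvpn_1 | Sat Feb 13 02:35:02 2016 RESOLVE: Cannot resolve host address: hub.vpn.ht: Temporary failure in name resolution
openvpn_1 | Sat Feb 13 02:35:47 2016 NOTE: --mute triggered...'

# stuck_reconnects <log text> [min failures, default 3]
# Prints "<restart reason> <RESOLVE failures> <muted|complete>" for every
# restart that has not reached "Initialization Sequence Completed".
stuck_reconnects() {
  printf '%s\n' "$1" | awk -v max="${2:-3}" '
    function report() {
      if (pending && fails >= max)
        print reason, fails, (muted ? "muted" : "complete")
    }
    /SIGUSR1\[soft,[a-z-]+\] received, process restarting/ {
      report()                       # close the previous episode, if any
      reason = $0
      sub(/.*SIGUSR1\[soft,/, "", reason); sub(/\].*/, "", reason)
      pending = 1; fails = 0; muted = 0; next
    }
    pending && /RESOLVE: Cannot resolve host address:/ { fails++ }
    # After --mute triggers, repeats are no longer logged, so the
    # failure count is only a lower bound.
    pending && /--mute triggered/ { muted = 1 }
    pending && /Initialization Sequence Completed/ { pending = 0 }
    END { report() }'
}

# Demo on the constructed sample.
stuck_reconnects "$SAMPLE_LOG"
```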


giejay commented Jan 22, 2020

> Thanks for the information, I'll add a flag to the startup script to use the VPN provider's DNS with the /etc/openvpn/update-resolv-conf script. It will be available on the docker hub in a few minutes.

I see the "-d" flag, how do I use this with a docker-compose file? Is specifying the DNS IPs enough?

dns:
  - 8.8.4.4

Owner

dperson commented Mar 20, 2020

The -d option is about using DNS from the VPN provider. By default it will use your DNS servers, either relayed to your main host or the ones defined to docker.
