  1. #11
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,993

    Well, what are you testing from?
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  2. #12
    Untangler
    Join Date
    Mar 2013
    Posts
    33

    The site I'm connecting to is a physically separate building. I have two network connections to my home office, but at the moment my control machine (Windows 7, talking RDP machine to machine on non-standard ports through my own Untangle firewall and the on-site Untangle firewall) and the test machine (Linux Mint 19, talking, or trying to talk, OpenVPN machine-to-network) are on the same network here. (And yes, I know RDP is hideously unsafe, but my home office is a static IP and the Untangle firewall at the site is set to port-forward RDP only from my home office.) My test is very simple: I take the OVPN connection down, bring it back up, and look for error messages in the log file.

  3. #13
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,993

    Well, you're down to basic troubleshooting now.

    Can the remotely connected client ping Untangle's LAN IP? If not... that needs fixed first.

    If the issue is purely DNS, I have no real experience with the Linux OpenVPN client to know how that behaves. I'm fairly certain it just drops some stuff in resolv.conf, which can result in the unit using the incorrect DNS server at times. So I'd start testing with FQDNs, and move to short names afterward.

    But all of that is after you get ICMP working.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #14
    Untangler
    Join Date
    Mar 2013
    Posts
    33

    ICMP works just fine; I can ping machines by IP inside the server's network, including the DNS server, and get an immediate and solid response. I haven't tried pinging the LAN interface on the firewall - never occurred to me that would be worthwhile, if I can ping other machines inside the network. At this point it is, alas, purely DNS; and more than that, the issue would appear to be that the DNS push being passed to the client has some invalid parameters in it, and as such the stuff that should be dropped into resolv.conf doesn't, because it can't interpret the command.

  5. #15
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,993

    And yet, I'm at a loss as to why that would be. The commands used to push the DNS configuration to the clients haven't to my knowledge changed in years.

    The reset of the module was to update the certificates from MD5 to SHA, the rest is largely all unchanged.

    So if it worked before... it should be working now!
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  6. #16
    Untangler
    Join Date
    Mar 2013
    Posts
    33

    Ah. I thought I had mentioned that this is a fresh Mint 19 install. It has never worked on this machine.

    The instance that did work, if I am actually correct in my recollection (no guarantees there) was a straight Debian build talking to an Untangle 12 instance, when SHA-1 was still valid. And in fact that Debian instance would have probably not used systemd.

  7. #17
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,993

    If you took my advice earlier and disabled the compression directives, you could fire up an Android or iOS device and test with that, at least then you can confirm if it's a client issue on the test platform, or something up with Untangle.

    At this point, my gut is leaning on the former. I'm fairly certain your Untangle is configured properly. If you didn't take my advice on the compression setting, try it, redistribute the VPN client and try again. Because an OpenVPN client that doesn't want to compress when it was told to, does this... ICMP works, nothing else. Usually it's the mobile OpenVPN clients that give fits though.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  8. #18
    Untangler
    Join Date
    Mar 2013
    Posts
    33

    Well, in fact I have disabled compression - had to distribute a new client anyway so I figured "why the heck not"? But I've never tried installing OpenVPN on an Android or iOS device, not sure I'd have a proper clue how to do it. I can of course set it up on a Windows device, using a stock OpenVPN client rather than the installer Untangle distributes (computer troubleshooting rule 1: change only one thing at a time). I guess, though, I'd argue against "ping works, nothing else does"; I know ping works, yes, but it's not true that nothing else does. I have a web server on that network, and if I point Firefox at it by IP address it instantly shows me Apache's default page (as it should, me not having an immediate way of giving it a name in the host header). So I have to say evidence indicates that the literal only thing not working is DNS.

  9. #19
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,993

    To be more specific, I'll bet that DNS works just fine. Your remote endpoint just isn't getting the configuration straight to use it correctly.

    Meaning if you used nslookup or any other DNS testing tool, aimed it at the DNS server's IP address and asked it a question, you'll very likely get the answer.

    The key here is if you have a Windows device connecting, and it's doing the SAME thing, then we know the problem is on the Untangle server somewhere. If it doesn't, and DNS resolution and everything else just works, then you know there's a configuration problem that's impacting your Mint platform specifically.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  10. #20
    Untangler
    Join Date
    Mar 2013
    Posts
    33

    Precisely.

    The error message in the log file states that there is a problem with the push that's trying to provide DNS servers. Unfortunately it doesn't provide information about what part of that push is the problem... it is one of the more obscure error messages I've seen. But because of the error, the DNS info doesn't get dropped into resolv.conf, and so the scripts to update DNS find nothing useful to do. At least that's the hypothesis I'm working with, based on what I'm seeing.

    If I had some idea what part of the push was being problematic, I might be able to change something in the server config to eliminate it.
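
Added example, not part of the thread and not Untangle's or OpenVPN's own code: one way to find which part of a push is malformed is to split the PUSH_REPLY line from the client log into its individual options and check each `dhcp-option` entry on its own. The log line below is constructed for illustration (documentation-range addresses, placeholder domain), and the helper names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of an OpenVPN client log line; values are placeholders.
SAMPLE_LOG = (
    "Mon Jan  7 10:00:01 2019 PUSH: Received control message: "
    "'PUSH_REPLY,route 192.0.2.0 255.255.255.0,dhcp-option DNS 192.0.2.1,"
    "dhcp-option DNS,dhcp-option DNS 192.0.2.300,"
    "dhcp-option DOMAIN example.lan,dhcp-option DOMAIN bad domain,"
    "ping 10,ifconfig 198.51.100.6 198.51.100.5'\n"
)

PUSH_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,(.*)'")
LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
HOST_RE = re.compile(r"^%s(\.%s)*$" % (LABEL, LABEL))

def pushed_options(log_text):
    """Return every option from every PUSH_REPLY line, in order.
    Assumes no option value contains a comma."""
    opts = []
    for match in PUSH_RE.finditer(log_text):
        opts.extend(o.strip() for o in match.group(1).split(","))
    return opts

def check_dhcp_option(option):
    """Return None if a dhcp-option entry looks well-formed, else a reason."""
    parts = option.split()
    if len(parts) < 2:
        return "missing option type"
    kind, args = parts[1], parts[2:]
    if kind not in ("DNS", "DOMAIN"):
        return None  # other dhcp-option types are not checked here
    if len(args) != 1:
        return "%s takes exactly one value, got %d" % (kind, len(args))
    if kind == "DNS":
        try:
            ipaddress.ip_address(args[0])
        except ValueError:
            return "DNS value is not a valid IP address"
    elif not HOST_RE.match(args[0]):
        return "DOMAIN value is not a valid DNS name"
    return None

def audit(log_text):
    """List (option, reason) for each pushed dhcp-option that fails a check."""
    pairs = ((o, check_dhcp_option(o)) for o in pushed_options(log_text)
             if o.startswith("dhcp-option"))
    return [(o, reason) for o, reason in pairs if reason]

if __name__ == "__main__":
    for option, reason in audit(SAMPLE_LOG):
        print("%-32s %s" % (option, reason))
```
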
