Debian – OpenVPN client nslookup failure after disconnect

Tags: debian, nslookup, openvpn, routing

Currently I am trying to route my traffic through a gateway running Debian Linux which forwards all incoming traffic through a VPN connection (Client -> Gateway with OpenVPN client -> VPN server -> Internet). This works fine except it loses the connection from time to time and is unable to reconnect itself due to nslookup timeouts. This happens every few days, mostly at night (as far as I know, some servers are terminating the session if no traffic was sent for a long time).

When this happens, I'll try to connect through SSH, but after entering the username the server waits about 20 seconds before asking for the password, which is also strange. Normally it asks for the password immediately.

When looking into the syslog this one comes up:

Jul 20 00:50:11 gateway ovpn-cyberghost[23893]: RESOLVE: Cannot resolve host address: 5-nl.cg-dialup.net: Temporary failure in name resolution

ifconfig and route show that the VPN interface is still up but seems to be hung.

root@gateway:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.129.57.169   128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth2
10.129.57.169   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
93.190.138.125  192.168.0.1     255.255.255.255 UGH   0      0        0 eth2
128.0.0.0       10.129.57.169   128.0.0.0       UG    0      0        0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
217.23.12.229   192.168.0.1     255.255.255.255 UGH   0      0        0 eth2

Here's my OpenVPN config:

client
remote 5-nl.cg-dialup.net 443
dev tun 
proto udp
auth-user-pass /etc/openvpn/auth.txt
route-nopull

resolv-retry infinite 
redirect-gateway def1
persist-key
persist-tun
writepid /run/openvpn.pid
nobind
cipher AES-256-CBC
auth MD5
ping 5
ping-restart 20
persist-local-ip
ping-timer-rem
explicit-exit-notify 2
script-security 2
remote-cert-tls server
route-delay 5
tun-mtu 1500 
fragment 1300
mssfix 1300
verb 1
comp-lzo

Here's my resolv.conf:

root@gateway:~# cat /etc/resolv.conf
nameserver 85.214.20.141
nameserver 213.73.91.35

Changing the nameservers, for example to 127.0.0.1 (bind9 correctly installed as a dns resolver), did not solve anything but I do not expect to find the problem here.

I guess the following is the reason: The server closed the session due to inactivity of the client, so the client tries to reconnect. In the process of reconnecting, OpenVPN resolves the hostname of the VPN server, but it uses the broken VPN interface, which is set as the default gateway, instead of the correct default gateway. No cleanup is made (removing the tun0 interface and deleting the routes), which would perhaps solve the problem. Also I think there could be an issue with having two default gateways, but I am not sure.

After terminating the OpenVPN process manually and starting it again, everything works fine like nothing ever happened.

I don't know how to either tell OpenVPN to use the eth2 interface for that initial nslookup or get OpenVPN to clean up the routes. Did I forget to add something in the config file (I didn't find any helpful options in the manpage)?

Best Answer

https://askubuntu.com/questions/28733/how-do-i-run-a-script-after-openvpn-has-connected-successfully tells how you can execute custom scripts after the connection goes up or down.

So, you should create a down script, which would clean up the routes and make OpenVPN execute that when connection goes down.
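As an added illustration of the down script the answer suggests (example code written here, not from the answerer or the OpenVPN project), the following hook removes the two def1 half-routes (0.0.0.0/1 and 128.0.0.0/1) that `redirect-gateway def1` installs through the tun device, so that once the tunnel is down, name resolution and the reconnect go out via the real default gateway on eth2. It reads the `dev`, `route_vpn_gateway` and `script_type` environment variables that OpenVPN exports to its scripts; the install path `/etc/openvpn/cleanup-routes.sh` and the sample values used in the comments are assumptions.

```shell
#!/bin/sh
# OpenVPN "down" hook (assumed path: /etc/openvpn/cleanup-routes.sh).
# When redirect-gateway def1 is in effect, OpenVPN adds 0.0.0.0/1 and
# 128.0.0.0/1 via the VPN gateway on the tun device. If those survive a dead
# tunnel, every lookup of the VPN server's hostname is routed into tun0 and
# times out. This hook deletes them so eth2's 0.0.0.0/0 route wins again.

# Print (do not execute) the route deletions for a tun device and VPN gateway.
# Arguments: $1 = tun device (e.g. tun0), $2 = VPN gateway (may be empty).
cleanup_route_cmds() {
    tun_dev="$1"
    vpn_gw="$2"
    [ -n "$tun_dev" ] || return 1
    for half in 0.0.0.0/1 128.0.0.0/1; do
        if [ -n "$vpn_gw" ]; then
            printf 'ip route del %s via %s dev %s\n' "$half" "$vpn_gw" "$tun_dev"
        else
            # Gateway unknown: match on the device alone.
            printf 'ip route del %s dev %s\n' "$half" "$tun_dev"
        fi
    done
}

# Execute the deletions; a route that is already gone is not an error here.
run_cleanup() {
    cleanup_route_cmds "$1" "$2" | while IFS= read -r cmd; do
        $cmd 2>/dev/null || logger -t openvpn-down "already removed: $cmd"
    done
}

# Only act when OpenVPN invokes us as a down script; OpenVPN sets
# script_type=down, dev=<tun device> and route_vpn_gateway=<peer address>.
if [ "${script_type:-}" = "down" ]; then
    run_cleanup "${dev:-tun0}" "${route_vpn_gateway:-}"
fi
```

To wire it in, add `down /etc/openvpn/cleanup-routes.sh` to the client config (the `script-security 2` line already present permits user scripts) and make the file executable. One caveat from the OpenVPN manual: `persist-tun`, which this config sets, tells OpenVPN not to close the device or run the up/down scripts across `ping-restart` restarts, so the hook only fires on a full disconnect unless that option is dropped.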