connecting to OpenVPN server: why NetworkManager nm-openvpn gererates curious, pointless random hostnames?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I'm trying to configure OpenVPN connection in Fedora 37 NetworkManager.
The configuration was created by importing the .ovpn file and subsequent
its result correction. But connection is not working, and it seems it
is because MetwokManage/nm-openvpn prepend OpenVPN server name with
random string - which, of course, isn't resolvable to IP (v4) address.

My configuration file is:
# cat /etc/NetworkManager/system-connections/lada.nmconnection
[connection]
id=mojevpn
uuid=523155d8-ce42-499f-9b65-371733cd420c
type=vpn
autoconnect=false

[vpn]
ca=/etc/pki/vpnky/mojevpn/mojevpn-ca.pem
cert=/etc/pki/vpnky/mojevpn/mojevpn-cert.pem
cert-pass-flags=4
cipher=AES-128-GCM
connection-type=password-tls
dev=tun
dev-type=tun
key=/etc/pki/vpnky/mojevpn/mojevpn-key.pem
password-flags=2
remote=gw.mujsrv.org
remote-cert-tls=server
remote-random-hostname=yes
ta=/etc/pki/vpnky/mojevpn/mojevpn-tls-auth.pem
ta-dir=0
username=lada
service-type=org.freedesktop.NetworkManager.openvpn

[ipv4]
method=auto

[ipv6]
addr-gen-mode=stable-privacy
method=disabled

[proxy]


# nmcli connection up --ask mojevpn
You need to authenticate to access the Virtual Private Network “mojevpn”.
Password (vpn.secrets.password): ••••••••••
Error: Connection activation failed: The connection attempt timed out

And what is listen with tcpdump and in syslog:

# tcpdump -i any -B 64000 -nn port 53 or port 1194
20:27:55.403571 enp4s0 Out IP 172.31.48.127.44308 > 172.31.48.254.53: 3278+ [1au] A? 7cf36e0b3a88.gw.mujsrv.org. (53)
20:27:55.403711 enp4s0 Out IP 172.31.48.127.36822 > 172.31.48.254.53: 58603+ [1au] AAAA? 7cf36e0b3a88.gw.mujsrv.org. (53)
20:27:55.545573 enp4s0 In  IP 172.31.48.254.53 > 172.31.48.127.36822: 58603 NXDomain 0/1/1 (138)
20:27:55.545752 enp4s0 Out IP 172.31.48.127.36822 > 172.31.48.254.53: 58603+ AAAA? 7cf36e0b3a88.gw.mujsrv.org. (42)
20:27:55.546081 enp4s0 In  IP 172.31.48.254.53 > 172.31.48.127.36822: 58603 NXDomain 0/1/0 (127)
20:27:55.548708 enp4s0 In  IP 172.31.48.254.53 > 172.31.48.127.44308: 3278 NXDomain 0/1/1 (138)
20:27:55.549710 enp4s0 Out IP 172.31.48.127.60509 > 172.31.48.254.53: 41153+ [1au] A? bd30780f6ca9.gw.mujsrv.org. (53)
20:27:55.549819 enp4s0 Out IP 172.31.48.127.35849 > 172.31.48.254.53: 43141+ [1au] AAAA? bd30780f6ca9.gw.mujsrv.org. (53)
20:27:55.610201 enp4s0 In  IP 172.31.48.254.53 > 172.31.48.127.60509: 41153 NXDomain 0/1/1 (138)
20:27:55.610256 enp4s0 In  IP 172.31.48.254.53 > 172.31.48.127.35849: 43141 NXDomain 0/1/1 (138)
20:27:55.610349 enp4s0 Out IP 172.31.48.127.60509 > 172.31.48.254.53: 41153+ A? bd30780f6ca9.gw.mujsrv.org. (42)
20:27:55.610427 enp4s0 Out IP 172.31.48.127.35849 > 172.31.48.254.53: 43141+ AAAA? bd30780f6ca9.gw.mujsrv.org. (42)
20:27:55.610635 enp4s0 In  IP 172.31.48.254.53 > 172.31.48.127.60509: 41153 NXDomain 0/1/0 (127)
20:27:55.610677 enp4s0 In  IP 172.31.48.254.53 > 172.31.48.127.35849: 43141 NXDomain 0/1/0 (127)
20:28:15.631685 enp4s0 Out IP 172.31.48.127.46400 > 172.31.48.254.53: 33469+ [1au] A? 041d1d870348.gw.mujsrv.org. (53)
20:28:15.631799 enp4s0 Out IP 172.31.48.127.38725 > 172.31.48.254.53: 21530+ [1au] AAAA? 041d1d870348.gw.mujsrv.org. (53)
20:28:15.776090 enp4s0 In  IP 172.31.48.254.53 > 172.31.48.127.46400: 33469 NXDomain 0/1/1 (138)
20:28:15.776145 enp4s0 In  IP 172.31.48.254.53 > 172.31.48.127.38725: 21530 NXDomain 0/1/1 (138)
20:28:15.776247 enp4s0 Out IP 172.31.48.127.46400 > 172.31.48.254.53: 33469+ A? 041d1d870348.gw.mujsrv.org. (42)
20:28:15.776330 enp4s0 Out IP 172.31.48.127.38725 > 172.31.48.254.53: 21530+ AAAA? 041d1d870348.gw.mujsrv.org. (42)
20:28:15.776663 enp4s0 In  IP 172.31.48.254.53 > 172.31.48.127.46400: 33469 NXDomain 0/1/0 (127)
20:28:15.776711 enp4s0 In  IP 172.31.48.254.53 > 172.31.48.127.38725: 21530 NXDomain 0/1/0 (127)
20:28:15.777705 enp4s0 Out IP 172.31.48.127.40721 > 172.31.48.254.53: 22744+ [1au] A? 3f9917dadb55.gw.mujsrv.org. (53)
20:28:15.777813 enp4s0 Out IP 172.31.48.127.57177 > 172.31.48.254.53: 3045+ [1au] AAAA? 3f9917dadb55.gw.mujsrv.org. (53)
20:28:15.817539 enp4s0 In  IP 172.31.48.254.53 > 172.31.48.127.57177: 3045 NXDomain 0/1/1 (138)
20:28:15.817593 enp4s0 In  IP 172.31.48.254.53 > 172.31.48.127.40721: 22744 NXDomain 0/1/1 (138)
20:28:15.817716 enp4s0 Out IP 172.31.48.127.57177 > 172.31.48.254.53: 3045+ AAAA? 3f9917dadb55.gw.mujsrv.org. (42)
20:28:15.817797 enp4s0 Out IP 172.31.48.127.40721 > 172.31.48.254.53: 22744+ A? 3f9917dadb55.gw.mujsrv.org. (42)
20:28:15.817997 enp4s0 In  IP 172.31.48.254.53 > 172.31.48.127.57177: 3045 NXDomain 0/1/0 (127)
20:28:15.818074 enp4s0 In  IP 172.31.48.254.53 > 172.31.48.127.40721: 22744 NXDomain 0/1/0 (127)
....

# tail -f /var/log/messages
Apr 16 20:27:55 pc-jana nm-openvpn[786758]: RESOLVE: Cannot resolve host address: 7cf36e0b3a88.gw.mujsrv.org:1194 (Name or service not known)
Apr 16 20:27:55 pc-jana nm-openvpn[786758]: RESOLVE: Cannot resolve host address: bd30780f6ca9.gw.mujsrv.org:1194 (Name or service not known)
Apr 16 20:27:55 pc-jana nm-openvpn[786758]: Could not determine IPv4/IPv6 protocol
Apr 16 20:27:55 pc-jana nm-openvpn[786758]: SIGUSR1[soft,init_instance] received, process restarting
Apr 16 20:28:15 pc-jana nm-openvpn[786758]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 16 20:28:15 pc-jana nm-openvpn[786758]: RESOLVE: Cannot resolve host address: 041d1d870348.gw.mujsrv.org:1194 (Name or service not known)
Apr 16 20:28:15 pc-jana nm-openvpn[786758]: RESOLVE: Cannot resolve host address: 3f9917dadb55.gw.mujsrv.org:1194 (Name or service not known)
Apr 16 20:28:15 pc-jana nm-openvpn[786758]: Could not determine IPv4/IPv6 protocol
Apr 16 20:28:15 pc-jana nm-openvpn[786758]: SIGUSR1[soft,init_instance] received, process restarting
Apr 16 20:28:24 pc-jana nm-openvpn[786758]: SIGTERM[hard,init_instance] received, process exiting
...

>From above, NM tries DNS result not for 'gw.mujsrv.org' host, but for
some insane 7cf36e0b3a88.gw.mujsrv.org / bd30780f6ca9.gw.mujsrv.org /
 041d1d870348.gw.mujsrv.org / 3f9917dadb55.gw.mujsrv.org /...

Can anyone see where the problem might be?

And one more, perhaps not a very important little thing: is it possible
to tell the NM to do only IPv4 resolution of the vpn server name (it
does not have an IPv6 address)?
---
Thanks in advance, Franta Hanzlik
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux