
OpenVPN: Fix for IPv4 remote-host hostname in client mode:
Closed, Resolved | Public | BUG

Description

If we configure hostname for the remote-host parameter in openvpn configuration in client mode, the tunnel does not come up. This error is observed in the openvpn logs:

OpenVPN: RESOLVE: Cannot resolve host address: HOSTNAME:14386 (No address associated with hostname).

The address is associated to the hostname.

vyos@client.abc.net# ping server.abc.net
PING server.abc.net (11.22.33.44) 56(84) bytes of data.
64 bytes from server.abc.net (11.22.33.44): icmp_seq=1 ttl=63 time=3.38 ms
64 bytes from server.abc.net (11.22.33.44): icmp_seq=2 ttl=63 time=1.75 ms
64 bytes from server.abc.net (11.22.33.44): icmp_seq=3 ttl=63 time=1.79 ms
64 bytes from server.abc.net (11.22.33.44): icmp_seq=4 ttl=63 time=1.94 ms

The workaround is to add "openvpn-option '--proto udp4'"; after that it works. Tested on the latest rolling and LTS releases.

Server mode configuration:

vyos@server.abc.net# run sh conf comm | grep openvpn
set interfaces openvpn vtun0 encryption cipher 'aes256'
set interfaces openvpn vtun0 hash 'sha256'
set interfaces openvpn vtun0 local-host '11.22.33.44'
set interfaces openvpn vtun0 local-port '1194'
set interfaces openvpn vtun0 mode 'server'
set interfaces openvpn vtun0 persistent-tunnel
set interfaces openvpn vtun0 protocol 'udp'
set interfaces openvpn vtun0 server client client ip '10.140.0.55'
set interfaces openvpn vtun0 server domain-name 'abc.net'
set interfaces openvpn vtun0 server name-server '55.44.33.22'
set interfaces openvpn vtun0 server push-route '55.44.33.22/32'
set interfaces openvpn vtun0 server subnet '10.140.0.0/20'
set interfaces openvpn vtun0 server topology 'subnet'
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/ovpn/ca.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/ovpn/server.crt'
set interfaces openvpn vtun0 tls dh-file '/config/auth/ovpn/dh.pem'
set interfaces openvpn vtun0 tls key-file '/config/auth/ovpn/server.key'
set interfaces openvpn vtun0 use-lzo-compression

Client mode configuration:

vyos@client.abc.net# run sh conf comm | grep openvpn
set interfaces openvpn vtun0 encryption cipher 'aes256'
set interfaces openvpn vtun0 hash 'sha256'
set interfaces openvpn vtun0 mode 'client'
set interfaces openvpn vtun0 openvpn-option '--proto udp4'
set interfaces openvpn vtun0 persistent-tunnel
set interfaces openvpn vtun0 protocol 'udp'
set interfaces openvpn vtun0 remote-host 'server.abc.net'
set interfaces openvpn vtun0 remote-port '1194'
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/ovpn/ca.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/ovpn/client.crt'
set interfaces openvpn vtun0 tls key-file '/config/auth/ovpn/client.key'
set interfaces openvpn vtun0 use-lzo-compression

I found this pull request, "https://github.com/vyos/vyos-1x/commit/08bd4ed10b3772c61f24cd9564c1639334d7feba", which was submitted to fix it, but there still seems to be an issue.
One more reference link:
https://github.com/vyos/vyos-1x/pull/361

This code was added:
https://github.com/vyos/vyos-1x/blob/24c4f9b6fa299e5bc67d82f5a8e0e5b4f9c4d04b/src/conf_mode/interfaces-openvpn.py#L594-L598
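As an added illustration (not VyOS code, and not the commit linked above), the following Python classifies a remote-host value the way the report's workaround implies matters: an IP literal pins its own address family, while a hostname should be left to resolve in whichever family actually has a record. The FAKE_DNS table, the function names and the check_remote dry-run helper are all constructed for this example, and the reading that the original failure comes from resolving a hostname under an address family with no record is an inference drawn from the '--proto udp4' workaround, not something the task states.

```python
import ipaddress
import socket
from typing import Dict, List, Optional

# Constructed stand-in for DNS (hostname -> address literals); nothing here
# is looked up on the network. server.abc.net mirrors the report: the name
# has only an IPv4 record, which is consistent with ping succeeding.
FAKE_DNS: Dict[str, List[str]] = {
    "server.abc.net": ["11.22.33.44"],
    "dual.example.net": ["198.51.100.7", "2001:db8::7"],
    "v6only.example.net": ["2001:db8::6"],
}


def classify_remote(remote: str) -> str:
    """'ipv4', 'ipv6' or 'hostname' for a remote-host value."""
    try:
        return "ipv4" if ipaddress.ip_address(remote).version == 4 else "ipv6"
    except ValueError:
        return "hostname"


def family_for_proto(proto: str) -> Optional[int]:
    """Address family a --proto value pins: udp4/tcp4-client -> AF_INET,
    udp6/tcp6-client -> AF_INET6, plain udp/tcp-client -> None (either)."""
    head = proto.split("-")[0]          # "udp", "udp4", "tcp6", ...
    if head.endswith("4"):
        return socket.AF_INET
    if head.endswith("6"):
        return socket.AF_INET6
    return None


def resolve(remote: str, family: Optional[int], dns=FAKE_DNS) -> List[str]:
    """Mimic a getaddrinfo() call restricted to one family. An empty result
    is the condition OpenVPN reports as 'No address associated with hostname'."""
    kind = classify_remote(remote)
    candidates = [remote] if kind != "hostname" else dns.get(remote, [])
    wanted = {socket.AF_INET: 4, socket.AF_INET6: 6}.get(family)
    return [a for a in candidates
            if wanted is None or ipaddress.ip_address(a).version == wanted]


def choose_proto(remote: str, base: str = "udp") -> str:
    """Derive --proto from the remote-host value itself: a literal address
    pins its family; a hostname is left to resolve in either family."""
    suffix = {"ipv4": "4", "ipv6": "6"}.get(classify_remote(remote), "")
    head, sep, tail = base.partition("-")   # "tcp-client" -> tcp6-client
    return head + suffix + sep + tail


def render_client_remote(remote: str, port: int, proto: str) -> List[str]:
    """openvpn directives for one client-mode peer."""
    return [f"proto {proto}", f"remote {remote} {port}"]


def check_remote(remote: str, port: int, proto: str) -> dict:
    """Dry run: would this --proto let OpenVPN find an address for the
    remote-host? Returns the directives, the candidates and a verdict."""
    addrs = resolve(remote, family_for_proto(proto))
    return {
        "directives": render_client_remote(remote, port, proto),
        "addresses": addrs,
        "ok": bool(addrs),
    }


if __name__ == "__main__":
    # Forcing the family with no record fails; udp4 and the derived
    # value both succeed for the report's IPv4-only hostname.
    for proto in ("udp6", "udp4", choose_proto("server.abc.net")):
        print(proto, check_remote("server.abc.net", 1194, proto))
```

Swapping FAKE_DNS for a real lookup means calling socket.getaddrinfo with the same family argument; the point of the dry run is that the verdict depends on the family the proto pins, not on whether the name resolves at all.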

Details

Difficulty level
Unknown (require assessment)
Version
1.3-rolling-202009220118
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Config syntax change (migratable)

Event Timeline

SrividyaA renamed this task from "OpenVPN: Fix for IPv4 remote-host addresses in client mode:" to "OpenVPN: Fix for IPv4 remote-host hostname in client mode:". Sep 22 2020, 12:11 PM
SrividyaA created this task.
SrividyaA claimed this task.

The issue is fixed in the latest rolling release. The IPv4 remote-host hostname in client mode works without adding the option '--proto udp4'.
Tested in VyOS 1.3-rolling-202011060217.

vyos@vyos# date
Sat 07 Nov 2020 03:43:24 PM UTC
[edit]
vyos@vyos# run sh int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             192.168.254.1/24                  u/u
eth1             74.203.219.52/24                  u/u
eth2             -                                 u/u
eth3             -                                 u/u
lo               127.0.0.1/8                       u/u
                 ::1/128
vtun30365        10.10.0.2/24                      u/u
[edit]
vyos@vyos# run sh conf comm | grep openvpn
set interfaces openvpn vtun30365 encryption cipher 'aes256'
set interfaces openvpn vtun30365 hash 'sha512'
set interfaces openvpn vtun30365 mode 'client'
set interfaces openvpn vtun30365 persistent-tunnel
set interfaces openvpn vtun30365 protocol 'udp'
set interfaces openvpn vtun30365 remote-host 'server.xyz.net'
set interfaces openvpn vtun30365 remote-port '1194'
set interfaces openvpn vtun30365 tls ca-cert-file '/config/auth/ovpn/ca.crt'
set interfaces openvpn vtun30365 tls cert-file '/config/auth/ovpn/branch.crt'
set interfaces openvpn vtun30365 tls key-file '/config/auth/ovpn/branch.key'
set interfaces openvpn vtun30365 use-lzo-compression

OpenVPN logs:

Nov  7 15:24:29 client openvpn-vtun30365[2851]: TLS: Initial packet from [AF_INET]74.204.159.119:1194, sid=12e4c1af c34514b0
Nov  7 15:24:29 client openvpn-vtun30365[2851]: VERIFY OK: depth=1, /C=US/ST=California/L=San_Francisco/O=Copyleft_Certificate_Co/OU=Accounts/CN=Easy-RSA_CA/emailAddress=me@example.net
Nov  7 15:24:29 client openvpn-vtun30365[2851]: VERIFY OK: depth=0, /C=US/ST=California/L=San_Francisco/O=Copyleft_Certificate_Co/OU=Accounts/CN=central/emailAddress=me@example.net
Nov  7 15:24:29 client openvpn-vtun30365[2851]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Nov  7 15:24:29 client openvpn-vtun30365[2851]: [central] Peer Connection Initiated with [AF_INET]74.204.159.119:1194
Nov  7 15:24:30 client openvpn-vtun30365[2851]: SENT CONTROL [central]: 'PUSH_REQUEST' (status=1)
Nov  7 15:24:30 client openvpn-vtun30365[2851]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DOMAIN xyz.net,route-gateway 10.10.0.1,topology subnet,ping 10,ping-restart 60,ifconfig -GCM'
Nov  7 15:24:30 client openvpn-vtun30365[2851]: OPTIONS IMPORT: timers and/or timeouts modified
Nov  7 15:24:30 client openvpn-vtun30365[2851]: OPTIONS IMPORT: --ifconfig/up options modified
Nov  7 15:24:30 client openvpn-vtun30365[2851]: OPTIONS IMPORT: route-related options modified
Nov  7 15:24:30 client openvpn-vtun30365[2851]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Nov  7 15:24:30 client openvpn-vtun30365[2851]: OPTIONS IMPORT: peer-id set
Nov  7 15:24:30 client openvpn-vtun30365[2851]: OPTIONS IMPORT: adjusting link_mtu to 1625
Nov  7 15:24:30 client openvpn-vtun30365[2851]: OPTIONS IMPORT: data channel crypto options modified
Nov  7 15:24:30 client openvpn-vtun30365[2851]: Data Channel: using negotiated cipher 'AES-256-GCM'
Nov  7 15:24:30 client openvpn-vtun30365[2851]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Nov  7 15:24:30 client openvpn-vtun30365[2851]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Nov  7 15:24:30 client openvpn-vtun30365[2851]: TUN/TAP device vtun30365 opened
Nov  7 15:24:30 client openvpn-vtun30365[2851]: TUN/TAP TX queue length set to 100
Nov  7 15:24:30 client openvpn-vtun30365[2851]: /usr/libexec/vyos/system/unpriv-ip link set dev vtun30365 up mtu 1500
Nov  7 15:24:30 client openvpn-vtun30365[2851]: /usr/libexec/vyos/system/unpriv-ip addr add dev vtun30365 10.10.0.2/24 broadcast 10.10.0.255
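Added example (not part of the task or of VyOS): a small parser that turns OpenVPN syslog lines like the ones above into a per-process summary, so an operator can tell a RESOLVE failure apart from a tunnel that came up, and see which peer and certificate chain it negotiated. The successful lines are copied from the log above; the RESOLVE line is the error quoted in the description, re-wrapped in the same syslog prefix with a constructed timestamp and PID.

```python
import re
from typing import Dict, Optional

# Sample input. The first line is the error from the description wrapped in
# a constructed syslog prefix (timestamp and PID made up); the rest are
# copied from the successful run logged in this task.
SAMPLE_LOG = """\
Nov  7 15:20:01 client openvpn-vtun30365[2790]: RESOLVE: Cannot resolve host address: HOSTNAME:14386 (No address associated with hostname)
Nov  7 15:24:29 client openvpn-vtun30365[2851]: TLS: Initial packet from [AF_INET]74.204.159.119:1194, sid=12e4c1af c34514b0
Nov  7 15:24:29 client openvpn-vtun30365[2851]: VERIFY OK: depth=1, /C=US/ST=California/L=San_Francisco/O=Copyleft_Certificate_Co/OU=Accounts/CN=Easy-RSA_CA/emailAddress=me@example.net
Nov  7 15:24:29 client openvpn-vtun30365[2851]: VERIFY OK: depth=0, /C=US/ST=California/L=San_Francisco/O=Copyleft_Certificate_Co/OU=Accounts/CN=central/emailAddress=me@example.net
Nov  7 15:24:29 client openvpn-vtun30365[2851]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Nov  7 15:24:29 client openvpn-vtun30365[2851]: [central] Peer Connection Initiated with [AF_INET]74.204.159.119:1194
Nov  7 15:24:30 client openvpn-vtun30365[2851]: Data Channel: using negotiated cipher 'AES-256-GCM'
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"openvpn-(?P<iface>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
RESOLVE_RE = re.compile(r"RESOLVE: Cannot resolve host address: (?P<target>\S+) \((?P<reason>[^)]*)\)")
PEER_RE = re.compile(r"Peer Connection Initiated with \[(?P<af>AF_INET6?)\](?P<peer>\S+)")
VERIFY_RE = re.compile(r"VERIFY OK: depth=(?P<depth>\d+), (?P<dn>.*)")
CN_RE = re.compile(r"/CN=([^/]+)")
CTRL_RE = re.compile(r"Control Channel: (?P<ver>TLSv[\d.]+), cipher (?P<cipher>[^,]+)")
DATA_RE = re.compile(r"using negotiated cipher '(?P<cipher>[^']+)'")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one syslog line into timestamp, host, interface, pid and message;
    None for lines that did not come from an openvpn-<iface> process."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def new_session() -> dict:
    return {"resolve_errors": [], "peer": None, "peer_af": None,
            "verified_cns": [], "control": None, "data_cipher": None}


def summarize(log_text: str) -> Dict[str, dict]:
    """Group lines per openvpn process (iface[pid]) and pull out what an
    operator checks first: resolver failures, the peer actually reached,
    the certificate chain that verified, and the negotiated ciphers."""
    sessions: Dict[str, dict] = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        s = sessions.setdefault(f"{rec['iface']}[{rec['pid']}]", new_session())
        msg = rec["msg"]
        if (m := RESOLVE_RE.search(msg)):
            s["resolve_errors"].append((m["target"], m["reason"]))
        elif (m := PEER_RE.search(msg)):
            s["peer"], s["peer_af"] = m["peer"], m["af"]
        elif (m := VERIFY_RE.search(msg)):
            cn = CN_RE.search(m["dn"])
            s["verified_cns"].append((int(m["depth"]), cn.group(1) if cn else None))
        elif (m := CTRL_RE.search(msg)):
            s["control"] = (m["ver"], m["cipher"])
        elif (m := DATA_RE.search(msg)):
            s["data_cipher"] = m["cipher"]
    for s in sessions.values():
        if s["resolve_errors"] and s["peer"] is None:
            s["state"] = "resolve-failed"   # the symptom reported in this task
        elif s["peer"] and s["data_cipher"]:
            s["state"] = "up"               # TLS verified, data channel keyed
        else:
            s["state"] = "incomplete"
    return sessions


if __name__ == "__main__":
    for key, s in summarize(SAMPLE_LOG).items():
        print(key, s["state"], s["peer"], s["verified_cns"], s["data_cipher"])
```

Keying on interface plus PID keeps a restarted process (the failed attempt and the later success here have different PIDs) from being merged into one record, which is what lets the "resolve-failed" verdict stay attached to the attempt that actually produced it.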