Bug 966281 - openvpn 2.3.1 reconnect fails with DNS error, when network is switched
openvpn 2.3.1 reconnect fails with DNS error, when network is switched
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: openvpn (Show other bugs)
19
i686 Linux
unspecified Severity medium
: ---
: ---
Assigned To: Steven Pritchard
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-05-22 18:31 EDT by Deian
Modified: 2013-12-23 09:58 EST (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-12-23 09:58:29 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Deian 2013-05-22 18:31:28 EDT
Description of problem:

Since I updated openvpn 
from
    openvpn-2.2.2-9.fc18.i686
to
    openvpn-2.3.1-2.fc18.i686

I get the following behavior:

I am connected somewhere, for example wired network. 
If I disconnect and connect to another network, which has different DNS settings I start getting the following errors in the log:

May 22 21:16:47 XXXX openvpn[13230]: RESOLVE: Cannot resolve host address: xxx.yyy.zzz: Temporary failure in name resolution

I sniffed the network traffic and came to the following:
For some reason openvpn remembers the DNS servers from resolv.conf which were valid during process creation. 
Later when the DNS servers change, because I switch to different network, it does not reload them, but keeps trying to question the old DNS-es, which usually refuse recursive queries, because I am already not in their network.

If I downgrade back to openvpn-2.2.2-9.fc18.i686, all goes back to normal, without touching anything else.

My client config:

----------
client                                                                          dev tun
proto tcp
remote xxx.yyy.zzz  443
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
cipher BF-CBC
keysize 512
script-security 1
comp-lzo
verb 3
keepalive 10 60
<cert>
CERT HERE
</cert>
<key>
KEY HERE
</key>
<ca>
CA HERE
</ca>
---------------


Version-Release number of selected component (if applicable):

openvpn-2.3.1-2.fc18.i686

How reproducible:

always

Steps to Reproduce:
1. Establish VPN tunnel
2. Connect to different network with different DNS servers
3. The IPs of the old DNS servers MUST be inaccessible or not be valid DNS resolvers in the new network. 

Actual results:

Start getting the following errors:

Cannot resolve host address: xxx.yyy.zzz: Temporary failure in name resolution


Expected results:

To reconnect with no issues. 


Additional info:
Comment 1 Samuel Sieb 2013-05-24 13:45:44 EDT
I'm seeing this too.  It's getting rather annoying...
Comment 2 Mihai T. Lazarescu 2013-06-08 14:05:27 EDT
I confirm, same here.
Comment 3 Björn Ruberg 2013-12-19 06:15:53 EST
Confirmed here. Verry annoying. 
I use a dnynds adresse for my clients to connect to. But that does simply not work in Fedora because of this bug.
Comment 4 Fedora End Of Life 2013-12-21 08:40:57 EST
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be 
able to fix it before Fedora 18 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 5 Samuel Sieb 2013-12-21 17:21:08 EST
This still happens in Fedora 19.
Comment 6 Björn Ruberg 2013-12-22 05:08:24 EST
And in Fedora 20 of course. I helped myself by configuring the openvpn connection in NetworkManager and adding a dispatch script that starts the vpn connection as soon as any network interface gets up. That is a workaround.
Comment 7 David Sommerseth 2013-12-23 09:58:29 EST
This seems to be tracked now by the upstream tracker too.

https://community.openvpn.net/openvpn/ticket/303 (pointing back to this bz)

As this seems to primarily be an upstream OpenVPN issue, and not a Fedora issue - I'll close this one as CLOSED:UPSTREAM.  OpenVPN bugs in this bugzilla mostly tackles packaging and Fedora only related issues.

Please consider to try to help out testing and debugging in cooperation with upstream directly.

Note You need to log in before you can comment on or make changes to this bug.