DNS problem

Support requests about OpenVPN Client
Elodie
Posts: 6
Joined: Thu Mar 28, 2019 10:13 pm

DNS problem

Post by Elodie » Thu Mar 28, 2019 10:32 pm

Hello there,

I just paid for the VPN Client product, and my VPN is working between my Android phone (10.8.0.6) and my Debian (10.8.0.1), where an OpenVPN server is installed.

My problem is very strange: I can open a website on the Internet (so forwarding and masquerade are correct) by its IP (with Firefox, Chrome, etc.) but I can't open a website by its domain name (for example google.fr); it seems the DNS resolution isn't working. But when I use an Android app (IP Tools) I can query my DNS server without problem, same for 8.8.8.8 ...

When I try to go to a website in a web browser (Firefox, Chrome, etc.) and I run "tcpdump -n -i tun0 port 53" on my Debian (10.8.0.1), where the DNS server is, the request and response are correct ... which is very strange.

When I set the DNS server in the options (my own 10.8.0.1 or 8.8.8.8 for the test) it doesn't work either ...

I don't understand at the moment what the problem could be ...

I'm using a Samsung S8+ on Android 8.0.0, Samsung Experience 9.0, security patch 1 January 2019, rooted with Magisk and TWRP.

Could someone have an idea, please?

admin
Site Admin
Posts: 458
Joined: Fri Feb 15, 2019 4:04 pm

Re: DNS problem

Post by admin » Fri Mar 29, 2019 7:59 am

Hello,

please, can you post the tcpdump output?

Elodie
Posts: 6
Joined: Thu Mar 28, 2019 10:13 pm

Re: DNS problem

Post by Elodie » Fri Mar 29, 2019 8:23 am

I checked more with tcpdump and it doesn't seem related to DNS, it's very strange. These are my checks:

With IP Tools manually (a Google Play application; I request google.com through my DNS server 10.8.0.1) (OK):

09:09:03.025239 IP (tos 0x0, ttl 64, id 42005, offset 0, flags [DF], proto UDP (17), length 56)
    10.8.0.6.47402 > 10.8.0.1.53: [udp sum ok] 63824+ A? google.com. (28)
09:09:03.049759 IP (tos 0x0, ttl 64, id 45621, offset 0, flags [DF], proto UDP (17), length 72)
    10.8.0.1.53 > 10.8.0.6.47402: [udp sum ok] 63824 q: A? google.com. 1/0/0 google.com. A 172.217.16.142 (44)

With Firefox to 62.4.19.99:80 (without DNS) (OK):

09:10:52.365819 IP 10.8.0.6.47390 > 62.4.19.99.80: Flags [S], seq 3315693856, win 65535, options [mss 1358,sackOK,TS val 7733491 ecr 0,nop,wscale 6], length 0
09:10:52.466498 IP 10.8.0.6.47390 > 62.4.19.99.80: Flags [.], ack 1883334337, win 1369, options [nop,nop,TS val 7733515 ecr 2043746592], length 0

With Firefox to mx.franceserv.fr:80 (with DNS) (NOK):

09:13:30.784701 IP 10.8.0.6.47510 > 62.4.19.99.80: Flags [S], seq 1162172647, win 65535, options [mss 1358,sackOK,TS val 7773093 ecr 0,nop,wscale 6], length 0
09:13:30.894892 IP 10.8.0.6.47510 > 62.4.19.99.80: Flags [.], ack 2419196543, win 1369, options [nop,nop,TS val 7773120 ecr 2043786197], length 0
09:13:30.905108 IP 10.8.0.6.47510 > 62.4.19.99.80: Flags [P.], seq 0:345, ack 1, win 1369, options [nop,nop,TS val 7773120 ecr 2043786197], length 345: HTTP: GET / HTTP/1.1
09:13:31.004622 IP 10.8.0.6.47510 > 62.4.19.99.80: Flags [.], ack 137, win 1386, options [nop,nop,TS val 7773150 ecr 2043786227], length 0
09:13:31.015307 IP 10.8.0.6.47510 > 62.4.19.99.80: Flags [P.], seq 345:698, ack 137, win 1386, options [nop,nop,TS val 7773153 ecr 2043786227], length 353: HTTP: GET /listinfo HTTP/1.1
09:13:31.335537 IP 10.8.0.6.47510 > 62.4.19.99.80: Flags [.], ack 137, win 1404, options [nop,nop,TS val 7773230 ecr 2043786265,nop,nop,sack 1 {1483:2061}], length 0
09:13:34.064780 IP 10.8.0.6.47512 > 62.4.19.99.80: Flags [S], seq 2117396824, win 65535, options [mss 1358,sackOK,TS val 7773909 ecr 0,nop,wscale 6], length 0
09:13:34.174881 IP 10.8.0.6.47512 > 62.4.19.99.80: Flags [.], ack 2193539312, win 1369, options [nop,nop,TS val 7773940 ecr 2043787017], length 0
09:13:37.285529 IP 10.8.0.6.47510 > 62.4.19.99.80: Flags [.], ack 137, win 1404, options [nop,nop,TS val 7774717 ecr 2043786265,nop,nop,sack 1 {1483:2062}], length 0
09:13:39.904848 IP 10.8.0.6.47512 > 62.4.19.99.80: Flags [F.], seq 0, ack 1, win 1369, options [nop,nop,TS val 7775371 ecr 2043787017], length 0
09:13:40.024691 IP 10.8.0.6.47512 > 62.4.19.99.80: Flags [.], ack 2, win 1369, options [nop,nop,TS val 7775400 ecr 2043788477], length 0
09:13:47.955048 IP 10.8.0.6.47510 > 62.4.19.99.80: Flags [.], ack 137, win 1404, options [nop,nop,TS val 7777220 ecr 2043786265,nop,nop,sack 1 {1483:2062}], length 0
09:13:58.114849 IP 10.8.0.6.47510 > 62.4.19.99.80: Flags [.], ack 137, win 1404, options [nop,nop,TS val 7779928 ecr 2043786265,nop,nop,sack 1 {1483:2062}], length 0
09:14:08.235029 IP 10.8.0.6.47510 > 62.4.19.99.80: Flags [.], ack 137, win 1404, options [nop,nop,TS val 7782456 ecr 2043786265,nop,nop,sack 1 {1483:2062}], length 0
09:14:18.355288 IP 10.8.0.6.47510 > 62.4.19.99.80: Flags [.], ack 137, win 1404, options [nop,nop,TS val 7784984 ecr 2043786265,nop,nop,sack 1 {1483:2062}], length 0
09:14:28.486168 IP 10.8.0.6.47510 > 62.4.19.99.80: Flags [.], ack 137, win 1404, options [nop,nop,TS val 7787520 ecr 2043786265,nop,nop,sack 1 {1483:2062}], length 0

But it doesn't seem to be a DNS problem, because we can see the correct IP and tcpdump shows "HTTP: GET /listinfo HTTP/1.1", which is a correct URL, because from my own computer without VPN the full link is: http://mx.franceserv.fr/listinfo

I can't explain why with VPN + DNS the browser can't finish loading the page ...

Thank you in advance and for your reply :)

Elodie
Posts: 6
Joined: Thu Mar 28, 2019 10:13 pm

Re: DNS problem

Post by Elodie » Fri Mar 29, 2019 8:40 am

Arghhhh, the problem is not present with the domain name "perdu.com" on Firefox:

09:33:11.954216 IP 10.8.0.6.53452 > 208.97.177.124.80: Flags [S], seq 1015648347, win 65535, options [mss 1358,sackOK,TS val 7967702 ecr 0,nop,wscale 6], length 0
09:33:12.048772 IP 208.97.177.124.80 > 10.8.0.6.53452: Flags [S.], seq 799983058, ack 1015648348, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 10], length 0
09:33:12.104381 IP 10.8.0.6.53454 > 208.97.177.124.80: Flags [S], seq 1502894618, win 65535, options [mss 1358,sackOK,TS val 7967732 ecr 0,nop,wscale 6], length 0
09:33:12.123923 IP 10.8.0.6.53452 > 208.97.177.124.80: Flags [.], ack 1, win 1369, length 0
09:33:12.197740 IP 208.97.177.124.80 > 10.8.0.6.53454: Flags [S.], seq 230192166, ack 1502894619, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 10], length 0
09:33:12.263751 IP 10.8.0.6.53454 > 208.97.177.124.80: Flags [.], ack 1, win 1369, length 0
09:33:12.284152 IP 10.8.0.6.53454 > 208.97.177.124.80: Flags [P.], seq 1:182, ack 1, win 1369, length 181: HTTP: GET /favicon.ico HTTP/1.1
09:33:12.377244 IP 208.97.177.124.80 > 10.8.0.6.53454: Flags [.], ack 182, win 30, length 0
09:33:12.378617 IP 208.97.177.124.80 > 10.8.0.6.53454: Flags [P.], seq 1:269, ack 182, win 30, length 268: HTTP: HTTP/1.1 200 OK
09:33:12.464638 IP 10.8.0.6.53454 > 208.97.177.124.80: Flags [.], ack 269, win 1386, length 0
09:33:14.383135 IP 208.97.177.124.80 > 10.8.0.6.53454: Flags [F.], seq 269, ack 182, win 30, length 0
09:33:14.504193 IP 10.8.0.6.53454 > 208.97.177.124.80: Flags [.], ack 270, win 1386, length 0
09:33:17.264245 IP 10.8.0.6.53452 > 208.97.177.124.80: Flags [F.], seq 1, ack 1, win 1369, length 0
09:33:17.359245 IP 208.97.177.124.80 > 10.8.0.6.53452: Flags [F.], seq 1, ack 2, win 29, length 0
09:33:17.464514 IP 10.8.0.6.53452 > 208.97.177.124.80: Flags [.], ack 2, win 1369, length 0

But with "google.com" on Firefox, the problem is still here ....

Same with colucci-web.it on port 80 through Firefox:

09:34:24.171207 IP 10.8.0.6.47230 > 185.58.193.94.80: Flags [S], seq 4233748983, win 65535, options [mss 1358,sackOK,TS val 7985673 ecr 0,nop,wscale 6], length 0
09:34:24.171489 IP 10.8.0.6.47232 > 185.58.193.94.80: Flags [S], seq 1194860032, win 65535, options [mss 1358,sackOK,TS val 7985736 ecr 0,nop,wscale 6], length 0
09:34:24.223212 IP 185.58.193.94.80 > 10.8.0.6.47230: Flags [S.], seq 1619573875, ack 4233748984, win 28960, options [mss 1460,sackOK,TS val 2339613610 ecr 7985673,nop,wscale 7], length 0
09:34:24.223495 IP 185.58.193.94.80 > 10.8.0.6.47232: Flags [S.], seq 3188034373, ack 1194860033, win 28960, options [mss 1460,sackOK,TS val 2339613611 ecr 7985736,nop,wscale 7], length 0
09:34:24.295378 IP 10.8.0.6.47230 > 185.58.193.94.80: Flags [.], ack 1, win 1369, options [nop,nop,TS val 7985786 ecr 2339613610], length 0
09:34:24.296860 IP 10.8.0.6.47232 > 185.58.193.94.80: Flags [.], ack 1, win 1369, options [nop,nop,TS val 7985786 ecr 2339613611], length 0
09:34:24.304582 IP 10.8.0.6.47230 > 185.58.193.94.80: Flags [P.], seq 1:344, ack 1, win 1369, options [nop,nop,TS val 7985787 ecr 2339613610], length 343: HTTP: GET / HTTP/1.1
09:34:24.356701 IP 185.58.193.94.80 > 10.8.0.6.47230: Flags [.], ack 344, win 235, options [nop,nop,TS val 2339613744 ecr 7985787], length 0
09:34:24.356817 IP 185.58.193.94.80 > 10.8.0.6.47230: Flags [P.], seq 1:544, ack 344, win 235, options [nop,nop,TS val 2339613744 ecr 7985787], length 543: HTTP: HTTP/1.1 302 Found
09:34:24.424199 IP 10.8.0.6.47230 > 185.58.193.94.80: Flags [.], ack 544, win 1386, options [nop,nop,TS val 7985819 ecr 2339613744], length 0
09:34:29.362135 IP 185.58.193.94.80 > 10.8.0.6.47230: Flags [F.], seq 544, ack 344, win 235, options [nop,nop,TS val 2339618749 ecr 7985819], length 0
09:34:29.444044 IP 10.8.0.6.47232 > 185.58.193.94.80: Flags [F.], seq 1, ack 1, win 1369, options [nop,nop,TS val 7987070 ecr 2339613611], length 0
09:34:29.455529 IP 10.8.0.6.47230 > 185.58.193.94.80: Flags [F.], seq 344, ack 544, win 1386, options [nop,nop,TS val 7987070 ecr 2339613744], length 0
09:34:29.455760 IP 10.8.0.6.47230 > 185.58.193.94.80: Flags [.], ack 545, win 1386, options [nop,nop,TS val 7987072 ecr 2339618749], length 0
09:34:29.496097 IP 185.58.193.94.80 > 10.8.0.6.47232: Flags [.], ack 2, win 227, options [nop,nop,TS val 2339618883 ecr 7987070], length 0
09:34:29.496209 IP 185.58.193.94.80 > 10.8.0.6.47232: Flags [F.], seq 1, ack 2, win 227, options [nop,nop,TS val 2339618883 ecr 7987070], length 0
09:34:29.507534 IP 185.58.193.94.80 > 10.8.0.6.47230: Flags [.], ack 345, win 235, options [nop,nop,TS val 2339618895 ecr 7987070], length 0
09:34:29.574270 IP 10.8.0.6.47232 > 185.58.193.94.80: Flags [.], ack 2, win 1369, options [nop,nop,TS val 7987105 ecr 2339618883], length 0
09:34:34.284138 IP 10.8.0.6.34288 > 49.51.40.151.80: Flags [P.], seq 1934279416:1934279417, ack 1178193537, win 1386, options [nop,nop,TS val 7988276 ecr 2508934808], length 1: HTTP
09:34:34.448727 IP 49.51.40.151.80 > 10.8.0.6.34288: Flags [P.], seq 1:5, ack 1, win 57, options [nop,nop,TS val 2509233988 ecr 7988276], length 4: HTTP
09:34:34.524591 IP 10.8.0.6.34288 > 49.51.40.151.80: Flags [.], ack 5, win 1386, options [nop,nop,TS val 7988341 ecr 2509233988], length 0

colucci-web.it resolves to 185.58.193.94 but Firefox gives me an error page (timeout).

admin
Site Admin
Posts: 458
Joined: Fri Feb 15, 2019 4:04 pm

Re: DNS problem

Post by admin » Fri Mar 29, 2019 10:36 am

Maybe the problem is related to the packets size.
Please, try to follow these steps:
  • edit the VPN
  • tap on "Remote servers"
  • tap on server's ip/name
  • select "Limit Maximum Segment Size MSS" and set the value to 1400
  • save the changes
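
The packet-size explanation can be checked against the failing Firefox capture posted earlier in the thread. The following is an added example, not part of the original posts: it flags flows where the client keeps ACKing the same byte while SACKing later data, with the missing range at least one full-size segment wide. The function name and the threshold of three repeats are assumptions.

```python
import re
from collections import Counter

# Client-side lines copied from the failing mx.franceserv.fr capture in this thread.
CAPTURE = """\
09:13:30.784701 IP 10.8.0.6.47510 > 62.4.19.99.80: Flags [S], seq 1162172647, win 65535, options [mss 1358,sackOK,TS val 7773093 ecr 0,nop,wscale 6], length 0
09:13:31.335537 IP 10.8.0.6.47510 > 62.4.19.99.80: Flags [.], ack 137, win 1404, options [nop,nop,TS val 7773230 ecr 2043786265,nop,nop,sack 1 {1483:2061}], length 0
09:13:37.285529 IP 10.8.0.6.47510 > 62.4.19.99.80: Flags [.], ack 137, win 1404, options [nop,nop,TS val 7774717 ecr 2043786265,nop,nop,sack 1 {1483:2062}], length 0
09:13:47.955048 IP 10.8.0.6.47510 > 62.4.19.99.80: Flags [.], ack 137, win 1404, options [nop,nop,TS val 7777220 ecr 2043786265,nop,nop,sack 1 {1483:2062}], length 0
"""

SYN_RE = re.compile(r"IP (\S+) > (\S+): Flags \[S\],.*?mss (\d+),")
SACK_RE = re.compile(r"IP (\S+) > (\S+): Flags \[\.\], ack (\d+),.*?sack \d+ \{(\d+):\d+\}")
TS_OPTION_BYTES = 12  # TCP timestamp option (10 bytes) padded with two NOPs


def find_stalled_segments(capture, min_repeats=3):
    """Return flows that keep SACKing past a hole one full segment wide."""
    full_payload = {}   # (src, dst) -> largest data payload the peer may send
    holes = Counter()   # (src, dst, ack, sack_left) -> number of times seen
    for line in capture.splitlines():
        if m := SYN_RE.search(line):
            # The peer must respect the MSS advertised in this SYN; timestamps
            # (assumed echoed by the peer) take 12 bytes out of every segment.
            opts = TS_OPTION_BYTES if "TS val" in line else 0
            full_payload[m.group(1), m.group(2)] = int(m.group(3)) - opts
        elif m := SACK_RE.search(line):
            holes[m.group(1), m.group(2), int(m.group(3)), int(m.group(4))] += 1
    findings = []
    for (src, dst, ack, left), seen in holes.items():
        full = full_payload.get((src, dst))
        if full and seen >= min_repeats and left - ack >= full:
            findings.append({"flow": f"{src} > {dst}", "missing_bytes": left - ack,
                             "full_segment": full, "repeats": seen})
    return findings


if __name__ == "__main__":
    for finding in find_stalled_segments(CAPTURE):
        print(finding)
```

On these lines the missing range is bytes 137 to 1483, that is 1346 bytes, exactly one full segment for the advertised MSS of 1358 with timestamps, while the shorter segment after it was received.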

Elodie
Posts: 6
Joined: Thu Mar 28, 2019 10:13 pm

Re: DNS problem

Post by Elodie » Fri Mar 29, 2019 10:49 am

Yeah ! \o/

It's working perfectly with an MSS of 1400.

Thank you very much :)

admin
Site Admin
Posts: 458
Joined: Fri Feb 15, 2019 4:04 pm

Re: DNS problem

Post by admin » Fri Mar 29, 2019 1:53 pm

Very well!
You're welcome.

Elodie
Posts: 6
Joined: Thu Mar 28, 2019 10:13 pm

Re: DNS problem

Post by Elodie » Wed Apr 10, 2019 8:45 pm

I'm sorry to disturb you again, but I'm trying to extend my connectivity and I have a tiny problem.

I have a functional VPN between my 3G phone and my gateway at home (tun0) to go to the Internet (through my vDSL) and my local network.

I added a second VPN between this gateway (tun1) and a VPN provider and everything is working at 99%: from my 3G phone I go to my gateway (tun0) and I jump through (tun1) to another provider. My "gateway" computer is server and client at the same time (with 2 conf files) and all is OK.

Except I have the same problem again: I can open the website "perdu.com" from my mobile phone but not "google.com". I think I have an MSS problem between the 2 VPNs because pings are working.

I can modify 100% of VPN 1 between my 3G mobile phone and my gateway, but my gateway is a client of another provider and I can't touch the server config.

This is my test to obtain the right MTU from my local Internet to the external provider: ping -n 1 -l 1470 google.com OK (1480 NOT OK).

How could I sync them all to the same MTU, please? I know there is this OpenVPN parameter "mssfix" but I don't know how to manage it or what the correct value is.

Could you help me once more, please? :)

Elodie
Posts: 6
Joined: Thu Mar 28, 2019 10:13 pm

Re: DNS problem

Post by Elodie » Wed Apr 10, 2019 9:26 pm

With an MSS of 1350 instead of 1400 it's working perfectly :)

Now I'm able to go to the Internet from my mobile phone on 3G to my local network located at home (through 3G -> tun0), then go to the Internet from the same gateway at home (through tun1 -> WAN)! :)

I don't know if 1350 is a good value or if I should increase the MSS on the second VPN so that I don't need to lower the first VPN to 1350 ;)

admin
Site Admin
Posts: 458
Joined: Fri Feb 15, 2019 4:04 pm

Re: DNS problem

Post by admin » Thu Apr 11, 2019 6:26 am

To find the best value, you can use the ping method and this calculation:

MTU = ping payload (on Linux -s xxxx / on Windows -l xxxx) + 28 (20 bytes for the IP header + 8 bytes for the ICMP header)
MSS = MTU - 40 (20 bytes for the IP header + 20 bytes for the TCP header)

For example:

On Linux:
ping -s 1472 = MTU 1500 and MSS 1460
ping -s 1362 = MTU 1390 and MSS 1350

On Windows:
ping -l 1472 = MTU 1500 and MSS 1460
ping -l 1362 = MTU 1390 and MSS 1350
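
The ping method above can be automated. This is an added example, not part of the original post: it binary-searches the largest payload that gets a reply with the Don't Fragment bit set (Linux iputils `ping -M do`), then applies the two formulas. The function names, the 1200 to 1472 search range and the 2-second timeout are assumptions.

```python
import subprocess
import sys

ICMP_OVERHEAD = 28  # 20-byte IP header + 8-byte ICMP header
TCP_OVERHEAD = 40   # 20-byte IP header + 20-byte TCP header


def ping_df(host, payload):
    """Send one echo request with Don't Fragment set (Linux iputils ping)."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", "2", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def largest_payload(host, lo=1200, hi=1472, probe=ping_df):
    """Binary-search the biggest payload that gets a reply; None if none does.

    Each size is probed once, so a single lost packet lowers the result;
    rerun on a lossy link before trusting the value.
    """
    best = None
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(host, mid):
            best, lo = mid, mid + 1   # fits: try larger
        else:
            hi = mid - 1              # too big or lost: try smaller
    return best


def mtu_and_mss(payload):
    """Apply the formulas from the post: MTU = payload + 28, MSS = MTU - 40."""
    mtu = payload + ICMP_OVERHEAD
    return mtu, mtu - TCP_OVERHEAD


if __name__ == "__main__" and len(sys.argv) == 2:
    found = largest_payload(sys.argv[1])
    if found is None:
        sys.exit("no reply even at 1200 bytes; ICMP may be filtered on this path")
    print("payload %d -> MTU %d, MSS %d" % ((found,) + mtu_and_mss(found)))
```

Run it with the target host as the only argument, from the device whose traffic crosses the tunnel, so that the probes take the same path as the TCP connections.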
