Hello,
I will try to give you as much detail as necessary. Hopefully it will all be applicable and I don’t waste too much of your time. I’ve attempted to search the forum for similar issues and while I’ve found some, none quite seemed to help. And while this issue also occurs with my OpenVPN desktop app (Windows10), I want to see if I can get my droid working first — who knows, maybe this place will kill two birds with one stone 
The current error when trying to use OpenVPN on my phone is:
Transport Error: DNS resolve error on ‘[mydomainname.blah.blah]’ for UDP session: Host not found (authoritative)
Backstory as to what I’m trying to accomplish:
I have been trying to set up a hardware VPN using Raspberry Pi3 by following this article: http://www.bbc.com/news/technology-33548728
At the end of this article it suggested I use ChangeIP to set up a ddns, however, it didn’t go into too much detail and I kind of winged it. I have created a domain which I can ping and it is giving me my public ip correctly, so I’m assuming I did that step correctly.
I really have no idea what the error could mean and not sure if it’s something to do with my domain that I set up through changeip.com. But here’s what I’ve done since encountering the error:
— I’ve forwarded ports 443 and 1194 on the local network IP that my Raspberry Pi is connected to on the linksys router
— I’ve forwarded ports 443 and 1194 on the local network IP that my linksys is connected to on the Comcast modem/router
— I’ve manually changed my DNS to “80.67.14.78″ or “8.8.8.8”.
Here’s a general overview of what my network looks like:
(internet) < > [Comcast modem/router] < > [Linksys Router] < > Raspberri Pi 3 and other computers/devices
Side note: The reason for the linksys is because the comcast router is terrible for wifi and I had a linksys lying around which solved all my wifi issues.
My config is as follows:
Code: Select all
client
dev tun
proto udp
remote [mydomain.blah.blah] 1194 #REPLACE YOUR DYNAMIC DNS VALUE FROM CHANGEIP$ note: I'm purposefully hiding the domain I made.
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20
<ca>
-----BEGIN CERTIFICATE-----
yadda yadda
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
yadda yadda
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
yadda yadda
-----END OpenVPN Static key V1-----
</tls-auth>
my ddclient config file:
Code: Select all
#ddclient.conf
#tell ddclient how to get your ip address
use=web, web=ip.changeip.com #I left this unchanged, wasn't sure if ip.changeip.com was placeholder or not.
#provide server and login details
protocol=changeip
ssl=yes
server=nic.changeip.com/nic/update
login=yourLogin #I certainly changed this to my username
password=yourPassword #I of course change this to have my password
#specify the domain to update
mydomain.blah.blah
Please, any help on this would be awesome. I’m using the raspberry pi as a learning tool. Thank you for taking the time to read.
macOS troubleshooting
The following sections contain information about logging and problems that you might have when using macOS clients. Please ensure that you are running the latest version of these clients.
Topics
- AWS provided client
- Tunnelblick
- OpenVPN
AWS provided client
The AWS provided client creates event logs and stores them in the following location on your computer.
/Users/username/.config/AWSVPNClient/logs
The following types of logs are available:
- Application logs: Contain information about the application. These logs are prefixed with ‘aws_vpn_client_’.
- OpenVPN logs: Contain information about OpenVPN processes. These logs are prefixed with ‘ovpn_aws_vpn_client_’.
The AWS provided client uses the client daemon to perform root operations. The daemon logs are stored in the following locations on your computer.
/tmp/AcvcHelperErrLog.txt
/tmp/AcvcHelperOutLog.txt
The AWS provided client stores the configuration files in the following location on your computer.
/Users/username/.config/AWSVPNClient/OpenVpnConfigs
Topics
- Client cannot connect
- Client is stuck in a reconnecting state
- Client cannot create profile
Client cannot connect
Problem
The AWS provided client cannot connect to the Client VPN endpoint.
Cause
The cause of this problem might be one of the following:
- Another OpenVPN process is already running on your computer, which prevents the client from connecting.
- Your configuration (.ovpn) file is not valid.
Solution
Check to see if there are other OpenVPN applications running on your computer. If there are, stop or quit these processes and try connecting to the Client VPN endpoint again. Check the OpenVPN logs for errors, and ask your Client VPN administrator to verify the following information:
- That the configuration file contains the correct client key and certificate. For more information, see Export Client Configuration in the AWS Client VPN Administrator Guide.
- That the CRL is still valid. For more information, see Clients Unable to Connect to a Client VPN Endpoint in the AWS Client VPN Administrator Guide.
Client is stuck in a reconnecting state
Problem
The AWS provided client is trying to connect to the Client VPN endpoint, but is stuck in a reconnecting state.
Cause
The cause of this problem might be one of the following:
- Your computer is not connected to the internet.
- The DNS hostname does not resolve to an IP address.
- An OpenVPN process is indefinitely trying to connect to the endpoint.
Solution
Verify that your computer is connected to the internet. Ask your Client VPN administrator to verify that the remote directive in the configuration file resolves to a valid IP address. You can also disconnect the VPN session by choosing Disconnect in the AWS VPN Client window, and try connecting again.
Client cannot create profile
Problem
You get the following error when you try to create a profile using the AWS provided client.
The config should have either cert and key or auth-user-pass specified.
Cause
If the Client VPN endpoint uses mutual authentication, the configuration (.ovpn) file does not contain the client certificate and key.
Solution
Ensure that your Client VPN administrator adds the client certificate and key to the configuration file. For more information, see Export Client Configuration in the AWS Client VPN Administrator Guide.
Tunnelblick
The following troubleshooting information was tested on version 3.7.8 (build 5180) of the Tunnelblick software on macOS High Sierra 10.13.6.
The configuration file for private configurations is stored in the following location on your computer.
/Users/username/Library/Application Support/Tunnelblick/Configurations
The configuration file for shared configurations is stored in the following location on your computer.
/Library/Application Support/Tunnelblick/Shared
The connection logs are stored in the following location on your computer.
/Library/Application Support/Tunnelblick/Logs
To increase the log verbosity, open the Tunnelblick application, choose Settings, and adjust the value for VPN log level.
Cipher algorithm ‘AES-256-GCM’ not found
Problem
The connection fails and returns the following error in the logs.
2019-04-11 09:37:14 Cipher algorithm 'AES-256-GCM' not found
2019-04-11 09:37:14 Exiting due to fatal error
Cause
The application is using an OpenVPN version that doesn’t support cipher algorithm AES-256-GCM.
Solution
Choose a compatible OpenVPN version by doing the following:
-
Open the Tunnelblick application.
-
Choose Settings.
-
For OpenVPN version, choose 2.4.6 — OpenSSL version is v1.0.2q.
Connection stops responding and resets
Problem
The connection fails and returns the following error in the logs.
MANAGEMENT: >STATE:1559117927,WAIT,,,,,,
MANAGEMENT: >STATE:1559117928,AUTH,,,,,,
TLS: Initial packet from [AF_INET]3.217.107.5:443, sid=df19e70f a992cda3
VERIFY OK: depth=1, CN=server-certificate
VERIFY KU OK
Validating certificate extended key usage
Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
VERIFY EKU OK
VERIFY OK: depth=0, CN=server-cvpn
Connection reset, restarting [0]
SIGUSR1[soft,connection-reset] received, process restarting
Cause
The client certificate has been revoked. The connection stops responding after trying to authenticate and is eventually reset from the server side.
Solution
Request a new configuration file from your Client VPN administrator.
Extended key usage (EKU)
Problem
The connection fails and returns the following error in the logs.
TLS: Initial packet from [AF_INET]50.19.205.135:443, sid=29f2c917 4856ad34
VERIFY OK: depth=2, O=Digital Signature Trust Co., CN=DST Root CA X3
VERIFY OK: depth=1, C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
VERIFY KU OK
Validating certificate extended key usage
++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
VERIFY EKU OK
VERIFY OK: depth=0, CN=cvpn-lab.myrandomnotes.com (http://cvpn-lab.myrandomnotes.com/)
Connection reset, restarting [0]
SIGUSR1[soft,connection-reset] received, process restarting
MANAGEMENT: >STATE:1559138717,RECONNECTING,connection-reset,,,,,
Cause
The server authentication succeeded. However, the client authentication fails because the client certificate has the extended key usage (EKU) field enabled for server authentication.
Solution
Verify that you are using correct client certificate and key. If necessary, verify with your Client VPN administrator. This error might occur if you’re using the server certificate and not the client certificate to connect to the Client VPN endpoint.
Expired certificate
Problem
The server authentication succeeds but the client authentication fails with the following error.
WARNING: “Connection reset, restarting [0] , SIGUSR1[soft,connection-reset] received, process restarting”
Cause
The client certificate validity has expired.
Solution
Request a new client certificate from your Client VPN administrator.
OpenVPN
The following troubleshooting information was tested on version 2.7.1.100 of the OpenVPN Connect Client software on macOS High Sierra 10.13.6.
The configuration file is stored in the following location on your computer.
/Library/Application Support/OpenVPN/profile
The connection logs are stored in the following location on your computer.
Library/Application Support/OpenVPN/log/connection_name.log
Cannot resolve DNS
Problem
The connection fails with the following error.
Mon Jul 15 13:07:17 2019 Transport Error: DNS resolve error on 'cvpn-endpoint-1234.prod.clientvpn.us-east-1.amazonaws.com' for UDP session: Host not found (authoritative)
Mon Jul 15 13:07:17 2019 Client terminated, restarting in 2000 ms...
Mon Jul 15 13:07:18 2019 CONNECTION_TIMEOUT [FATAL-ERR]
Mon Jul 15 13:07:18 2019 DISCONNECTED
Mon Jul 15 13:07:18 2019 >FATAL:CONNECTION_TIMEOUT
Cause
OpenVPN Connect is unable to resolve the Client VPN DNS name.
Solution
See the solution for Unable to Resolve Client VPN Endpoint DNS Name in the AWS Client VPN Administrator Guide.
-
#1
I happen to already have Asuswrt-Merlin loaded on my RT-AC68U so I thought I’d try using IPCT DDNS following
THESE INSTRUCTIONS
. I didn’t have any problems and I got a «Registration is successful» at the end of the process. The only notable difference with my router was for DDNS I had the option to select either EXTERNAL or INTERNAL for «Method to retrieve WAN IP». I tried both since I was having a problem..but which one is it supposed to be?
The only other setup I did was to Export OpenVPN configuration file under the VPN Server tab of the VPN menu settings. With OpenVPN Connect installed on my Android phone I selected the connection type as OVPN Profile Connect with .ovpn file and I supplied the configuration file I previously exported from the Asus router. And yes, the phone is going through the cell phone tower not my WiFi.
I get a «Host not found» error. Any ideas on which other settings I need to look for on the Asus router?
Here’s the log file from OpenVPN Connect on the Android phone:
16:23:07.152 — —— OpenVPN Start ——
16:23:07.153 — EVENT: CORE_THREAD_ACTIVE
16:23:07.156 — Frame=512/2048/512 mssfix-ctrl=1250
16:23:07.157 — UNUSED OPTIONS
5 [ncp-ciphers] [AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC]
11 [resolv-retry] [infinite]
12 [nobind]
16:23:07.158 — EVENT: RESOLVE
16:23:07.209 — Transport Error: DNS resolve error on ‘
API KEY‘ for UDP session: Host not found (authoritative)
16:23:07.210 — Client terminated, restarting in 2000 ms…
16:23:09.210 — EVENT: RECONNECTING
16:23:09.227 — EVENT: RESOLVE
16:23:09.261 — Transport Error: DNS resolve error on ‘
API KEY‘ for UDP session: Host not found (authoritative)
Last edited: Feb 28, 2019
-
#2
Probably have to get the DDNS working first then generate a new OpenVPN certificate and export/import it (delete the previous).
-
#3
I removed your API code from your post. Try doing what @Whoaru99 said and also please post or send a screenshot of your DDNS settings on the router. Make sure if you post it here to remove your API key.
-
#4
In a web browser I enter https://ipcamtalk.com/dyn?api=’API KEY’
Web browers responds:
nochg
no change
97.X.X.X <== this is my current dynamic assigned IP address from my ISP
If I ping ‘myURL’.ipctddns.com I get:
SSH
JFFS
DDNS SCRIPT
ENABLE DDNS
VPN SETTINGS
-
#5
Your DDNS , JFFS and SSH settings look right, but change SSH to LAN only for security purposes (unless you plan on SSH’ing remotely). The nochg error means your subdomain did not change IP addresses, so that is a confirmation the request was sent and received. Also looks like the URL is pinging.
Silly question but did you modify the .ovpn file with the new hostname?
I use my Synology for my VPN so I can’t confirm the VPN settings, hopefully someone else can chime in for that.
For «Method to retrieve WAN IP» I have Internal set on mine. I updated the screenshot in the wiki to reflect this (this is a fake API key)
-
#6
The .ovpn configuration file was imported into OpenVPN exactly as it was exported by the ASUS router.
-
#7
You need to use your hostname here: whatever.ipctddns.com
-
#8
You need to use your hostname here: whatever.ipctddns.com
I had tried that yesterday as an experiment and it didn’t work but maybe I had another setting off so I’ll try again but the instructions for IPCT DDNS stated to use the API key.
-
#9
The instructions don’t say use the API key in the VPN file, only in the DDNS settings in the router. The VPN file needs to have the hostname (URL or IP), not the API key.
-
#10
The instructions don’t say use the API key in the VPN file, only in the DDNS settings in the router. The VPN file needs to have the hostname (URL or IP), not the API key.
That make sense to me…maybe we should specify in the directions that after the .ovpn file is exported from the router to edit the host name and change it from the API key to whatever.ipctddns.com
-
#11
That make sense to me…maybe we should specify in the directions that after the .ovpn file is exported from the router to edit the host name and change it from the API key to whatever.ipctddns.com
The directions say nothing about a VPN, they have nothing to do with setting up a VPN. I suppose I could put a note regarding about this in the setup though, in case other people come across the same thing. Thanks 
-
#12
I went back to modifying the .ovpn hostname file plus «Method to retrieve WAN IP» was changed back to ‘internal’ and SSH was change to «LAN only» instead of both. Looks like I made progress as now OpenVPN Connect is showing it’s connecting to whatever.ipct.ddns.com with the correct IP address. Unfortunately I’m now getting a «Server poll timeout». So I’m off to the next issue…LOL! I thank you for your help!
Last edited: Mar 1, 2019
-
#13
I forgot to turn WiFi off on my phone (I’m at home). It’s working fine now…..LOL!
Здравствуйте.
Можно с разрешения ТС подобный вопрос задать, чтоб темы не плодить.
Подскажите пожалуйста. Поднял сервер openvpn на ubuntu server 18.04, на микрот установил сертификат и ключ. Пробую соединиться — не получается.
Лог сервера:
Код: Выделить всё
Thu Nov 14 01:32:07 2019 TCP connection established with [AF_INET]***.***.***.***:53340
Thu Nov 14 01:32:07 2019 185.184.233.160:53340 TLS: Initial packet from [AF_INET]***.***.***.***:53340, sid=53ffafd8 2edccd19
Thu Nov 14 01:32:07 2019 185.184.233.160:53340 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]***.***.***.***:53340
Thu Nov 14 01:32:07 2019 185.184.233.160:53340 Fatal TLS error (check_tls_errors_co), restarting
Thu Nov 14 01:32:07 2019 185.184.233.160:53340 SIGUSR1[soft,tls-error] received, client-instance restartingконфигурация сервера:
Код: Выделить всё
port 1194
# Протокол может быть UDP или TCP, я выбрал 1-й вариант.
proto tcp
# Если вы выберите протокол TCP, здесь должно быть устройство tap. Однако, это вариант я не проверял, поэтому ищите информацию отдельно. FIXME
dev tun
# Указываем где искать ключи
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh2048.pem
# Для 12.04 dh1024.pem
# Задаем IP и маску виртуальной сети. Произвольно, но если не уверены лучше делайте как показано здесь
server 10.8.0.0 255.255.255.0
# Указыем, где хранятся файлы с настройками IP-адресов клиентов (создадим ниже)
client-config-dir ccd
# Запоминать динамически выданные адреса для VPN-клиентов и при последующих подключениях назначать те же значения.
ifconfig-pool-persist ipp.txt
# Указываем сети, в которые нужно идти через туннель (сеть-клиента).
route 192.168.0.0 255.255.255.0
# Включаем TLS
tls-server
tls-auth /etc/openvpn/keys/ta.key 0
tls-timeout 120
auth SHA1
cipher AES-256-CBC
# Если нужно, чтобы клиенты видели друг друга раскомментируйте
;client-to-client
keepalive 10 120
# Сжатие трафика
;comp-lzo
# Максимум клиентов
max-clients 10
user nobody
group nogroup
# Не перечитывать ключи, не закрывать и переоткрывать TUNTAP устройство, после получения SIGUSR1 или ping-restart
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
# Детальность логирования
verb 3
# Защита от повторов (максимум 20 одинаковых сообщений подряд)
mute 20
# Файл отозванных сертификатов. Разремить, когда такие сертификаты появятся.
;crl-verify /etc/openvpn/crl.pemлог с микрота:
Настраивал по мануалу с вики ubuntu.ru
Где может быть ошибка?
благодарю