Unexpected DNS failure in NEPacketTunnelProvider #1099

Open
ratkins opened this issue Jan 24, 2025 · 7 comments
Labels
bug Something isn't working DNS help wanted Extra attention is needed

Comments

@ratkins

ratkins commented Jan 24, 2025

Summary

I get a "Failed" when I try to start a VPN configured via an .ovpn file I got from AWS

Steps to reproduce

  1. Download .ovpn file from AWS (AWS/VPC/Client VPN Endpoints/select endpoint/Download client configuration)
  2. "Import Profile" into Passepartout
  3. Click on profile under "My Profiles"

What is the current bug behavior?

See "Activating" for a second, then "Failed" (note this profile works fine as-is in the AWS first-party VPN application.)

What is the expected correct behavior?

Passepartout opens a browser window into which I authenticate with AWS, then the VPN opens and I can access my VPC.

Relevant logs and/or screenshots

16:49:35 - 
16:49:35 - --- BEGIN ---
16:49:35 - 
16:49:35 - Verify profile
16:49:35 - App level: freemium
16:49:35 - Start reloading in-app receipt...
16:49:35 - 	Parse receipt for user level freemium
16:49:35 - 	Production, read main receipt
16:49:35 - Process in-app purchase receipts...
16:49:35 - Finished reloading in-app receipt for user level freemium
16:49:35 - 	Purchased build number: unknown
16:49:35 - 	Purchased products: []
16:49:35 - 	Eligible features: []
16:49:35 - Will verify profile again in 3600.0 seconds...
16:49:35 - Start PTP
16:49:35 - Start daemon
16:49:35 - Clear connection environment
16:49:35 - AppGroupEnvironment.remove(PassepartoutKit.connectionStatus)
16:49:35 - AppGroupEnvironment.remove(PassepartoutKit.dataCount)
16:49:35 - AppGroupEnvironment.remove(PassepartoutKit.lastErrorCode)
16:49:35 - Decoded profile:
16:49:35 - 	ID: 62DF6807-3B95-4A23-BE62-FAF8232EF42A
16:49:35 - 	Name: AWS Somethingorother
16:49:35 - 	Modules:
16:49:35 - 		+ OpenVPNModule: {"id":"F5E0722B-30FD-4C44-A706-4A9F687CF080","configuration":{"renegotiatesAfter":0,"checksEKU":true,"ca":"<redacted>","staticChallenge":false,"remotes":["<redacted>:UDP:443"],"cipher":"AES-256-GCM","authUserPass":true,"randomizeEndpoint":true},"requiresInteractiveCredentials":false}
16:49:35 - 		+ OnDemandModule: {"id":"4F7B267C-69CF-48FA-BFAB-F48922E473E8","isEnabled":false,"policy":"any","withSSIDs":{},"withOtherNetworks":[]}
16:49:35 - Start TUN loop
16:49:35 - NetworkObserver.onReady({signal=false, network=false, status=disconnected}) -> false
16:49:35 - Start reachability observer
16:49:35 - NetworkObserver.onReady({signal=true, network=false, status=disconnected}) -> false
16:49:35 - Tunnel started successfully
16:49:35 - NetworkObserver.onReady({signal=true, network=true, status=disconnected}) -> true
16:49:35 - Network is ready to connect
16:49:35 - Network is ready, pause observer and restart connection
16:49:35 - NetworkObserver.onReady({signal=false, network=true, status=disconnected}) -> false
16:49:35 - Clear tunnel settings
16:49:35 - Report link status: connecting
16:49:35 - NetworkObserver.onReady({signal=false, network=true, status=connecting}) -> false
16:49:35 - Create new link
16:49:35 - Cycle to next endpoint
16:49:35 - Try DNS resolution: {<redacted>:UDP:443, isResolved: false, endpoints: []
16:49:35 - AppGroupEnvironment.remove(PassepartoutKit.lastErrorCode)
16:49:35 - DNS resolution failed: [PassepartoutError.dnsFailure]
16:49:35 - Try next endpoint in current resolvable: {<redacted>:UDP:443, isResolved: false, endpoints: []
16:49:35 - Exhausted endpoints in current resolvable, advance to next resolvable
16:49:35 - Exhausted endpoints
16:49:35 - Unable to create link: [PassepartoutError.exhaustedEndpoints]
16:49:35 - Report link status: disconnected
16:49:35 - NetworkObserver.onReady({signal=false, network=true, status=disconnected}) -> false
16:49:35 - AppGroupEnvironment.remove(PassepartoutKit.dataCount)
16:49:35 - AppGroupEnvironment.remove(PassepartoutKit.OpenVPN.serverConfiguration)
16:49:35 - Unable to restart connection: [PassepartoutError.exhaustedEndpoints]
16:49:35 - Restore network observer in 2000 milliseconds
16:49:37 - NetworkObserver.onReady({signal=true, network=true, status=disconnected}) -> true
16:49:37 - Network is ready to connect
16:49:37 - Network is ready, pause observer and restart connection
16:49:37 - NetworkObserver.onReady({signal=false, network=true, status=disconnected}) -> false
16:49:37 - Clear tunnel settings
16:49:37 - Report link status: connecting
16:49:37 - NetworkObserver.onReady({signal=false, network=true, status=connecting}) -> false
16:49:37 - Create new link
16:49:37 - Cycle to next endpoint
16:49:37 - Try DNS resolution: {<redacted>:UDP:443, isResolved: false, endpoints: []
16:49:37 - AppGroupEnvironment.remove(PassepartoutKit.lastErrorCode)
16:49:37 - DNS resolution failed: [PassepartoutError.dnsFailure]
16:49:37 - Try next endpoint in current resolvable: {<redacted>:UDP:443, isResolved: false, endpoints: []
16:49:37 - Exhausted endpoints in current resolvable, advance to next resolvable
16:49:37 - Exhausted endpoints
16:49:37 - Unable to create link: [PassepartoutError.exhaustedEndpoints]
16:49:37 - Report link status: disconnected
16:49:37 - NetworkObserver.onReady({signal=false, network=true, status=disconnected}) -> false
16:49:37 - AppGroupEnvironment.remove(PassepartoutKit.dataCount)
16:49:37 - AppGroupEnvironment.remove(PassepartoutKit.OpenVPN.serverConfiguration)
16:49:37 - Unable to restart connection: [PassepartoutError.exhaustedEndpoints]
16:49:37 - Restore network observer in 2000 milliseconds
16:49:39 - NetworkObserver.onReady({signal=true, network=true, status=disconnected}) -> true
16:49:39 - Network is ready to connect
16:49:39 - Network is ready, pause observer and restart connection
16:49:39 - NetworkObserver.onReady({signal=false, network=true, status=disconnected}) -> false
16:49:39 - Clear tunnel settings
16:49:39 - Report link status: connecting
16:49:39 - NetworkObserver.onReady({signal=false, network=true, status=connecting}) -> false
16:49:39 - Create new link
16:49:39 - Cycle to next endpoint
16:49:39 - Try DNS resolution: {<redacted>:UDP:443, isResolved: false, endpoints: []
16:49:39 - AppGroupEnvironment.remove(PassepartoutKit.lastErrorCode)
16:49:39 - DNS resolution failed: [PassepartoutError.dnsFailure]
16:49:39 - Try next endpoint in current resolvable: {<redacted>:UDP:443, isResolved: false, endpoints: []
16:49:39 - Exhausted endpoints in current resolvable, advance to next resolvable
16:49:39 - Exhausted endpoints
16:49:39 - Unable to create link: [PassepartoutError.exhaustedEndpoints]
16:49:39 - Report link status: disconnected
16:49:39 - NetworkObserver.onReady({signal=false, network=true, status=disconnected}) -> false
16:49:39 - AppGroupEnvironment.remove(PassepartoutKit.dataCount)
16:49:39 - AppGroupEnvironment.remove(PassepartoutKit.OpenVPN.serverConfiguration)
16:49:39 - Unable to restart connection: [PassepartoutError.exhaustedEndpoints]
16:49:39 - Restore network observer in 2000 milliseconds
16:49:41 - NetworkObserver.onReady({signal=true, network=true, status=disconnected}) -> true
16:49:41 - Network is ready to connect
16:49:41 - Network is ready, pause observer and restart connection
16:49:41 - NetworkObserver.onReady({signal=false, network=true, status=disconnected}) -> false
16:49:41 - Clear tunnel settings
16:49:41 - Report link status: connecting
16:49:41 - NetworkObserver.onReady({signal=false, network=true, status=connecting}) -> false
16:49:41 - Create new link
16:49:41 - Cycle to next endpoint
16:49:41 - Try DNS resolution: {<redacted>:UDP:443, isResolved: false, endpoints: []
16:49:41 - AppGroupEnvironment.remove(PassepartoutKit.lastErrorCode)
16:49:41 - DNS resolution failed: [PassepartoutError.dnsFailure]
16:49:41 - Try next endpoint in current resolvable: {<redacted>:UDP:443, isResolved: false, endpoints: []
16:49:41 - Exhausted endpoints in current resolvable, advance to next resolvable
16:49:41 - Exhausted endpoints
16:49:41 - Unable to create link: [PassepartoutError.exhaustedEndpoints]
16:49:41 - Report link status: disconnected
16:49:41 - NetworkObserver.onReady({signal=false, network=true, status=disconnected}) -> false
16:49:41 - AppGroupEnvironment.remove(PassepartoutKit.dataCount)
16:49:41 - AppGroupEnvironment.remove(PassepartoutKit.OpenVPN.serverConfiguration)
16:49:41 - Unable to restart connection: [PassepartoutError.exhaustedEndpoints]
16:49:41 - Restore network observer in 2000 milliseconds
16:49:43 - NetworkObserver.onReady({signal=true, network=true, status=disconnected}) -> true
16:49:43 - Network is ready to connect
16:49:43 - Network is ready, pause observer and restart connection
16:49:43 - NetworkObserver.onReady({signal=false, network=true, status=disconnected}) -> false
16:49:43 - Clear tunnel settings
16:49:43 - Report link status: connecting
16:49:43 - NetworkObserver.onReady({signal=false, network=true, status=connecting}) -> false
16:49:43 - Create new link
16:49:43 - Cycle to next endpoint
16:49:43 - Try DNS resolution: {<redacted>:UDP:443, isResolved: false, endpoints: []
16:49:43 - AppGroupEnvironment.remove(PassepartoutKit.lastErrorCode)
16:49:43 - DNS resolution failed: [PassepartoutError.dnsFailure]
16:49:43 - Try next endpoint in current resolvable: {<redacted>:UDP:443, isResolved: false, endpoints: []
16:49:43 - Exhausted endpoints in current resolvable, advance to next resolvable
16:49:43 - Exhausted endpoints
16:49:43 - Unable to create link: [PassepartoutError.exhaustedEndpoints]
16:49:43 - Report link status: disconnected
16:49:43 - NetworkObserver.onReady({signal=false, network=true, status=disconnected}) -> false
16:49:43 - AppGroupEnvironment.remove(PassepartoutKit.dataCount)
16:49:43 - AppGroupEnvironment.remove(PassepartoutKit.OpenVPN.serverConfiguration)
16:49:43 - Unable to restart connection: [PassepartoutError.exhaustedEndpoints]
16:49:43 - Restore network observer in 2000 milliseconds
16:49:45 - NetworkObserver.onReady({signal=true, network=true, status=disconnected}) -> true
16:49:45 - Network is ready to connect
16:49:45 - Network is ready, pause observer and restart connection
16:49:45 - NetworkObserver.onReady({signal=false, network=true, status=disconnected}) -> false
16:49:45 - Clear tunnel settings
16:49:45 - Report link status: connecting
16:49:45 - NetworkObserver.onReady({signal=false, network=true, status=connecting}) -> false
16:49:45 - Create new link
16:49:45 - Cycle to next endpoint
16:49:45 - Try DNS resolution: {<redacted>:UDP:443, isResolved: false, endpoints: []
16:49:45 - AppGroupEnvironment.remove(PassepartoutKit.lastErrorCode)
16:49:45 - DNS resolution failed: [PassepartoutError.dnsFailure]
16:49:45 - Try next endpoint in current resolvable: {<redacted>:UDP:443, isResolved: false, endpoints: []
16:49:45 - Exhausted endpoints in current resolvable, advance to next resolvable
16:49:45 - Exhausted endpoints
16:49:45 - Unable to create link: [PassepartoutError.exhaustedEndpoints]
16:49:45 - Report link status: disconnected
16:49:45 - NetworkObserver.onReady({signal=false, network=true, status=disconnected}) -> false
16:49:45 - AppGroupEnvironment.remove(PassepartoutKit.dataCount)
16:49:45 - AppGroupEnvironment.remove(PassepartoutKit.OpenVPN.serverConfiguration)
16:49:45 - Unable to restart connection: [PassepartoutError.exhaustedEndpoints]
16:49:45 - Restore network observer in 2000 milliseconds
16:49:47 - Handle PTP message
16:49:47 - Handle message input: localLog(sinceLast: 86400.0, maxLevel: PassepartoutCore.DebugLog.Level.info)

Possible fixes (suggested remediation)

I see a lot of DNS failures in the above log, but I don't have any idea if they're relevant. DNS works fine on my machine.

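The log in this report is the kind of thing a practitioner has to triage quickly: which stage does each connection attempt die at, and how often does the app retry? The script below is an added example, not Passepartout's own code. It parses the `HH:MM:SS - message` lines, splits them into connection attempts at each `Create new link`, records the remote that was tried and the first `PassepartoutError` seen, and derives the retry interval from the timestamps. The sample log is constructed to mirror the one above; `vpn.example.invalid` stands in for the redacted host.

```python
"""Triage a Passepartout tunnel log: find where each connection attempt died."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, modelled on the log in this issue (host is a placeholder,
# the original is redacted). Three attempts, 2 s apart, all failing at DNS.
SAMPLE_LOG = "\n".join(
    [
        "16:49:35 - Start TUN loop",
        "16:49:35 - Tunnel started successfully",
    ]
    + [
        line
        for t in ("16:49:35", "16:49:37", "16:49:39")
        for line in (
            f"{t} - Create new link",
            f"{t} - Cycle to next endpoint",
            f"{t} - Try DNS resolution: {{vpn.example.invalid:UDP:443, isResolved: false, endpoints: []",
            f"{t} - DNS resolution failed: [PassepartoutError.dnsFailure]",
            f"{t} - Exhausted endpoints",
            f"{t} - Unable to create link: [PassepartoutError.exhaustedEndpoints]",
            f"{t} - Report link status: disconnected",
            f"{t} - Restore network observer in 2000 milliseconds",
        )
    ]
)

LINE_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}) - (.*)$")
ERROR_RE = re.compile(r"\[PassepartoutError\.(\w+)\]")
RESOLVE_RE = re.compile(r"Try DNS resolution: \{([^:]+):(\w+):(\d+)")


@dataclass
class Attempt:
    started_at: int                               # seconds since midnight
    remotes: list = field(default_factory=list)   # (host, proto, port) tried
    errors: list = field(default_factory=list)    # PassepartoutError names, in order
    final_status: Optional[str] = None            # last "Report link status"

    @property
    def failed_stage(self) -> str:
        """The first error is the one that decides where the attempt died."""
        if not self.errors:
            return "none"
        return {"dnsFailure": "dns"}.get(self.errors[0], "other")


def parse_attempts(log_text: str) -> list:
    attempts = []
    current = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        h, mi, s, msg = m.groups()
        ts = int(h) * 3600 + int(mi) * 60 + int(s)
        if msg.startswith("Create new link"):
            current = Attempt(started_at=ts)
            attempts.append(current)
            continue
        if current is None:
            continue  # lines before the first attempt (receipt, TUN setup)
        r = RESOLVE_RE.search(msg)
        if r:
            current.remotes.append((r.group(1), r.group(2), int(r.group(3))))
        current.errors.extend(ERROR_RE.findall(msg))
        if msg.startswith("Report link status: "):
            current.final_status = msg.split(": ", 1)[1]
    return attempts


def triage(log_text: str) -> dict:
    attempts = parse_attempts(log_text)
    stages = [a.failed_stage for a in attempts]
    gaps = [b.started_at - a.started_at for a, b in zip(attempts, attempts[1:])]
    hosts = sorted({h for a in attempts for h, _, _ in a.remotes})
    if attempts and all(s == "dns" for s in stages):
        verdict = ("every attempt died at name resolution inside the extension; "
                   "no socket to the server was opened, so TLS and auth are not "
                   "in play yet")
    elif "dns" in stages:
        verdict = "intermittent DNS failure; compare the attempts that got past it"
    else:
        verdict = "DNS resolved; look past name resolution"
    return {
        "attempts": len(attempts),
        "dns_failures": stages.count("dns"),
        "hosts": hosts,
        "retry_interval_s": max(set(gaps), key=gaps.count) if gaps else None,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real log export with `triage(open(path).read())`. The useful signal it surfaces from this report is that `isResolved: false, endpoints: []` and `dnsFailure` appear before any link exists, so nothing about the AWS endpoint's TLS setup or credentials has been exercised; the resolver path used by the tunnel extension is the only thing that has failed.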
@ratkins ratkins added the bug Something isn't working label Jan 24, 2025
@keeshux keeshux modified the milestones: Hotfixes for v3, Inconsistencies with DNS Jan 25, 2025
@keeshux
Member

keeshux commented Jan 25, 2025

I will need a bit more time to attack this. I've occasionally seen those DNS failures and they often make no sense, but I couldn't find the culprit. Or, at least, I thought I had fixed them a while ago.

Is this urgent?

@keeshux keeshux changed the title from "Can't connect to AWS via ovpn config" to "Unexpected DNS failure in NEPacketTunnelProvider" Jan 25, 2025
@keeshux
Member

keeshux commented Jan 25, 2025

Self note: ensure that CFDNS queries are NEVER going through the tunnel.

@ratkins
Author

ratkins commented Jan 25, 2025

No, not urgent urgent, but if this is meant to work I’d love to be able to get rid of AWS’s shitty first-party client.

Is it an intermittent failure or is there an actual bug that’s triggered by something in my setup?

@keeshux
Member

keeshux commented Jan 25, 2025

> No, not urgent urgent, but if this is meant to work I’d love to be able to get rid of AWS’s shitty first-party client.
>
> Is it an intermittent failure or is there an actual bug that’s triggered by something in my setup?

Unfortunately, I have no clue yet. DNS is the most unpredictable point of failure in the tunnel extension. My comment is an idea but I don't have the time now to confirm or dismiss it.

@keeshux
Member

keeshux commented Jan 25, 2025

Out of curiosity, can you link me to the "AWS client" you are talking about?

@ratkins
Author

ratkins commented Jan 26, 2025

It’s this one (the macOS version obvs.)

@keeshux
Member

keeshux commented Jan 28, 2025

Just wanted to say that as a temporary workaround you can replace the remotes in the .ovpn with the resolved IP addresses.

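The workaround in the comment above (pin resolved IP addresses in place of the host names in `remote` lines) is easy to get subtly wrong by hand, so here is an added example script for it; it is not part of Passepartout or of the AWS client. It rewrites every `remote <hostname> [port] [proto]` line into one `remote <ip> ...` line per resolved IPv4 address, leaves all other directives alone, and offers a check that no host name is left. The sample profile, the `cvpn-endpoint.example.invalid` host and the `203.0.113.x` addresses are constructed for the example; run the resolution on the machine where DNS works, outside the tunnel, since the whole point is that resolution inside the extension is what fails.

```python
"""Pin resolved addresses into the `remote` lines of an .ovpn profile."""
import ipaddress
import socket
from typing import Callable, Iterable, List

# Constructed sample in the shape of an OpenVPN client profile; the host name
# and directives are placeholders, not AWS's real endpoint or full config.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote cvpn-endpoint.example.invalid 443
remote 192.0.2.7 1194 tcp
remote-random
remote-cert-tls server
verify-x509-name server name
cipher AES-256-GCM
auth-user-pass
"""

# Constructed answers so the example runs offline; the duplicate is deliberate.
FAKE_DNS = {"cvpn-endpoint.example.invalid": ["203.0.113.10", "203.0.113.11", "203.0.113.10"]}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def resolve_ipv4(host: str) -> List[str]:
    """System resolver; call this on a host whose DNS works, not in the tunnel."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_DGRAM)
    return [info[4][0] for info in infos]


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def rewrite_remotes(ovpn_text: str,
                    resolve: Callable[[str], Iterable[str]] = resolve_ipv4) -> str:
    """Replace each `remote <hostname> ...` with one line per resolved address,
    keeping the port/proto tokens; every other line passes through unchanged."""
    out = []
    for line in ovpn_text.splitlines():
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0] == "remote" and not _is_ip(tokens[1]):
            addrs = list(dict.fromkeys(resolve(tokens[1])))  # dedupe, keep order
            if not addrs:
                raise LookupError(f"{tokens[1]} did not resolve; fix DNS first")
            out.append(f"# pinned from: {line}")   # '#' is an OpenVPN comment
            for ip in addrs:
                out.append(" ".join(["remote", ip, *tokens[2:]]))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def unresolved_remotes(ovpn_text: str) -> List[str]:
    """Check: host names still present in `remote` lines (empty when pinned)."""
    return [
        tokens[1]
        for tokens in (line.split() for line in ovpn_text.splitlines())
        if len(tokens) >= 2 and tokens[0] == "remote" and not _is_ip(tokens[1])
    ]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:            # real profile: use the system resolver
        text, resolver = open(sys.argv[1]).read(), resolve_ipv4
    else:                            # no argument: demo with constructed data
        text, resolver = SAMPLE_OVPN, fake_resolve
    pinned = rewrite_remotes(text, resolver)
    if unresolved_remotes(pinned):
        sys.exit("host names remain in remote lines")
    sys.stdout.write(pinned)
```

Two caveats worth knowing before relying on this. Pinning IPs does not weaken server authentication: OpenVPN checks the server certificate against the profile's `<ca>` and the `remote-cert-tls` / `verify-x509-name` directives, none of which depend on what is written in `remote`, so those lines must be kept. It does freeze whatever the endpoint resolved to on the day you ran it; if the provider rotates or adds addresses behind the name, the pinned profile stops seeing them, so keep the original `remote` line in the comment and re-run the script when connections start failing. Emitting one `remote` line per address, together with an existing `remote-random`, keeps the client's endpoint rotation working.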
@keeshux keeshux added the DNS label Jan 30, 2025
@keeshux keeshux self-assigned this Jan 30, 2025
@keeshux keeshux modified the milestones: 3.1.0 / Routing/DNS, 3.1.0 / Hotfixes Jan 31, 2025
@keeshux keeshux added the help wanted Extra attention is needed label Feb 3, 2025
@keeshux keeshux removed their assignment Feb 8, 2025