Troubleshoot Client VPN Connection – Linux


Now let’s see how to troubleshoot a Client VPN connection on Linux-based clients, that is, the problems you face while using a client application to connect to a Client VPN endpoint. Make sure you are running the latest version of the client. The first client covered is the AWS-provided client, also known as the AWS VPN Client.

The configuration files stored by the AWS-provided client are kept in the following directory on your system (replace username with your login name):

/home/username/.config/AWSVPNClient/

The log files are stored under:

/var/log/aws-vpn-client/username/

After a VPN connection is established, you may find that DNS queries still go to the default system nameserver instead of the nameservers configured for the Client VPN endpoint, and name resolution through the tunnel fails. This happens because systemd-resolved does not give the DNS servers provided by the Client VPN endpoint the highest priority; it appends them to the list of DNS servers already configured on the local system. The original DNS servers therefore keep the highest priority and continue to be used to resolve queries.

Let’s see the solutions to troubleshoot the issues:

  • First, include the following directive in the OpenVPN configuration file to ensure that all DNS queries are routed through the VPN tunnel:
dhcp-option DOMAIN-ROUTE
  • Use the systemd-resolved stub resolver. To do this, symlink /etc/resolv.conf to /run/systemd/resolve/stub-resolv.conf with the following command:
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
  • This step is optional. If you don’t want systemd-resolved to act as a proxy and prefer to go directly to the real DNS nameservers instead, symlink /etc/resolv.conf to /run/systemd/resolve/resolv.conf:
sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

This optional step is useful when you want to bypass systemd-resolved features such as DNS answer caching, per-interface DNS configuration, DNSSEC enforcement, and so on. Once you are connected to the VPN, it is also useful for replacing a public DNS record with a private one.

OpenVPN (command line)

The main cause of problems with OpenVPN (command line) is DNS resolution: the connection comes up but does not function properly because the DNS server is either not configured on the Client VPN endpoint or the client software is not honoring it.

Let’s see the solutions to troubleshoot the issues:

Follow these steps to ensure that the DNS server is properly configured and working.

  • Check that the logs contain a DNS server entry. The final line of the following example returns the DNS server 192.168.0.2, which is configured on the Client VPN endpoint. If no DNS server is specified, ask your Client VPN administrator to modify the Client VPN endpoint so that a DNS server is specified.
Mon Apr 15 21:26:55 2019 us=274574 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Apr 15 21:26:55 2019 us=276082 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 192.168.0.2,route-gateway 10.0.0.97,topology subnet,ping 1,ping-restart 20,auth-token,ifconfig 10.0.0.98 255.255.255.224,peer-id 0'
  • Now run the following command to check whether the resolvconf package is installed:
sudo apt list resolvconf

Output:

Listing... Done
resolvconf/bionic-updates,now 1.79ubuntu10.18.04.3 all [installed]

If it isn’t installed already, use the following command to install it:

sudo apt install resolvconf
  • Add the following lines to the Client VPN configuration file (the .ovpn file):
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Check the logs to confirm that the resolvconf script has been executed; the log should contain lines similar to the following:

Mon Apr 15 21:33:52 2019 us=795388 /etc/openvpn/update-resolv-conf tun0 1500 1552 10.0.0.98 255.255.255.224 init
dhcp-option DNS 192.168.0.2
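The two checks above (did the endpoint push a DNS server in PUSH_REPLY, and does that server actually end up in the resolver list that systemd-resolved or resolvconf is using) are easy to get wrong by eye, so here is a small diagnostic script that automates them together with the resolv.conf symlink check from the AWS-provided client section. It is an added example, not code from the original post or from the AWS VPN Client; the function names (pushed_dns_servers, resolv_mode, nameserver_rank, check_vpn_dns, make_fixture) are my own, and the fixture it builds is constructed, modelled on the log excerpt above, with 192.168.1.1 standing in for a pre-existing LAN resolver.

```shell
#!/bin/sh
# Added diagnostic helper (not part of the original article or the AWS client).
# Checks: 1) which DNS servers the server pushed in PUSH_REPLY,
#         2) how /etc/resolv.conf is wired (systemd-resolved stub, direct, static),
#         3) whether the pushed server is present, and at what position, in the
#            file that really answers queries. Paths are parameters so the
#            functions can run against the constructed fixture below.

# Print the unique DNS servers pushed by the server, one per line.
pushed_dns_servers() {
    grep 'PUSH_REPLY' "$1" | grep -o 'dhcp-option DNS [0-9.]*' | awk '{ print $3 }' | sort -u
}

# Classify the resolv.conf at $1 (default /etc/resolv.conf):
#   stub    -> symlink to systemd-resolved's stub (127.0.0.53 proxy)
#   direct  -> symlink to systemd-resolved's real upstream list
#   static  -> a plain file or some other symlink
#   missing -> path does not exist (or dangling symlink)
resolv_mode() {
    p="${1:-/etc/resolv.conf}"
    [ -e "$p" ] || { echo missing; return 0; }
    case "$(readlink -f "$p")" in
        */systemd/resolve/stub-resolv.conf) echo stub ;;
        */systemd/resolve/resolv.conf)      echo direct ;;
        *)                                  echo static ;;
    esac
}

# Print the 1-based position of nameserver $1 among the "nameserver" lines of
# file $2, or 0 if it is absent. Position matters: the article's symptom is that
# systemd-resolved appends the VPN server after the servers already configured.
nameserver_rank() {
    awk -v want="$1" '
        $1 == "nameserver" { n++; if ($2 == want) { found = n; exit } }
        END { print found + 0 }' "$2"
}

# Verdict for one client log and one resolv.conf path:
#   ok              every pushed server is listed where queries are answered
#   no-dns-pushed   the endpoint pushed no dhcp-option DNS (ask the admin)
#   vpn-dns-missing pushed server not present in the active resolver list
check_vpn_dns() {
    log="$1"; etc_resolv="$2"
    servers=$(pushed_dns_servers "$log")
    [ -n "$servers" ] || { echo no-dns-pushed; return 1; }
    # In stub mode resolv.conf only shows 127.0.0.53; the real upstreams live in
    # the sibling resolv.conf that systemd-resolved generates.
    case "$(resolv_mode "$etc_resolv")" in
        stub) real="$(dirname "$(readlink -f "$etc_resolv")")/resolv.conf" ;;
        *)    real="$etc_resolv" ;;
    esac
    for s in $servers; do
        [ "$(nameserver_rank "$s" "$real")" -gt 0 ] || { echo vpn-dns-missing; return 1; }
    done
    echo ok
}

# Constructed fixture (not a live system): a client log modelled on the article's
# PUSH_REPLY excerpt, plus the two files systemd-resolved would generate.
# 192.168.0.2 is the pushed VPN DNS from the article; 192.168.1.1 is a made-up
# pre-existing LAN resolver placed first to mirror the "appended" ordering.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/run/systemd/resolve"
    cat > "$d/client.log" <<'EOF'
Mon Apr 15 21:26:55 2019 us=274574 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Apr 15 21:26:55 2019 us=276082 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 192.168.0.2,route-gateway 10.0.0.97,topology subnet,ping 1,ping-restart 20,auth-token,ifconfig 10.0.0.98 255.255.255.224,peer-id 0'
EOF
    printf 'nameserver 127.0.0.53\n' > "$d/run/systemd/resolve/stub-resolv.conf"
    printf 'nameserver 192.168.1.1\nnameserver 192.168.0.2\n' > "$d/run/systemd/resolve/resolv.conf"
    ln -s "$d/run/systemd/resolve/stub-resolv.conf" "$d/resolv.conf"
    echo "$d"
}

# Run the checks against the fixture; on a real host pass the paths from the
# article instead, e.g. check_vpn_dns /var/log/aws-vpn-client/username/<log> /etc/resolv.conf
demo() {
    d=$(make_fixture)
    echo "resolv.conf mode : $(resolv_mode "$d/resolv.conf")"
    echo "pushed DNS       : $(pushed_dns_servers "$d/client.log" | tr '\n' ' ')"
    echo "rank in upstream : $(nameserver_rank 192.168.0.2 "$d/run/systemd/resolve/resolv.conf")"
    echo "verdict          : $(check_vpn_dns "$d/client.log" "$d/resolv.conf")"
    rm -rf "$d"
}
demo
```

A rank greater than 1 in the upstream list is exactly the situation the article describes: the VPN server is present but sits behind the resolver that was already configured, so queries for private names can still be answered by the wrong server until the DOMAIN-ROUTE directive and the stub-resolver symlink are in place.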

Hope this helps you to troubleshoot your Client VPN connection on Linux.
